@craigmaloney define good? Personally, I just use a good IDE/Text editor for code review. Most of the scanners out there will throw so many false positives they're just not worth running for the low hanging fruit they find.
@tduehr This was more for automated checking of an existing codebase without having to edit every single file.
@craigmaloney That depends on how thorough you need to be.
If you're just looking for a sniff test, all I can add is cppcheck. Though, I haven't used it myself. It also seems like gcc and clang have added some analysis features.
Just remember, analysis tools will only catch flaws in the program's logic, and even then they're only going to do so well. They'll never catch business logic flaws (e.g., authz/authn) and usually are limited to the most glaring of logic issues.
@tduehr Thanks. This is for a friend who was planning on writing a regex pattern to check array lengths which brought up the question and the "there has to be a better way". 😁
@craigmaloney if you're just looking for that type of bug then something like cppcheck should work well.
The biggest problem with regexes is the number of false positives in comments.
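As an added illustration (not code from anyone in the thread) of the bug class a regex over array lengths would be hunting, and of why a bounds analyser has an easier job than a text match: the buggy pattern is shown only in a comment, and the compiled code ties the loop bound to the array's declared size so the two cannot drift apart. `ARRAY_LEN`, `copy_bounded` and `demo_truncation` are names chosen here, not from the thread or from cppcheck.

```c
#include <stddef.h>

/* Derive an element count from the array itself, so the declared size and
 * any bound computed from it can never disagree after an edit. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* The pattern that prompts people to reach for a regex (never call this;
 * it is the bug):
 *
 *   int buf[8];
 *   for (int i = 0; i <= 8; i++) buf[i] = 0;   // writes buf[8], one past the end
 *
 * A bounds analyser relates the declaration to the index and reports the
 * off-by-one. A regex matching "[8]" would also fire on this comment,
 * which is the false-positive problem mentioned in the thread. */

/* Copy at most dst_len elements and report how many were copied, so the
 * caller can detect truncation instead of silently writing past the end. */
size_t copy_bounded(int *dst, size_t dst_len, const int *src, size_t src_len)
{
    size_t n = src_len < dst_len ? src_len : dst_len;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
    return n;
}

/* Constructed demonstration: a 12-element source copied into an 8-element
 * destination. The bounds come from ARRAY_LEN, not from literals, so the
 * copy truncates to 8 and nothing is written out of bounds. */
int demo_truncation(void)
{
    int src[12];
    int dst[8];

    for (size_t i = 0; i < ARRAY_LEN(src); i++)
        src[i] = (int)i;

    size_t copied = copy_bounded(dst, ARRAY_LEN(dst), src, ARRAY_LEN(src));

    /* Sanity check: the last copied element is what the source held there. */
    if (copied > 0 && dst[copied - 1] != src[copied - 1])
        return -1;

    return (int)copied;
}
```

The point for a code review is that the fix is structural, not textual: once the bound is derived from the declaration, neither a scanner nor a reviewer has to cross-check two literals that happen to match today.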