
Investigate Android sound code issues reported by Codacy

Open ann0see opened this issue 3 years ago • 10 comments

Describe the bug

Codacy complains that the following variable is not used (and I don't see that this is false):

https://github.com/jamulussoftware/jamulus/blob/a9deb2259161b6cb86c12259f3e6f398189029ef/android/sound.cpp#L150

Also this warning: (screenshot)

I assume this is a false positive?

To Reproduce

See https://app.codacy.com/gh/ann0see/jamulus/file/68862695471/issues/source?bid=21822857&fileBranchId=21822857

Expected behavior

No Codacy warnings

Screenshots

See above

Operating system

Android

Version of Jamulus

Latest

Additional context

@j-santander @sthenos could you please have a look at these warnings too?

ann0see avatar Mar 31 '22 21:03 ann0see

I assume this is a false positive?

No it isn't, but it is not a real issue since it will always be initialized before starting Sound.

(And I'm still hoping to get my sound-redesign implemented, since it will solve a lot of these sound related issues ;=))

pgScorpio avatar Apr 01 '22 15:04 pgScorpio
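As an added illustration (not code from the Jamulus project or from anyone in this thread) of the pattern pgScorpio describes, a member that is only assigned later but always before Start, next to the in-class default initializer that removes the analyzer finding; all class and member names are hypothetical:

```cpp
// Added example, not Jamulus code. CSoundDeviceFlagged / CSoundDeviceFixed,
// iBufferSize and Start() are hypothetical names chosen for illustration.
#include <cassert>

// Pattern a static analyzer flags: the member gets a value only in Start(),
// so between construction and Start() it holds an indeterminate value.
class CSoundDeviceFlagged
{
public:
    CSoundDeviceFlagged() {}                           // iBufferSize not initialized here
    void Start ( int iNewSize ) { iBufferSize = iNewSize; }
    int  BufferSize() const { return iBufferSize; }   // reading before Start() is undefined
private:
    int iBufferSize;
};

// Hardened form: a default member initializer gives the member a defined value
// at construction, so the "always set before Start()" assumption is enforced by
// the compiler rather than by convention, and the warning disappears.
class CSoundDeviceFixed
{
public:
    CSoundDeviceFixed() = default;
    void Start ( int iNewSize ) { iBufferSize = iNewSize; }
    int  BufferSize() const { return iBufferSize; }
private:
    int iBufferSize = 0;
};

// Helpers that return the observed values so behaviour can be checked directly.
int FlaggedBufferSizeAfterStart ( int iSize )
{
    CSoundDeviceFlagged dev;
    dev.Start ( iSize );
    return dev.BufferSize();
}

int FixedBufferSizeBeforeStart()
{
    CSoundDeviceFixed dev;
    return dev.BufferSize();      // well-defined: 0
}

int FixedBufferSizeAfterStart ( int iSize )
{
    CSoundDeviceFixed dev;
    dev.Start ( iSize );
    return dev.BufferSize();
}

int main()
{
    assert ( FixedBufferSizeBeforeStart() == 0 );
    assert ( FixedBufferSizeAfterStart ( 128 ) == 128 );
    assert ( FlaggedBufferSizeAfterStart ( 256 ) == 256 );
    return 0;
}
```

The flagged class is only ever read after Start() in the helpers above, matching the thread's claim that the value is always set first; the point of the fixed class is that the same guarantee no longer depends on every caller remembering that ordering.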

If this is simple, we might as well try to resolve it in 3.11.0.

pljones avatar Aug 12 '23 10:08 pljones

@ann0see I'm happy to pick this one up, unless you're planning to?

pljones avatar Aug 19 '23 17:08 pljones

Feel free to do so. It should be a quick fix.

ann0see avatar Aug 20 '23 08:08 ann0see

latencyMode appears not to exist:

$ grep latencyMode android/*.* src/*.*
$

iOboeBufferSizeMono appears not to exist:

$ grep iOboeBufferSizeMono android/*.* src/*.*
$

Where on GitHub do I look to see Codacy output - is this on jamulussoftware/jamulus:main?

pljones avatar Aug 28 '23 19:08 pljones

Where on GitHub do I look to see Codacy output - is this on jamulussoftware/jamulus:main?

No. It's just enabled for my repo for security reasons: https://app.codacy.com/gh/ann0see/jamulus/dashboard

ann0see avatar Aug 28 '23 20:08 ann0see

Given anyone can enable Codacy against Jamulus, I don't understand how there is any security benefit in not running the tool on each commit and reporting the findings as part of the build? We use CodeQL in a similar manner - that also reports potential security flaws.

pljones avatar Aug 29 '23 17:08 pljones

Codacy is an external proprietary tool while CodeQL is something supported by GitHub. Every plug-in in the official repo is another potential attack vector.

ann0see avatar Aug 29 '23 17:08 ann0see

That doesn't answer my point. If anyone can use Codacy to expose flaws in Jamulus, should the Jamulus team not take on responsibility by having the reports delivered to the team as part of each build? Either there's a use for the tool, or there isn't, right?

pljones avatar Aug 29 '23 17:08 pljones

Yes. This is true. We can enable Codacy for the repo. We just didn't as it is a proprietary tool.

ann0see avatar Aug 29 '23 18:08 ann0see