Hi @xcorail, thanks for your contribution!

In order for us to evaluate and accept your PR, we ask that you sign a contribution license agreement. It's all electronic and will take just minutes.

Sincerely,
DataStax Bot.

Thank you @xcorail for signing the Contribution License Agreement.

Cheers,
DataStax Bot.

Hi @xcorail, thank you for your PR.

Your project looks promising but we don't want to commit too strongly to any static analysis tool, because these oftentimes report many false positives. Besides, we already have ErrorProne as part of our build and it does a pretty good job of catching real issues.

Hi @adutra

Thanks for the feedback.

Fair enough. In this case, the LGTM alerts will anyway always there for you, daily refreshed, so that you can look at them occasionally.

If it's not asking too much of your time, you seem to think that the reported alerts are false positives, would you mind pointing me to those FPs, so that we can fix them? As you said code analyzers have a bad reputation with FPs, but we make a great deal about having a low FP rate, and a technology that allows us to fix them in a few days.

Cheers

@xcorail sure, for example all current warnings about potential int overflows, such as this one, are false positives given the context; such an overflow would only happen if someone is crazy enough to specify Integer.MAX_VALUE seconds for a connection timeout :-) .

I am surprised. I would tend to consider this one as a TP in general, because "someone crazy enough" can happen. As a matter of fact, the reason for these alerts are for these cases, of someone malicious enough, who just wants to mess up. So I don't think we'll make a fix on this one.

But I guess from your comment that in your context, this data is not coming from a user input or has been sanitized. In this case, I think it's fair that we classify it as a Warning, and entitle it as Potential overflow. And leave the decision to the users to exclude these alerts if they think they are useless in their context.

Thanks a lot!