So, we have a security signal that is available but not used. Why might that be? Is the market inefficient, or are there real limitations that I missed?
There are a few things that jump to mind:
- Code size. More code produces a longer report. RATS reports the total number of lines it analyzed, but it does not normalize its findings into a density such as "8 issues per KLOC," so two reports of different lengths cannot be compared directly.
- Severity. RATS tags each finding Low, Medium or High, but offers no way to weigh them against each other. Is one High worse than ten Lows? RATS doesn't help with this.
- Ian Grigg mentioned a real instance of the perverse incentive that such signals create: developers making changes just to silence compiler warnings. A tool like RATS, which flags calls by function name, invites the same move, rewriting code to dodge the pattern rather than to fix the bug.
So it seems that the market is reasonably efficient, and that RATS would make a poor signal, because the raw report is so hard to evaluate.
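To make the first two limitations concrete, here is what a buyer would have to do on top of RATS to get a comparable number: parse the default text report, count findings per severity, and normalize by the "Total lines analyzed" line. This is an added example and not part of the original post or of RATS itself; the sample report below is constructed for illustration, and the severity weights (High 10, Medium 3, Low 1) are an assumption that RATS does not supply, which is exactly the point. RATS can also emit XML with `--xml`, which would be the sturdier thing to parse, but the text format is the one the post discusses.

```python
import re
from collections import Counter

# Constructed sample in the shape of RATS's default text report.
# Not the output of a real scan; file names and line numbers are made up.
SAMPLE_RATS_OUTPUT = """\
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing auth.c
auth.c:12: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely.  They are prime targets for buffer overflow
attacks.

auth.c:15: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.

auth.c:40: Medium: getenv
Environment variables are highly untrustable input. They may be of any length,
and contain any data. Do not make any assumptions regarding content or length.

Analyzing util.c
util.c:8: Low: rand
Standard random number generators should not be used to
generate randomness used for security reasons.

Total lines analyzed: 2450
Total time 0.001312 seconds
1867378 lines per second
"""

# One finding per "file:line: Severity: description" header line.
FINDING_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+): (?P<sev>High|Medium|Low|Default): (?P<what>.+)$"
)
TOTAL_RE = re.compile(r"^Total lines analyzed: (?P<n>\d+)$")

# Assumed weights. RATS gives no guidance here; a buyer has to pick these.
SEVERITY_WEIGHTS = {"High": 10, "Medium": 3, "Low": 1, "Default": 1}


def parse_rats(text):
    """Return (findings, lines_analyzed) from a RATS text report.

    findings is a list of (file, line, severity, description) tuples;
    the multi-line explanation under each finding is ignored.
    """
    findings = []
    lines_analyzed = None
    for raw in text.splitlines():
        m = FINDING_RE.match(raw)
        if m:
            findings.append(
                (m.group("file"), int(m.group("line")), m.group("sev"), m.group("what"))
            )
            continue
        m = TOTAL_RE.match(raw)
        if m:
            lines_analyzed = int(m.group("n"))
    if lines_analyzed is None:
        raise ValueError("no 'Total lines analyzed' line in RATS output")
    return findings, lines_analyzed


def summarize(text, weights=SEVERITY_WEIGHTS):
    """Turn a raw report into size-normalized, severity-weighted numbers."""
    findings, loc = parse_rats(text)
    by_sev = Counter(sev for _, _, sev, _ in findings)
    kloc = loc / 1000.0
    weighted = sum(weights.get(sev, 1) * n for sev, n in by_sev.items())
    return {
        "lines_analyzed": loc,
        "findings": len(findings),
        "by_severity": dict(by_sev),
        "issues_per_kloc": len(findings) / kloc,
        "weighted_per_kloc": weighted / kloc,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RATS_OUTPUT).items():
        print(f"{key}: {value}")
```

Two things fall out of running it. First, the density figure is only as honest as the denominator: RATS counts lines it scanned, not lines that matter, so a project that vendors in a large third-party tree will look better than it is. Second, every number the weighted score produces is an artifact of the weights the evaluator chose, not of the tool, which is why the raw report makes such a poor signal to a buyer who has not done this work.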