We have started using a static analyzer (Coverity) on our code base. We were promptly stupefied by the sheer amount of warnings we received (it's in the hundreds of thousands); it will take the entire team a few months to clear them all (obviously impossible).
The options we discussed so far are:
1) Hire a contractor to sort out the warnings and fix them - the drawback: we will probably need very experienced people to do all these modifications, and no contractor will have the required understanding of the code.
2) Filter out the warnings and deal only with the dangerous ones - the problem here is that our static analysis output will always be cluttered by warnings, making it difficult for us to isolate problems. Also, the filtering of the warnings is a major effort.
Either way, bringing our code to a state where the static analyzer can be a useful tool for us seems a monumental task.
So how is it possible to work with the static analyzer without bringing current development efforts to a complete standstill?
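As an added illustration of option 2 (not part of the question, and not Coverity's own tooling), the script below triages a warning export by checker severity and goes one step beyond the question's filtering idea: it also records a baseline of pre-existing findings so that only warnings introduced after the tool was adopted block a build, while the legacy backlog is scheduled separately. The JSON report shape, the `HIGH_RISK` checker set and the sample data are all constructed for this example; a real analyzer's export would need its own loader, but the triage logic is the same.

```python
"""Triage a static-analysis warning export by severity and baseline.

Added example, not from the original question and not Coverity tooling.
The report format is a constructed JSON shape; only load_report() would
change for a real tool's export.
"""
import json
from collections import Counter

# Checker names treated as "dangerous" (assumption for this example).
HIGH_RISK = {"BUFFER_OVERFLOW", "USE_AFTER_FREE", "TAINTED_SCALAR", "SQL_INJECTION"}

# Constructed sample export: findings with a stable per-finding id.
SAMPLE_REPORT = json.dumps([
    {"id": "a1", "checker": "BUFFER_OVERFLOW", "file": "net/parse.c", "line": 120},
    {"id": "a2", "checker": "UNUSED_VALUE", "file": "util/log.c", "line": 33},
    {"id": "a3", "checker": "USE_AFTER_FREE", "file": "core/conn.c", "line": 415},
    {"id": "a4", "checker": "UNUSED_VALUE", "file": "util/log.c", "line": 40},
    {"id": "a5", "checker": "TAINTED_SCALAR", "file": "net/parse.c", "line": 200},
])

# Constructed baseline: ids that were already present when the tool was adopted.
SAMPLE_BASELINE = {"a1", "a2", "a4"}


def load_report(text):
    """Parse the constructed JSON export into a list of warning dicts."""
    return json.loads(text)


def fingerprint(w):
    # Prefer the tool's stable id; fall back to checker+file (deliberately not
    # the line number, so unrelated edits that shift lines don't look "new").
    return w.get("id") or f"{w['checker']}:{w['file']}"


def triage(warnings, baseline, high_risk=HIGH_RISK):
    """Split warnings into what blocks a build and what can wait.

    Returns a dict with:
      new_high   - high-risk findings not in the baseline (fix now)
      old_high   - high-risk findings that predate the baseline (schedule)
      new_low    - anything else introduced since the baseline (keep pile from growing)
      old_low    - legacy noise, kept out of the daily view
      by_checker - counts per checker, to see which checkers to tune or disable
    """
    buckets = {"new_high": [], "old_high": [], "new_low": [], "old_low": []}
    for w in warnings:
        known = fingerprint(w) in baseline
        risky = w["checker"] in high_risk
        key = ("old" if known else "new") + ("_high" if risky else "_low")
        buckets[key].append(w)
    buckets["by_checker"] = Counter(w["checker"] for w in warnings)
    return buckets


def gate(result):
    """Ratchet: pass only when nothing was introduced after the baseline."""
    return not result["new_high"] and not result["new_low"]


if __name__ == "__main__":
    r = triage(load_report(SAMPLE_REPORT), SAMPLE_BASELINE)
    for k in ("new_high", "old_high", "new_low", "old_low"):
        print(k, [w["id"] for w in r[k]])
    print("top checkers:", r["by_checker"].most_common(3))
    print("gate passes:", gate(r))
```

The `by_checker` counts are what make the second half of option 2 tractable: a handful of noisy checkers usually account for most of a six-figure backlog, so deciding per checker (tune, suppress, or keep) is far less work than filtering individual warnings.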