As you may know, Coverity provides a static code analyzer, free for open source projects. Apparently the SFI license is not too dodgy for them and one fork of this repo is already using it: https://scan.coverity.com/projects/ja2-stracciatella
Since it's from an inactive fork, it's not tracking upstream - this repo - and so can't be used to detect regressions quickly. (Cov can actually be integrated with Travis). The past fixes have hopefully already made it here.
I suggest the author be contacted and the source url changed to this repo.