RFC v2: Static Analysis in edk2 CI

Felix Polyudov

This is version 2 of the proposal that provides additional details regarding the bring up process.

The initial version is at https://edk2.groups.io/g/rfc/message/696

The goal of the proposal is integration of the static analysis (SA) into the edk2 workflow.

- Use the Open Coverity SA service to scan the edk2 repository. The service is free for open source projects.
  edk2 Open Coverity project: https://scan.coverity.com/projects/tianocore-edk2
- Update edk2 CI scripts to run the analysis once a week.
- Perform the analysis on all the edk2 packages using the package DSC files that are used for CI build tests
  (Coverity analysis is executed in the course of a specially instrumented project build).
- SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request tianocore-edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using the standard edk2 process (Bugzilla, mailing list).
- During the initial bring up period, access to the SA results is restricted to stewards, maintainers, and members of the TianoCore InfoSec group, who are encouraged to review reported issues with the primary goal of identifying security-related issues. All such issues should be handled in accordance with the following guidelines:
  - The initial bring up period ends when the embargo on all identified security issues ends, or after 30 days if no security issues have been identified.
  - Once the bring up period is over, access to SA results is open to everybody.
- The package maintainers should monitor weekly scan results for newly reported issues and reach back to the original patch submitters to resolve them. Package maintainers can revert the patch if no action is taken by the submitter.
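As an added illustration of the weekly job described above (example script, not part of this proposal or of the edk2 CI scripts), the following POSIX shell wraps the existing per-package CI build in cov-build and submits the intermediate directory to the tianocore-edk2 project. The stuart_ci_build arguments, the COVERITY_TOKEN/COVERITY_EMAIL variable names and the DRY_RUN switch are assumptions for the example; the cov-build and scan.coverity.com upload forms are the standard Coverity Scan interface.

```shell
#!/bin/sh
# Weekly Coverity scan of edk2 packages (added example). Assumes the edk2
# stuart-based CI build, cov-build on PATH, and COVERITY_TOKEN/COVERITY_EMAIL
# provided as secrets by the CI job. Usage: sh coverity_scan.sh MdePkg MdeModulePkg ...
set -eu

COV_DIR="${COV_DIR:-cov-int}"          # cov-build intermediate directory
PROJECT="tianocore-edk2"               # Open Coverity project named in the RFC
TOOL_CHAIN="${TOOL_CHAIN_TAG:-GCC5}"   # assumed toolchain tag for the CI build
DRY_RUN="${DRY_RUN:-0}"                # 1: print the build commands instead of running them

# Build one package under cov-build so Coverity records every compiler invocation.
# The same --dir is reused for all packages, so one upload covers the whole scan.
scan_package() {
    pkg="$1"
    cmd="cov-build --dir $COV_DIR stuart_ci_build -c .pytool/CISettings.py -p $pkg -a IA32,X64 TOOL_CHAIN_TAG=$TOOL_CHAIN"
    if [ "$DRY_RUN" = "1" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Package the intermediate directory and submit it to scan.coverity.com.
# --fail makes a rejected upload (bad token, quota exceeded) fail the CI job.
upload_results() {
    version="$1"
    tar czf "$PROJECT.tgz" "$COV_DIR"
    curl --fail --silent --show-error \
        --form "token=$COVERITY_TOKEN" \
        --form "email=$COVERITY_EMAIL" \
        --form "file=@$PROJECT.tgz" \
        --form "version=$version" \
        --form "description=weekly edk2 CI scan" \
        "https://scan.coverity.com/builds?project=$PROJECT"
}

main() {
    for pkg in "$@"; do
        scan_package "$pkg"
    done
    upload_results "$(git rev-parse --short HEAD)"
}

# Run the full scan only when packages are given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```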
