Re: RFC v2: Static Analysis in edk2 CI

Rebecca Cran

LLVM's tools also appear to be much easier to review, for other people to run etc. I'd suggest at least starting with clang-tidy + scan-build and possibly adding Coverity later.

I've found the Coverity tools, while very powerful, tend to get ignored after a while because it's quite a process to keep it running, go through the issues it detects and keep the database up-to-date etc.


Rebecca Cran

On 6/13/22 15:54, Pedro Falcato wrote:
(Replying under Mike for devel visibility)


Why coverity? I feel like we could run something akin to LLVM's clang-tidy
+ scan-build; it's open source (transparent *and* we can improve it or add
UEFI quirks) and doesn't rely on a third-party service. I'm sure we could
figure something out for hosting the thing. Otherwise, looks good to me.


On Mon, Jun 13, 2022 at 7:54 PM Michael D Kinney <michael.d.kinney@...>


-----Original Message-----
From: <> On Behalf Of Felix
Polyudov via
Sent: Monday, June 13, 2022 10:48 AM
Cc: Kinney, Michael D <michael.d.kinney@...>
Subject: [edk2-rfc] RFC v2: Static Analysis in edk2 CI

This is version 2 of the proposal that provides additional details
regarding the bring up process.
The initial version is at

The goal of the proposal is integration of the static analysis (SA) into
the edk2 workflow.
- Use Open Coverity SA service to scan edk2 repository. The service is
free for open source projects.
edk2 Open Coverity project:
- Update edk2 CI scripts to run analysis once a week
- Perform analysis on all the edk2 packages using package DSC files
that are used for CI build tests
(Coverity analysis is executed in the course of a specially
instrumented project build).
- SA results are uploaded to To access them one
would need to register on the site and request tianocore-
edk2 project access. The site can be used to triage the reported issues.
Confirmed issues can be addressed using a standard edk2
process (Bugzilla, mailing list).
- During the initial bring up period, access to the SA results is
restricted to stewards, maintainers, and members of the
TianoCore InfoSec group, who are encouraged to review reported issues
with the primary goal of identifying security-related
issues. All such issues should be handled in accordance with the
following guidelines:
- The initial bring up period ends when embargo for all the identified
security issues ends or after 30 days if no security
issues have been identified
- Once brig up period is over, SA results access is open to everybody.
- The package maintainers should monitor weekly scan results for a newly
reported issues and reach back to original patch
submitters to resolve them. Package maintainers can revert the patch if
no action is taken by the submitter.
-The information contained in this message may be confidential and
proprietary to American Megatrends (AMI). This communication
is intended to be read only by the individual or entity to whom it is
addressed or by their designee. If the reader of this
message is not the intended recipient, you are on notice that any
distribution of this message, in any form, is strictly
prohibited. Please promptly notify the sender by reply e-mail or by
telephone at 770-246-8600, and then delete or destroy all
copies of the transmission.

Join to automatically receive all group messages.