LLVM's tools also appear to be much easier to review, for other people to run etc. I'd suggest at least starting with clang-tidy + scan-build and possibly adding Coverity later.
I've found the Coverity tools, while very powerful, tend to get ignored after a while because it's quite a process to keep it running, go through the issues it detects and keep the database up-to-date etc.
On 6/13/22 15:54, Pedro Falcato wrote:
(Replying under Mike for devel visibility)
Why coverity? I feel like we could run something akin to LLVM's clang-tidy
+ scan-build; it's open source (transparent *and* we can improve it or add
UEFI quirks) and doesn't rely on a third-party service. I'm sure we could
figure something out for hosting the thing. Otherwise, looks good to me.
On Mon, Jun 13, 2022 at 7:54 PM Michael D Kinney <michael.d.kinney@...>
-----Original Message-----
From: email@example.com <firstname.lastname@example.org> On Behalf Of Felix Polyudov via groups.io
Sent: Monday, June 13, 2022 10:48 AM
Cc: Kinney, Michael D <michael.d.kinney@...>
Subject: [edk2-rfc] RFC v2: Static Analysis in edk2 CI

This is version 2 of the proposal that provides additional details regarding the bring up process.
The initial version is at https://edk2.groups.io/g/rfc/message/696

The goal of the proposal is integration of the static analysis (SA) into the edk2 workflow.
- Use Open Coverity SA service to scan edk2 repository. The service is free for open source projects.
  edk2 Open Coverity project: https://scan.coverity.com/projects/tianocore-edk2
- Update edk2 CI scripts to run analysis once a week
- Perform analysis on all the edk2 packages using package DSC files that are used for CI build tests
  (Coverity analysis is executed in the course of a specially instrumented project build).
- SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request tianocore-edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using a standard edk2 process (Bugzilla, mailing list).
- During the initial bring up period, access to the SA results is restricted to stewards, maintainers, and members of the TianoCore InfoSec group, who are encouraged to review reported issues with the primary goal of identifying security-related issues. All such issues should be handled in accordance with the following guidelines:
- The initial bring up period ends when embargo for all the identified security issues ends or after 30 days if no security issues have been identified
- Once the bring up period is over, SA results access is open to everybody.
- The package maintainers should monitor weekly scan results for newly reported issues and reach back to original patch submitters to resolve them. Package maintainers can revert the patch if no action is taken by the submitter.

The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.
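The RFC asks package maintainers to watch the weekly scan for newly reported defects and to look at security-relevant ones first. The script below is an added illustration of that weekly delta triage; it is not edk2 CI code and not part of the thread. It assumes each weekly scan has been exported as a JSON list of records with the keys "cid", "checker", "file" and "function" (an assumed shape chosen for the example, not the scan.coverity.com export format), maps each path to its edk2 package by the first component ending in "Pkg", and lists defects whose checker is on an assumed memory-safety watch list ahead of the rest. The two snapshots, package names, paths and function names are constructed sample data, not real scan output.

```python
"""Weekly static-analysis delta triage for an edk2-style source tree.

Added example, not edk2 project code. Input shape (assumed, not the
scan.coverity.com export format): a JSON list of objects with keys
"cid", "checker", "file", "function".
"""
import json
from collections import defaultdict
from pathlib import PurePosixPath

# Checkers whose hits most often turn out to be memory-safety problems in
# firmware. Assumed watch list for the example; tune it per project.
SECURITY_CHECKERS = frozenset({
    "OVERRUN", "TAINTED_SCALAR", "USE_AFTER_FREE", "INTEGER_OVERFLOW",
    "UNINIT", "NEGATIVE_RETURNS", "BUFFER_SIZE",
})


def package_of(path):
    """Map a source path to its edk2 package (first component ending in 'Pkg')."""
    for part in PurePosixPath(path).parts:
        if part.endswith("Pkg"):
            return part
    return "<no package>"          # e.g. BaseTools or top-level files


def load_defects(text):
    """Parse one weekly export (assumed JSON shape) into {cid: record}."""
    return {int(r["cid"]): r for r in json.loads(text)}


def new_defects(previous, current):
    """Return records whose CID is present this week but was not last week."""
    return [current[c] for c in sorted(current.keys() - previous.keys())]


def triage(previous_json, current_json):
    """Group new defects by package; security-flagged ones sort first."""
    prev, cur = load_defects(previous_json), load_defects(current_json)
    by_pkg = defaultdict(list)
    for rec in new_defects(prev, cur):
        by_pkg[package_of(rec["file"])].append({
            "cid": int(rec["cid"]),
            "checker": rec["checker"],
            "file": rec["file"],
            "function": rec.get("function", ""),
            "security": rec["checker"] in SECURITY_CHECKERS,
        })
    for items in by_pkg.values():
        items.sort(key=lambda d: (not d["security"], d["cid"]))
    return dict(by_pkg)


# Constructed sample snapshots (hypothetical packages, files and CIDs).
LAST_WEEK = json.dumps([
    {"cid": 1001, "checker": "RESOURCE_LEAK", "file": "SamplePkg/Library/FooLib/Foo.c", "function": "FooAllocate"},
    {"cid": 1002, "checker": "OVERRUN", "file": "DemoPkg/Core/Bar.c", "function": "BarCopy"},
])
THIS_WEEK = json.dumps([
    {"cid": 1001, "checker": "RESOURCE_LEAK", "file": "SamplePkg/Library/FooLib/Foo.c", "function": "FooAllocate"},
    {"cid": 1002, "checker": "OVERRUN", "file": "DemoPkg/Core/Bar.c", "function": "BarCopy"},
    {"cid": 1003, "checker": "TAINTED_SCALAR", "file": "DemoPkg/Bus/Baz/Baz.c", "function": "BazParseHeader"},
    {"cid": 1004, "checker": "DEADCODE", "file": "DemoPkg/Core/Bar.c", "function": "BarInit"},
    {"cid": 1005, "checker": "UNINIT", "file": "SamplePkg/Drivers/Qux/Qux.c", "function": "QuxStart"},
    {"cid": 1006, "checker": "FORWARD_NULL", "file": "BaseTools/Source/C/Tool/Tool.c", "function": "ToolMain"},
])


def report(previous_json=LAST_WEEK, current_json=THIS_WEEK):
    """Render the weekly delta as text a maintainer could paste into a ticket."""
    lines = []
    for pkg, items in sorted(triage(previous_json, current_json).items()):
        lines.append(f"{pkg}: {len(items)} new defect(s)")
        for d in items:
            tag = "[SECURITY] " if d["security"] else ""
            lines.append(f"  {tag}CID {d['cid']} {d['checker']} in {d['function']} ({d['file']})")
    return "\n".join(lines) if lines else "no new defects this week"


if __name__ == "__main__":
    print(report())
```

Run it against two consecutive exports to get a per-package list that leads with the flagged checkers; a defect whose CID was already present last week is not re-reported, which is what keeps the weekly mail short enough that maintainers keep reading it.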