Re: RFC v2: Static Analysis in edk2 CI


Felix Polyudov
 

Yes, we can run other analyzers; however, in the case of CodeChecker we also need a server to upload the result to.

-----Original Message-----
From: rfc@edk2.groups.io <rfc@edk2.groups.io> On Behalf Of Michael D
Kinney via groups.io
Sent: Thursday, June 23, 2022 9:30 PM
To: rfc@edk2.groups.io; pedro.falcato@...; Felix Polyudov
<Felixp@...>; Kinney, Michael D <michael.d.kinney@...>
Cc: Rebecca Cran <rebecca@...>; edk2-devel-groups-io
<devel@edk2.groups.io>
Subject: [EXTERNAL] Re: [edk2-rfc] RFC v2: Static Analysis in edk2 CI


I have Coverity scan builds running in a GitHub Action and then uploaded to
Coverity.

We should be able to configure a GitHub Action to run other analyzers.

Mike

-----Original Message-----
From: rfc@edk2.groups.io <rfc@edk2.groups.io> On Behalf Of Pedro
Falcato
Sent: Tuesday, June 14, 2022 1:00 PM
To: rfc@edk2.groups.io; POLUDOV, FELIX <felixp@...>
Cc: Rebecca Cran <rebecca@...>; edk2-devel-groups-io
<devel@edk2.groups.io>
Subject: Re: [edk2-rfc] RFC v2: Static Analysis in edk2 CI

(Re-adding devel@ since Felix dropped it)

On Tue, Jun 14, 2022 at 8:59 PM Pedro Falcato
<pedro.falcato@...>
wrote:

Just want to note that if we want to go ahead with fuzzing (I detailed a possible plan to do so in the mailing list a month or so ago) we will definitely need somewhere to run fuzzing (even if it's Google's syzbot).
Getting somewhere where we can run static analysis, fuzzing just makes sense IMO (hell, who knows, maybe even CI or something like Gerrit for mailing list-less code reviews).

On Tue, Jun 14, 2022 at 7:43 PM Felix Polyudov via groups.io
<felixp=ami.com@groups.io> wrote:

Yes, LLVM/CLANG Static Analyzer is another possibility. I've mentioned it in the first version of the RFC.
CodeChecker (https://codechecker.readthedocs.io/en/latest/) is an open source front-end for scan-build and clang-tidy.
It simplifies analyzer configuration and provides web-based report storage. However, it has to be hosted somewhere.
If somebody has an idea on how the edk2 community can host CodeChecker, that's definitely an option to consider.





--
Pedro Falcato