Date
1 - 2 of 2
RFC: Static Analysis in edk2 CI
Michael D Kinney
Hi Felix,
I think this is a great idea to add this to edk2 CI.
I recommend we focus initially on a full scan once a week to get started.
If we see lots of escapes, we can evaluate how to enable the scan on a submitted PR.
What do you need with from the community to move this proposal forward?
Thanks,
Mike
toggle quoted message
Show quoted text
I think this is a great idea to add this to edk2 CI.
I recommend we focus initially on a full scan once a week to get started.
If we see lots of escapes, we can evaluate how to enable the scan on a submitted PR.
What do you need with from the community to move this proposal forward?
Thanks,
Mike
-----Original Message-----
From: rfc@edk2.groups.io <rfc@edk2.groups.io> On Behalf Of Felix Polyudov via groups.io
Sent: Wednesday, September 1, 2021 5:53 PM
To: rfc@edk2.groups.io
Subject: [edk2-rfc] RFC: Static Analysis in edk2 CI
I would like to start a discussion regarding integration of the static analysis (SA) into the edk2 workflow.
I assume the SA benefits are well understood, so I'll get straight to the point; however, if anybody doubts the cause,
feel free to disagree.
Here is the high level overview on how we can integrate SA into edk2 CI.
Once we agree on a large picture, we can discuss the details.
- Use Open Coverity SA service. The service is free for open source projects. edk2 Open Coverity project already exists:
https://scan.coverity.com/projects/tianocore-edk2
- Update edk2 CI scripts to run analysis once a week
(I'm not proposing running SA on every pull request since the process is time consuming)
- Perform analysis on all the edk2 packages using package DSC files that are used for CI build tests
(Coverity analysis is executed in the course of a specially instrumented project build).
- SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request
tianocore-edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using
a standard edk2 process (Bugzilla, mailing list).
Side notes:
- Another SA option is a CLANG CodeChecker (https://codechecker.readthedocs.io/en/latest/). However, as far as I'm aware,
no hosted CodeChecker service is available and it will be on edk2 community to deploy one.
- It is potentially possible to run incremental Open Coverity scans on each pull request. However, to do so we would need
to preserve build process and analyzer output files (essentially, the build folder) across the scans.
-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This
communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the
reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any
form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then
delete or destroy all copies of the transmission.
Felix Polyudov
I would like to start a discussion regarding integration of the static analysis (SA) into the edk2 workflow.
I assume the SA benefits are well understood, so I'll get straight to the point; however, if anybody doubts the cause, feel free to disagree.
Here is the high level overview on how we can integrate SA into edk2 CI.
Once we agree on a large picture, we can discuss the details.
- Use Open Coverity SA service. The service is free for open source projects. edk2 Open Coverity project already exists:
https://scan.coverity.com/projects/tianocore-edk2
- Update edk2 CI scripts to run analysis once a week
(I'm not proposing running SA on every pull request since the process is time consuming)
- Perform analysis on all the edk2 packages using package DSC files that are used for CI build tests
(Coverity analysis is executed in the course of a specially instrumented project build).
- SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request tianocore-edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using a standard edk2 process (Bugzilla, mailing list).
Side notes:
- Another SA option is a CLANG CodeChecker (https://codechecker.readthedocs.io/en/latest/). However, as far as I'm aware, no hosted CodeChecker service is available and it will be on edk2 community to deploy one.
- It is potentially possible to run incremental Open Coverity scans on each pull request. However, to do so we would need to preserve build process and analyzer output files (essentially, the build folder) across the scans.
-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.
I assume the SA benefits are well understood, so I'll get straight to the point; however, if anybody doubts the cause, feel free to disagree.
Here is the high level overview on how we can integrate SA into edk2 CI.
Once we agree on a large picture, we can discuss the details.
- Use Open Coverity SA service. The service is free for open source projects. edk2 Open Coverity project already exists:
https://scan.coverity.com/projects/tianocore-edk2
- Update edk2 CI scripts to run analysis once a week
(I'm not proposing running SA on every pull request since the process is time consuming)
- Perform analysis on all the edk2 packages using package DSC files that are used for CI build tests
(Coverity analysis is executed in the course of a specially instrumented project build).
- SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request tianocore-edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using a standard edk2 process (Bugzilla, mailing list).
Side notes:
- Another SA option is a CLANG CodeChecker (https://codechecker.readthedocs.io/en/latest/). However, as far as I'm aware, no hosted CodeChecker service is available and it will be on edk2 community to deploy one.
- It is potentially possible to run incremental Open Coverity scans on each pull request. However, to do so we would need to preserve build process and analyzer output files (essentially, the build folder) across the scans.
-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.