From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: Theodore Ts'o <tytso@mit.edu>
Cc: Junio C Hamano <gitster@pobox.com>,
	Markus Vervier <markus.vervier@x41-dsec.de>,
	git@vger.kernel.org
Subject: Re: Covierty Integration / Improvement
Date: Mon, 04 Apr 2022 12:14:54 +0200
Message-ID: <220404.86h779jfws.gmgdl@evledraar.gmail.com>
In-Reply-To: <Ykoqxx40Fk0DiF9i@mit.edu>


COVID19 is spreading via E-Mail now? It's $subject =~
s/Covierty/Coverity/g :)

On Sun, Apr 03 2022, Theodore Ts'o wrote:

> On Sun, Apr 03, 2022 at 02:36:22PM -0700, Junio C Hamano wrote:
>> I have old e-mails from the scan-admin@coverity.com but the last one
>> seems to be from late June 2018, which is ages ago in Git timescale.
>> I do not recall us paying for such a service so I am guessing that
>> they had some program that open source projects can enroll, get our
>> public sources scanned and get the result sent back?
>
> Yep, that's the way it works.  Someone has to use tools provided by
> them to build the open source project and upload the results for them
> to analyze.  Coverity predates github, so it's not new-fangled enough
> to automatically pull sources from repositories; besides, their paying
> customers tend to be using their tool for their proprietary software,
> so they haven't had any incentive to create an auto-analyze tool that
> pulls from an open source repository.
>
> Some folks at Red Hat do have scripts run out of crontab, that will
> monitor git branches on projects that they are interested in and when
> they notice that the branch has been updated, they will build and
> upload the raw material used by Coverity to their dashboard.  Eric
> Sandeen has been doing this for e2fsprogs, and a few other file system
> related repos, and I suspect if someone asked, he would probably be
> willing to provide the scripts that he uses.
>
> You do need to be the project admin, or someone authorized by the
> project admin, to upload new data for Coverity, or to look at the
> analysis of the Coverity results.  I have no idea who the project
> admin is for git, but I'm sure if you, as the Git maintainer showed up
> and requested to be added as one of the project admin, the open source
> ombudsperson (I don't remember the exact title, but they do have
> someone who interfaces with OSS projects), would be happy to oblige.

Per
https://lore.kernel.org/git/YarO3nkrutmWF7nb@coredump.intra.peff.net/
Jeff ran this from his fork, I'm not sure if that was because he set
something up in the git/git organization, or if by project admin you
mean that any fork of it can set this up on their own.

>> https://scan.coverity.com/projects/git/ (visible without signing in)
>> seems to match my recollection. They haven't been scanning since
>> late June 2018.  I wasn't the primary developer who registered us or
>> who has been reading these reports but if I recall correctly, we
>> weren't doing anything custom, and fell somewhere between just "we
>> are curious to see how well Coverity works" and "Yay, a free
>> offering. We have nothing to lose, other than our time, to sign
>> ourselves up and if it comes up with useful scan result that would
>> be good".
>
> My experience with e2fsprogs is that it does have a fair amount of
> false positives, but I've been willing to wade through the false
> positives, and mark them as such in their web dashboard, because the
> early warnings it gives when we've pushed new code that has a
> potential security problem is worth it.  But make no mistake, it
> definitely requires a certain amount of maintainer time to work with
> the tool.

Yes, also per the linked-above output it's quite noisy, but there looked
to be some legitimate and hard-to-find issues in those reports. It would
be nice to get them running with some regularity on our main branches.
