From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: Theodore Ts'o <tytso@mit.edu>
Cc: Junio C Hamano <gitster@pobox.com>,
	Markus Vervier <markus.vervier@x41-dsec.de>,
	git@vger.kernel.org
Subject: Re: Covierty Integration / Improvement
Date: Mon, 04 Apr 2022 12:14:54 +0200
Message-ID: <220404.86h779jfws.gmgdl@evledraar.gmail.com>
In-Reply-To: <Ykoqxx40Fk0DiF9i@mit.edu>


COVID19 is spreading via E-Mail now? It's $subject =~
s/Covierty/Coverity/g :)

On Sun, Apr 03 2022, Theodore Ts'o wrote:

> On Sun, Apr 03, 2022 at 02:36:22PM -0700, Junio C Hamano wrote:
>> I have old e-mails from the scan-admin@coverity.com but the last one
>> seems to be from late June 2018, which is ages ago in Git timescale.
>> I do not recall us paying for such a service so I am guessing that
>> they had some program that open source projects can enroll, get our
>> public sources scanned and get the result sent back?
>
> Yep, that's the way it works.  Someone has to use tools provided by
> them to build the open source project and upload the results for them
> to analyze.  Coverity predates github, so it's not new-fangled enough
> to automatically pull sources from repositories; besides, their paying
> customers tend to be using their tool for their proprietary software,
> so they haven't had any incentive to create an auto-analyze tool that
> pulls from an open source repository.
>
> Some folks at Red Hat do have scripts run out of crontab, that will
> monitor git branches on projects that they are interested in and when
> they notice that the branch has been updated, they will build and
> upload the raw material used by Coverity to their dashboard.  Eric
> Sandeen has been doing this for e2fsprogs, and a few other file system
> related repos, and I suspect if someone asked, he would probably be
> willing to provide the scripts that he uses.
>
> You do need to be the project admin, or someone authorized by the
> project admin, to upload new data for Coverity, or to look at the
> analysis of the Coverity results.  I have no idea who the project
> admin is for git, but I'm sure if you, as the Git maintainer showed up
> and requested to be added as one of the project admin, the open source
> ombudsperson (I don't remember the exact title, but they do have
> someone who interfaces with OSS projects), would be happy to oblige.

Per
https://lore.kernel.org/git/YarO3nkrutmWF7nb@coredump.intra.peff.net/
Jeff ran this from his fork, I'm not sure if that was because he set
something up in the git/git organization, or if by project admin you
mean that any fork of it can set this up on their own.

>> https://scan.coverity.com/projects/git/ (visible without signing in)
>> seems to match my recollection. They haven't been scanning since
>> late June 2018.  I wasn't the primary developer who registered us or
>> who has been reading these reports but if I recall correctly, we
>> weren't doing anything custom, and fell somewhere between just "we
>> are curious to see how well Coverity works" and "Yay, a free
>> offering. We have nothing to lose, other than our time, to sign
>> ourselves up and if it comes up with useful scan result that would
>> be good".
>
> My experience with e2fsprogs is that it does have a fair amount of
> false positives, but I've been willing to wade through the false
> positives, and mark them as such in their web dashboard, because the
> early warnings it gives when we've pushed new code that has a
> potential security problem is worth it.  But make no mistake, it
> definitely requires a certain amount of maintainer time to work with
> the tool.

Yes, also per the linked-above output it's quite noisy, but there looked
to be some legitimate and hard-to-find issues in those reports. It would
be nice to get them running with some regularity on our main branches.
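The cron-driven poll/build/upload loop Ted describes above, written out as an added shell example. This is not the Red Hat scripts he mentions and not anything from the thread; the `cov-build` invocation and the multipart upload to `scan.coverity.com` are assumptions based on Coverity Scan's public upload instructions, and `REPO_URL`, `WORKDIR`, `COVERITY_PROJECT` and the environment variable names are placeholders. The credential is read from the environment rather than written into the script, so the script itself can live in a public repository.

```shell
#!/bin/sh
# Added example: poll one branch from cron and, only when its tip has
# moved since the last successful upload, run a Coverity build and push
# the result to Coverity Scan.  cov-build and the upload form are
# assumptions based on Coverity Scan's published instructions.
set -eu

REPO_URL="${REPO_URL:-https://github.com/git/git}"      # placeholder
BRANCH="${BRANCH:-master}"
WORKDIR="${WORKDIR:-${HOME:-/tmp}/coverity-scan/git}"   # placeholder
STATE_FILE="$WORKDIR/last-uploaded-sha"
PROJECT="${COVERITY_PROJECT:-git}"                      # placeholder

# A new scan is needed only when the remote tip is known and differs from
# the SHA we uploaded last time.  Exit status 0 means "changed".
tip_changed() {
    last="$1"; current="$2"
    [ -n "$current" ] && [ "$last" != "$current" ]
}

# SHA-1 of refs/heads/$2 in repository $1, without cloning anything.
remote_tip() {
    git ls-remote "$1" "refs/heads/$2" | cut -f1
}

# SHA recorded by the previous successful upload; empty on the first run.
last_uploaded() {
    if [ -f "$STATE_FILE" ]; then cat "$STATE_FILE"; fi
}

# Check out the tip, build under cov-build and upload the tarball.  Token
# and e-mail come only from the environment (e.g. a mode-0600 file that
# the cron entry sources), never from this file, and the tarball is
# deleted afterwards.  The state file is written only after curl succeeds,
# so a failed upload is retried on the next cron run.
build_and_upload() {
    sha="$1"
    : "${COVERITY_TOKEN:?COVERITY_TOKEN must be set in the environment}"
    : "${COVERITY_EMAIL:?COVERITY_EMAIL must be set in the environment}"
    src="$WORKDIR/src"
    if [ ! -d "$src/.git" ]; then
        git clone --quiet "$REPO_URL" "$src"
    fi
    git -C "$src" fetch --quiet origin "$BRANCH"
    git -C "$src" checkout --quiet --detach "$sha"
    cd "$src"
    rm -rf cov-int
    cov-build --dir cov-int make            # assumption: cov-build on PATH
    tar czf "$WORKDIR/cov-int.tgz" cov-int
    curl --fail --silent --show-error \
        --form "token=$COVERITY_TOKEN" \
        --form "email=$COVERITY_EMAIL" \
        --form "file=@$WORKDIR/cov-int.tgz" \
        --form "version=$sha" \
        --form "description=$BRANCH@$sha" \
        "https://scan.coverity.com/builds?project=$PROJECT"
    rm -f "$WORKDIR/cov-int.tgz"
    printf '%s\n' "$sha" > "$STATE_FILE"
}

main() {
    mkdir -p "$WORKDIR"
    current=$(remote_tip "$REPO_URL" "$BRANCH")
    last=$(last_uploaded)
    if tip_changed "$last" "$current"; then
        build_and_upload "$current"
    fi
}

# Runs only when invoked with COVERITY_RUN=1, e.g. from a crontab entry:
#   0 */6 * * * . "$HOME/.coverity.env" && COVERITY_RUN=1 /path/to/coverity-poll.sh
if [ "${COVERITY_RUN:-0}" = 1 ]; then
    main
fi
```

Polling `git ls-remote` rather than keeping a clone fetched means the cheap no-op path (nothing changed) touches no working tree, and recording the SHA only after the upload returns success keeps a transient failure from silently skipping a revision.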
