git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / mirror / code / Atom feed
From: "Theodore Ts'o" <tytso@mit.edu>
To: Junio C Hamano <gitster@pobox.com>
Cc: Markus Vervier <markus.vervier@x41-dsec.de>, git@vger.kernel.org
Subject: Re: Covierty Integration / Improvement
Date: Sun, 3 Apr 2022 19:16:23 -0400	[thread overview]
Message-ID: <Ykoqxx40Fk0DiF9i@mit.edu> (raw)
In-Reply-To: <xmqqbkxhvoh5.fsf@gitster.g>

On Sun, Apr 03, 2022 at 02:36:22PM -0700, Junio C Hamano wrote:
> I have old e-mails from the scan-admin@coverity.com but the last one
> seems to be from late June 2018, which is ages ago in Git timescale.
> I do not recall us paying for such a service so I am guessing that
> they had some program that open source projects can enroll, get our
> public sources scanned and get the result sent back?

Yep, that's the way it works.  Someone has to use tools provided by
them to build the open source project and upload the results for them
to analyze.  Coverity predates github, so it's not new-fangled enough
to automatically pull sources from repositories; besides, their paying
customers tend to be using their tool for their proprietary software,
so they haven't had any incentive to create an auto-analyze tool that
pulls from an open source repository.

Some folks at Red Hat do have scripts run out of crontab, that will
monitor git branches on projects that they are interested in and when
they notice that the branch has been updated, they will build and
upload the raw material used by Coverity to their dashboard.  Eric
Sandeen has been doing this for e2fsprogs, and a few other file system
related repo's, and I suspect if someone asked, he would probably be
willing to provide the scripts that he uses.

You do need to be the project admin, or someone authorized by the
project admin, to upload new data for Coverity, or to look at the
analysis of the Coverity results.  I have no idea who the project
admin is for git, but I'm sure if you, as the Git maintainer showed up
and requested to be added as one of the project admin, the open source
ombudsperson (I don't remember the exact title, but they do have
someone who interfaces with OSS projects), would be happy to oblige.

> https://scan.coverity.com/projects/git/ (visible without signing in)
> seems to match my recollection. They haven't been scanning since
> late June 2018.  I wasn't the primary developer who registered us or
> who has been reading these reports but if I recall correctly, we
> weren't doing anything custom, and fell somewhere between just "we
> are curious to see how well Coverity works" and "Yay, a free
> offering. We have nothing to lose, other than our time, to sign
> ourselves up and if it comes up with useful scan result that would
> be good".

My experience with e2fsprogs is that it does have a fair amount of
false positives, but I've been willing to wade through the false
positives, and mark them as such in their web dashboard, because the
early warnings it gives when we've pushed new code that has a
potential security problem is worth it.  But make no mistake, it
definitely requires a certain amount of maintainer time work with the
tool.

Cheers,

						- Ted

  reply	other threads:[~2022-04-03 23:16 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-01 20:49 Markus Vervier
2022-04-03 21:36 ` Junio C Hamano
2022-04-03 23:16   ` Theodore Ts'o [this message]
2022-04-04 10:14     ` Ævar Arnfjörð Bjarmason
2022-04-05 22:22     ` Johannes Schindelin
2022-04-05 22:17 ` Johannes Schindelin
2022-04-06 15:08   ` Johannes Schindelin
2022-04-06 17:55     ` Theodore Ts'o
2022-04-06 20:20       ` Junio C Hamano
2022-04-07 11:49       ` Johannes Schindelin
2022-04-07  7:21   ` Markus Vervier
2022-04-07 11:58     ` Johannes Schindelin
     [not found]       ` <CAJY0qZLwQJ_6Me1em4X6M=YJb0O2+7rSYeKisLFOGH7_BW3Lww@mail.gmail.com>
     [not found]         ` <CAJY0qZJaBvwA19PN=Gm4c5gSVqYYBOoVwgF=1mZTNEjmXFSc7A@mail.gmail.com>
2022-05-10 17:46           ` Derek Zimmer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Ykoqxx40Fk0DiF9i@mit.edu \
    --to=tytso@mit.edu \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=markus.vervier@x41-dsec.de \
    --subject='Re: Covierty Integration / Improvement' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).