From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Markus Vervier <markus.vervier@x41-dsec.de>
Cc: git@vger.kernel.org, Derek Zimmer <derek@ostif.org>
Subject: Re: Covierty Integration / Improvement
Date: Thu, 7 Apr 2022 13:58:31 +0200 (CEST)
Message-ID: <nycvar.QRO.7.76.6.2204071350080.347@tvgsbejvaqbjf.bet>
In-Reply-To: <6cb10d5e-d8f2-0d7e-a15a-4728466e0c21@x41-dsec.de>

Hi Markus,

On Thu, 7 Apr 2022, Markus Vervier wrote:

> On 4/6/22 00:17, Johannes Schindelin wrote:
> > On Fri, 1 Apr 2022, Markus Vervier wrote:
> > > X41 is processing the current RfP
> > would you kindly provide a bit more context? This seems to come right out
> > of left field. Is "RfP" a "Request for Proposals"? If so, I am not aware
> > that the git developer team submitted one...
>
> thank you and everyone else for their comments. To clear up the context:
>
> The OSTIF (https://ostif.org) is organizing a security audit for git
> and one of the questions was about Coverity and if the results it gave in the
> past could be verified and/or improved.

Thank you for the context!

If OSTIF can help us get better support from Coverity (as you can see at
https://github.com/git-for-windows/build-extra/commit/23eea104 I could
have wished for a better experience there), I am all for it!

Out of curiosity: are you (or is OSTIF) affiliated with Synopsys somehow?

If not, have you considered whether you could help us get comprehensive
CodeQL coverage instead? Theoretically, CodeQL should be able to do the
same as Coverity, while allowing us to tweak the analysis in a lot more
powerful ways than Coverity (most notably, it should allow us to reduce
the number of false positives rather dramatically).

It is the number of knobs CodeQL allows that has looked too daunting for
me to give it more than a cursory try [*1*].

Thank you,
Johannes

Footnote *1*: I had played with CodeQL last year but was called away to a
more pressing project, therefore this is woefully incomplete:
https://github.com/git-for-windows/git/compare/main...dscho:codeql
