From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Rebecca Cran" <rebecca@bsdio.com>
Date: Mon, 13 Jun 2022 16:59:33 -0600
Subject: Re: [edk2-rfc] RFC v2: Static Analysis in edk2 CI
To: rfc@edk2.groups.io, pedro.falcato@gmail.com, "Kinney, Michael D"
Cc: "POLUDOV, FELIX", "devel@edk2.groups.io"
Message-ID: <9afb0946-a585-18b9-0e8f-6faaaf1516bf@bsdio.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

LLVM's tools also appear to be much easier to review, for other people to
run etc. I'd suggest at least starting with clang-tidy + scan-build and
possibly adding Coverity later.
I've found the Coverity tools, while very powerful, tend to get ignored
after a while because it's quite a process to keep it running, go through
the issues it detects and keep the database up-to-date etc.

-- 
Rebecca Cran

On 6/13/22 15:54, Pedro Falcato wrote:
> (Replying under Mike for devel visibility)
>
> Felix,
>
> Why Coverity? I feel like we could run something akin to LLVM's clang-tidy
> + scan-build; it's open source (transparent *and* we can improve it or add
> UEFI quirks) and doesn't rely on a third-party service. I'm sure we could
> figure something out for hosting the thing. Otherwise, looks good to me.
>
> Thanks,
> Pedro
>
> On Mon, Jun 13, 2022 at 7:54 PM Michael D Kinney wrote:
>
>> +devel@edk2.groups.io
>>
>> Mike
>>
>>> -----Original Message-----
>>> From: rfc@edk2.groups.io On Behalf Of Felix Polyudov via groups.io
>>> Sent: Monday, June 13, 2022 10:48 AM
>>> To: rfc@edk2.groups.io
>>> Cc: Kinney, Michael D
>>> Subject: [edk2-rfc] RFC v2: Static Analysis in edk2 CI
>>>
>>> This is version 2 of the proposal that provides additional details
>>> regarding the bring up process.
>>> The initial version is at https://edk2.groups.io/g/rfc/message/696
>>>
>>> The goal of the proposal is integration of the static analysis (SA)
>>> into the edk2 workflow.
>>> - Use Open Coverity SA service to scan edk2 repository. The service is
>>>   free for open source projects.
>>>   edk2 Open Coverity project:
>>>   https://scan.coverity.com/projects/tianocore-edk2
>>> - Update edk2 CI scripts to run analysis once a week
>>> - Perform analysis on all the edk2 packages using package DSC files
>>>   that are used for CI build tests
>>>   (Coverity analysis is executed in the course of a specially
>>>   instrumented project build).
>>> - SA results are uploaded to scan.coverity.com. To access them one
>>>   would need to register on the site and request tianocore-edk2
>>>   project access. The site can be used to triage the reported issues.
>>>   Confirmed issues can be addressed using a standard edk2 process
>>>   (Bugzilla, mailing list).
>>> - During the initial bring up period, access to the SA results is
>>>   restricted to stewards, maintainers, and members of the TianoCore
>>>   InfoSec group, who are encouraged to review reported issues with the
>>>   primary goal of identifying security-related issues. All such issues
>>>   should be handled in accordance with the following guidelines:
>>>   https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues
>>> - The initial bring up period ends when embargo for all the identified
>>>   security issues ends or after 30 days if no security issues have
>>>   been identified
>>> - Once the bring up period is over, SA results access is open to
>>>   everybody.
>>> - The package maintainers should monitor weekly scan results for newly
>>>   reported issues and reach back to original patch submitters to
>>>   resolve them. Package maintainers can revert the patch if no action
>>>   is taken by the submitter.
>>>
>>> The information contained in this message may be confidential and
>>> proprietary to American Megatrends (AMI). This communication is
>>> intended to be read only by the individual or entity to whom it is
>>> addressed or by their designee. If the reader of this message is not
>>> the intended recipient, you are on notice that any distribution of
>>> this message, in any form, is strictly prohibited. Please promptly
>>> notify the sender by reply e-mail or by telephone at 770-246-8600, and
>>> then delete or destroy all copies of the transmission.
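The last bullet of the proposal, and Rebecca's point about Coverity results being ignored once the backlog grows, both come down to one mechanic: a weekly scan is only actionable if maintainers see what a recent patch introduced rather than the whole accumulated list. Below is an added example of that baseline diff, written for the clang-tidy / scan-build style text diagnostics Pedro and Rebecca suggest. It is not code from edk2, its CI scripts, Coverity or the LLVM tools. The two runs, the package and file names, and the warning texts are constructed for illustration and are not real edk2 findings; fingerprinting a finding by file, check name and message (deliberately without the line number) is a design assumption of this example, not a convention of either tool.

```python
"""Baseline diff for static-analysis findings (added example, hypothetical).

Parses clang-tidy / scan-build style text diagnostics from two runs and reports
which findings are new since the baseline and which were resolved, so that a
weekly CI scan can flag only what a recent patch introduced.
"""
import re
from collections import Counter, defaultdict

# One diagnostic per line, the format clang-tidy and gcc/clang use:
#   path:line:col: warning|error: message [check-name]
# 'note:' lines and the indented source/caret context printed after a
# diagnostic do not match and are ignored.
DIAG_RE = re.compile(
    r"^(?P<file>[^:\s][^:]*):(?P<line>\d+):(?P<col>\d+): "
    r"(?P<sev>warning|error): (?P<msg>.*?)(?: \[(?P<check>[^\]]+)\])?$"
)

# Constructed sample output of a baseline run and of the current weekly run.
# Package and file names are invented; these are not edk2 findings.
BASELINE_RUN = """\
ExamplePkg/Library/BufLib/Buf.c:120:7: warning: Potential leak of memory pointed to by 'Buffer' [clang-analyzer-unix.Malloc]
ExamplePkg/Core/Mem/Page.c:45:3: warning: Value stored to 'Status' is never read [clang-analyzer-deadcode.DeadStores]
ExamplePkg/Core/Mem/Page.c:45:3: note: Value stored to 'Status' is never read
  Status = AllocatePage (&Page);
  ^
"""

# Same leak, shifted 11 lines by an unrelated edit; dead store fixed; one new finding.
CURRENT_RUN = """\
ExamplePkg/Library/BufLib/Buf.c:131:7: warning: Potential leak of memory pointed to by 'Buffer' [clang-analyzer-unix.Malloc]
ExamplePkg/Net/Tcp/Input.c:88:5: warning: Null pointer passed to 1st parameter expecting 'nonnull' [clang-analyzer-core.NonNullParamChecker]
ExamplePkg/Net/Tcp/Input.c:80:3: note: Assuming 'Segment' is null
"""


def parse_diagnostics(text):
    """Return one dict per warning/error line, in file order."""
    found = []
    for raw in text.splitlines():
        m = DIAG_RE.match(raw.rstrip())   # rstrip only: leading blanks mark context lines
        if m:
            d = m.groupdict()
            d["line"], d["col"] = int(d["line"]), int(d["col"])
            found.append(d)
    return found


def fingerprint(d):
    """Identity of a finding for comparison across runs (assumption of this example).

    Line and column are left out on purpose: an unrelated edit above the finding
    shifts it, and it must not come back as 'new' the following week.
    """
    return (d["file"], d["check"] or d["sev"], d["msg"])


def _only_in_second(first_text, second_text):
    """Findings of second_text not matched, as a multiset, by first_text."""
    pool = Counter(fingerprint(d) for d in parse_diagnostics(first_text))
    extra = []
    for d in parse_diagnostics(second_text):
        fp = fingerprint(d)
        if pool[fp] > 0:
            pool[fp] -= 1          # matched an occurrence already in the first run
        else:
            extra.append(d)        # brand new, or one more copy than before
    return extra


def new_findings(baseline_text, current_text):
    """Findings the current run reports that the baseline did not."""
    return _only_in_second(baseline_text, current_text)


def resolved_findings(baseline_text, current_text):
    """Findings the baseline reported that the current run no longer does."""
    return _only_in_second(current_text, baseline_text)


def report(baseline_text, current_text):
    """Plain-text summary grouped by file, the view a package maintainer would read."""
    by_file = defaultdict(list)
    for d in new_findings(baseline_text, current_text):
        by_file[d["file"]].append(d)
    lines = [f"{sum(len(v) for v in by_file.values())} new finding(s)"]
    for path in sorted(by_file):
        lines.append(path)
        for d in by_file[path]:
            lines.append(f"  {d['line']}:{d['col']} {d['sev']}: {d['msg']} [{d['check']}]")
    lines.append(f"{len(resolved_findings(baseline_text, current_text))} resolved")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE_RUN, CURRENT_RUN))
```

Multiset matching matters for the copy-paste case: if a second occurrence of an already-known finding appears in the same file with the same message, it is still reported as new rather than hidden behind the baseline entry. The resolved list is the cheap way to spot a checker that silently stopped running, which would otherwise look like a very good week.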