(Replying under Mike for devel visibility)

Felix,

Why coverity? I feel like we could run something akin to LLVM's clang-tidy + scan-build; it's open source (transparent *and* we can improve it or add UEFI quirks) and doesn't rely on a third-party service. I'm sure we could figure something out for hosting the thing. Otherwise, looks good to me.

Thanks,
Pedro

On Mon, Jun 13, 2022 at 7:54 PM Michael D Kinney <michael.d.kinney@intel.com> wrote:
+devel@edk2.groups.io

Mike

> -----Original Message-----
> From: rfc@edk2.groups.io <rfc@edk2.groups.io> On Behalf Of Felix Polyudov via groups.io
> Sent: Monday, June 13, 2022 10:48 AM
> To: rfc@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: [edk2-rfc] RFC v2: Static Analysis in edk2 CI
>
> This is version 2 of the proposal that provides additional details regarding the bring up process.
>
> The initial version is at https://edk2.groups.io/g/rfc/message/696
>
> The goal of the proposal is integration of the static analysis (SA) into the edk2 workflow.
>
> - Use Open Coverity SA service to scan edk2 repository. The service is free for open source projects.
>     edk2 Open Coverity project: https://scan.coverity.com/projects/tianocore-edk2
> - Update edk2 CI scripts to run analysis once a week
>    - Perform analysis on all the edk2 packages using package DSC files that are used for CI build tests
>    (Coverity analysis is executed in the course of a specially instrumented project build).
>    - SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request tianocore-
> edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using a standard edk2
> process (Bugzilla, mailing list).
> - During the initial bring up period, access to the SA results is restricted to stewards, maintainers, and members of the
> TianoCore InfoSec group, who are encouraged to review reported issues with the primary goal of identifying security-related
> issues. All such issues should be handled in accordance with the following guidelines:
>   https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues
> - The initial bring up period ends when embargo for all the identified security issues ends or after 30 days if no security
> issues have been identified
> - Once brig up period is over, SA results access is open to everybody.
> - The package maintainers should monitor weekly scan results for a newly reported issues and reach back to original patch
> submitters to resolve them. Package maintainers can revert the patch if no action is taken by the submitter.
>
> -The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication
> is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this
> message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly
> prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all
> copies of the transmission.
>
>
>
>








--
Pedro Falcato