From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-vs1-f49.google.com (mail-vs1-f49.google.com [209.85.217.49]) by mx.groups.io with SMTP id smtpd.web09.11910.1655157291951470564 for ; Mon, 13 Jun 2022 14:54:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=lcQjSHJ4; spf=pass (domain: gmail.com, ip: 209.85.217.49, mailfrom: pedro.falcato@gmail.com) Received: by mail-vs1-f49.google.com with SMTP id f13so7229358vsp.1; Mon, 13 Jun 2022 14:54:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gNMhvLzUjueg9k6AwTLoR6wjvGnDDTwhcb7yZxhhLyw=; b=lcQjSHJ4/cXdg175+zVm1+dti8gaNv7gt3v4FZSISFETQYxx6lIgVoN0VtCnurT6oj iiWG89xeUmTeUHs10Xharfc3yjjOh+CTS6Y0YFySlZElPtYOApjh8hP6YlVt+vOP8Xt8 KvQJ+6/Mschm5dYuR46lOiVXDbJlD6ULvpRCfPLg0thKgVAw2V1//Sh8XYYmAWizsMjg q2nbFy3bQbTgA/JFqTozRkwuoSUhB88G4xTqR3t2yxxS4CS1WLr0ftFGVYEte9DxSGRt QPWVARMVAh/S+6xiorX4CH9DhvpG9WtJ6bCg9MUD40tzg4zh3W8ZyKFZakt09PPX1drA nUTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gNMhvLzUjueg9k6AwTLoR6wjvGnDDTwhcb7yZxhhLyw=; b=THlczQg7H/SNFuwnekE8WMgt7CWfR3Wi6eJ/FL7Zt4VF8NKsxfPdVNLB32Zi6bVeGm emFIG5oSsjcVCvYSryKnfmgj+zeIbU6hhNymnkGr0bKfvIQnXYgjrJonpqSj9quDCpgm 7/vCOzxp4m7g6laEJhUtM15RJgf3hAk8NYbgBirbjIPMSKq5Cd7dVG+kasoiYzk9KMaO DSQ4R3peSb7U66/9cEScluo2nlQ0WIXRFuQLirLbLoueH/ytl2D6t2ajShQlKBiG7ezE Pchwv6Ag8bm4Ov8hMcUYYhsUdXUPJcW4EZvU44CELpt0bF9tCRa95P3YgEj9fuN5lQWm QoZg== X-Gm-Message-State: AJIora+6/iVAsIhdaz/NhtLC6sdosoP2QasLQ3VSILwvpLoHWxbLs8PK MhftOSFixiA7PNyMSxYEDocno+of9gnaOXbX6/QK1ZS6 X-Google-Smtp-Source: AGRyM1tYWmX0dEi3RWQz/V7bwYaa/Ty45ofG4PC/B+9f1kujo0u4ViEoxXTiI+eU/G3IE29wxbJqargQnlBuAnF2esM= X-Received: by 2002:a05:6102:3087:b0:349:ceb5:87ac with SMTP id l7-20020a056102308700b00349ceb587acmr598392vsb.75.1655157290975; Mon, 13 Jun 2022 14:54:50 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "Pedro Falcato" Date: Mon, 13 Jun 2022 22:54:39 +0100 Message-ID: Subject: Re: [edk2-rfc] RFC v2: Static Analysis in edk2 CI To: rfc@edk2.groups.io, "Kinney, Michael D" Cc: "POLUDOV, FELIX" , "devel@edk2.groups.io" Content-Type: multipart/alternative; boundary="00000000000060475a05e15b56ab" --00000000000060475a05e15b56ab Content-Type: text/plain; charset="UTF-8" (Replying under Mike for devel visibility) Felix, Why coverity? I feel like we could run something akin to LLVM's clang-tidy + scan-build; it's open source (transparent *and* we can improve it or add UEFI quirks) and doesn't rely on a third-party service. I'm sure we could figure something out for hosting the thing. Otherwise, looks good to me. Thanks, Pedro On Mon, Jun 13, 2022 at 7:54 PM Michael D Kinney wrote: > +devel@edk2.groups.io > > Mike > > > -----Original Message----- > > From: rfc@edk2.groups.io On Behalf Of Felix > Polyudov via groups.io > > Sent: Monday, June 13, 2022 10:48 AM > > To: rfc@edk2.groups.io > > Cc: Kinney, Michael D > > Subject: [edk2-rfc] RFC v2: Static Analysis in edk2 CI > > > > This is version 2 of the proposal that provides additional details > regarding the bring up process. > > > > The initial version is at https://edk2.groups.io/g/rfc/message/696 > > > > The goal of the proposal is integration of the static analysis (SA) into > the edk2 workflow. > > > > - Use Open Coverity SA service to scan edk2 repository. The service is > free for open source projects. > > edk2 Open Coverity project: > https://scan.coverity.com/projects/tianocore-edk2 > > - Update edk2 CI scripts to run analysis once a week > > - Perform analysis on all the edk2 packages using package DSC files > that are used for CI build tests > > (Coverity analysis is executed in the course of a specially > instrumented project build). > > - SA results are uploaded to scan.coverity.com. To access them one > would need to register on the site and request tianocore- > > edk2 project access. The site can be used to triage the reported issues. > Confirmed issues can be addressed using a standard edk2 > > process (Bugzilla, mailing list). > > - During the initial bring up period, access to the SA results is > restricted to stewards, maintainers, and members of the > > TianoCore InfoSec group, who are encouraged to review reported issues > with the primary goal of identifying security-related > > issues. All such issues should be handled in accordance with the > following guidelines: > > > https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues > > - The initial bring up period ends when embargo for all the identified > security issues ends or after 30 days if no security > > issues have been identified > > - Once brig up period is over, SA results access is open to everybody. > > - The package maintainers should monitor weekly scan results for a newly > reported issues and reach back to original patch > > submitters to resolve them. Package maintainers can revert the patch if > no action is taken by the submitter. > > > > -The information contained in this message may be confidential and > proprietary to American Megatrends (AMI). This communication > > is intended to be read only by the individual or entity to whom it is > addressed or by their designee. If the reader of this > > message is not the intended recipient, you are on notice that any > distribution of this message, in any form, is strictly > > prohibited. Please promptly notify the sender by reply e-mail or by > telephone at 770-246-8600, and then delete or destroy all > > copies of the transmission. > > > > > > > > > > > > > > > -- Pedro Falcato --00000000000060475a05e15b56ab Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
(Replying under Mike for devel visibility)
=
Felix,

Why coverity? I feel like we= could run something akin to LLVM's clang-tidy + scan-build; it's o= pen source (transparent *and* we can improve it or add UEFI quirks) and doe= sn't rely on a third-party service. I'm sure we could figure someth= ing out for hosting the thing. Otherwise, looks good to me.

<= /div>
Thanks,
Pedro

On Mon, Jun 13, 2022 at 7:54 PM = Michael D Kinney <michael.= d.kinney@intel.com> wrote:
+devel@edk2.groups.io

Mike

> -----Original Message-----
> From: rfc@edk2= .groups.io <= rfc@edk2.groups.io> On Behalf Of Felix Polyudov via groups.io
> Sent: Monday, June 13, 2022 10:48 AM
> To: rfc@edk2.g= roups.io
> Cc: Kinney, Michael D <michael.d.kinney@intel.com>
> Subject: [edk2-rfc] RFC v2: Static Analysis in edk2 CI
>
> This is version 2 of the proposal that provides additional details reg= arding the bring up process.
>
> The initial version is at https://edk2.groups.io/g/rfc/= message/696
>
> The goal of the proposal is integration of the static analysis (SA) in= to the edk2 workflow.
>
> - Use Open Coverity SA service to scan edk2 repository. The service is= free for open source projects.
>=C2=A0 =C2=A0 =C2=A0edk2 Open Coverity project: https://scan.coverity.com/projects/tianocore-edk2
> - Update edk2 CI scripts to run analysis once a week
>=C2=A0 =C2=A0 - Perform analysis on all the edk2 packages using package= DSC files that are used for CI build tests
>=C2=A0 =C2=A0 (Coverity analysis is executed in the course of a special= ly instrumented project build).
>=C2=A0 =C2=A0 - SA results are uploaded to scan.coverity.com. To acc= ess them one would need to register on the site and request tianocore-
> edk2 project access. The site can be used to triage the reported issue= s. Confirmed issues can be addressed using a standard edk2
> process (Bugzilla, mailing list).
> - During the initial bring up period, access to the SA results is rest= ricted to stewards, maintainers, and members of the
> TianoCore InfoSec group, who are encouraged to review reported issues = with the primary goal of identifying security-related
> issues. All such issues should be handled in accordance with the follo= wing guidelines:
>=C2=A0 =C2=A0http= s://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues=
> - The initial bring up period ends when embargo for all the identified= security issues ends or after 30 days if no security
> issues have been identified
> - Once brig up period is over, SA results access is open to everybody.=
> - The package maintainers should monitor weekly scan results for a new= ly reported issues and reach back to original patch
> submitters to resolve them. Package maintainers can revert the patch i= f no action is taken by the submitter.
>
> -The information contained in this message may be confidential and pro= prietary to American Megatrends (AMI). This communication
> is intended to be read only by the individual or entity to whom it is = addressed or by their designee. If the reader of this
> message is not the intended recipient, you are on notice that any dist= ribution of this message, in any form, is strictly
> prohibited. Please promptly notify the sender by reply e-mail or by te= lephone at 770-246-8600, and then delete or destroy all
> copies of the transmission.
>
>
>
>








--
Pedro Falcato
--00000000000060475a05e15b56ab--