* Re: RFC: Static Analysis in edk2 CI
[not found] <BN0PR10MB498130E1BE979F56FB6025E0DECE9@BN0PR10MB4981.namprd10.prod.outlook.com>
@ 2021-11-03 15:30 ` Michael D Kinney
0 siblings, 0 replies; only message in thread
From: Michael D Kinney @ 2021-11-03 15:30 UTC (permalink / raw)
To: rfc@edk2.groups.io, felixp@ami.com, devel@edk2.groups.io, Kinney, Michael D
Hi Felix,
I think this is a great idea to add this to edk2 CI.
I recommend we focus initially on a full scan once a week to get started.
If we see lots of escapes, we can evaluate how to enable the scan on a submitted PR.
What do you need from the community to move this proposal forward?
Thanks,
Mike
> -----Original Message-----
> From: rfc@edk2.groups.io <rfc@edk2.groups.io> On Behalf Of Felix Polyudov via groups.io
> Sent: Wednesday, September 1, 2021 5:53 PM
> To: rfc@edk2.groups.io
> Subject: [edk2-rfc] RFC: Static Analysis in edk2 CI
>
> I would like to start a discussion regarding integration of the static analysis (SA) into the edk2 workflow.
> I assume the SA benefits are well understood, so I'll get straight to the point; however, if anybody doubts the cause,
> feel free to disagree.
> Here is the high level overview on how we can integrate SA into edk2 CI.
> Once we agree on a large picture, we can discuss the details.
>
> - Use the Open Coverity SA service. The service is free for open source projects. An edk2 Open Coverity project already exists:
> https://scan.coverity.com/projects/tianocore-edk2
> - Update edk2 CI scripts to run analysis once a week
> (I'm not proposing running SA on every pull request since the process is time consuming)
> - Perform analysis on all the edk2 packages using package DSC files that are used for CI build tests
> (Coverity analysis is executed in the course of a specially instrumented project build).
> - SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request
> tianocore-edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using
> a standard edk2 process (Bugzilla, mailing list).
>
> Side notes:
> - Another SA option is Clang CodeChecker (https://codechecker.readthedocs.io/en/latest/). However, as far as I'm aware,
> no hosted CodeChecker service is available, and it would be on the edk2 community to deploy one.
> - It is potentially possible to run incremental Open Coverity scans on each pull request. However, to do so we would need
> to preserve build process and analyzer output files (essentially, the build folder) across the scans.
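As an added illustration of the weekly-scan part of the proposal (example code, not from the RFC or from edk2's own CI), here is a scheduled GitHub Actions workflow that wraps the package-DSC CI build in cov-build and uploads the result to the tianocore-edk2 project on scan.coverity.com. The secret names, the stuart invocation and the package list are assumptions.

```yaml
# Added example, not part of the RFC or of edk2's CI: a weekly Coverity scan of edk2.
# Assumed: repository secrets COVERITY_TOKEN and COVERITY_EMAIL exist; the stuart
# commands and package list below only illustrate the package-DSC CI build.
name: coverity-weekly-scan

on:
  schedule:
    - cron: '0 3 * * 0'      # full scan once a week (Sunday 03:00 UTC), not per PR
  workflow_dispatch:         # allow a manual run when triaging findings

permissions:
  contents: read             # the job only reads the tree; results go to Coverity

jobs:
  coverity:
    runs-on: ubuntu-latest
    env:
      PROJECT: tianocore-edk2
      COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }}   # assumed secret
      COVERITY_EMAIL: ${{ secrets.COVERITY_EMAIL }}   # assumed secret
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive

      - name: Fetch the Coverity Scan build tool (cov-build)
        run: |
          curl -fsSL -d "token=${COVERITY_TOKEN}&project=${PROJECT}" \
               -o cov-tool.tgz https://scan.coverity.com/download/linux64
          mkdir cov-tool && tar -xzf cov-tool.tgz --strip-components=1 -C cov-tool
          echo "$PWD/cov-tool/bin" >> "$GITHUB_PATH"

      - name: Instrumented build of the CI package DSCs
        run: |
          pip install --upgrade -r pip-requirements.txt
          stuart_setup  -c .pytool/CISettings.py
          stuart_update -c .pytool/CISettings.py
          # cov-build records every compiler call the normal CI build makes
          cov-build --dir cov-int \
            stuart_ci_build -c .pytool/CISettings.py -t DEBUG \
              -p MdePkg,MdeModulePkg TOOL_CHAIN_TAG=GCC5

      - name: Upload results to scan.coverity.com for triage
        run: |
          tar -czf cov-int.tgz cov-int
          curl -fsS --form token="${COVERITY_TOKEN}" \
               --form email="${COVERITY_EMAIL}" \
               --form file=@cov-int.tgz \
               --form version="${GITHUB_SHA}" \
               --form description="weekly full scan" \
               "https://scan.coverity.com/builds?project=${PROJECT}"
```

Findings then appear on the project page for registered users to triage, and confirmed ones can be filed through the usual Bugzilla and mailing-list process.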