Static Analysis: results of FUDcon Lawrence hackfest

Alec Leamas leamas.alec at gmail.com
Thu Jan 24 22:39:09 UTC 2013 

On 2013-01-24 22:03, David Malcolm wrote:
> On Thu, 2013-01-24 at 18:11 +0100, Alec Leamas wrote:
>> On 2013-01-24 17:44, David Malcolm wrote:
>>> Michael Hrivnak and I spent some time at FUDcon Lawrence looking at
>>> static code analysis.
>>>
>>> We hacked on the proposed common format for analysis tools (aka
>>> "firehose").
>>>
>> [cut]
>>
>>> The plan is that the interchange format can be uploaded into a web
>>> UI/database, so that we can:
>>> * scan the entire distro
>>> * compare warnings: e.g. what new warnings appear in a package rebuild?
>>> * have a consistent interface for marking warnings as false positives
>>> * come up with some subset of the warnings that we care about
>>> * etc
>>>
>> [cut]
>>
>> Probably off-topic, but just my 5c...  There are similar checks done by
>> fedora.-review, basically running spec conformance tests that doesn't
>> require a complete build  (performance reasons), boiling down to a list
>> of warnings. These are not directly tied to specific code, only the spec
>> file and never a specific line.  Still, the thought of of getting this
>> in the overall status for a package comes into my mind when I read this.
> That occurred to me as well.  It would probably be possible to run
> rpmlint during "mock-with-analysis" and capture the results.
>
> I've been trying to focus on *source code* warnings to avoid scope
> creep, but this does seem highly relevant to Fedora, so presumably the
> scope could be widened to include warnings about the specfile, and about
> artefacts that end in the package payload, and the package metadata.
>
>
>> To let fedora-review output some XML instead of current text-based
>> report. would be simple. But is there any value in it?  See the package
>> guideline violations that can be detected automatically in the same
>> database and web GUI?! Enclose not just source files but also overall
>> package analyze output (rpmlint comes to my mind)?
>>
>> Perhaps...
> Great idea.  Is it fully automated?  That's what we'd need in order to
> sanely run it within "mock-with-analysis"
>

Yes, it.s just a python script.  I see no major problem besides the 
output format, which certainly need to be something else than current 
text aimed to be pasted in bugzilla.

One thing is that f-r can make more conclusions if it has access to the 
build directory. In a normal invocation it does a complete rebuild of 
the package using mock  (and also installs it + runs rpmlint on 
installed pkg). In this scenario it works as best. Here, it would mean 
that the complete mock rebuild would be run by f-r, with proper options 
for other static analyze tools.

 From my perspective this is somewhat tempting. f-r has a plugin 
concept, so the static analyze steps could be defined as f-r plugins 
with dependencies and ordering. But this is certainly not obvious.

The other way to use f-r is to avoid the build step, running it after 
the static analyze mock rebuild. This somewhat criples f-r. We'll need 
some fixes e. g.,  to run rpmlint, nothing that tricky.

So, some discussions on the overall framework when combining the other 
tools with f-r is needed.  Nothing that complicated though, I guess.

--a

More information about the devel mailing list