On Tue, 2013-12-17 at 13:17 -0500, Rahul Sundaram wrote:
Hi
On Tue, Dec 17, 2013 at 12:47 PM, Daniel P. Berrange wrote:
The issues reported against libvirt all appear to be false positives. Not entirely surprising since we already have coverity run against libvirt code nightly.
Thanks for the quick response. Does Red Hat run it only for packages in RHEL, or is it run against all Fedora packages? If not, would it be possible for Red Hat to do so and publish the results on a regular basis? That might be a useful service.
Nightly Coverity scans for whole Fedora wouldn't work - the RHEL subset of packages is scanned bi-yearly - as the ~1500 C/C++ packages take 21+ days to scan (150M lines of code). Whole Fedora would take ~3 months+. Our RHEL maintainers are notified about the results and are encouraged to share the results with upstreams - many of them do. Publishing them is a bit tricky - I can of course publish them (we scan with cppcheck, enhanced gcc warnings, clang and coverity) - but the reports may contain some attack vectors - and for inactive packages, it would only show the doors to attackers. If you are a community guy (maintainer/upstream) and you are interested in getting the results of the bi-yearly scans, just send me an email with the list of packages you want to get the results for (of course, as I said, we scan only the RHEL set of packages). We are working on open-sourcing this scanning tool based on mock (covering the static analyzers) - so people can use it for their packages more easily. It could even be integrated into the infrastructure somehow, as there is no license limitation.
For non-RHEL packages, I would recommend working with upstream to join http://scan2.coverity.com/ .
In addition, a very beneficial thing is to get the DIFFERENCE between two scans - I would recommend codescan-diff ( https://git.fedorahosted.org/git/codescan-diff.git ) - it was originally designed for the internal Coverity scans, but now it has support for various static analyzers.
Greetings, Ondrej Vasik
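The point about diffing two scans, as an added illustration that is not part of the thread and not code from codescan-diff itself: the script below takes two static-analyzer reports in the gcc-style `file:line:col: warning: message [-Wflag]` line format (an assumption; cppcheck and clang can be made to print similar lines) and reports which findings were introduced, fixed, or carried over between two releases of a package. The key design choice, and the reason a plain textual `diff` is not enough, is that line and column numbers are dropped from the comparison key, so a finding that merely moved because code above it changed is not reported as both "fixed" and "new". The sample report lines are constructed for the example.

```python
import re
from collections import Counter

# One finding per line, gcc-style (assumed input format for this example):
#   src/foo.c:42:10: warning: unused variable 'x' [-Wunused-variable]
FINDING_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+)(?::(?P<col>\d+))?:\s*"
    r"(?P<level>warning|error|note):\s*(?P<msg>.*?)\s*"
    r"(?:\[(?P<checker>[^\]]+)\])?$"
)


def parse_finding(line):
    """Parse one report line; return None for lines that are not findings."""
    m = FINDING_RE.match(line.strip())
    if not m:
        return None
    return {
        "file": m.group("file"),
        "line": int(m.group("line")),
        "col": int(m.group("col")) if m.group("col") else None,
        "level": m.group("level"),
        "msg": m.group("msg"),
        "checker": m.group("checker") or "",
    }


def finding_key(finding):
    """Identity of a finding across scans: line/column deliberately excluded,
    because code shifts between releases and would otherwise produce
    a spurious 'fixed' plus 'new' pair for every moved warning."""
    return (finding["file"], finding["level"], finding["checker"], finding["msg"])


def diff_scans(old_lines, new_lines):
    """Return (added, fixed, unchanged) as Counters keyed by finding_key.

    Counters give multiset semantics: if the same warning appears twice in
    the new scan and once in the old one, exactly one copy is reported as new.
    """
    old = Counter(finding_key(f) for f in map(parse_finding, old_lines) if f)
    new = Counter(finding_key(f) for f in map(parse_finding, new_lines) if f)
    return new - old, old - new, old & new


def summarize(added, fixed, unchanged):
    """Human-readable summary, newest-introduced findings first: that is
    what a maintainer actually wants to look at after an upgrade."""
    out = [f"new: {sum(added.values())}, fixed: {sum(fixed.values())}, "
           f"unchanged: {sum(unchanged.values())}"]
    for key, n in sorted(added.items()):
        out.append(f"  + {key[0]}: {key[1]}: {key[3]} [{key[2]}] x{n}")
    for key, n in sorted(fixed.items()):
        out.append(f"  - {key[0]}: {key[1]}: {key[3]} [{key[2]}] x{n}")
    return "\n".join(out)


# Constructed sample reports for two releases of an imaginary package.
OLD_SCAN = [
    "src/parse.c:120:5: warning: 'buf' may be used uninitialized [-Wmaybe-uninitialized]",
    "src/net.c:88:12: warning: comparison between signed and unsigned [-Wsign-compare]",
    "src/net.c:301:9: warning: unused variable 'rc' [-Wunused-variable]",
]
NEW_SCAN = [
    # same issue, code moved 14 lines down: must NOT show up as fixed+new
    "src/parse.c:134:5: warning: 'buf' may be used uninitialized [-Wmaybe-uninitialized]",
    "src/net.c:95:12: warning: comparison between signed and unsigned [-Wsign-compare]",
    # genuinely new finding in a new file
    "src/main.c:17:3: warning: format '%d' expects argument of type 'int' [-Wformat=]",
    # analyzer chatter that is not a finding; parser skips it
    "In function 'main':",
]

if __name__ == "__main__":
    print(summarize(*diff_scans(OLD_SCAN, NEW_SCAN)))
```

Running the block prints one new finding (the `-Wformat=` warning in `src/main.c`), one fixed finding (the unused `rc` in `src/net.c`), and two unchanged ones, even though both unchanged warnings changed line numbers. Keying on file, level, checker and message is a deliberate trade-off: it cannot distinguish two identical messages in the same file that are really separate defects, which is why the Counter keeps a count per key rather than collapsing them.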