<div dir="ltr"><div class="gmail_default" style="font-size:small">Hi Ali,</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">From what I can tell, the Coverity Desktop analysis tools would require paid licenses, which are different from the Coverity Scan (<a href="https://scan.coverity.com/faq">https://scan.coverity.com/faq</a>) that is being used by DPDK as an open source project. </div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">So, to enable using the tooling to scan all the patches, we'd need to work out the requirements around getting access to the other Synopsys tools.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Cheers,<br>Lincoln</div><div class="gmail_default" style="font-size:small"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 24, 2021 at 12:13 PM Ferruh Yigit <<a href="mailto:ferruh.yigit@intel.com">ferruh.yigit@intel.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 5/24/2021 1:13 PM, Ali Alnubani wrote:<br>
>> -----Original Message-----<br>
>> From: ci <<a href="mailto:ci-bounces@dpdk.org" target="_blank">ci-bounces@dpdk.org</a>> On Behalf Of Ferruh Yigit<br>
>> Sent: Monday, May 24, 2021 3:02 PM<br>
>> To: Aaron Conole <<a href="mailto:aconole@redhat.com" target="_blank">aconole@redhat.com</a>><br>
>> Cc: <a href="mailto:ci@dpdk.org" target="_blank">ci@dpdk.org</a><br>
>> Subject: Re: [dpdk-ci] [dpdk-dev] DPDK Release Status Meeting 20/05/2021<br>
>><br>
>> On 5/20/2021 8:19 PM, Aaron Conole wrote:<br>
>>> Ferruh Yigit <<a href="mailto:ferruh.yigit@intel.com" target="_blank">ferruh.yigit@intel.com</a>> writes:<br>
>>><br>
>>>> On 5/20/2021 1:15 PM, Ferruh Yigit wrote:<br>
>>>>> Release status meeting minutes {Date}<br>
>>>>> =====================================<br>
>>>>> :Date: 20 May 2021<br>
>>>>> :toc:<br>
>>>><br>
>>>> <...><br>
>>>><br>
>>>>> * Coverity is running regularly<br>
>>>>> - Can we have out of cycle run for -rc4? Last run was yesterday.<br>
>>>>> - We need a way to verify coverity issues before merging it, will carry topic<br>
>>>>> to CI mail list and Aaron<br>
>>>><br>
>>>> Hi Aaron,<br>
>>>><br>
>>>> There is a need to verify coverity fixes before merging them. Do you<br>
>>>> think we can do that? And should I create a Bugzilla ticket for it?<br>
>>><br>
>>> I think you can create a BZ for it. Last I remember, coverity does<br>
>>> not allow so many frequent builds (without paying?), so there is<br>
>>> probably a non-technical limitation. Otherwise, we could simply<br>
>>> submit all patch series to coverity and look at the results.<br>
>>><br>
>>> As it stands, there is maybe more thought that has to come with this.<br>
>>><br>
>>> Maybe we can use a tag that indicates which coverity ID it purports to<br>
>>> fix, and we can then kick off a run.<br>
>>><br>
>><br>
>> Yes, we can only run coverity with the patches that have a coverity tag.<br>
>><br>
>> Do we know the limitation on the run? Even if we can run once a day I think it<br>
>> can be enough, coverity is already not running daily, in the gap days coverity<br>
>> patches can be verified.<br>
>> Also we can skip coverity run if the main branch is not updated since last<br>
>> check, this can gain some runs too.<br>
>><br>
>> Created following Bugzilla:<br>
>> <a href="https://bugs.dpdk.org/show_bug.cgi?id=719" rel="noreferrer" target="_blank">https://bugs.dpdk.org/show_bug.cgi?id=719</a><br>
>><br>
>> btw, Aaron I wasn't able to cc your Red Hat email but found the following, can you<br>
>> confirm it is your email address:<br>
>> <a href="mailto:aconole@bytheb.org" target="_blank">aconole@bytheb.org</a><br>
> <br>
> It should also be possible to run Coverity's cov-run-desktop binary to make sure a patchset doesn't introduce new defects in the first place. Is there a reason why we don't do this already?<br>
<br>
If there is a way for a developer to verify it easily, it is even better.<br>
<br>
In the version of coverity I run, the user is building the project with the coverity<br>
toolset and uploading the resulting binaries to the coverity server, which scans<br>
and makes the result available via web interface.<br>
<br>
This way the user can't validate the patch in the client, but if there is a way for<br>
it we can try that too.<br>
<br>
> The binary scans only the modified files and compares to the latest full scan to check how many new defects there are.<br>
> The binary can run on UNH's servers so I don't think it would be limited. Are we maybe limited by how many times we can pull the summary/data of the latest scan? We can pull it only once a day and use it in offline mode.<br>
> <br>
> Regards,<br>
> Ali<br>
> <br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><b>Lincoln Lavoie</b><br></div><div>Principal Engineer, Broadband Technologies</div><div>21 Madbury Rd., Ste. 100, Durham, NH 03824</div><div><a href="mailto:lylavoie@iol.unh.edu" target="_blank">lylavoie@iol.unh.edu</a></div><div><a href="https://www.iol.unh.edu" target="_blank">https://www.iol.unh.edu</a></div><div>+1-603-674-2755 (m)</div></div></div></div></div></div></div></div></div></div></div>