[dpdk-dev] Coverity scan
Thomas Monjalon
thomas at monjalon.net
Mon Mar 9 16:53:16 CET 2020
We have a public Coverity scan triggered by John for the community:
https://scan.coverity.com/projects/dpdk-data-plane-development-kit
Note there is a tool to help with this task:
http://thyrsus.com/gitweb/?p=coverity-submit.git;a=shortlog;h=refs/tags/1.13
I see two issues with this scan:
- it is run manually
- not all code is scanned currently
Note that we should be able to run one scan per day for free:
https://scan.coverity.com/faq#frequency
With David, we looked at automating the Coverity scan,
with the help of Travis automation:
https://scan.coverity.com/travis_ci
Such automation cannot be configured on the existing Coverity project.
I tried to open a new Coverity project connected to our GitHub.
I have a very poor confidence in Coverity/Travis/GitHub integration.
I will explain below why.
1/ The instructions were wrong. In this command, there are two mistakes:
openssl s_client -connect https://scan.coverity.com:443 |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
sudo tee -a /etc/ssl/certs/ca-
For the record, a proper a simpler command is:
true | openssl s_client -connect scan.coverity.com:443 |
openssl x509 |
sudo tee -a /etc/ssl/certs/ca-certificates.crt
2/ The coverity scan is triggered as a job addon.
The rest of the job must be cancelled with this tricky patch:
-script: ./.ci/${TRAVIS_OS_NAME}-build.sh
+script: if [ "${COVERITY_SCAN_BRANCH}" != 1 ] ; then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi
3/ We need only to prepare the source code once per day.
But our .travis.yml has many jobs which must be dropped or ignored.
4/ A big encrypted token must be added in the configuration:
# encrypted COVERITY_SCAN_TOKEN
- secure: "VgRYG9N5adKkM9/QpPgswn1c+VXS1mFVN0vgdjuC/bDv2x4u...etc..."
5/ The addon is triggered when pushing to a specific branch
(adding config for the record):
coverity_scan:
project:
name: "DPDK/dpdk"
notification_email: test-report at dpdk.org
build_command_prepend: "meson build -Dexamples=all"
build_command: "ninja -C build"
branch_pattern: coverity_scan
6/ This attempt failed with this log (no more information):
$ export PROJECT_NAME=DPDK/dpdk
Coverity Scan analysis selected for branch coverity_scan.
Coverity Scan API access denied. Check $PROJECT_NAME and $COVERITY_SCAN_TOKEN.
So I am giving up with Travis+Coverity.
The only benefit of Travis is to have a central build configuration.
So when a driver is enabled in Travis, it would be scanned in Coverity.
Note: Coverity does a build step to prepare the sources.
Now the question: how can we better configure the community Coverity scan?
I propose to set it up in our community lab.
Comments? Suggestions?
More information about the dev
mailing list