On Tue, 2013-12-17 at 13:17 -0500, Rahul Sundaram wrote:
> Hi
>
> On Tue, Dec 17, 2013 at 12:47 PM, Daniel P. Berrange wrote:
>
> > The issues reported against libvirt all appear to be false positives.
> > Not entirely surprising since we already have coverity run against
> > libvirt code nightly.
>
> Thanks for the quick response. Does Red Hat run it only for packages
> in RHEL, or is it run against all Fedora packages? If not, would it be
> possible for Red Hat to do so and publish the results on a regular
> basis? That might be a useful service.

Nightly Coverity scans for the whole of Fedora wouldn't work - the RHEL
subset of packages is scanned bi-yearly - as the ~1500 C/C++ packages
take 21+ days to scan (150M lines of code). The whole of Fedora would
take ~3 months+.

Our RHEL maintainers are notified about the results and are encouraged
to share the results with upstreams - many of them do. Publishing them
is a bit tricky - I can of course publish them (we scan with cppcheck,
enhanced gcc warnings, clang and coverity) - but the reports may contain
some attack vectors - and for inactive packages, it would only show the
doors to attackers.

If you are a community guy (maintainer/upstream) and you are interested
in getting the results of the bi-yearly scans, just send me an email and
a list of the packages you want the results for (of course, as I said,
we scan only the RHEL set of packages).

We are working on open sourcing this scanning tool based on mock
(covering the static analyzers) - so people can use it for their
packages more easily. It could even be integrated into the
infrastructure somehow, as there is no license limitation.

For non-RHEL packages, I would recommend working with upstream to join
http://scan2.coverity.com/ .
In addition, a very beneficial thing is to get the DIFFERENCE between
two scans - I would recommend codescan-diff
( https://git.fedorahosted.org/git/codescan-diff.git ) - it was
originally designed for the internal Coverity scans, but now it has
support for various static analyzers.

Greetings,
         Ondrej Vasik

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
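The "diff between two scans" idea in the message above, as an added example that is my own code and not codescan-diff or Red Hat's mock-based scanning tool. It assumes a simple, constructed gcc-style report format (`path:line: severity[checker]: message`, one defect per line); the two sample reports are constructed for the example. The point it demonstrates is that a scan diff has to match defects on stable attributes (file, checker, message) rather than on line numbers, otherwise every unrelated edit makes old findings look "fixed" and "new" at once.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample reports in an assumed "path:line: severity[checker]: message"
# format. This format is invented for the example; it is not codescan-diff's own.
OLD_SCAN = """\
src/util.c:42: error[NULL_RETURNS]: dereferencing return value of "malloc" without check
src/util.c:88: warning[RESOURCE_LEAK]: handle "fd" is not released
src/net.c:10: warning[UNINIT]: "len" is used uninitialized
"""

NEW_SCAN = """\
src/util.c:45: error[NULL_RETURNS]: dereferencing return value of "malloc" without check
src/net.c:11: warning[UNINIT]: "len" is used uninitialized
src/net.c:120: error[BUFFER_SIZE]: "strcpy" may overflow "buf"
"""

DEFECT_RE = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+): (?P<severity>\w+)\[(?P<checker>\w+)\]: (?P<message>.*)$"
)


@dataclass(frozen=True)
class Defect:
    path: str
    line: int
    severity: str
    checker: str
    message: str

    def key(self):
        # Line numbers move whenever unrelated code is edited, so the identity
        # of a defect for diffing purposes is (file, checker, message), not its line.
        return (self.path, self.checker, self.message)


def parse_scan(text):
    """Parse one report into a list of Defects; lines that do not match are skipped."""
    defects = []
    for raw in text.splitlines():
        m = DEFECT_RE.match(raw.strip())
        if not m:
            continue
        defects.append(Defect(m["path"], int(m["line"]), m["severity"],
                              m["checker"], m["message"]))
    return defects


def diff_scans(old, new):
    """Classify defects as added, fixed or unchanged between two scans.

    Defects are matched as a multiset on Defect.key(), so when a file carries
    two identical findings, one disappearing is reported as one fix, not as a
    spurious "fixed" of both plus an "added" of the survivor.
    """
    old_by_key = defaultdict(list)
    new_by_key = defaultdict(list)
    for d in old:
        old_by_key[d.key()].append(d)
    for d in new:
        new_by_key[d.key()].append(d)

    added, fixed, unchanged = [], [], []
    for key in set(old_by_key) | set(new_by_key):
        olds, news = old_by_key.get(key, []), new_by_key.get(key, [])
        common = min(len(olds), len(news))
        unchanged.extend(news[:common])   # present in both: report the new location
        added.extend(news[common:])       # surplus in the new scan: new findings
        fixed.extend(olds[common:])       # surplus in the old scan: gone now

    def order(d):
        return (d.path, d.line)

    return {"added": sorted(added, key=order),
            "fixed": sorted(fixed, key=order),
            "unchanged": sorted(unchanged, key=order)}


def format_report(result):
    """Render the diff in a unified-diff-like style: '+' added, '-' fixed."""
    lines = []
    for label, sign in (("added", "+"), ("fixed", "-")):
        for d in result[label]:
            lines.append(f"{sign} {d.path}:{d.line}: {d.severity}[{d.checker}]: {d.message}")
    lines.append(f"# {len(result['added'])} added, {len(result['fixed'])} fixed, "
                 f"{len(result['unchanged'])} unchanged")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_scans(parse_scan(OLD_SCAN), parse_scan(NEW_SCAN))))
```

Run on the two constructed reports, the output shows one added defect (the `BUFFER_SIZE` finding in `src/net.c`), one fixed defect (the `RESOURCE_LEAK` in `src/util.c`), and two unchanged findings whose line numbers shifted between scans. For a real tool the key would normally also include the function name and the checker's event trace, and the messages would need normalizing (tools change wording between releases), but the matching strategy is the same.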