Hello,
I am writing this email to get feedback from the members of the Fedora development community about OpenScanHub for Fedora.
# tl;dr
OpenScanHub does static and dynamic analysis of rpm packages and it may be helpful in the Fedora community. Please take a look at our staging proof of concept[4] and provide feedback. The proof of concept is in its early stages so there may be some bugs here or there! If the feedback is positive we may roll this out in official infrastructure and integrate with Fedora CI and Packit.
# What
OpenScanHub is a service for static and dynamic analysis. It has been in development inside Red Hat[1] for more than 12 years and was open sourced on GitHub[2] earlier this year. You can read a brief explanation of this service on my blog[3]. We would like to deploy this service on the Fedora infrastructure and start scanning packages shipped in the Fedora project through it.
# Why
I am sharing a prototype[4] of this service to get feedback from the community. This prototype is running on the staging instance of the Fedora infrastructure, so you would have to log in[5] to the staging instance before submitting any scan. If you have never logged into that account, it may require you to do a password reset.
Once you are logged into the staging instance, you can log in through the `krb5login` button[6] on the top right corner of the homepage and submit a scan through this form[7].
There are 3 different types of scans supported by OpenScanHub:
- MockBuild performs a full scan of the package including downstream patches. Example[8] mockbuild for `openssl-3.1.1-4.fc39`.
- DiffBuild performs a differential scan on the downstream patches. So you can find only the defects that are introduced by the downstream patches. Example[9] diffbuild for `openssl-3.1.1-4.fc39`. This option would not work if the package fails to compile without patches.
- VersionDiffBuild performs a differential scan between 2 different versions of the package, and you can see defects introduced by the “newer” version of the package. Example[10] differential build between `openssl-3.1.1-4.fc39` and `openssl-3.0.9-2.fc38`.
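To illustrate what a differential scan (DiffBuild or VersionDiffBuild) reports, here is a small added example that is not part of OpenScanHub or this email: it computes the "added" and "fixed" defects between two constructed lists of findings, matching on checker, file and message rather than line number so that lines merely shifted by a patch are not reported as new. The `Defect` record, the `diff_defects` function and the sample findings are assumptions for illustration, not OpenScanHub's own format or code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Defect:
    """One static-analysis finding (simplified record, an assumption)."""
    checker: str  # analyzer checker name, e.g. "RESOURCE_LEAK"
    path: str     # source file the finding points at
    line: int     # line number in that version of the source
    event: str    # key event message reported by the checker

    def key(self):
        # Line numbers shift whenever a patch inserts or removes code, so
        # two findings are treated as "the same defect" when checker, file
        # and message agree. Matching on line number as well would report
        # every shifted defect as both fixed and added.
        return (self.checker, self.path, self.event)


def diff_defects(base, new):
    """Return (added, fixed): defects only in `new`, and only in `base`.

    Findings with an identical key collapse to one entry per side, which
    mirrors the "show me what this patch introduced" question, not a count.
    """
    base_by_key = {d.key(): d for d in base}
    new_by_key = {d.key(): d for d in new}
    added = [d for k, d in new_by_key.items() if k not in base_by_key]
    fixed = [d for k, d in base_by_key.items() if k not in new_by_key]
    return added, fixed


# Constructed sample findings for an old and a patched/newer version.
LEAK_MSG = 'Variable "ctx" going out of scope leaks the storage it points to.'
BASE_DEFECTS = [
    Defect("RESOURCE_LEAK", "src/server.c", 120, LEAK_MSG),
    Defect("NULL_RETURNS", "src/parse.c", 88, 'Dereferencing a pointer that might be "NULL".'),
]
NEW_DEFECTS = [
    # same leak, but the patch moved it 14 lines down: not a new defect
    Defect("RESOURCE_LEAK", "src/server.c", 134, LEAK_MSG),
    # genuinely introduced by the newer code
    Defect("UNINIT", "src/server.c", 210, 'Using uninitialized value "len".'),
]

if __name__ == "__main__":
    added, fixed = diff_defects(BASE_DEFECTS, NEW_DEFECTS)
    print("added:", [(d.checker, d.path, d.line) for d in added])
    print("fixed:", [(d.checker, d.path, d.line) for d in fixed])
```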
All the submitted scans can be seen on the tasks[11] page.
This prototype is running on very limited resources, so please do not submit scans for any resource-consuming package. Not all defects reported by OpenScanHub may be actual bugs, so please avoid fixing reported defects without careful examination. If we receive positive feedback on this prototype, there may be a possibility of integrating this service with the Fedora CI and Packit projects.
This is a very early stage prototype and may behave inconsistently. Please keep the discussion in this thread constructive. Thank you!
[1] https://kdudka.fedorapeople.org/muni23.pdf
[2] https://github.com/openscanhub/openscanhub
[3] https://situ.im/posts/openscanhub
[4] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/
[5] https://accounts.stg.fedoraproject.org
[6] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/auth/krb5login/
[7] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/scan/new/
[10] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/task/7/log/added.html
[11] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/task/