Re: Findings by static analyzers in Fedora 42 Critical Path Packages

On Thu, Nov 14, 2024 at 10:23 PM Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
>
> On Thu, Nov 14, 2024 at 08:47:36AM +0100, Siteshwar Vashisht wrote:
> > Hello,
> >
> > I am writing this message to get feedback from the community on new
> > findings by static analyzers in Critical Path Packages that have
> > changed in Fedora 42.
> >
> > TLDR: This report[1] contains 37330 findings. Please review the report
> > and provide feedback.
> >
> > A mass scan was performed this week on the packages that have changed
> > in Fedora 42. This report[1] contains all the new findings that have
> > been identified in the packages listed in Critical Path Packages.
> > Newly added findings since Fedora 41 are listed under ‘+’ column.
> > Please review the report and fix or report any findings upstream that
> > may be real bugs. Not all findings reported by OpenScanHub may be
> > actual bugs, so please verify reported findings before investing time
> > into fixing or reporting them. We hope this is helpful for the
> > packages you maintain and for the upstream projects. Questions can be
> > asked on the OpenScanHub mailing list[2]. If you want to see the full
> > logs of the scans, they are available on the tasks[3] page. User
> > documentation for performing a scan is available on the Fedora
> > wiki[4].
> >
> > Constructive feedback is appreciated. Thank you!
>
> Have you addressed the concerns raised when you last posted about this?
>
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/DTNTMHNZ76N4EG7G22AKKQQTGVB274NC/

Several fixes have been made since the feedback from the report from July:

- The terms "flaw" and "defect" have been replaced with "finding".
- clang was disabled due to a large number of false positives.
- The report from July contained a large number of "Limiting analysis of
branches" messages from cppcheck. They have been suppressed in the
latest report.
- There is a mention of the '+' column in my first email, which shows
differential scan results since Fedora 41. Maintainers who may not
have time to look at the full report can look only at the differential
scan report.
- Adding to the previous point, we have enabled differential scans in
Packit[1] in upstreams. If that gets wider adoption, we will see fewer
findings in mass scan reports.
- The issue of false positives is one of the most important, but hard
to solve. I started a discussion[2] on GitHub, but we do not have a
good answer to it yet. If you have ideas, please share on GitHub.

Let me know if I missed anything. Thanks!

>
> Rich.
>
> > [1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f42-13-Nov-2024/
> > [2] https://lists.fedoraproject.org/archives/list/openscanhub@xxxxxxxxxxxxxxxxxxxxxxx/
> > [3] https://openscanhub.fedoraproject.org/task/
> > [4] https://fedoraproject.org/wiki/OpenScanHub
> >
> > --
> > _______________________________________________
> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
> --
> Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> virt-top is 'top' for virtual machines.  Tiny program with many
> powerful monitoring features, net stats, disk stats, logging, etc.
> http://people.redhat.com/~rjones/virt-top
>

[1] https://packit.dev/posts/openscanhub-prototype
[2] https://github.com/openscanhub/openscanhub/issues/290
