COVID19 is spreading via E-Mail now? It's $subject =~ s/Covierty/Coverity/g :)

On Sun, Apr 03 2022, Theodore Ts'o wrote:

> On Sun, Apr 03, 2022 at 02:36:22PM -0700, Junio C Hamano wrote:
>> I have old e-mails from the scan-admin@xxxxxxxxxxxx but the last one
>> seems to be from late June 2018, which is ages ago in Git timescale.
>> I do not recall us paying for such a service so I am guessing that
>> they had some program that open source projects can enroll, get our
>> public sources scanned and get the result sent back?
>
> Yep, that's the way it works. Someone has to use tools provided by
> them to build the open source project and upload the results for them
> to analyze. Coverity predates github, so it's not new-fangled enough
> to automatically pull sources from repositories; besides, their paying
> customers tend to be using their tool for their proprietary software,
> so they haven't had any incentive to create an auto-analyze tool that
> pulls from an open source repository.
>
> Some folks at Red Hat do have scripts run out of crontab, that will
> monitor git branches on projects that they are interested in and when
> they notice that the branch has been updated, they will build and
> upload the raw material used by Coverity to their dashboard. Eric
> Sandeen has been doing this for e2fsprogs, and a few other file system
> related repos, and I suspect if someone asked, he would probably be
> willing to provide the scripts that he uses.
>
> You do need to be the project admin, or someone authorized by the
> project admin, to upload new data for Coverity, or to look at the
> analysis of the Coverity results. I have no idea who the project
> admin is for git, but I'm sure if you, as the Git maintainer, showed up
> and requested to be added as one of the project admins, the open source
> ombudsperson (I don't remember the exact title, but they do have
> someone who interfaces with OSS projects) would be happy to oblige.

Per https://lore.kernel.org/git/YarO3nkrutmWF7nb@xxxxxxxxxxxxxxxxxxxxxxx/
Jeff ran this from his fork. I'm not sure if that was because he set
something up in the git/git organization, or if by project admin you
mean that any fork of it can set this up on their own.

>> https://scan.coverity.com/projects/git/ (visible without signing in)
>> seems to match my recollection. They haven't been scanning since
>> late June 2018. I wasn't the primary developer who registered us or
>> who has been reading these reports but if I recall correctly, we
>> weren't doing anything custom, and fell somewhere between just "we
>> are curious to see how well Coverity works" and "Yay, a free
>> offering. We have nothing to lose, other than our time, to sign
>> ourselves up and if it comes up with useful scan result that would
>> be good".
>
> My experience with e2fsprogs is that it does have a fair amount of
> false positives, but I've been willing to wade through the false
> positives, and mark them as such in their web dashboard, because the
> early warnings it gives when we've pushed new code that has a
> potential security problem is worth it. But make no mistake, it
> definitely requires a certain amount of maintainer time to work with
> the tool.

Yes, also per the linked-above output it's quite noisy, but there
looked to be some legitimate and hard-to-find issues in those reports.
It would be nice to get them running with some regularity on our main
branches.