Mail Archives: cygwin/2014/05/17/06:13:06

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Date: Sat, 17 May 2014 12:12:40 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Coverity Scan
Message-ID: <20140517101240.GO430@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <5359F391 DOT 8060309 AT tiscali DOT co DOT uk> <20140425083500 DOT GA5666 AT calimero DOT vinschen DOT de> <20140425155324 DOT GA2412 AT ednor DOT casa DOT cgf DOT cx> <53766E46 DOT 4070207 AT tiscali DOT co DOT uk>
MIME-Version: 1.0
In-Reply-To: <53766E46.4070207@tiscali.co.uk>
User-Agent: Mutt/1.5.23 (2014-03-12)


Hi David,

On May 16 21:00, David Stacey wrote:
> On 25/04/14 16:53, Christopher Faylor wrote:
> >On Fri, Apr 25, 2014 at 10:35:00AM +0200, Corinna Vinschen wrote:
> >>On Apr 25 06:33, David Stacey wrote:
> >>>  Coverity Scan [1] is a commercial (paid for) static analysis tool, but
> >>>  they offer it to Open Source programmes for free. I was having a browse
> >>>  through the list of Open Source programmes using Coverity Scan, and
> >>>  noticed that Cygwin wasn't listed. Would there be any interest in
> >>>  analysing the cygwin1.dll source code on a fairly regular basis? If so,
> >>>  I would be happy to have a go at setting up an analysis job for Cygwin.
> >>>  I would imagine this would be of interest to CGF, Corinna and anyone
> >>>  else who regularly updates the Cygwin source code. Obviously, this is
> >>>  only worth doing if the analysis results are looked at and acted upon.
> >>Depends.  If the report contains lots of false positives, it's getting
> >>annoying pretty quickly.
> >We use coverity at work.  It is annoying and it does have false positives
> >but a lot of what look like false positives often turn out to be:  "Oh,
> >wait.  (#*(&$  Yeah.  That's a problem."
> >
> >If we could use coverity I'm sure it would be interesting if we can get
> >it.
> 
> OK - we're in! You can find our project page at
> https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails to
> Corinna and CGF inviting them to join the project ;-)

I got no such mail.  You didn't try the account I'm using for the
mailing list, I hope?  Please use my company address vinschen AT
redhat DOT com.

> It would be responsible of us to restrict access to known vulnerabilities,
> so please _don't_ ask for visibility of the scan results. I will leave it to
> CGF and Corinna to decide who we give access to and when.

I have no idea how this works.  I had hoped I'd just get emails with
the scan results, the less fancy the solution, the better.  We can
set this up using gpg encrypted mails, that would be the most elegant
solution, IMHO.

> There is still a little work to do in setting up the Coverity scan. The next
> step is to group the code into logical clusters, which Coverity calls
> Components. Typically, this is done on directories or other file groupings,
> and the tool allows you to concentrate on just one of these components at
> once. If you let me know what components you'd like, I'll set them up.

Well, the problem is that we're going to switch to git pretty soon, and
that will slightly change the directory layout.  But basically, in the
winsup dir, you see the subdirs

  cygserver
  cygwin
  doc
  lsaauth
  testsuite
  utils

Of those you can ignore

  doc
  testsuite

The other four would be natural groups, I think.  The toplevel and
winsup dirs don't need to be scanned either.

> The Coverity build is being performed on one of my PCs at the moment. I'll
> try to do this at least weekly using a snapshot from the snapshots page.
> I'll also try to submit patches as and when time allows.

You are aware that we need a copyright assignment from you if you'd like
to provide patches, right?  Please have a look at the "Before you get
started" section of http://cygwin.com/contrib.html

> But if this is
> going to work then anyone who regularly contributes to the Cygwin source
> code will have to make use of the tool.

In theory, at the time of writing this, I'd suggest to include only cgf,
yaakov, and me.  Other people could join us on request, if they provide
patches to the Cygwin code base, or provided non-trivial patches in the
past.

> Finally, I'd like to thank Dakshesh Vyas at Coverity for allowing us to join
> the Scan programme.

Yes, that's nice.  I'm thanking him as well.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

