DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:mime-version:to:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	 q=dns; s=default; b=d8TbC+MSQom+PmfjZnBl0AnIeRdfpQeQuFrnltDYJRY
	EZbUSgrLeDdjKkfy3J8HFb9kvr7lV7VDk77WEHTrnrpwimsOR1ATdmPnvsNN2FpG
	MZiVVM1YgocGcPrRJEqebD7u2HiQ0DBN3ucGUPXKT45eoV8REFxzyYwfkeF/pRIY
	=
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Message-ID: <53766E46.4070207@tiscali.co.uk>
Date: Fri, 16 May 2014 21:00:06 +0100
From: David Stacey <drstacey@tiscali.co.uk>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: cygwin@cygwin.com
Subject: Re: Coverity Scan
References: <5359F391.8060309@tiscali.co.uk> <20140425083500.GA5666@calimero.vinschen.de> <20140425155324.GA2412@ednor.casa.cgf.cx>
In-Reply-To: <20140425155324.GA2412@ednor.casa.cgf.cx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

On 25/04/14 16:53, Christopher Faylor wrote:
> On Fri, Apr 25, 2014 at 10:35:00AM +0200, Corinna Vinschen wrote:
>> On Apr 25 06:33, David Stacey wrote:
>>>   Coverity Scan [1] is a commercial (paid for) static analysis tool, but
>>>   they offer it to Open Source programmes for free. I was having a browse
>>>   through the list of Open Source programmes using Coverity Scan, and
>>>   noticed that Cygwin wasn't listed. Would there be any interest in
>>>   analysing the cygwin1.dll source code on a fairly regular basis? If so,
>>>   I would be happy to have a go at setting up an analysis job for Cygwin.
>>>   
>>>   I would imagine this would be of interest to CGF, Corinna and anyone
>>>   else who regularly updates the Cygwin source code. Obviously, this is
>>>   only worth doing if the analysis results are looked at and acted upon.
>> Depends.  If the report contains lots of false positives, it's getting
>> annoying pretty quickly.
> We use coverity at work.  It is annoying and it does have false positive
> but a lot of what look like false positives often turn out to be:  "Oh,
> wait.  (#*(&$  Yeah.  That's a problem."
>
> If we could use coverity I'm sure it would be interesting if we can get
> it.

OK - we're in! You can find our project page at 
https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails 
to Corinna and CGF inviting them to join the project ;-)

It would be responsible of us to restrict access to known 
vulnerabilities, so please _don't_ ask for visibility of the scan 
results. I will leave it to CGF and Corinna to decide who we give access 
to and when.

There is still a little work to do in setting up the Coverity scan. The 
next step is to group the code into logical clusters, which Coverity 
calls Components. Typically, this is done on directories or other file 
groupings, and the tool allows you to concentrate on just one of these 
components at once. If you let me know what components you'd like, I'll 
set them up.

The Coverity build is being performed on one of my PCs at the moment. 
I'll try to do this at least weekly using a snapshot from the snapshots 
page. I'll also try to submit patches as and when time allows. But if 
this is going to work then anyone who regularly contributes to the 
Cygwin source code will have to make use of the tool.

Finally, I'd like to thank Dakshesh Vyas at Coverity for allowing us to 
join the Scan programme.

Cheers,

Dave.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple