X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; q=dns; s= default; b=yNI9XzrwQMTcd2lrGZ1qPSAmNJ9YIzcf8Uz7s1Jy/Bwxgul1ZMEkS N0ZCaKVCIbLrzw9lP+66qTSbF7gWJTW2GJP8ofL5PZX5kukQsA4xVHldlTQ7A+Iq IyKqGIZDJR2jszDyIhtG4fiKUPSIJFpl7jkpAQYj3MU41TSmpQVTmo= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:date:from:to:subject:message-id:reply-to :references:mime-version:content-type:in-reply-to; s=default; bh=f1mNfci+agcKd4npeBJv58CpWFk=; b=lZqsZBWXF0SQTPhSLnJB81xEtZts qjy4ID91jXZnfVRt7xr3N3J3VR/z+UzTW9AyQ5n1ZqXvK9uwLvHJtWGCCti70WsF oDOpOirp17WTmQJfgM1tNxyT4Cr1xjr5PNB2djm2W3m7LjA2+tpS1aDvKg7wXkeV NdNfFhu5zHL4YxM= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-4.6 required=5.0 tests=AWL,BAYES_50 autolearn=ham version=3.3.2 X-HELO: calimero.vinschen.de Date: Sat, 17 May 2014 12:12:40 +0200 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: Re: Coverity Scan Message-ID: <20140517101240.GO430@calimero.vinschen.de> Reply-To: cygwin AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com References: <5359F391 DOT 8060309 AT tiscali DOT co DOT uk> <20140425083500 DOT GA5666 AT calimero DOT vinschen DOT de> <20140425155324 DOT GA2412 AT ednor DOT casa DOT cgf DOT cx> <53766E46 DOT 4070207 AT tiscali DOT co DOT uk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="IJAclU0AInkryoed" Content-Disposition: inline In-Reply-To: <53766E46.4070207@tiscali.co.uk> User-Agent: Mutt/1.5.23 (2014-03-12) --IJAclU0AInkryoed Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi David, On May 16 21:00, David Stacey wrote: > On 25/04/14 16:53, Christopher Faylor wrote: > >On Fri, Apr 25, 2014 at 10:35:00AM +0200, Corinna Vinschen wrote: > >>On Apr 25 06:33, David Stacey wrote: > >>> Coverity Scan [1] is a commercial (paid for) static analysis tool, b= ut > >>> they offer it to Open Source programmes for free. I was having a bro= wse > >>> through the list of Open Source programmes using Coverity Scan, and > >>> noticed that Cygwin wasn't listed. Would there be any interest in > >>> analysing the cygwin1.dll source code on a fairly regular basis? If = so, > >>> I would be happy to have a go at setting up an analysis job for Cygw= in. > >>> I would imagine this would be of interest to CGF, Corinna and anyone > >>> else who regularly updates the Cygwin source code. Obviously, this is > >>> only worth doing if the analysis results are looked at and acted upo= n. > >>Depends. If the report contains lots of false positives, it's getting > >>annoying pretty quickly. > >We use coverity at work. It is annoying and it does have false positive > >but a lot of what look like false positives often turn out to be: "Oh, > >wait. (#*(&$ Yeah. That's a problem." > > > >If we could use coverity I'm sure it would be interesting if we can get > >it. >=20 > OK - we're in! You can find our project page at > https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails = to > Corinna and CGF inviting them to join the project ;-) I got no such mail. You didn't try the account I'm using for the mailing list, I hope? Please use my company address vinschen AT redhat DOT com. > It would be responsible of us to restrict access to known vulnerabilities, > so please _don't_ ask for visibility of the scan results. I will leave it= to > CGF and Corinna to decide who we give access to and when. I have no idea how this works. I had hoped I'd just get emails with the scan results, the less fancy the solution, the better. We can set this up using gpg encrypted mails, that would be the most elegant solution, IMHO. > There is still a little work to do in setting up the Coverity scan. The n= ext > step is to group the code into logical clusters, which Coverity calls > Components. Typically, this is done on directories or other file grouping= s, > and the tool allows you to concentrate on just one of these components at > once. If you let me know what components you'd like, I'll set them up. Well, the problem is that we're going to switch to git pretty soon, and that will slightly change the directory layout. But basically, in the winsup dir, you see the subdirs cygserver cygwin doc lsaauth testsuite utils Of those you can ignore=20 doc testsuite The other four would be natural groups, I think. The toplevel and winsup dirs don't need to be scanned either. > The Coverity build is being performed on one of my PCs at the moment. I'll > try to do this at least weekly using a snapshot from the snapshots page. > I'll also try to submit patches as and when time allows. You are aware that we need a copyright assignment from you if you'd like to provide patches, right? Please have a look at the "Before you get started" section of http://cygwin.com/contrib.html > But if this is > going to work then anyone who regularly contributes to the Cygwin source > code will have to make use of the tool. In theory, at the time of writing this, I'd suggest to include only cgf, yaakov, and me. Other people could join us on request, if they provide patches to the Cygwin code base, or provided non-trivial patches in the past. > Finally, I'd like to thank Dakshesh Vyas at Coverity for allowing us to j= oin > the Scan programme. Yes, that's nice. I'm thanking him as well. Corinna --=20 Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Maintainer cygwin AT cygwin DOT com Red Hat --IJAclU0AInkryoed Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJTdzYYAAoJEPU2Bp2uRE+ghiIQAI/OSxjlSVczEAKArwyOnSUr I5+5UCe3P+fvOgAMqgg3QLEivWjU3zHleNcGrF4Q5jFAtmifgOF4W1Iprhz+uEi7 E270BtohhhmGGxMSVjLuaxzAUAgDIaS7EF3g3YKEKQfv5Je2d0dtN1HcPBU4s2Ro o66HVjeYSNwXvV0O75iUbpufF4a72vYNdFQ3++dRm9uZIa7Hwtj6FIU+AYK+XLHB q2OQ1r+06GyzHBImlV+NUg7NMjHBuIHUTv9DmbtLYSIs1Cnsdq09PeVctDnZN1rC F6Egmg+z1U/pmZlSOf6U59vpvrPDwESzHPBbGTBstjdPNdPF04DGD0JYxD9HUIAB qBl+sqoKycxhMmeCePDrZsTh8TlKpRCV8jO7TA9Jcujqf0LUzskDHYha10IuDg6L jJP/lqquvecT5uEv9ZyVGunZ7vbW/NfhNkoOWAwnl8jm6FK5fV1repW8KtTAwJab zL+Hp8AlIdSVm6DrE/GuEzRmsGC+KccTIlwE4iOfTuiTY3Ld1RBT/zLLG+gqc+Yy Z9rfnZ06sLUshaqiPI11TFPcxP92avEDTeMlV5RSwNNm9mi9Vn0SUnMVbkt8zKGq Kn5vf6XPfd59XOb1j/1q08zR9N4e72CptM/cewkgRXBownr2hwJsmGpvGdiwyCzI ylQaKcDEHPj43KQIx5XK =eGe7 -----END PGP SIGNATURE----- --IJAclU0AInkryoed--