diff options
author | Patrick Georgi <patrick@coreboot.org> | 2022-03-08 19:47:41 +0100 |
---|---|---|
committer | Patrick Georgi <patrick@coreboot.org> | 2022-03-14 19:02:32 +0000 |
commit | 46213f6bbebebc6d9f19dd2e8644242c4a8ba39f (patch) | |
tree | de03604c9e97cd040bc07f26b83e369dabd44cee /Documentation/infrastructure/coverity.md | |
parent | cf4a3472b99cfbb7a4f431a4e0cb9dc424276bd4 (diff) |
Documentation: Describe our Coverity Scan integration
Change-Id: I0a2b68a4b4b54c7345280b252d624799316641b1
Signed-off-by: Patrick Georgi <patrick@coreboot.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/62666
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Singer <felixsinger@posteo.net>
Diffstat (limited to 'Documentation/infrastructure/coverity.md')
-rw-r--r-- | Documentation/infrastructure/coverity.md | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/Documentation/infrastructure/coverity.md b/Documentation/infrastructure/coverity.md new file mode 100644 index 0000000000..3034d50e74 --- /dev/null +++ b/Documentation/infrastructure/coverity.md @@ -0,0 +1,103 @@ +# Coverity Scan for open source firmware + +## What’s Coverity and Coverity Scan? + +Coverity is a static analysis tool. It hooks into the build process +and in addition to the compiler creating object files, Coverity collects +information about the code. That data is then processed in a separate pass +to identify common programming errors, like out of bounds accesses in C. + +Coverity Scan is an online service for Open Source projects providing this +analysis for free. The analysis pass is done on their servers and issues +can be handled in their [web UI](https://scan.coverity.com/). + +The Scan service has some quotas based on code size to avoid overloading +the system, but even at one build per week, that’s usually good enough +because the identified issues still need to be triaged and fixed or they +will simply be re-identified next week. + +### Triage? + +The Web UI looks a bit like an issue tracker, even if it’s not a very +good one. It’s possible to mark identified issues as valid or invalid, +and annotate them with metadata which CLs fix them. The latter isn’t +strictly necessary because Coverity Scan simply marks issues it can’t +find anymore as fixed, but at times it helped identify issues that made +a comeback. + +### Alternatives + +There’s also clang’s scan-build, which is fully open-source, and +finds different issues. As such, it’s less of an alternative and more +of a complement. + +There’s a regular run of that for coreboot but not for the other projects +hosted at coreboot.org. + +One downside is that it emits a bunch of HTML to report on issues, +but there’s no interactivity (e.g. marking issues solved), no way +to merge multiple builds (e.g. multiple board builds of a single tree) +or a simple way to extract burndown charts and the like from that. + +#### Looking for a project? + +On the upside, it can emit the data in a machine readable format, so if +anybody needs a project, a scan-build web-frontend like Coverity Scan would +be feasible without having to go through scan-build’s guts, just by parsing +text files - plus all the stateful and web parts to build on top. + +## Logging into Coverity Scan + +Coverity Scan needs an account. It supports its own accounts and GitHub +OAuth. + +Access to the dashboards needs approval: Request and you shall receive. + +## coreboot & friends and Coverity Scan + +coreboot, flashrom, Chromium EC and other projects of that family have +been made Coverity aware, that is, their build systems support building +with a custom compiler configuration passed in “just right” to enable +Coverity to add its hooks. + +The public coreboot CI system at +[https://qa.coreboot.org/](https://qa.coreboot.org/) regularly does +builds with Coverity and sends them off to Coverity Scan. + +Specifically, it covers: + +* Chromium EC: [Coverity Scan site][crECCoverity] ([build job][crECBuildJob]) +* coreboot: [Coverity Scan site][corebootCoverity] ([build job][corebootBuildJob]), [scan-build output][corebootScanBuild] ([build job][corebootScanBuildJob]) +* em100: [Coverity Scan site][em100Coverity] ([build job][em100BuildJob]) +* fcode-utils: [Coverity Scan site][fcodeUtilsCoverity] ([build job][fcodeUtilsBuildJob]) +* flashrom: [Coverity Scan site][flashromCoverity] ([build job][flashromBuildJob]) +* memtest86+: [Coverity Scan site][memtestCoverity] ([build job][memtestBuildJob]) +* vboot: [Coverity Scan site][vbootCoverity] ([build job][vbootBuildJob]) + +[crECCoverity]: https://scan.coverity.com/projects/chromium-ec +[corebootCoverity]: https://scan.coverity.com/projects/coreboot +[em100Coverity]: https://scan.coverity.com/projects/em100 +[fcodeUtilsCoverity]: https://scan.coverity.com/projects/fcode-utils +[flashromCoverity]: https://scan.coverity.com/projects/flashrom +[memtestCoverity]: https://scan.coverity.com/projects/memtest86 +[vbootCoverity]: https://scan.coverity.com/projects/vboot + +[corebootScanBuild]: https://www.coreboot.org/scan-build/ + +[crECBuildJob]: https://qa.coreboot.org/view/coverity/job/ChromeEC-Coverity/ +[corebootBuildJob]: https://qa.coreboot.org/view/coverity/job/coreboot-coverity/ +[corebootScanBuildJob]: https://qa.coreboot.org/view/coverity/job/coreboot_scanbuild/ +[em100BuildJob]: https://qa.coreboot.org/view/coverity/job/em100-coverity/ +[fcodeUtilsBuildJob]: https://qa.coreboot.org/view/coverity/job/fcode-utils-coverity/ +[flashromBuildJob]: https://qa.coreboot.org/view/coverity/job/flashrom-coverity/ +[memtestBuildJob]: https://qa.coreboot.org/view/coverity/job/memtest86plus-coverity/ +[vbootBuildJob]: https://qa.coreboot.org/view/coverity/job/vboot-coverity/ + +Some projects (e.g. Chromium EC) build a different subset of boards on +each run, ensuring that everything is analyzed eventually. The downside +is that coverity issues pop up and disappear somewhat randomly as they +are discovered and go unnoticed in a later build. + +More projects that are hosted on review.coreboot.org (potentially as a +mirror, like vboot and EC) could be served through that pipeline. Reach +out to {stepan,patrick,martin}@coreboot.org. |