From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 17335 invoked by alias); 16 May 2014 20:00:40 -0000 Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner@cygwin.com Mail-Followup-To: cygwin@cygwin.com Received: (qmail 17321 invoked by uid 89); 16 May 2014 20:00:39 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=1.6 required=5.0 tests=AWL,BAYES_50,FREEMAIL_FROM,KAM_COUK,SPF_PASS autolearn=no version=3.3.2 X-HELO: out.ipsmtp4nec.opaltelecom.net Received: from out.ipsmtp4nec.opaltelecom.net (HELO out.ipsmtp4nec.opaltelecom.net) (62.24.202.76) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (CAMELLIA256-SHA encrypted) ESMTPS; Fri, 16 May 2014 20:00:37 +0000 X-SMTPAUTH: drstacey@tiscali.co.uk X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApQBAA9udlNV0k66/2dsb2JhbAANTINVxE4JAYEtgxkBAQEEOEARCxgJFg8JAwIBAgFFEwgBAYhKrEulShMEjlYWhCoEsCk X-IPAS-Result: ApQBAA9udlNV0k66/2dsb2JhbAANTINVxE4JAYEtgxkBAQEEOEARCxgJFg8JAwIBAgFFEwgBAYhKrEulShMEjlYWhCoEsCk Received: from 85-210-78-186.dynamic.dsl.as9105.com (HELO [192.168.1.67]) ([85.210.78.186]) by out.ipsmtp4nec.opaltelecom.net with ESMTP; 16 May 2014 21:00:16 +0100 Message-ID: <53766E46.4070207@tiscali.co.uk> Date: Fri, 16 May 2014 20:03:00 -0000 From: David Stacey User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: cygwin@cygwin.com Subject: Re: Coverity Scan References: <5359F391.8060309@tiscali.co.uk> <20140425083500.GA5666@calimero.vinschen.de> <20140425155324.GA2412@ednor.casa.cgf.cx> In-Reply-To: <20140425155324.GA2412@ednor.casa.cgf.cx> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-IsSubscribed: yes X-SW-Source: 2014-05/txt/msg00368.txt.bz2 On 25/04/14 16:53, Christopher Faylor wrote: > On Fri, Apr 25, 2014 at 10:35:00AM +0200, Corinna Vinschen wrote: >> On Apr 25 06:33, David Stacey wrote: >>> Coverity Scan [1] is a commercial (paid for) static analysis tool, but >>> they offer it to Open Source programmes for free. I was having a browse >>> through the list of Open Source programmes using Coverity Scan, and >>> noticed that Cygwin wasn't listed. Would there be any interest in >>> analysing the cygwin1.dll source code on a fairly regular basis? If so, >>> I would be happy to have a go at setting up an analysis job for Cygwin. >>> >>> I would imagine this would be of interest to CGF, Corinna and anyone >>> else who regularly updates the Cygwin source code. Obviously, this is >>> only worth doing if the analysis results are looked at and acted upon. >> Depends. If the report contains lots of false positives, it's getting >> annoying pretty quickly. > We use coverity at work. It is annoying and it does have false positive > but a lot of what look like false positives often turn out to be: "Oh, > wait. (#*(&$ Yeah. That's a problem." > > If we could use coverity I'm sure it would be interesting if we can get > it. OK - we're in! You can find our project page at https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails to Corinna and CGF inviting them to join the project ;-) It would be responsible of us to restrict access to known vulnerabilities, so please _don't_ ask for visibility of the scan results. I will leave it to CGF and Corinna to decide who we give access to and when. There is still a little work to do in setting up the Coverity scan. The next step is to group the code into logical clusters, which Coverity calls Components. Typically, this is done on directories or other file groupings, and the tool allows you to concentrate on just one of these components at once. If you let me know what components you'd like, I'll set them up. The Coverity build is being performed on one of my PCs at the moment. I'll try to do this at least weekly using a snapshot from the snapshots page. I'll also try to submit patches as and when time allows. But if this is going to work then anyone who regularly contributes to the Cygwin source code will have to make use of the tool. Finally, I'd like to thank Dakshesh Vyas at Coverity for allowing us to join the Scan programme. Cheers, Dave. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple