From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id A07A8A056B;
	Wed, 11 Mar 2020 19:02:25 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id B470B1BF94;
	Wed, 11 Mar 2020 19:02:24 +0100 (CET)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com
 [66.111.4.25]) by dpdk.org (Postfix) with ESMTP id 035792BE6
 for <dev@dpdk.org>; Wed, 11 Mar 2020 19:02:22 +0100 (CET)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
 by mailout.nyi.internal (Postfix) with ESMTP id 84C5522299;
 Wed, 11 Mar 2020 14:02:20 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute7.internal (MEProxy); Wed, 11 Mar 2020 14:02:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=monjalon.net; h=
 from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding:content-type; s=mesmtp;
 bh=HB9VqB4nZO948xPuatnpHyUeA5pU8DrkJ7zQf+8oIzQ=; b=JJhLpAwqu5Gj
 ZaRoPcRD2Ad/2PTi1CpRAHvj/naKKUkVDSLg+WzwRTWs9QqWEieeR7bQ/JlRZA1l
 WS2hlzZs+1vHBF+H6RggzSFMSpmKcHhgMLj6jPg53eaqLHxTBhmnj4yEAoABcs7e
 w29dxSoigQ2SFjnlU64SSC+2+CqQQ84=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-transfer-encoding:content-type
 :date:from:in-reply-to:message-id:mime-version:references
 :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
 :x-sasl-enc; s=fm2; bh=HB9VqB4nZO948xPuatnpHyUeA5pU8DrkJ7zQf+8oI
 zQ=; b=4XxhvXmWDImlD7NuojL07tHFCOHfh8Q0MxaSM+yNMwJSKHyvsEijWATpY
 FNFe4R7HPlv2tKBvgssMpgvf06+M9mRM4B6aloOeKTtxIIglGkBA31iSc0JnST4E
 Zax6JCoZhe6RI8N+AC41Ro3ga0jSLqe4dND5NYw85Wm2fgmtWEOpRuaYPcKXtIMv
 dzUohDJdNMYwjTkgeWuxECFvI1Qs8hmoVvLwACHHU6HSHIAV+x54cpY3bs6heWMd
 QOcgGamUyVypm8oc2Sm9lhmzTAzyzCesfLd4keaTrP7or0KuUi3ESeJveabgse+E
 bxcl2I001uC9EQaim74D0iW6pV9jw==
X-ME-Sender: <xms:qydpXv_19F9rxyNjhGx1jtLS_TFirUEO5PVtKeOWqLISJlDFuqszdw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedruddvvddguddtjecutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
 enucfjughrpefhvffufffkjghfggfgtgesthfuredttddtvdenucfhrhhomhepvfhhohhm
 rghsucfoohhnjhgrlhhonhcuoehthhhomhgrshesmhhonhhjrghlohhnrdhnvghtqeenuc
 ffohhmrghinheptghovhgvrhhithihrdgtohhmpdhthhihrhhsuhhsrdgtohhmnecukfhp
 peejjedrudefgedrvddtfedrudekgeenucevlhhushhtvghrufhiiigvpedtnecurfgrrh
 grmhepmhgrihhlfhhrohhmpehthhhomhgrshesmhhonhhjrghlohhnrdhnvght
X-ME-Proxy: <xmx:rCdpXkhHdzBVGsmhIig_9rGdHH62DKL3apV-RKKGEhuTnLCqHHAmIg>
 <xmx:rCdpXj_ECPUNJgCJcHuQd5MG2OiaJWGfkE_HwUtrVLz_FY9tDud2aA>
 <xmx:rCdpXlBek4tsnA0Uo-morRQj0a_BSw8-FiapaSJ1KQQg0rAvE-k_Eg>
 <xmx:rCdpXpd03azAXArGiVGpP06_fVGaNOwFK8nnZIVoUa5umFpGcmeGpw>
Received: from xps.localnet (184.203.134.77.rev.sfr.net [77.134.203.184])
 by mail.messagingengine.com (Postfix) with ESMTPA id 7801C30612AF;
 Wed, 11 Mar 2020 14:02:19 -0400 (EDT)
From: Thomas Monjalon <thomas@monjalon.net>
To: Aaron Conole <aconole@redhat.com>
Cc: dev@dpdk.org, john.mcnamara@intel.com, david.marchand@redhat.com
Date: Wed, 11 Mar 2020 19:02:18 +0100
Message-ID: <1774839.IobQ9Gjlxr@xps>
In-Reply-To: <f7ta74m7q3d.fsf@dhcp-25.97.bos.redhat.com>
References: <8562014.CDJkKcVGEf@xps>
 <f7ta74m7q3d.fsf@dhcp-25.97.bos.redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [dpdk-dev] Coverity scan
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

11/03/2020 18:34, Aaron Conole:
> Thomas Monjalon <thomas@monjalon.net> writes:
> 
> > We have a public Coverity scan triggered by John for the community:
> > 	https://scan.coverity.com/projects/dpdk-data-plane-development-kit
> > Note there is a tool to help with this task:
> > 	http://thyrsus.com/gitweb/?p=coverity-submit.git;a=shortlog;h=refs/tags/1.13
> >
> > I see two issues with this scan:
> > 	- it is run manually
> > 	- not all code is scanned currently
> >
> > Note that we should be able to run one scan per day for free:
> > 	https://scan.coverity.com/faq#frequency
> >
> > With David, we looked at automating the Coverity scan,
> > with the help of Travis automation:
> > 	https://scan.coverity.com/travis_ci
> > Such automation cannot be configured on the existing Coverity project.
> 
> Why not?

Because Coverity does not allow it.
Travis integration is possible only if the project was created with GitHub credentials.


> > I tried to open a new Coverity project connected to our GitHub.
> 
> I don't know that it will work.  Either you'll need a separate GitHub,
> or you'll need to use a special branch.
> 
> > I have a very poor confidence in Coverity/Travis/GitHub integration.
> > I will explain below why.
> 
> Hrrm.. lots of projects use it.  And they do just what you prescribe
> below (skipping jobs/builds when on the coverity branch).

Which project is using Travis integration of Coverity?
How do they automatically update the specific branch without conflict?


> > 1/ The instructions were wrong. In this command, there are two mistakes:
> > 	openssl s_client -connect https://scan.coverity.com:443 |
> > 	sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
> > 	sudo tee -a /etc/ssl/certs/ca-
> > For the record, a proper a simpler command is:
> > 	true | openssl s_client -connect scan.coverity.com:443 |
> > 	openssl x509 |
> > 	sudo tee -a /etc/ssl/certs/ca-certificates.crt
> 
> Okay, that's fixable.
> 
> > 2/ The coverity scan is triggered as a job addon.
> > The rest of the job must be cancelled with this tricky patch:
> >
> > -script: ./.ci/${TRAVIS_OS_NAME}-build.sh
> > +script: if [ "${COVERITY_SCAN_BRANCH}" != 1 ] ; then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi
> 
> More than that, because we probably also want:
> 
> if ([[ "${TRAVIS_JOB_NUMBER##*.}" == "1" ]] && [[ "${TRAVIS_BRANCH}" == "coverity_scan" ]]); then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi
> 
> That will only do one job (which solves 3/ below)

OK good

> > 3/ We need only to prepare the source code once per day.
> > But our .travis.yml has many jobs which must be dropped or ignored.
> >
> > 4/ A big encrypted token must be added in the configuration:
> > 	# encrypted COVERITY_SCAN_TOKEN
> > 	- secure: "VgRYG9N5adKkM9/QpPgswn1c+VXS1mFVN0vgdjuC/bDv2x4u...etc..."
> 
> Why it's a problem?

It's not a problem. I explained all steps in this email, that's why it's here.


> > 5/ The addon is triggered when pushing to a specific branch
> > (adding config for the record):
> > 	coverity_scan:
> > 		project:
> > 			name: "DPDK/dpdk"
> > 		notification_email: test-report@dpdk.org
> > 		build_command_prepend: "meson build -Dexamples=all"
> > 		build_command: "ninja -C build"
> > 		branch_pattern: coverity_scan
> >
> > 6/ This attempt failed with this log (no more information):
> > 	$ export PROJECT_NAME=DPDK/dpdk
> > 	Coverity Scan analysis selected for branch coverity_scan.
> > 	Coverity Scan API access denied. Check $PROJECT_NAME and $COVERITY_SCAN_TOKEN.
> 
> Probably there is an issue with the token + PROJECT_NAME.

Probably. How can I debug it?


> > So I am giving up with Travis+Coverity.
> > The only benefit of Travis is to have a central build configuration.
> > So when a driver is enabled in Travis, it would be scanned in Coverity.
> > Note: Coverity does a build step to prepare the sources.
> 
> I can try to assist with this if you've not completely abandoned the idea.

OK, feel free to ping me for troubleshooting.


> > Now the question: how can we better configure the community Coverity scan?
> > I propose to set it up in our community lab.
> > Comments? Suggestions?
> 
> Since we do have something working, but it's manual, is there a way to
> at least make it happen automatically?  Maybe some cron job?

Yes a cron job, but where? I proposed a server of the community lab.