* [dpdk-dev] Coverity policy for upstream (base) drivers.
@ 2015-11-12 22:05 Stephen Hemminger
2015-11-12 22:18 ` Thomas Monjalon
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Stephen Hemminger @ 2015-11-12 22:05 UTC (permalink / raw)
To: Thomas Monjalon; +Cc: dev
Looking at the Coverity scan for DPDK, it looks like all the base
drivers are marked to be ignored.
Although the changes to base drivers should not be done directly through
DPDK list, I think it is still valuable to have these drivers scanned and
notify (badger) the vendors to fix their code.
Since lots of the bugs could be there, just blindly ignoring warnings
and issues is being naive.
From: Thomas Monjalon @ 2015-11-12 22:18 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev
2015-11-12 14:05, Stephen Hemminger:
> Looking at the Coverity scan for DPDK, it looks like all the base
> drivers are marked to be ignored.
>
> Although the changes to base drivers should not be done directly through
> DPDK list, I think it is still valuable to have these drivers scanned and
> notify (badger) the vendors to fix their code.
>
> Since lots of the bugs could be there, just blindly ignoring warnings
> and issues is being naive.
I think the Coverity setup is outdated:
ignore_driver_1 /lib/librte_pmd_e1000/e1000/.* Yes Remove
ignore_driver_2 /lib/librte_pmd_fm10k/base/.* Yes Remove
ignore_driver_3 /lib/librte_pmd_i40e/i40e/.* Yes Remove
ignore_driver_4 /lib/librte_pmd_ixgbe/ixgbe/.* Yes Remove
These directories don't exist anymore.
From: Mcnamara, John @ 2015-11-13 0:16 UTC (permalink / raw)
To: Thomas Monjalon, Stephen Hemminger; +Cc: dev
> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Thomas Monjalon
> Sent: Thursday, November 12, 2015 10:19 PM
> To: Stephen Hemminger
> Cc: dev@dpdk.org
> Subject: Re: [dpdk-dev] Coverity policy for upstream (base) drivers.
>
> 2015-11-12 14:05, Stephen Hemminger:
> > Looking at the Coverity scan for DPDK, it looks like all the base
> > drivers are marked to be ignored.
> >
> > Although the changes to base drivers should not be done directly
> > through DPDK list, I think it is still valuable to have these drivers
> > scanned and notify (badger) the vendors to fix their code.
> >
> > Since lots of the bugs could be there, just blindly ignoring warnings
> > and issues is being naive.
>
> I think the Coverity setup is outdated:
> ignore_driver_1 /lib/librte_pmd_e1000/e1000/.* Yes Remove
> ignore_driver_2 /lib/librte_pmd_fm10k/base/.* Yes Remove
> ignore_driver_3 /lib/librte_pmd_i40e/i40e/.* Yes Remove
> ignore_driver_4 /lib/librte_pmd_ixgbe/ixgbe/.* Yes Remove
>
> These directories don't exist anymore.
Hi Thomas,
The directories don't exist anymore but code from those directories is still in the Coverity database from prior to the restructuring.
There is a new rule to ignore the new base drivers:
ignore_base_code /drivers/net/*/base/* Yes
John
--
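An audit of the exclusion rules quoted in this thread, added here as an illustration (not code from the thread or from Coverity): it lists which rules match nothing in the current tree and which files end up outside analysis. The thread does not say whether patterns are read as globs or regular expressions, so both readings are evaluated; the tree paths are a constructed sample.

```python
import fnmatch
import re

# Rule names and patterns exactly as quoted in the thread.
RULES = [
    ("ignore_driver_1", "/lib/librte_pmd_e1000/e1000/.*"),
    ("ignore_driver_2", "/lib/librte_pmd_fm10k/base/.*"),
    ("ignore_driver_3", "/lib/librte_pmd_i40e/i40e/.*"),
    ("ignore_driver_4", "/lib/librte_pmd_ixgbe/ixgbe/.*"),
    ("ignore_base_code", "/drivers/net/*/base/*"),
]

# Constructed sample of tree paths; in practice, feed the output of
# `git ls-files` with a leading "/" added to each path.
TREE = [
    "/drivers/net/e1000/base/e1000_api.c",
    "/drivers/net/ixgbe/base/ixgbe_api.c",
    "/drivers/net/ixgbe/ixgbe_ethdev.c",
    "/lib/librte_eal/common/eal_common_log.c",
]


def audit(rules, tree, syntax):
    """Return {rule name: [excluded paths]} reading patterns as 'glob' or 'regex'."""
    hits = {}
    for name, pattern in rules:
        if syntax == "regex":
            hits[name] = [p for p in tree if re.fullmatch(pattern, p)]
        else:
            hits[name] = [p for p in tree if fnmatch.fnmatchcase(p, pattern)]
    return hits


def stale_rules(hits):
    """Rules that exclude nothing in the tree they were checked against."""
    return sorted(name for name, paths in hits.items() if not paths)


def excluded(hits):
    """Every path that at least one rule removes from analysis."""
    return sorted({p for paths in hits.values() for p in paths})


if __name__ == "__main__":
    for syntax in ("glob", "regex"):
        hits = audit(RULES, TREE, syntax)
        print(syntax, "stale rules:", stale_rules(hits))
        print(syntax, "excluded from analysis:", excluded(hits))
```

Read as a glob, `ignore_base_code` removes both base-driver files from analysis; read as a regular expression, the same string matches none of them, so the pattern syntax is worth confirming before relying on any exclusion rule.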
From: Matthew Hall @ 2015-11-12 22:55 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev
On Thu, Nov 12, 2015 at 02:05:08PM -0800, Stephen Hemminger wrote:
> Looking at the Coverity scan for DPDK, it looks like all the base
> drivers are marked to be ignored.
>
> Although the changes to base drivers should not be done directly through
> DPDK list, I think it is still valuable to have these drivers scanned and
> notify (badger) the vendors to fix their code.
>
> Since lots of the bugs could be there, just blindly ignoring warnings
> and issues is being naive.
I am with Stephen. Ignoring base driver vulns is a bad practice.
With these L1-L4 bugs the chances are good somebody could trigger these and
find 0days using tools as old and simple as this one:
http://isic.sourceforge.net/
Matthew.
From: Mcnamara, John @ 2015-11-13 0:12 UTC (permalink / raw)
To: Stephen Hemminger, Thomas Monjalon; +Cc: dev
> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Stephen Hemminger
> Sent: Thursday, November 12, 2015 10:05 PM
> To: Thomas Monjalon
> Cc: dev@dpdk.org
> Subject: [dpdk-dev] Coverity policy for upstream (base) drivers.
>
> Looking at the Coverity scan for DPDK, it looks like all the base drivers
> are marked to be ignored.
>
> Although the changes to base drivers should not be done directly through
> DPDK list, I think it is still valuable to have these drivers scanned and
> notify (badger) the vendors to fix their code.
>
> Since lots of the bugs could be there, just blindly ignoring warnings and
> issues is being naive.
Hi Stephen,
I set up the Coverity rules. I added the ignore rules for the base drivers on the assumption that the DPDK community wasn't, in most cases, going to be able to fix issues that occurred in them. However, as you say, it is best to know about potential bugs even if there isn't a direct route to fix them.
If we are going to turn on analysis of the base drivers then maybe we can wait until after we have a baseline for DPDK 2.3 since I presume there will be a flood of issues and I don't want the new issues in this release (that we can fix more readily) to get lost.
The base drivers aside, we have 114 open issues that should be fixed, or marked as investigated and safe to ignore. Also, the analysis is currently run with only the default DPDK config options. I'll extend the analysis to run as many of the non-default config items as possible.
If people haven't already done so I would urge them to sign up and view/fix the defects.
https://scan.coverity.com/users/sign_up
https://scan.coverity.com/projects/4005 (DPDK)
Apply as "Contributor/Member" if you plan to review/close issues or as "Defect Viewer" if you just wish to see the issues.
I've recently set up a script to identify the likely author of new Coverity defects based on git blame, and to email them the defect report. It isn't 100% accurate, in particular for whitespace changes around existing defects, but it is a start.
John.
--
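A sketch of blame-based defect attribution as described in the message above, added here as an illustration; it is not the script John mentions. It assumes `git blame --line-porcelain` output and compares a plain run against a `-w` run, so that a whitespace-only commit on the defect line is detected instead of being notified; the commit ids, addresses and file path are constructed.

```python
import re

HEADER = re.compile(r"^([0-9a-f]{40}) (\d+) (\d+)(?: \d+)?$")


def blame_argv(path, line, ignore_whitespace=True):
    """git blame command for one defect line; -w skips whitespace-only changes."""
    argv = ["git", "blame", "--line-porcelain", "-L", f"{line},{line}"]
    if ignore_whitespace:
        argv.append("-w")
    return argv + ["--", path]


def parse_blame(text):
    """Map final line number -> (commit, author-mail) from --line-porcelain output."""
    owners, commit, final, mail = {}, None, None, None
    for row in text.splitlines():
        m = HEADER.match(row)
        if m:
            commit, final, mail = m.group(1), int(m.group(3)), None
        elif row.startswith("author-mail "):
            mail = row.split(" ", 1)[1].strip("<>")
        elif row.startswith("\t") and commit:
            owners[final] = (commit, mail)  # tab-prefixed row ends the record
    return owners


def attribute(line, plain_out, ignore_ws_out):
    """Pick the -w owner and flag when a whitespace-only commit hid them."""
    plain = parse_blame(plain_out)[line]
    kept = parse_blame(ignore_ws_out)[line]
    return {"commit": kept[0], "notify": kept[1],
            "whitespace_only_touch": plain[0] != kept[0]}


def sample(commit, mail):
    # Constructed --line-porcelain record for line 120 (not real DPDK history).
    return (f"{commit} 118 120 1\nauthor Example\nauthor-mail <{mail}>\n"
            "summary constructed\nfilename drivers/net/example/example_rxtx.c\n"
            "\tif (len > sizeof(buf))\n")


PLAIN = sample("b" * 40, "reindent@example.com")      # blame without -w
IGNORE_WS = sample("a" * 40, "original@example.com")  # blame with -w

if __name__ == "__main__":
    print(" ".join(blame_argv("drivers/net/example/example_rxtx.c", 120)))
    print(attribute(120, PLAIN, IGNORE_WS))
```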
From: Matthew Hall @ 2015-11-13 18:49 UTC (permalink / raw)
To: Mcnamara, John; +Cc: dev, Stephen Hemminger
On Fri, Nov 13, 2015 at 12:12:04AM +0000, Mcnamara, John wrote:
> If people haven't already done so I would urge them to sign up and view/fix the defects.
>
> https://scan.coverity.com/users/sign_up
> https://scan.coverity.com/projects/4005 (DPDK)
Hi John,
I got signed up. Thanks for spearheading this.
From past experience squashing SA defects on my own code and several previous
employers I would like to recommend we band together and configure a SonarQube
instance.
http://www.sonarqube.org/
This is a really awesome SA, QA, Unit Test, etc. Data aggregation tool.
It gives a really nice executive-level view of what is going on in the code.
I wrote some custom scripts that integrated between SonarQube and git to email
people who checked in new SA defects across all of the aggregated SA tools
included in the SonarQube universe.
Matthew.
From: Mcnamara, John @ 2015-11-13 19:21 UTC (permalink / raw)
To: Matthew Hall; +Cc: dev, Stephen Hemminger
> -----Original Message-----
> From: Matthew Hall [mailto:mhall@mhcomputing.net]
> Sent: Friday, November 13, 2015 6:49 PM
> To: Mcnamara, John
> Cc: Stephen Hemminger; Thomas Monjalon; dev@dpdk.org
> Subject: Re: [dpdk-dev] Coverity policy for upstream (base) drivers.
>
> On Fri, Nov 13, 2015 at 12:12:04AM +0000, Mcnamara, John wrote:
> > If people haven't already done so I would urge them to sign up and
> view/fix the defects.
> >
> > https://scan.coverity.com/users/sign_up
> > https://scan.coverity.com/projects/4005 (DPDK)
>
> Hi John,
>
> I got signed up. Thanks for spearheading this.
>
> From past experience squashing SA defects on my own code and several
> previous employers I would like to recommend we band together and
> configure a SonarQube instance.
Hi Matthew,
I'd definitely be interested in getting SonarQube working with DPDK. We can sync up on this as soon as the 2.2 bush fires die down.
John.
--
From: Matthew Hall @ 2015-11-13 19:23 UTC (permalink / raw)
To: Mcnamara, John; +Cc: dev, Stephen Hemminger
On Fri, Nov 13, 2015 at 07:21:24PM +0000, Mcnamara, John wrote:
> Hi Matthew,
>
> I'd definitely be interested in getting SonarQube working with DPDK. We can
> sync up on this as soon as the 2.2 bush fires die down.
>
> John.
Awesome! Looking forward to it.
From: Stephen Hemminger @ 2015-11-13 19:38 UTC (permalink / raw)
To: Mcnamara, John; +Cc: dev
On Fri, 13 Nov 2015 19:21:24 +0000
"Mcnamara, John" <john.mcnamara@intel.com> wrote:
> > -----Original Message-----
> > From: Matthew Hall [mailto:mhall@mhcomputing.net]
> > Sent: Friday, November 13, 2015 6:49 PM
> > To: Mcnamara, John
> > Cc: Stephen Hemminger; Thomas Monjalon; dev@dpdk.org
> > Subject: Re: [dpdk-dev] Coverity policy for upstream (base) drivers.
> >
> > On Fri, Nov 13, 2015 at 12:12:04AM +0000, Mcnamara, John wrote:
> > > If people haven't already done so I would urge them to sign up and
> > view/fix the defects.
> > >
> > > https://scan.coverity.com/users/sign_up
> > > https://scan.coverity.com/projects/4005 (DPDK)
> >
> > Hi John,
> >
> > I got signed up. Thanks for spearheading this.
> >
> > From past experience squashing SA defects on my own code and several
> > previous employers I would like to recommend we band together and
> > configure a SonarQube instance.
>
> Hi Matthew,
>
> I'd definitely be interested in getting SonarQube working with DPDK. We can sync up on this as soon as the 2.2 bush fires die down.
>
> John.
It looked like SonarQube was both non-free for doing any real scans,
and the default C rules were oriented towards a completely different
Windows oriented coding style.
From: Matthew Hall @ 2015-11-13 20:20 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: dev
On Fri, Nov 13, 2015 at 11:38:22AM -0800, Stephen Hemminger wrote:
> It looked like SonarQube was both non-free for doing any real scans,
> and the default C rules were oriented towards a completely different
> Windows oriented coding style.
I was using the free version to do SA dashboard for a team of several hundred
previously.
But it's possible they made licensing changes since I last used it.
If you have any thoughts about better freer dashboards I am all ears.
Just trying to get some good tooling in place to deal w/ exponential growth of
DPDK code.
Matthew.