From: Aaron Conole <aconole@redhat.com>
To: Thomas Monjalon <thomas@monjalon.net>
Cc: dev@dpdk.org,  john.mcnamara@intel.com,  david.marchand@redhat.com
References: <8562014.CDJkKcVGEf@xps>
Date: Wed, 11 Mar 2020 13:34:30 -0400
In-Reply-To: <8562014.CDJkKcVGEf@xps> (Thomas Monjalon's message of "Mon, 09
 Mar 2020 16:53:16 +0100")
Message-ID: <f7ta74m7q3d.fsf@dhcp-25.97.bos.redhat.com>
Subject: Re: [dpdk-dev] Coverity scan

Thomas Monjalon <thomas@monjalon.net> writes:

> We have a public Coverity scan triggered by John for the community:
>     https://scan.coverity.com/projects/dpdk-data-plane-development-kit
> Note there is a tool to help with this task:
>     http://thyrsus.com/gitweb/?p=coverity-submit.git;a=shortlog;h=refs/tags/1.13
>
> I see two issues with this scan:
>     - it is run manually
>     - not all code is scanned currently
>
> Note that we should be able to run one scan per day for free:
>     https://scan.coverity.com/faq#frequency
>
> With David, we looked at automating the Coverity scan,
> with the help of Travis automation:
>     https://scan.coverity.com/travis_ci
> Such automation cannot be configured on the existing Coverity project.

Why not?

> I tried to open a new Coverity project connected to our GitHub.

I don't know that it will work.  Either you'll need a separate GitHub,
or you'll need to use a special branch.

> I have a very poor confidence in Coverity/Travis/GitHub integration.
> I will explain below why.

Hrrm.. lots of projects use it.  And they do just what you prescribe
below (skipping jobs/builds when on the coverity branch).

> 1/ The instructions were wrong. In this command, there are two mistakes:
>     openssl s_client -connect https://scan.coverity.com:443 |
>     sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
>     sudo tee -a /etc/ssl/certs/ca-
> For the record, a proper and simpler command is:
>     true | openssl s_client -connect scan.coverity.com:443 |
>     openssl x509 |
>     sudo tee -a /etc/ssl/certs/ca-certificates.crt

Okay, that's fixable.

> 2/ The coverity scan is triggered as a job addon.
> The rest of the job must be cancelled with this tricky patch:
>
> -script: ./.ci/${TRAVIS_OS_NAME}-build.sh
> +script: if [ "${COVERITY_SCAN_BRANCH}" !=3D 1 ] ; then ./.ci/${TRAVIS_OS=
_NAME}-build.sh ; fi
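
Review bot: the guard on the `+script:` line runs the build whenever `COVERITY_SCAN_BRANCH` is unset or empty, and nothing in this hunk shows where that variable is set, so a comment above the line naming its source would help the next reader. The guard also covers only the `script` phase of a job, so on its own it does not reduce the number of jobs started on the scan branch.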

More than that, because we probably also want:

if ([[ "${TRAVIS_JOB_NUMBER##*.}" == "1" ]] && [[ "${TRAVIS_BRANCH}" == "coverity_scan" ]]); then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi

That will only do one job (which solves 3/ below)

> 3/ We need only to prepare the source code once per day.
> But our .travis.yml has many jobs which must be dropped or ignored.
>
> 4/ A big encrypted token must be added in the configuration:
>     # encrypted COVERITY_SCAN_TOKEN
>     - secure: "VgRYG9N5adKkM9/QpPgswn1c+VXS1mFVN0vgdjuC/bDv2x4u...etc..."

Why is it a problem?

> 5/ The addon is triggered when pushing to a specific branch
> (adding config for the record):
>     coverity_scan:
>       project:
>         name: "DPDK/dpdk"
>       notification_email: test-report@dpdk.org
>       build_command_prepend: "meson build -Dexamples=all"
>       build_command: "ninja -C build"
>       branch_pattern: coverity_scan
>
> 6/ This attempt failed with this log (no more information):
>     $ export PROJECT_NAME=DPDK/dpdk
>     Coverity Scan analysis selected for branch coverity_scan.
>     Coverity Scan API access denied. Check $PROJECT_NAME and $COVERITY_SCAN_TOKEN.

Probably there is an issue with the token + PROJECT_NAME.

>
> So I am giving up with Travis+Coverity.
> The only benefit of Travis is to have a central build configuration.
> So when a driver is enabled in Travis, it would be scanned in Coverity.
> Note: Coverity does a build step to prepare the sources.

I can try to assist with this if you've not completely abandoned the idea.

>
> Now the question: how can we better configure the community Coverity scan?
> I propose to set it up in our community lab.
> Comments? Suggestions?

Since we do have something working, but it's manual, is there a way to
at least make it happen automatically?  Maybe some cron job?
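
The import command quoted in item 1/ appends whatever certificate the server presents at that moment to the trust store. As an added example, not part of the original thread: a shell helper that appends a fetched certificate only when its SHA-256 fingerprint matches a value obtained out of band. The function names, the `demo` input and the `EXPECTED_FP` placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): append a certificate to a CA bundle
# only when its SHA-256 fingerprint matches a value obtained out of band.

# Strip the "...Fingerprint=" prefix and the colons, then lowercase the hex.
norm_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# cert_fp FILE: print the normalised fingerprint of the first certificate
# in FILE (PEM, possibly surrounded by s_client chatter); 2 if none parses.
cert_fp() {
    raw=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    norm_fp "$raw"
}

# append_if_pinned FILE EXPECTED_FP BUNDLE
# 0 = appended, 1 = fingerprint mismatch (bundle untouched), 2 = no certificate
append_if_pinned() {
    actual=$(cert_fp "$1") || return 2
    expected=$(norm_fp "$2")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: server sent $actual" >&2
        return 1
    fi
    # Re-encode through openssl so only the certificate block is appended.
    openssl x509 -in "$1" >> "$3"
}

# Offline demo with a throwaway self-signed certificate (constructed input).
# The pin is read from that same certificate, so this shows mechanics only.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed.example" \
        -keyout "$d/key.pem" -out "$d/cert.pem" -days 1 2>/dev/null || return 1
    pin=$(cert_fp "$d/cert.pem")
    : > "$d/bundle.crt"
    append_if_pinned "$d/cert.pem" "$pin" "$d/bundle.crt" && echo "pinned: appended"
    append_if_pinned "$d/cert.pem" "00:11" "$d/bundle.crt" || echo "wrong pin: rejected"
    rm -rf "$d"
}

# Real use (needs network and root; EXPECTED_FP is a placeholder for the pin):
#   true | openssl s_client -connect scan.coverity.com:443 > /tmp/scan.pem
#   append_if_pinned /tmp/scan.pem "$EXPECTED_FP" /etc/ssl/certs/ca-certificates.crt
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to exercise both outcomes without network access.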