From: Aaron Conole
To: Thomas Monjalon
Cc: dev@dpdk.org, john.mcnamara@intel.com, david.marchand@redhat.com
Date: Wed, 11 Mar 2020 13:34:30 -0400
Subject: Re: [dpdk-dev] Coverity scan

Thomas Monjalon writes:

> We have a public Coverity scan triggered by John for the community:
>     https://scan.coverity.com/projects/dpdk-data-plane-development-kit
> Note there is a tool to help with this task:
>     http://thyrsus.com/gitweb/?p=coverity-submit.git;a=shortlog;h=refs/tags/1.13
>
> I see two issues with this scan:
>     - it is run manually
>     - not all code is scanned currently
>
> Note that we should be able to run one scan per day for free:
>     https://scan.coverity.com/faq#frequency
>
> With David, we looked at automating the Coverity scan,
> with the help of Travis automation:
>     https://scan.coverity.com/travis_ci
> Such automation cannot be configured on the existing Coverity project.

Why not?

> I tried to open a new Coverity project connected to our GitHub.

I don't know that it will work. Either you'll need a separate GitHub,
or you'll need to use a special branch.

> I have a very poor confidence in Coverity/Travis/GitHub integration.
> I will explain below why.

Hrrm.. lots of projects use it. And they do just what you prescribe
below (skipping jobs/builds when on the coverity branch).

> 1/ The instructions were wrong.
> In this command, there are two mistakes:
>     openssl s_client -connect https://scan.coverity.com:443 |
>     sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
>     sudo tee -a /etc/ssl/certs/ca-
> For the record, a proper and simpler command is:
>     true | openssl s_client -connect scan.coverity.com:443 |
>     openssl x509 |
>     sudo tee -a /etc/ssl/certs/ca-certificates.crt

Okay, that's fixable.

> 2/ The coverity scan is triggered as a job addon.
> The rest of the job must be cancelled with this tricky patch:
>
> -script: ./.ci/${TRAVIS_OS_NAME}-build.sh
> +script: if [ "${COVERITY_SCAN_BRANCH}" != 1 ] ; then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi

More than that, because we probably also want:

  if ([[ "${TRAVIS_JOB_NUMBER##*.}" == "1" ]] && [[ "${TRAVIS_BRANCH}" == "coverity_scan" ]]); then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi

That will only do one job (which solves 3/ below)

> 3/ We need only to prepare the source code once per day.
> But our .travis.yml has many jobs which must be dropped or ignored.
>
> 4/ A big encrypted token must be added in the configuration:
>     # encrypted COVERITY_SCAN_TOKEN
>     - secure: "VgRYG9N5adKkM9/QpPgswn1c+VXS1mFVN0vgdjuC/bDv2x4u...etc..."

Why is it a problem?

> 5/ The addon is triggered when pushing to a specific branch
> (adding config for the record):
>     coverity_scan:
>         project:
>             name: "DPDK/dpdk"
>         notification_email: test-report@dpdk.org
>         build_command_prepend: "meson build -Dexamples=all"
>         build_command: "ninja -C build"
>         branch_pattern: coverity_scan
>
> 6/ This attempt failed with this log (no more information):
>     $ export PROJECT_NAME=DPDK/dpdk
>     Coverity Scan analysis selected for branch coverity_scan.
>     Coverity Scan API access denied. Check $PROJECT_NAME and $COVERITY_SCAN_TOKEN.

Probably there is an issue with the token + PROJECT_NAME.

>
> So I am giving up with Travis+Coverity.
> The only benefit of Travis is to have a central build configuration.
> So when a driver is enabled in Travis, it would be scanned in Coverity.
> Note: Coverity does a build step to prepare the sources.

I can try to assist with this if you've not completely abandoned the idea.

>
> Now the question: how can we better configure the community Coverity scan?
> I propose to set it up in our community lab.
> Comments? Suggestions?

Since we do have something working, but it's manual, is there a way to
at least make it happen automatically? Maybe some cron job?
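
Review bot: on the `+script:` line of the hunk quoted under 2/, the `if` has no `else`, so when `COVERITY_SCAN_BRANCH` is 1 the step exits 0 having built nothing and the job still reports success; the guard sits inside each job rather than stopping the job. Nothing on the line says where `COVERITY_SCAN_BRANCH` is set, so a comment above it in `.travis.yml` naming its source would help, and an `else` branch that echoes a short "build skipped for Coverity scan" message would let skipped jobs be told apart from real passes in the logs.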
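
The job gating discussed under 2/ and 3/ in this message, written out as an added shell example (not part of the original mail or of DPDK's CI scripts). The environment variable names and the `coverity_scan` branch come from the thread; the function names `job_index`, `ci_action` and `run_gate` and the three action words are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick one action per Travis job from the variables named
# in the thread. Function names and action words are hypothetical.

SCAN_BRANCH="coverity_scan"   # branch_pattern in the quoted addon config

# job_index "812.3" -> "3"; prints nothing unless input is <build>.<job>
job_index() {
    case "$1" in
        *.*) idx="${1##*.}" ;;   # strip the longest prefix ending in "."
        *)   idx="" ;;
    esac
    case "$idx" in
        ''|*[!0-9]*) ;;          # empty or non-numeric: treat as unknown
        *) printf '%s\n' "$idx" ;;
    esac
}

# ci_action <TRAVIS_BRANCH> <TRAVIS_JOB_NUMBER> <COVERITY_SCAN_BRANCH>
# prints: build (normal branch), scan (first job on the scan branch),
#         skip  (every other job on the scan branch)
ci_action() {
    branch="$1"; job="$2"; scan_flag="$3"
    if [ "$branch" != "$SCAN_BRANCH" ] && [ "$scan_flag" != "1" ]; then
        echo build
    elif [ "$(job_index "$job")" = "1" ]; then
        echo scan
    else
        echo skip    # also covers a missing or malformed job number
    fi
}

# run_gate: what a `script:` entry could call instead of the inline `if`.
# Assumption: on "scan" the addon's build_command has already done the
# build, so the regular build script is not run again.
run_gate() {
    action=$(ci_action "${TRAVIS_BRANCH:-}" "${TRAVIS_JOB_NUMBER:-}" \
                       "${COVERITY_SCAN_BRANCH:-}")
    case "$action" in
        build) "./.ci/${TRAVIS_OS_NAME}-build.sh" ;;
        *)     echo "Coverity branch, job ${TRAVIS_JOB_NUMBER:-?}: $action" ;;
    esac
}
```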