Hi Ali,

From what I can tell, the Coverity Desktop analysis tools would require paid licenses, which are different from the Coverity Scan (https://scan.coverity.com/faq) that is being used by DPDK as an open source project. So, to enable using the tooling to scan all the patches, we'd need to work out the requirements around getting access to the other Synopsys tools.

Cheers,
Lincoln

On Mon, May 24, 2021 at 12:13 PM Ferruh Yigit wrote:

> On 5/24/2021 1:13 PM, Ali Alnubani wrote:
> >> -----Original Message-----
> >> From: ci On Behalf Of Ferruh Yigit
> >> Sent: Monday, May 24, 2021 3:02 PM
> >> To: Aaron Conole
> >> Cc: ci@dpdk.org
> >> Subject: Re: [dpdk-ci] [dpdk-dev] DPDK Release Status Meeting 20/05/2021
> >>
> >> On 5/20/2021 8:19 PM, Aaron Conole wrote:
> >>> Ferruh Yigit writes:
> >>>
> >>>> On 5/20/2021 1:15 PM, Ferruh Yigit wrote:
> >>>>> Release status meeting minutes {Date}
> >>>>> =====================================
> >>>>> :Date: 20 May 2021
> >>>>> :toc:
> >>>>
> >>>> <...>
> >>>>
> >>>>> * Coverity is running regularly
> >>>>> - Can we have out of cycle run for -rc4? Last run was yesterday.
> >>>>> - We need a way to verify coverity issues before merging it, will carry topic
> >>>>> to CI mail list and Aaron
> >>>>
> >>>> Hi Aaron,
> >>>>
> >>>> There is a need to verify coverity fixes before merging them. Do you
> >>>> think we can do that? And should I create a Bugzilla ticket for it?
> >>>
> >>> I think you can create a BZ for it. Last I remember, coverity does
> >>> not allow so many frequent builds (without paying?), so there is
> >>> probably a non-technical limitation. Otherwise, we could simply
> >>> submit all patch series to coverity and look at the results.
> >>>
> >>> As it stands, there is maybe more thought that has to come with this.
> >>>
> >>> Maybe we can use a tag that indicates which coverity ID it purports to
> >>> fix, and we can then kick off a run.
> >>>
> >>
> >> Yes, we can only run coverity with the patches that have the coverity tag.
> >>
> >> Do we know the limitation on the run? Even if we can run once a day I think it
> >> can be enough, coverity is already not running daily, in the gap days coverity
> >> patches can be verified.
> >> Also we can skip the coverity run if the main branch is not updated since the last
> >> check, this can gain some runs too.
> >>
> >> Created following Bugzilla:
> >> https://bugs.dpdk.org/show_bug.cgi?id=719
> >>
> >> btw, Aaron I wasn't able to cc your Red Hat email but found the following, can you
> >> confirm it is your email address:
> >> aconole@bytheb.org
> >
> > It should also be possible to run Coverity's cov-run-desktop binary to make sure a patchset doesn't introduce new defects in the first place. Is there a reason why we don't do this already?
>
> If there is a way for a developer to verify it easily, it is even better.
>
> In the version of coverity I run, the user is building the project with the coverity
> toolset and uploading the resulting binaries to the coverity server, which scans
> and makes the result available via a web interface.
>
> This way the user can't validate the patch in the client, but if there is a way for
> it we can try that too.
>
> > The binary scans only the modified files and compares to the latest full scan to check how many new defects there are.
> > The binary can run on UNH's servers so I don't think it would be limited. Are we maybe limited by how many times we can pull the summary/data of the latest scan? We can pull it only once a day and use it in offline mode.
> >
> > Regards,
> > Ali
> >
>

--
*Lincoln Lavoie*
Principal Engineer, Broadband Technologies
21 Madbury Rd., Ste. 100, Durham, NH 03824
lylavoie@iol.unh.edu
https://www.iol.unh.edu
+1-603-674-2755 (m)