From: Thomas Monjalon <thomas@monjalon.net>
To: Aaron Conole <aconole@redhat.com>
Cc: dev@dpdk.org, john.mcnamara@intel.com, david.marchand@redhat.com
Subject: Re: [dpdk-dev] Coverity scan
Date: Wed, 11 Mar 2020 19:02:18 +0100 [thread overview]
Message-ID: <1774839.IobQ9Gjlxr@xps> (raw)
In-Reply-To: <f7ta74m7q3d.fsf@dhcp-25.97.bos.redhat.com>
11/03/2020 18:34, Aaron Conole:
> Thomas Monjalon <thomas@monjalon.net> writes:
>
> > We have a public Coverity scan triggered by John for the community:
> > https://scan.coverity.com/projects/dpdk-data-plane-development-kit
> > Note there is a tool to help with this task:
> > http://thyrsus.com/gitweb/?p=coverity-submit.git;a=shortlog;h=refs/tags/1.13
> >
> > I see two issues with this scan:
> > - it is run manually
> > - not all code is scanned currently
> >
> > Note that we should be able to run one scan per day for free:
> > https://scan.coverity.com/faq#frequency
> >
> > With David, we looked at automating the Coverity scan,
> > with the help of Travis automation:
> > https://scan.coverity.com/travis_ci
> > Such automation cannot be configured on the existing Coverity project.
>
> Why not?
Because Coverity does not allow it.
Travis integration is possible only if the project was created with GitHub credentials.
> > I tried to open a new Coverity project connected to our GitHub.
>
> I don't know that it will work. Either you'll need a separate GitHub,
> or you'll need to use a special branch.
>
> > I have a very poor confidence in Coverity/Travis/GitHub integration.
> > I will explain below why.
>
> Hrrm.. lots of projects use it. And they do just what you prescribe
> below (skipping jobs/builds when on the coverity branch).
Which project is using Travis integration of Coverity?
How do they automatically update the specific branch without conflict?
> > 1/ The instructions were wrong. In this command, there are two mistakes:
> > openssl s_client -connect https://scan.coverity.com:443 |
> > sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
> > sudo tee -a /etc/ssl/certs/ca-
> > For the record, a proper a simpler command is:
> > true | openssl s_client -connect scan.coverity.com:443 |
> > openssl x509 |
> > sudo tee -a /etc/ssl/certs/ca-certificates.crt
>
> Okay, that's fixable.
>
> > 2/ The coverity scan is triggered as a job addon.
> > The rest of the job must be cancelled with this tricky patch:
> >
> > -script: ./.ci/${TRAVIS_OS_NAME}-build.sh
> > +script: if [ "${COVERITY_SCAN_BRANCH}" != 1 ] ; then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi
>
> More than that, because we probably also want:
>
> if ([[ "${TRAVIS_JOB_NUMBER##*.}" == "1" ]] && [[ "${TRAVIS_BRANCH}" == "coverity_scan" ]]); then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi
>
> That will only do one job (which solves 3/ below)
OK good
> > 3/ We need only to prepare the source code once per day.
> > But our .travis.yml has many jobs which must be dropped or ignored.
> >
> > 4/ A big encrypted token must be added in the configuration:
> > # encrypted COVERITY_SCAN_TOKEN
> > - secure: "VgRYG9N5adKkM9/QpPgswn1c+VXS1mFVN0vgdjuC/bDv2x4u...etc..."
>
> Why it's a problem?
It's not a problem. I explained all steps in this email, that's why it's here.
> > 5/ The addon is triggered when pushing to a specific branch
> > (adding config for the record):
> > coverity_scan:
> > project:
> > name: "DPDK/dpdk"
> > notification_email: test-report@dpdk.org
> > build_command_prepend: "meson build -Dexamples=all"
> > build_command: "ninja -C build"
> > branch_pattern: coverity_scan
> >
> > 6/ This attempt failed with this log (no more information):
> > $ export PROJECT_NAME=DPDK/dpdk
> > Coverity Scan analysis selected for branch coverity_scan.
> > Coverity Scan API access denied. Check $PROJECT_NAME and $COVERITY_SCAN_TOKEN.
>
> Probably there is an issue with the token + PROJECT_NAME.
Probably. How can I debug it?
> > So I am giving up with Travis+Coverity.
> > The only benefit of Travis is to have a central build configuration.
> > So when a driver is enabled in Travis, it would be scanned in Coverity.
> > Note: Coverity does a build step to prepare the sources.
>
> I can try to assist with this if you've not completely abandoned the idea.
OK, feel free to ping me for troubleshooting.
> > Now the question: how can we better configure the community Coverity scan?
> > I propose to set it up in our community lab.
> > Comments? Suggestions?
>
> Since we do have something working, but it's manual, is there a way to
> at least make it happen automatically? Maybe some cron job?
Yes a cron job, but where? I proposed a server of the community lab.
next prev parent reply other threads:[~2020-03-11 18:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-09 15:53 Thomas Monjalon
2020-03-11 17:34 ` Aaron Conole
2020-03-11 18:02 ` Thomas Monjalon [this message]
2020-03-11 18:35 ` Aaron Conole
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1774839.IobQ9Gjlxr@xps \
--to=thomas@monjalon.net \
--cc=aconole@redhat.com \
--cc=david.marchand@redhat.com \
--cc=dev@dpdk.org \
--cc=john.mcnamara@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).