104 lines
4.9 KiB
Markdown
104 lines
4.9 KiB
Markdown
# Coverity Scan for open source firmware
|
||
|
||
## What’s Coverity and Coverity Scan?
|
||
|
||
Coverity is a static analysis tool. It hooks into the build process
|
||
and in addition to the compiler creating object files, Coverity collects
|
||
information about the code. That data is then processed in a separate pass
|
||
to identify common programming errors, like out of bounds accesses in C.
|
||
|
||
Coverity Scan is an online service for Open Source projects providing this
|
||
analysis for free. The analysis pass is done on their servers and issues
|
||
can be handled in their [web UI](https://scan.coverity.com/).
|
||
|
||
The Scan service has some quotas based on code size to avoid overloading
|
||
the system, but even at one build per week, that’s usually good enough
|
||
because the identified issues still need to be triaged and fixed or they
|
||
will simply be re-identified next week.
|
||
|
||
### Triage?
|
||
|
||
The Web UI looks a bit like an issue tracker, even if it’s not a very
|
||
good one. It’s possible to mark identified issues as valid or invalid,
|
||
and annotate them with metadata which CLs fix them. The latter isn’t
|
||
strictly necessary because Coverity Scan simply marks issues it can’t
|
||
find anymore as fixed, but at times it helped identify issues that made
|
||
a comeback.
|
||
|
||
### Alternatives
|
||
|
||
There’s also clang’s scan-build, which is fully open-source, and
|
||
finds different issues. As such, it’s less of an alternative and more
|
||
of a complement.
|
||
|
||
There’s a regular run of that for coreboot but not for the other projects
|
||
hosted at coreboot.org.
|
||
|
||
One downside is that it emits a bunch of HTML to report on issues,
|
||
but there’s no interactivity (e.g. marking issues solved), no way
|
||
to merge multiple builds (e.g. multiple board builds of a single tree)
|
||
or a simple way to extract burndown charts and the like from that.
|
||
|
||
#### Looking for a project?
|
||
|
||
On the upside, it can emit the data in a machine readable format, so if
|
||
anybody needs a project, a scan-build web-frontend like Coverity Scan would
|
||
be feasible without having to go through scan-build’s guts, just by parsing
|
||
text files - plus all the stateful and web parts to build on top.
|
||
|
||
## Logging into Coverity Scan
|
||
|
||
Coverity Scan needs an account. It supports its own accounts and GitHub
|
||
OAuth.
|
||
|
||
Access to the dashboards needs approval: Request and you shall receive.
|
||
|
||
## coreboot & friends and Coverity Scan
|
||
|
||
coreboot, flashrom, Chromium EC and other projects of that family have
|
||
been made Coverity aware, that is, their build systems support building
|
||
with a custom compiler configuration passed in “just right” to enable
|
||
Coverity to add its hooks.
|
||
|
||
The public coreboot CI system at
|
||
[https://qa.coreboot.org/](https://qa.coreboot.org/) regularly does
|
||
builds with Coverity and sends them off to Coverity Scan.
|
||
|
||
Specifically, it covers:
|
||
|
||
* Chromium EC: [Coverity Scan site][crECCoverity] ([build job][crECBuildJob])
|
||
* coreboot: [Coverity Scan site][corebootCoverity] ([build job][corebootBuildJob]), [scan-build output][corebootScanBuild] ([build job][corebootScanBuildJob])
|
||
* em100: [Coverity Scan site][em100Coverity] ([build job][em100BuildJob])
|
||
* fcode-utils: [Coverity Scan site][fcodeUtilsCoverity] ([build job][fcodeUtilsBuildJob])
|
||
* flashrom: [Coverity Scan site][flashromCoverity] ([build job][flashromBuildJob])
|
||
* memtest86+: [Coverity Scan site][memtestCoverity] ([build job][memtestBuildJob])
|
||
* vboot: [Coverity Scan site][vbootCoverity] ([build job][vbootBuildJob])
|
||
|
||
[crECCoverity]: https://scan.coverity.com/projects/chromium-ec
|
||
[corebootCoverity]: https://scan.coverity.com/projects/coreboot
|
||
[em100Coverity]: https://scan.coverity.com/projects/em100
|
||
[fcodeUtilsCoverity]: https://scan.coverity.com/projects/fcode-utils
|
||
[flashromCoverity]: https://scan.coverity.com/projects/flashrom
|
||
[memtestCoverity]: https://scan.coverity.com/projects/memtest86
|
||
[vbootCoverity]: https://scan.coverity.com/projects/vboot
|
||
|
||
[corebootScanBuild]: https://www.coreboot.org/scan-build/
|
||
|
||
[crECBuildJob]: https://qa.coreboot.org/view/coverity/job/ChromeEC-Coverity/
|
||
[corebootBuildJob]: https://qa.coreboot.org/view/coverity/job/coreboot-coverity/
|
||
[corebootScanBuildJob]: https://qa.coreboot.org/view/coverity/job/coreboot_scanbuild/
|
||
[em100BuildJob]: https://qa.coreboot.org/view/coverity/job/em100-coverity/
|
||
[fcodeUtilsBuildJob]: https://qa.coreboot.org/view/coverity/job/fcode-utils-coverity/
|
||
[flashromBuildJob]: https://qa.coreboot.org/view/coverity/job/flashrom-coverity/
|
||
[memtestBuildJob]: https://qa.coreboot.org/view/coverity/job/memtest86plus-coverity/
|
||
[vbootBuildJob]: https://qa.coreboot.org/view/coverity/job/vboot-coverity/
|
||
|
||
Some projects (e.g. Chromium EC) build a different subset of boards on
|
||
each run, ensuring that everything is analyzed eventually. The downside
|
||
is that coverity issues pop up and disappear somewhat randomly as they
|
||
are discovered and go unnoticed in a later build.
|
||
|
||
More projects that are hosted on review.coreboot.org (potentially as a
|
||
mirror, like vboot and EC) could be served through that pipeline. Reach
|
||
out to {stepan,patrick,martin}@coreboot.org.
|