Re: Xen FuSa meeting tomorrow Tue 17 November

[Norbert Manthey <nmanthey@xxxxxxxxx>]

Hi all,

On 11/20/20 9:33 AM, Bertrand Marquis wrote:
> CAUTION: This email originated from outside of the organization. Do not click 
> links or open attachments unless you can confirm the sender and know the 
> content is safe.
>
>
>
> Hi Stefano,
>
>> On 19 Nov 2020, at 20:20, Stefano Stabellini <stefano.stabellini@xxxxxxxxxx> 
>> wrote:
>>
>> Hi Artem, Francesco, and all,
>>
>> I think we should come up with a shortlist of potential candidates. As
>> we discussed during the last two calls, aside from price, the important
>> parameters are:
>>
>> - completeness of the MISRAC checks
>> - ability of being called automatically as part of the CI-loop
>>    - availability of a remote API
>>    - OR a license that allows for headless invocations
>> - ability to take as input a list of deviations maintained together with
>>  the source code (so that can we have different deviations for each Xen
>>  branch)
>>
>> Does this set of criteria seem reasonable?
> I think an important one is the ability to share the results of the tool.
> If the results are protected by some kind of license we will end up having
> to fix all problems without an opportunity to share the tool results on the
> mailing list for example if the CI loop can (and I think it is critical that 
> it does)
> be executed on pushes to the mailing list before they are merged in staging.

We can run the Coverity analysis locally, so that would fix the "run on
mailing list contributions" requirement. Next, we process the output of
the command, and extract relevant information (introduced defects, their
trace, fixed/dropped defects, ...) and format that into notifications of
the relevant style (we have scripts for Coverity similarly to what we
did for Infer, Fortify, CBMC, CppCheck, ... in
https://github.com/awslabs/one-line-scan).

I am not a license expert, so I cannot tell what would be required to be
allowed to share the results of email contributions back. This
requirement should certainly be brought up early to select an
appropriate tool.

Best,
Norbert

>
> Cheers
> Bertrand
>
>>
>> On Thu, 19 Nov 2020, Artem Mygaiev wrote:
>>> Hello all
>>>
>>> Using Coverity for MISRA was considered some time ago at the very first 
>>> days of FuSa SIG. Coverity indeed supports MISRA but there's a catch: Open 
>>> Source version of Coverity (Coverity Scan) does not support MISRA.
>>>
>>> BR,
>>> -- Artem
>>>
>>> -----Original Message-----
>>> From: Fusa-sig <fusa-sig-bounces@xxxxxxxxxxxxxxxxxxxx> On Behalf Of Julien 
>>> Grall
>>> Sent: четверг, 19 ноября 2020 г. 12:27
>>> To: Stefano Stabellini <stefano.stabellini@xxxxxxxxxx>
>>> Cc: David Ward <david.ward@xxxxxxxxxxxxxxx>; Francesco Brancati 
>>> <francesco.brancati@xxxxxxxxxxxxx>; pserwa@xxxxxxxxx; 
>>> mszczepankiewicz@xxxxxxxxx; fusa-sig@xxxxxxxxxxxxxxxxxxxx; Manthey, Norbert 
>>> <nmanthey@xxxxxxxxx>
>>> Subject: Re: Xen FuSa meeting tomorrow Tue 17 November
>>>
>>> (+Norbert)
>>>
>>> On 18/11/2020 19:15, Julien Grall wrote:
>>>>>> So you have enough data from coverity to provide some meaningful
>>>>>> information.
>>>>>> :) I don't know whether this is based on just parsing e-mails or
>>>>>> tools coverity may provide in a paid version.
>>>>> Excellent. Yeah, that is the kind of level of integration that we need.
>>>> I have asked the person in charge if he could provide more details how
>>>> this was setup and the complexity to get it working. I will let you
>>>> know when I have an answer.
>>> I have CCed Norbert who worked on the integration of coverity. @Stefano, 
>>> feel free to ask more details on the setup.
>>>
>>> Cheers,
>>>
>>> --
>>> Julien Grall
>>>



Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879