Hi Felix, I think this is a great idea to add this to edk2 CI.

I recommend we focus initially on a full scan once a week to get started. If we see lots of escapes, we can evaluate how to enable the scan on a submitted PR.

What do you need from the community to move this proposal forward?

Thanks,

Mike

> -----Original Message-----
> From: r...@edk2.groups.io <r...@edk2.groups.io> On Behalf Of Felix Polyudov via groups.io
> Sent: Wednesday, September 1, 2021 5:53 PM
> To: r...@edk2.groups.io
> Subject: [edk2-rfc] RFC: Static Analysis in edk2 CI
>
> I would like to start a discussion regarding integration of the static analysis (SA) into the edk2 workflow.
> I assume the SA benefits are well understood, so I'll get straight to the point; however, if anybody doubts the cause, feel free to disagree.
> Here is the high-level overview on how we can integrate SA into edk2 CI. Once we agree on a large picture, we can discuss the details.
>
> - Use Open Coverity SA service. The service is free for open source projects. edk2 Open Coverity project already exists: https://scan.coverity.com/projects/tianocore-edk2
> - Update edk2 CI scripts to run analysis once a week (I'm not proposing running SA on every pull request since the process is time consuming).
> - Perform analysis on all the edk2 packages using package DSC files that are used for CI build tests (Coverity analysis is executed in the course of a specially instrumented project build).
> - SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request tianocore-edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using a standard edk2 process (Bugzilla, mailing list).
>
> Side notes:
> - Another SA option is a CLANG CodeChecker (https://codechecker.readthedocs.io/en/latest/). However, as far as I'm aware, no hosted CodeChecker service is available and it will be on the edk2 community to deploy one.
> - It is potentially possible to run incremental Open Coverity scans on each pull request. However, to do so we would need to preserve build process and analyzer output files (essentially, the build folder) across the scans.
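
The weekly scheduled scan that the proposal and the reply converge on, written out as an added example; this is not code from the edk2 project or from either author. It assumes the scan runs as a GitHub Actions workflow on an Ubuntu runner (edk2's real CI may use a different system), that the Coverity Scan project token and the registered e-mail address are stored as repository secrets under the placeholder names COVERITY_SCAN_TOKEN and COVERITY_SCAN_EMAIL, and that the package list given to stuart_ci_build is illustrative. The build and upload commands follow the edk2 .pytool README and Coverity Scan's documented wget/curl flow, with the run wrapped in cov-build so the same CI package DSCs are what get analyzed.

```yaml
# Added example (not from the edk2 thread): scheduled GitHub Actions workflow
# that runs the CI package builds under Coverity's build-capture tool once a
# week and uploads the result to scan.coverity.com.
# Assumptions: GitHub Actions; secrets COVERITY_SCAN_TOKEN and
# COVERITY_SCAN_EMAIL (placeholder names); illustrative package list.
name: weekly-coverity-scan

on:
  schedule:
    - cron: "0 3 * * 0"   # every Sunday 03:00 UTC: a full scan, not per-PR
  workflow_dispatch: {}   # manual trigger for debugging the pipeline itself

permissions:
  contents: read          # the job only reads the tree; no write scopes needed

jobs:
  coverity:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install build dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y build-essential uuid-dev nasm acpica-tools
          pip install --upgrade -r pip-requirements.txt

      - name: Build BaseTools and fetch external dependencies
        run: |
          python BaseTools/Edk2ToolsBuild.py -t GCC5
          stuart_setup  -c .pytool/CISettings.py -t DEBUG -a X64 TOOL_CHAIN_TAG=GCC5
          stuart_update -c .pytool/CISettings.py -t DEBUG -a X64 TOOL_CHAIN_TAG=GCC5

      - name: Download Coverity build tool
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}   # scoped to this step only
        run: |
          # Coverity Scan serves the analysis tools to registered projects only
          wget -q https://scan.coverity.com/download/linux64 \
               --post-data "token=${COVERITY_SCAN_TOKEN}&project=tianocore-edk2" \
               -O coverity_tool.tgz
          mkdir -p coverity
          tar xzf coverity_tool.tgz --strip-components=1 -C coverity
          echo "$PWD/coverity/bin" >> "$GITHUB_PATH"

      - name: Run the CI package builds under cov-build
        run: |
          # cov-build intercepts the compiler invocations that stuart_ci_build
          # launches for each package DSC, so the DSCs used for CI build tests
          # are exactly what gets analyzed. If the gcc toolchain is not picked
          # up automatically, add "cov-configure --gcc" before this step.
          cov-build --dir cov-int \
            stuart_ci_build -c .pytool/CISettings.py -t DEBUG -a X64 \
              -p MdePkg,MdeModulePkg,UefiCpuPkg TOOL_CHAIN_TAG=GCC5

      - name: Package and upload results to scan.coverity.com
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
          COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
        run: |
          tar czf edk2-cov-int.tgz cov-int
          curl --fail --silent --show-error \
            --form token="${COVERITY_SCAN_TOKEN}" \
            --form email="${COVERITY_SCAN_EMAIL}" \
            --form file=@edk2-cov-int.tgz \
            --form version="$(git rev-parse --short HEAD)" \
            --form description="weekly scheduled scan" \
            "https://scan.coverity.com/builds?project=tianocore-edk2"
```

The token is exposed only to the two steps that need it and the workflow requests read-only contents permission, so a compromised build step cannot push to the repository. Triage still happens on scan.coverity.com as the proposal describes; the workflow only produces and uploads the instrumented build.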