Hi Felix,

I think this is a great idea to add this to edk2 CI.

I recommend we focus initially on a full scan once a week to get started.

If we see lots of escapes, we can evaluate how to enable the scan on a submitted PR.

What do you need from the community to move this proposal forward?

Thanks,

Mike

> -----Original Message-----
> From: r...@edk2.groups.io <r...@edk2.groups.io> On Behalf Of Felix Polyudov via groups.io
> Sent: Wednesday, September 1, 2021 5:53 PM
> To: r...@edk2.groups.io
> Subject: [edk2-rfc] RFC: Static Analysis in edk2 CI
> 
> I would like to start a discussion regarding integration of the static analysis (SA) into the edk2 workflow.
> I assume the SA benefits are well understood, so I'll get straight to the point; however, if anybody doubts the cause, feel free to disagree.
> Here is the high level overview on how we can integrate SA into edk2 CI. Once we agree on a large picture, we can discuss the details.
> 
> - Use Open Coverity SA service. The service is free for open source projects. edk2 Open Coverity project already exists:
>   https://scan.coverity.com/projects/tianocore-edk2
> - Update edk2 CI scripts to run analysis once a week (I'm not proposing running SA on every pull request since the process is time consuming)
>   - Perform analysis on all the edk2 packages using package DSC files that are used for CI build tests (Coverity analysis is executed in the course of a specially instrumented project build).
> - SA results are uploaded to scan.coverity.com. To access them one would need to register on the site and request tianocore-edk2 project access. The site can be used to triage the reported issues. Confirmed issues can be addressed using a standard edk2 process (Bugzilla, mailing list).
> 
> Side notes:
> - Another SA option is a CLANG CodeChecker (https://codechecker.readthedocs.io/en/latest/). However, as far as I'm aware, no hosted CodeChecker service is available and it will be on the edk2 community to deploy one.
> - It is potentially possible to run incremental Open Coverity scans on each pull request. However, to do so we would need to preserve build process and analyzer output files (essentially, the build folder) across the scans.
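The weekly scan Felix outlines above, as an added example that is not edk2's CI code and not from either message: a POSIX shell driver that writes one edk2 `build` line per package DSC, runs all of them under a single `cov-build` so one intermediate directory captures every compilation, and uploads that directory to the tianocore-edk2 Coverity Scan project. It assumes `edksetup.sh` has already been sourced with BaseTools built, `cov-build` is on `PATH`, the upload credentials arrive through the hypothetical `COVERITY_TOKEN` / `COVERITY_EMAIL` variables, and the DSC list is a constructed stand-in for whatever the CI settings select.

```shell
#!/bin/sh
# Weekly Coverity Scan driver for edk2 (illustrative, not edk2's own CI code).
# Assumes: edksetup.sh sourced, BaseTools built, cov-build on PATH, and
# COVERITY_TOKEN / COVERITY_EMAIL (hypothetical names) set by the CI secret store.
set -eu

# Package DSC files to analyze. Constructed list; the real CI set would be
# taken from the per-package CI settings.
EDK2_DSCS="MdePkg/MdePkg.dsc MdeModulePkg/MdeModulePkg.dsc"

# Print one edk2 'build' command line per DSC on stdout.
# Returns 1 (after reporting every offender on stderr) if any DSC is missing,
# so a typo in the package list fails the job before the long build starts.
edk2_build_lines() {
    status=0
    for dsc in $1; do
        if [ ! -f "$dsc" ]; then
            echo "missing DSC: $dsc" >&2
            status=1
            continue
        fi
        echo "build -p $dsc -a X64 -t GCC5 -b NOOPT"
    done
    return $status
}

# Run all package builds under a single cov-build invocation so the one
# intermediate directory (cov-int) records every compilation it observes.
run_coverity_build() {
    edk2_build_lines "$1" > cov_build_all.sh
    cov-build --dir cov-int sh cov_build_all.sh
}

# Package the intermediate directory and submit it to the project on
# scan.coverity.com; triage then happens on the site, as the proposal says.
upload_results() {
    tar czf edk2-cov-int.tgz cov-int
    curl --form token="$COVERITY_TOKEN" --form email="$COVERITY_EMAIL" \
         --form file=@edk2-cov-int.tgz \
         --form version="$(git rev-parse --short HEAD)" \
         --form description="weekly edk2 scan" \
         "https://scan.coverity.com/builds?project=tianocore-edk2"
}

# The heavy steps run only when the weekly CI job sets RUN_COVERITY_SCAN=1;
# sourcing the file otherwise just defines the functions.
if [ "${RUN_COVERITY_SCAN:-0}" = "1" ]; then
    run_coverity_build "$EDK2_DSCS"
    upload_results
fi
```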
View/Reply Online (#83279): https://edk2.groups.io/g/devel/message/83279