+devel@edk2.groups.io Mike
> -----Original Message----- > From: r...@edk2.groups.io <r...@edk2.groups.io> On Behalf Of Felix Polyudov > via groups.io > Sent: Monday, June 13, 2022 10:48 AM > To: r...@edk2.groups.io > Cc: Kinney, Michael D <michael.d.kin...@intel.com> > Subject: [edk2-rfc] RFC v2: Static Analysis in edk2 CI > > This is version 2 of the proposal that provides additional details regarding > the bring up process. > > The initial version is at https://edk2.groups.io/g/rfc/message/696 > > The goal of the proposal is integration of the static analysis (SA) into the > edk2 workflow. > > - Use Open Coverity SA service to scan edk2 repository. The service is free > for open source projects. > edk2 Open Coverity project: > https://scan.coverity.com/projects/tianocore-edk2 > - Update edk2 CI scripts to run analysis once a week > - Perform analysis on all the edk2 packages using package DSC files that > are used for CI build tests > (Coverity analysis is executed in the course of a specially instrumented > project build). > - SA results are uploaded to scan.coverity.com. To access them one would > need to register on the site and request tianocore- > edk2 project access. The site can be used to triage the reported issues. > Confirmed issues can be addressed using a standard edk2 > process (Bugzilla, mailing list). > - During the initial bring up period, access to the SA results is restricted > to stewards, maintainers, and members of the > TianoCore InfoSec group, who are encouraged to review reported issues with > the primary goal of identifying security-related > issues. All such issues should be handled in accordance with the following > guidelines: > > https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues > - The initial bring up period ends when embargo for all the identified > security issues ends or after 30 days if no security > issues have been identified > - Once brig up period is over, SA results access is open to everybody. > - The package maintainers should monitor weekly scan results for a newly > reported issues and reach back to original patch > submitters to resolve them. Package maintainers can revert the patch if no > action is taken by the submitter. > > -The information contained in this message may be confidential and > proprietary to American Megatrends (AMI). This communication > is intended to be read only by the individual or entity to whom it is > addressed or by their designee. If the reader of this > message is not the intended recipient, you are on notice that any > distribution of this message, in any form, is strictly > prohibited. Please promptly notify the sender by reply e-mail or by telephone > at 770-246-8600, and then delete or destroy all > copies of the transmission. > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90489): https://edk2.groups.io/g/devel/message/90489 Mute This Topic: https://groups.io/mt/91733673/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-