+devel@edk2.groups.io

Mike

> -----Original Message-----
> From: r...@edk2.groups.io <r...@edk2.groups.io> On Behalf Of Felix Polyudov 
> via groups.io
> Sent: Monday, June 13, 2022 10:48 AM
> To: r...@edk2.groups.io
> Cc: Kinney, Michael D <michael.d.kin...@intel.com>
> Subject: [edk2-rfc] RFC v2: Static Analysis in edk2 CI
> 
> This is version 2 of the proposal that provides additional details regarding 
> the bring up process.
> 
> The initial version is at https://edk2.groups.io/g/rfc/message/696
> 
> The goal of the proposal is integration of the static analysis (SA) into the 
> edk2 workflow.
> 
> - Use Open Coverity SA service to scan edk2 repository. The service is free 
> for open source projects.
>     edk2 Open Coverity project: 
> https://scan.coverity.com/projects/tianocore-edk2
> - Update edk2 CI scripts to run analysis once a week
>    - Perform analysis on all the edk2 packages using package DSC files that 
> are used for CI build tests
>    (Coverity analysis is executed in the course of a specially instrumented 
> project build).
>    - SA results are uploaded to scan.coverity.com. To access them one would 
> need to register on the site and request tianocore-
> edk2 project access. The site can be used to triage the reported issues. 
> Confirmed issues can be addressed using a standard edk2
> process (Bugzilla, mailing list).
> - During the initial bring up period, access to the SA results is restricted 
> to stewards, maintainers, and members of the
> TianoCore InfoSec group, who are encouraged to review reported issues with 
> the primary goal of identifying security-related
> issues. All such issues should be handled in accordance with the following 
> guidelines:
>   
> https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues
> - The initial bring up period ends when embargo for all the identified 
> security issues ends or after 30 days if no security
> issues have been identified
> - Once brig up period is over, SA results access is open to everybody.
> - The package maintainers should monitor weekly scan results for a newly 
> reported issues and reach back to original patch
> submitters to resolve them. Package maintainers can revert the patch if no 
> action is taken by the submitter.
> 
> -The information contained in this message may be confidential and 
> proprietary to American Megatrends (AMI). This communication
> is intended to be read only by the individual or entity to whom it is 
> addressed or by their designee. If the reader of this
> message is not the intended recipient, you are on notice that any 
> distribution of this message, in any form, is strictly
> prohibited. Please promptly notify the sender by reply e-mail or by telephone 
> at 770-246-8600, and then delete or destroy all
> copies of the transmission.
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90489): https://edk2.groups.io/g/devel/message/90489
Mute This Topic: https://groups.io/mt/91733673/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


Reply via email to