On Tue, Dec 12, 2023 at 4:30 PM Siteshwar Vashisht <svashi...@redhat.com> wrote:
> Hello,
>
> I am writing this email to get feedback from the members of the Fedora
> development community about OpenScanHub for Fedora.
>
> # tl;dr
>
> OpenScanHub does static and dynamic analysis of rpm packages and it may be
> helpful in the Fedora community. Please take a look at our staging proof of
> concept[4] and provide feedback. The proof of concept is in its early
> stages so there may be some bugs here or there! If the feedback is positive
> we may roll this out in official infrastructure and integrate with Fedora
> CI and Packit.
>
> # What
>
> OpenScanHub is a service for static and dynamic analysis. It has been in
> development inside Red Hat[1] for more than 12 years and was open sourced
> on GitHub[2] earlier this year. You can read a brief explanation of this
> service on my blog[3]. We would like to deploy this service on the Fedora
> infrastructure and start scanning packages shipped in the Fedora project
> through it.
>
> # Why
>
> I am sharing a prototype[4] of this service to get feedback from the
> community. This prototype is running on the staging instance of the Fedora
> infrastructure, so you would have to log in[5] to the staging instance
> before submitting any scan. If you have never logged into that account, it
> may require you to do a password reset.

I have received a couple of comments[1][2] from contributors inside and
outside Red Hat. There were several scans submitted by community members
that can be seen on the tasks[3] page. I may bring this prototype down at
some point next week. So if anyone interested in this idea missed this
email earlier, please try it before I bring the prototype down. Thank you!

> Once you are logged into the staging instance, you can log in through the
> `krb5login` button[6] on the top right corner of the homepage and submit a
> scan through this form[7].
>
> There are 3 different types of scans supported by OpenScanHub:
>
> - MockBuild performs a full scan of the package including downstream
>   patches. Example[8] mockbuild for `openssl-3.1.1-4.fc39`.
>
> - DiffBuild performs a differential scan on the downstream patches. So
>   you can find only the defects that are introduced by the downstream
>   patches. Example[9] diffbuild for `openssl-3.1.1-4.fc39`. This option would
>   not work if the package fails to compile without patches.
>
> - VersionDiffBuild performs a differential scan between 2 different
>   versions of the package, and you can see defects introduced by the "newer"
>   version of the package. Example[10] differential build between
>   `openssl-3.1.1-4.fc39` and `openssl-3.0.9-2.fc38`.
>
> All the submitted scans can be seen on the tasks[11] page.
>
> This prototype is running on very limited resources, so please do not
> submit a scan for any resource-consuming package. Not all defects reported by
> OpenScanHub may be actual bugs, so please avoid fixing reported defects
> without careful examination. If we receive positive feedback on this
> prototype, there may be a possibility of integrating this service with the
> Fedora CI and Packit projects.
>
> This is a very early stage prototype and may behave inconsistently. Please
> keep the discussion in this thread constructive. Thank you!
>
> [1] https://kdudka.fedorapeople.org/muni23.pdf
> [2] https://github.com/openscanhub/openscanhub
> [3] https://situ.im/posts/openscanhub
> [4] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/
> [5] https://accounts.stg.fedoraproject.org
> [6] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/auth/krb5login/
> [7] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/scan/new/
> [8] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/task/6/log/openssl-3.1.1-4.fc39/scan-results.html
> [9] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/task/9/log/openssl-3.1.1-4.fc39/scan-results.html
> [10] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/task/7/log/added.html
> [11] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/task/

[1] https://github.com/openscanhub/openscanhub/issues/211
[2] https://github.com/openscanhub/openscanhub/issues/214
[3] https://staging-openscanhub.apps.ocp.stg.fedoraproject.org/task/
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
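The DiffBuild and VersionDiffBuild scan types described in the quoted message report only the defects that the downstream patches, or the newer upstream version, introduce. The following Python is an added example, not OpenScanHub's own code and not part of the thread, that models that differential step in simplified form: the base scan (unpatched tree, or older version) and the new scan are keyed on checker, file and message with line numbers deliberately dropped, so a patch that merely shifts code does not flood the report with "added" findings. The `Defect` fields, the file paths and the sample findings are constructed for the example; the missing-baseline error models the caveat that DiffBuild cannot work when the package fails to compile without patches. OpenScanHub's real matching is assumed to be more elaborate than this.

```python
# Added example: simplified model of a differential scan (DiffBuild /
# VersionDiffBuild).  Not OpenScanHub's code; field names, paths and the
# sample findings below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Defect:
    """One finding from a static analyzer run over one build."""
    checker: str  # e.g. "RESOURCE_LEAK"
    path: str     # file the defect is reported in
    line: int     # line number in the scanned source
    msg: str      # analyzer message for the key event

    def key(self):
        # Deliberately drop the line number: a downstream patch that inserts
        # ten lines above an old defect shifts it, and a line-based match
        # would then report every shifted defect as "added".
        return (self.checker, self.path, self.msg)


def _select(defects, wanted):
    """Return the concrete defects covering the multiset of keys `wanted`."""
    remaining = Counter(wanted)
    picked = []
    for d in defects:
        if remaining[d.key()] > 0:
            picked.append(d)
            remaining[d.key()] -= 1
    return picked


def diff_scans(base, new):
    """Return (added, fixed) between a base scan and a new scan.

    `base` is the scan of the unpatched (DiffBuild) or older-version
    (VersionDiffBuild) tree, `new` the scan of the patched/newer tree.
    Multisets are used so a second copy of an identical defect still
    shows up as added.  A base that did not build yields no baseline,
    which is the DiffBuild limitation the message warns about.
    """
    if base is None:
        raise ValueError("base build failed; no baseline for a differential scan")
    base_keys = Counter(d.key() for d in base)
    new_keys = Counter(d.key() for d in new)
    added = _select(new, new_keys - base_keys)   # in new, not in base
    fixed = _select(base, base_keys - new_keys)  # in base, not in new
    return added, fixed


# Constructed sample scans: the "patch" inserted lines in src/parser.c
# (shifting an old UNINIT finding from line 120 to 128), introduced a
# leak at line 45, and removed the NULL_RETURNS finding in src/server.c.
BASE_SCAN = [
    Defect("UNINIT", "src/parser.c", 120, 'Using uninitialized value "ctx".'),
    Defect("NULL_RETURNS", "src/server.c", 300,
           'Dereferencing a pointer that might be "NULL" "conn".'),
    Defect("FORWARD_NULL", "src/cli.c", 70, 'Passing null pointer "opt" to "strlen".'),
]
NEW_SCAN = [
    Defect("UNINIT", "src/parser.c", 128, 'Using uninitialized value "ctx".'),
    Defect("RESOURCE_LEAK", "src/parser.c", 45,
           'Variable "buf" going out of scope leaks the storage it points to.'),
    Defect("FORWARD_NULL", "src/cli.c", 70, 'Passing null pointer "opt" to "strlen".'),
]

if __name__ == "__main__":
    added, fixed = diff_scans(BASE_SCAN, NEW_SCAN)
    for d in added:
        print(f"ADDED {d.checker} {d.path}:{d.line} {d.msg}")
    for d in fixed:
        print(f"FIXED {d.checker} {d.path}:{d.line} {d.msg}")
```

Run as-is, the script reports the RESOURCE_LEAK at `src/parser.c:45` as added and the NULL_RETURNS at `src/server.c:300` as fixed, while the shifted UNINIT finding is correctly treated as unchanged. A differential scan only subtracts pre-existing findings; the "added" set can still contain false positives, which is why the message asks that reported defects be examined before being fixed.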