Discussion:
[Ipmitool-devel] Checking ipmitool using Coverity?
Petter Reinholdtsen
2014-01-08 20:30:06 UTC
I felt inspired the other day, and had a new look at Coverity.
Discovered that the ipmitool project was already registered, and managed
to get access. Visit <URL: https://scan.coverity.com/projects/605 > if
you want access too.

Yesterday I uploaded a build of the latest CVS source, and the checker
was able to find a lot of issues. I have not had time to look at the
individual issues.

Is the Coverity scanning something that should be done regularly?
Anyone interested in spending time tracking down the issues detected by
it?
--
Happy hacking
Petter Reinholdtsen
Zdenek Styblik
2014-01-08 20:52:05 UTC
Hello there,
Post by Petter Reinholdtsen
I felt inspired the other day, and had a new look at Coverity.
Discovered that the ipmitool project was already registered, and managed
Interesting :)
Post by Petter Reinholdtsen
to get access. Visit <URL: https://scan.coverity.com/projects/605 > if
you want access too.
Yesterday I uploaded a build of the latest CVS source, and the checker
was able to find a lot of issues. I have not had time to look at the
individual issues.
Cool.
Post by Petter Reinholdtsen
Is the Coverity scanning something that should be done regularly?
I'm not sure how good or effective Coverity is, but something is
better than nothing. Let's roll with yes then?
Post by Petter Reinholdtsen
Anyone interested in spending time tracking down the issues detected by
it?
Sadly, not right now. A month from now, probably yes and might/will.

Z.
Post by Petter Reinholdtsen
--
Happy hacking
Petter Reinholdtsen
_______________________________________________
Ipmitool-devel mailing list
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
Petter Reinholdtsen
2014-01-08 21:35:04 UTC
[Zdenek Styblik]
Post by Zdenek Styblik
Post by Petter Reinholdtsen
Is the Coverity scanning something that should be done regularly?
I'm not sure how good or effective Coverity is, but something is
better than nothing. Let's roll with yes then?
Coverity is said to have discovered heaps of security and stability
issues with free software like the Linux kernel, and is generally
believed to do a very good job at finding some classes of security and
stability bugs. A quick search sent me to
<URL: http://www.linuxinsider.com/story/79071.html >,
<URL: http://www.coverity.com/library/pdf/coverity_linuxsecurity.pdf >
and
<URL: http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext > providing background information.

Just to be sure: Is the CVS the authoritative source? (Time to move to
git?) How often should it be checked? There is a limit which I
believe is no more than three times a week.

I've added jman as a "contributor/member", whatever that role means.
It was the only pending request to get access to the results. So far
Sebastien Bouchard, me and jman have access to the scan result, and
Sebastien Bouchard and me can submit new builds.
--
Happy hacking
Petter Reinholdtsen
Jim Mankovich
2014-01-08 22:55:39 UTC
Petter,

CVS is the authoritative source and I'd be perfectly happy if we moved
to git. I don't think we will need to check very often once we get the
real issues resolved and figure out how to filter out the noise. More
than once a week seems like too often to me.
Post by Petter Reinholdtsen
[Zdenek Styblik]
Post by Zdenek Styblik
Post by Petter Reinholdtsen
Is the Coverity scanning something that should be done regularly?
I'm not sure how good or effective Coverity is, but something is
better than nothing. Let's roll with yes then?
Coverity is said to have discovered heaps of security and stability
issues with free software like the Linux kernel, and is generally
believed to do a very good job at finding some classes of security and
stability bugs. A quick search sent me to
<URL: http://www.linuxinsider.com/story/79071.html >,
<URL: http://www.coverity.com/library/pdf/coverity_linuxsecurity.pdf >
and
<URL: http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext > providing background information.
Just to be sure: Is the CVS the authoritative source? (Time to move to
git?) How often should it be checked? There is a limit which I
believe is no more than three times a week.
I've added jman as a "contributor/member", whatever that role means.
It was the only pending request to get access to the results. So far
Sebastien Bouchard, me and jman have access to the scan result, and
Sebastien Bouchard and me can submit new builds.
--
Zdenek Styblik
2014-01-10 08:44:31 UTC
Post by Petter Reinholdtsen
[Zdenek Styblik]
Post by Zdenek Styblik
Post by Petter Reinholdtsen
Is the Coverity scanning something that should be done regularly?
I'm not sure how good or effective Coverity is, but something is
better than nothing. Let's roll with yes then?
Coverity is said to have discovered heaps of security and stability
issues with free software like the Linux kernel, and is generally
believed to do a very good job at finding some classes of security and
stability bugs.
Ah, ok. It was too late and I was too lazy and tired to do any
research. Funny enough, I've read a note on Coverity the other day :)
Post by Petter Reinholdtsen
Time to move to git?
Not enough manpower, I guess, to do so. It depends on how fancy the
move should be. I got, sort of, scared by the fact we need, or might
be in need of, e-mails of contributors.
Anyway. You're free to take the wheel and do conversion from CVS to
Git. Or, if enough people yell about it, I'll do it eventually. CVS
has its disadvantages.
Post by Petter Reinholdtsen
How often should it be checked? There is a limit which I
believe is no more than three times a week.
Hard to say. Once a week is more than enough?
Post by Petter Reinholdtsen
I've added jman as a "contributor/member", whatever that role means.
It was the only pending request to get access to the results. So far
Sebastien Bouchard, me and jman have access to the scan result, and
Sebastien Bouchard and me can submit new builds.
I've tried to request access, but the site is sort of borked at the
moment. I guess their update is either incomplete or they still have
some pages cached. I'll try again later.

Z.
Post by Petter Reinholdtsen
--
Happy hacking
Petter Reinholdtsen
Zdenek Styblik
2014-01-10 11:45:16 UTC
On Fri, Jan 10, 2014 at 9:44 AM, Zdenek Styblik
Post by Zdenek Styblik
I've tried to request access, but the site is sort of borked at the
moment. I guess their update is either incomplete or they still have
some pages cached. I'll try again later.
Z.
Funny enough, it came through, despite the fact I've seen nothing
except an error page. Therefore I'm in. But as I've said, I'll give it
a look next month.

Z.
Post by Zdenek Styblik
Post by Petter Reinholdtsen
--
Happy hacking
Petter Reinholdtsen
Petter Reinholdtsen
2014-01-10 11:54:16 UTC
[Zdenek Styblik]
Post by Zdenek Styblik
Funny enough, it came through, despite the fact I've seen nothing
except an error page. Therefore I'm in. But as I've said, I'll give it
a look next month.
Your request was waiting for admin approval, and I approved it earlier
today. :)

I made you an admin too.
--
Happy hacking
Petter Reinholdtsen
Petter Reinholdtsen
2014-01-10 23:02:47 UTC
I wrote this script to build and upload a new scan to Coverity, and
just used it to do a rescan:
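
#!/bin/sh

# Stop at the first failing command.
set -e

# Send all output to run.log and detach stdin so the script can run unattended.
exec > run.log 2>&1 < /dev/null

# Trace every command into the log.
set -x

export PATH=/opt/cov-analysis-linux-6.6.1/bin:$PATH

echo starting build
date

# Check out the source on the first run, then update to the latest CVS state.
if [ ! -d ipmitool ] ; then
    cvs -z3 -d:pserver:***@ipmitool.cvs.sourceforge.net:/cvsroot/ipmitool co -P ipmitool
fi
cd ipmitool
cvs up

./bootstrap
./configure

# Build under cov-build so the compilation is captured in cov-int.
cov-build --dir cov-int make all check

make distclean

# Package the captured build for upload.
tar czvf ipmitool.tgz cov-int

datestr=$(date +%Y-%m-%d)
verstr="cvs-$datestr"
descstr="cvs snapshot"

# Upload the archive; token and email are placeholders.
curl --form project=ipmitool \
    --form token=mytoken \
    --form email=my-***@address \
    --form file=@ipmitool.tgz \
    --form version="$verstr" \
    --form description="$descstr" \
    http://scan5.coverity.com/cgi-bin/upload.py

echo success
date
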
But something is wrong. It claims lots of issues, but I am unable to
find any in the web interface. The same web interface works with the
gnash project, so there is something special about ipmitool.
--
Happy hacking
Petter Reinholdtsen
Jim Mankovich
2014-01-08 21:01:00 UTC
I'm curious as to what issues coverity is finding, so I'll take a look
once I get coverity approval.
Post by Petter Reinholdtsen
I felt inspired the other day, and had a new look at Coverity.
Discovered that the ipmitool project was already registered, and managed
to get access. Visit <URL: https://scan.coverity.com/projects/605 > if
you want access too.
Yesterday I uploaded a build of the latest CVS source, and the checker
was able to find a lot of issues. I have not had time to look at the
individual issues.
Is the Coverity scanning something that should be done regularly?
Anyone interested in spending time tracking down the issues detected by
it?
--