From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.kernel.org ([198.145.29.99])
	by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
	(Exim 4.80) (envelope-from )
	id 1fQVzm-0005D4-0N
	for speck@linutronix.de; Wed, 06 Jun 2018 12:48:50 +0200
Date: Wed, 6 Jun 2018 12:48:19 +0200
From: Greg KH
Subject: [MODERATED] Re: spectrev1+
Message-ID: <20180606104819.GA4497@kroah.com>
References: <20180601212952.GA7354@char.us.oracle.com>
	<20180604153815.GU12198@hirez.programming.kicks-ass.net>
	<20180605175837.ry5tx3widl6hj5ob@treble>
	<66ffcda6-4976-e918-3d84-10ace6eef3e6@amazon.de>
MIME-Version: 1.0
In-Reply-To: <66ffcda6-4976-e918-3d84-10ace6eef3e6@amazon.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: speck@linutronix.de
List-ID:

On Wed, Jun 06, 2018 at 11:50:04AM +0200, speck for Norbert Manthey wrote:
> Given the static code analysis efforts, I wonder whether we should also
> make use of Coverity wrt Spectre vulnerabilities. Synopsys announced
> they somewhat support this [1].

Yeah, but the results are crap :(

> Unfortunately, I do not have access to the Linux project on Coverity
> Scan [2].

I can give you access, but there's not much there to see. Apply for the
project and I'll be sure to add you. Last round I saw there was only
about a 10% valid hit rate. I don't think things have changed since
those early results.

> Does anybody on this list have access to that project there
> and can make sure the new scanner is enabled as well, or at least
> enabled in some kind of beta phase so that we can judge the usefulness
> of the reported defects. This way, we could consume the output and
> compare it to the upgraded version of smatch.

So far, what we have seen is smatch is much better. I think this is due
to some of the people who were originally working on the spectre rules
leaving Coverity recently, so our contacts dried up and now no one seems
to know what to do with regards to making these rules better.

Or at least _I_ don't know who to pester about these issues there
anymore.

thanks,

greg k-h