* Re: Coverity Open Source Defect Scan of Linux
From: Dave Jones @ 2006-03-06 5:49 UTC (permalink / raw)
To: Ben Chelf; +Cc: linux-kernel
On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:
> Right now, we're guarding access to the actual defects that we report
> for a couple of reasons: (1) We think that you, as developers of Linux,
> should have the chance to look at the defects we find to patch them
> before random other folks get to see what we found and (2) From a
> support perspective, we want to make sure that we have the appropriate
> time to engage with those who want to use the results to fix the code.
> Because of this second point, I'd ask that if you are interested in
> really digging into the results a bit further for your project, please
> have a couple of core maintainers (or group nominated individuals) reach
> out to me to request access. As this is a new process for us and still
> involves a small number of packages, I want to make sure that I
> personally can be involved with the activity that is generated from this
> effort.
>
> So I'm basically asking for people who want to play around with some
> cool new technology to help make source code better. If this interests
> you, please feel free to reach out to me directly. And of course, if
> there are other packages you care about that aren't currently on the
> list, I want to know about those too.
The last time I asked about access to your bug list, I was asked to
sign the equivalent of a non-compete agreement. Is this still in place?
Dave
--
http://www.codemonkey.org.uk
* Re: Coverity Open Source Defect Scan of Linux
From: Adrian Bunk @ 2006-03-06 10:27 UTC (permalink / raw)
To: Ben Chelf; +Cc: linux-kernel
On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:
> Hello Linux Developers,
Hi Ben,
> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. Linux is one of the
> 32 projects currently scanned at:
>
> http://scan.coverity.com
>...
> Right now, we're guarding access to the actual defects that we report
> for a couple of reasons: (1) We think that you, as developers of Linux,
> should have the chance to look at the defects we find to patch them
> before random other folks get to see what we found and (2) From a
> support perspective, we want to make sure that we have the appropriate
> time to engage with those who want to use the results to fix the code.
> Because of this second point, I'd ask that if you are interested in
> really digging into the results a bit further for your project, please
> have a couple of core maintainers (or group nominated individuals) reach
> out to me to request access. As this is a new process for us and still
> involves a small number of packages, I want to make sure that I
> personally can be involved with the activity that is generated from this
> effort.
>...
It seems there is some internal communication problem inside your
company:
This is far from being a "new process", you already offered this for
some time at http://linuxbugsdb.coverity.com/ (with the exception that
you stopped updating the results half a year ago).
If you as the CTO didn't know about this it is giving a very bad
impression of your company.
Some questions regarding this move:
- can you migrate the accounts from linuxbugsdb.coverity.com?
- are the comments Linux kernel developers like me did at
linuxbugsdb.coverity.com migrated to scan.coverity.com or was this
wasted work?
Another thing you could give a small clarification about:
Your email sounds as if your offer was like a charity offer from
Coverity, Inc.
OTOH, I remember press rumors of Coverity, Inc getting 297 000 Dollar
for this from the Department of Homeland Security.
I'm sure you are not silently omitting that you are getting public
funding for what you are offering, but an official statement would be
nice.
> -ben
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
* Re: Coverity Open Source Defect Scan of Linux
From: Bernd Petrovitsch @ 2006-03-06 10:43 UTC (permalink / raw)
To: Ben Chelf; +Cc: Adrian Bunk, linux-kernel
Some improvements for the next press release (of Coverity, Inc.):
On Mon, 2006-03-06 at 11:27 +0100, Adrian Bunk wrote:
> On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:
> > Hello Linux Developers,
[...]
> > analysis back to the developers of those projects. Linux is one of the
^^^^^
should have been "The Linux kernel"
[...]
> > for a couple of reasons: (1) We think that you, as developers of Linux,
^^^^^
should have been "the Linux kernel"
[...]
> It seems there is some internal communication problem inside your
> company:
ACK.
> This is far from being a "new process", you already offered this for
> some time at http://linuxbugsdb.coverity.com/ (with the exception that
> you stopped updating the results half a year ago).
>
> If you as the CTO didn't know about this it is giving a very bad
> impression of your company.
[...]
Bernd
--
Firmix Software GmbH http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
Embedded Linux Development and Services
* Re: Coverity Open Source Defect Scan of Linux
From: Michal Schmidt @ 2006-03-06 11:03 UTC (permalink / raw)
To: Bernd Petrovitsch; +Cc: Ben Chelf, Adrian Bunk, linux-kernel
Bernd Petrovitsch wrote:
> > > analysis back to the developers of those projects. Linux is one of the
> ^^^^^
> should have been "The Linux kernel"
Why? Are you afraid of confusion with Linux the washing powder?
Michal
* Re: Coverity Open Source Defect Scan of Linux
From: Bernd Petrovitsch @ 2006-03-06 11:08 UTC (permalink / raw)
To: Michal Schmidt; +Cc: Ben Chelf, Adrian Bunk, linux-kernel
On Mon, 2006-03-06 at 12:03 +0100, Michal Schmidt wrote:
> Bernd Petrovitsch wrote:
> > > > analysis back to the developers of those projects. Linux is one of the
> > ^^^^^
> > should have been "The Linux kernel"
>
> Why? Are you afraid of confusion with Linux the washing powder?
No (that's actually the confusion I don't fear).
The word "Linux" used as above has lots of different interpretations
depending on who you ask (from "Linux kernel" to "Linux distribution" to
"open source software" and I won't try to guess what sales people in
their average ignorance would answer).
"The Linux kernel" is not that much longer and much more accurate.
Yes, directly (and only) here on LKML there is probably no problem. But
these mails are also in some mail archives on the web .....
Bernd
--
Firmix Software GmbH http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
Embedded Linux Development and Services
* Re: Coverity Open Source Defect Scan of Linux
From: Ben Chelf @ 2006-03-06 13:39 UTC (permalink / raw)
To: Bernd Petrovitsch; +Cc: Michal Schmidt, Adrian Bunk, linux-kernel
Bernd Petrovitsch wrote:
> On Mon, 2006-03-06 at 12:03 +0100, Michal Schmidt wrote:
>
>>Bernd Petrovitsch wrote:
>>
>>>>>analysis back to the developers of those projects. Linux is one of the
>>>
>>> ^^^^^
>>> should have been "The Linux kernel"
>>
>>Why? Are you afraid of confusion with Linux the washing powder?
>
>
> No (that's actually the cobfusion I don't fear).
Just to clarify -- I am aware (and have been since its inception) of
Coverity's previous work on the subject. I was one of the guys at
Stanford who started pushing Linux through the technology years and
years ago :) However, the "new process" piece is the fact that now we
have the infrastructure in place to provide the results of the daily
scans that we are performing of the kernel and other open source
projects back to the developers and core maintainers of those projects.
Sorry about any confusion caused by my terminology with "Linux". I
admit, form email and should have been "Linux kernel"...
-ben
* Re: Coverity Open Source Defect Scan of Linux
From: Gene Heskett @ 2006-03-06 11:57 UTC (permalink / raw)
To: linux-kernel
On Monday 06 March 2006 06:03, Michal Schmidt wrote:
>Bernd Petrovitsch wrote:
>> > > analysis back to the developers of those projects. Linux is one
>> > > of the
>>
>> ^^^^^
>> should have been "The Linux kernel"
>
>Why? Are you afraid of confusion with Linux the washing powder?
>
If there is indeed a linux washing powder, where might it be obtained?
I get a bad case of contact dermatitis when I use the regular stuff from
M$.
>Michal
--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
* Re: Coverity Open Source Defect Scan of Linux
From: Ben Chelf @ 2006-03-06 13:46 UTC (permalink / raw)
To: Adrian Bunk; +Cc: linux-kernel
(sorry for not responding to all Qs in the last email)
> Some questions regarding this move:
> - can you migrate the accounts from linuxbugsdb.coverity.com?
>
I will look into this -- I don't see any reason not to.
> - are the comments Linux kernel developers like me did at
> linuxbugsdb.coverity.com migrated to scan.coverity.com or was this
> wasted work?
>
That may be a bit more challenging, but again, I'll look into it. The
goal, of course, was not to waste your (or anyone's) work...
>
> Another thing you could give a small clarification about:
> Your email sounds as if your offer was like a charity offer from
> Coverity, Inc.
>
> OTOH, I remember press rumors of Coverity, Inc getting 297 000 Dollar
> for this from the Department of Homeland Security.
>
> I'm sure you are not silently omitting that you are getting public
> fundings for what you are offering, but an official statement would be
> nice.
>
Snipped from http://scan.coverity.com:
"In collaboration with Stanford University, Coverity is establishing a
new baseline for software quality and security in open source based on
the analysis of over 30 of the most critical and widely used open source
projects in the world. Under a contract with the Department of Homeland
Security, we apply the latest innovation in automated defect detection
to uncover some of the most critical types of bugs found in software.
We are making the results of our automated analysis available to the
maintainers within the open source community. Additional projects will
be added over time. Through this process, our hope is that the benefits
of the open source model are further accelerated with faster and easier
remediation of defects in open source."
I feared my original email was a bit too long as it stood...apologies if
anyone felt misled.
-ben
* Re: Coverity Open Source Defect Scan of Linux
From: Greg KH @ 2006-03-06 15:46 UTC (permalink / raw)
To: Ben Chelf; +Cc: linux-kernel
On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:
> Right now, we're guarding access to the actual defects that we report
> for a couple of reasons: (1) We think that you, as developers of Linux,
> should have the chance to look at the defects we find to patch them
> before random other folks get to see what we found and (2) From a
> support perspective, we want to make sure that we have the appropriate
> time to engage with those who want to use the results to fix the code.
If you feel these are security related, please contact
security@kernel.org with the information (as is documented in the kernel
documentation). If you do not feel they are security related, but just
normal bugs that don't really cause problems, feel free to just post the
information here on lkml, and cc: the maintainers of the affected areas
of code.
In other words, these should be treated like any other potential bug
report. And I mean "potential", as your tool has had false positives in
the past :)
thanks,
greg k-h
* Re: Coverity Open Source Defect Scan of Linux
From: Pavel Machek @ 2006-03-06 18:33 UTC (permalink / raw)
To: Ben Chelf; +Cc: linux-kernel
On Ne 05-03-06 21:35:11, Ben Chelf wrote:
> Hello Linux Developers,
>
> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. Linux is one of the
> 32 projects currently scanned at:
>
> http://scan.coverity.com
>
> My belief is that we (Coverity) must reach out to the developers of
> these packages (you) in order to make progress in actually fixing the
> defects that we happen to find, so this is my first step in that
> mission. Of course, I think Coverity technology is great, but I want
Could you just open the (kernel) results to the public? Going after
warnings from compiler (afaics that's roughly what coverity is) is
ideal janitorial job, and job where many people -- not only core
developers -- can help.
Pavel
--
Web maintainer for suspend.sf.net (www.sf.net/projects/suspend) wanted...
* Re: Coverity Open Source Defect Scan of Linux
From: Jesper Juhl @ 2006-03-06 18:53 UTC (permalink / raw)
To: Pavel Machek; +Cc: Ben Chelf, linux-kernel
On 3/6/06, Pavel Machek <pavel@ucw.cz> wrote:
> On Ne 05-03-06 21:35:11, Ben Chelf wrote:
> > Hello Linux Developers,
> >
> > I'm the CTO of Coverity, Inc., a company that does static source code
> > analysis to look for defects in code. You may have heard of us or of our
> > technology from its days at Stanford (the "Stanford Checker"). The
> > reason I'm writing is because we have set up a framework internally to
> > continually scan open source projects and provide the results of our
> > analysis back to the developers of those projects. Linux is one of the
> > 32 projects currently scanned at:
> >
> > http://scan.coverity.com
> >
> > My belief is that we (Coverity) must reach out to the developers of
> > these packages (you) in order to make progress in actually fixing the
> > defects that we happen to find, so this is my first step in that
> > mission. Of course, I think Coverity technology is great, but I want
>
> Could you just open the (kernel) results to the public? Going after
> warnings from compiler (afaics that's roughly what coverity is) is
> ideal janitorial job, and job where many people -- not only core
> developers -- can help.
> Pavel
I agree.
Cleaning some of this stuff up is something that I would be prepared
to work on, but I honestly can't be bothered to have to "register"
with coverity for the privilege of seeing the bug-reports...
Linux is a public project, just make the bug-reports/check results
public somewhere so we can all work on them.
--
Jesper Juhl <jesper.juhl@gmail.com>
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please http://www.expita.com/nomime.html
* Re: Coverity Open Source Defect Scan of Linux
From: Mauro Carvalho Chehab @ 2006-03-14 12:37 UTC (permalink / raw)
To: ben; +Cc: linux-kernel
Ben,
I'm the maintainer of the V4L/DVB subsystem of the Linux Kernel
(http://linuxtv.org). I think your tool may be useful to our work.
Would you please give me access to the tool?
On Sun, 2006-03-05 at 21:35 -0800, Ben Chelf wrote:
> Hello Linux Developers,
>
> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. Linux is one of the
> 32 projects currently scanned at:
>
> http://scan.coverity.com
Cheers,
Mauro.
* Re: Coverity Open Source Defect Scan of Linux
From: Lee Revell @ 2006-03-15 3:41 UTC (permalink / raw)
To: ben; +Cc: linux-kernel, Takashi Iwai, Jaroslav Kysela, alsa-devel
On Sun, 2006-03-05 at 21:35 -0800, Ben Chelf wrote:
> Hello Linux Developers,
>
> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. Linux is one of the
> 32 projects currently scanned at:
>
> http://scan.coverity.com
It would be nice to run this against the userspace components of ALSA
too...
http://www.alsa-project.org
Lee