[COVERITY ACCESS] for Embedded/Automotive team

[COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello

I would like to request access to Coverity Scan project. Hereby, I:
 - agree to follow the security response process.
 - undertake to report security issues discovered to the security team
(security@xenproject.org) within 3 days of discovery.
 - agree to disclose the issue only to the security team and not to
any other third party
 - waive their (security team) right to select the disclosure time
line. Discoveries will follow the default time lines given in the
policy.

We work with Xen on ARM since 2012. Our primary goal is to introduce
Xen for embedded and in particular in automotive SW domains. Our
current activities are: ARM-based SoCs support (Renesas, TI, etc.), PV
drivers development (audio, video, input, etc.), co-processors support
and trusted environment support through OP-TEE integration. All of our
work is public and published in OSS mailing lists. We would like to
contribute in stability of Xen overall and Xen on ARM in particular
since this is absolutely critical for most of embedded applications.

Best regards,
Artem Mygaiev
-----BEGIN PGP SIGNATURE-----
Version: Mailvelope v1.5.2
Comment: https://www.mailvelope.com

wsFcBAEBCAAQBQJYLwPFCRBNzzYYJgaZIAAAk9oP/0A3r08qWawNKfjQO/AQ
GE3MH13ZdzCI853XQlThVMZ6nBto1wmRXBzcySwjg6fb/J0E5e69ZB46c+LE
DeXeFRT5uHAUO0Jl8dDUD+N2pZrX4V98IbES3BZlEeVfS2oy3nFys1Q764vv
vK1Dhh26vW/ryk++ysyzc5ngo7yP2FqL5b6qhJ3LgmlFBE68yxpE9+LVijVP
E5VzSJWcQicJdJ0dtHga8vP3+TMCMEnlUXERZTdMPKeHjLhmX8azfK9TRAaU
KHXtlUuF5M0nfX1NynKJ4Z8aTMaHtF/fjyWfw9LeuhvEHu1oM/L5uOfnLA1O
SmXkGJqvLM6PZ2sgowyhFOXgMpewMdZovAZE6KqUPndsBwEX/rT49kFR29j+
Wo6thMDSg3IFWjHPdnizmHBZ5bJ5K7YTJJiW6RSoL1ngtCT69LXA0KaBuGjX
qSld1p2bOLKQVG/uhUT3/x0Hxd/lrJi+hPO7OwP47CqAHLGwqJaxWDUmPCIj
EImyxcsUJ0dHbqwHK1LZhnK+N0TF+DlrEGWwNRXQMwtALpL+97HRyIiPQwsD
lHwkcwAz0mtqmIPFhoe1xaYdBmr5ZXO2dhIPratASS1NqQFpVpMBG1XxzGSF
7aAZwtKqXaBxv6KWl65BmsUweL35zZW4BOR/aaEVlYi5/eOjy8L58uERPCJL
F83h
=6eKi
-----END PGP SIGNATURE-----

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Andrew Cooper]

On 18/11/16 13:36, Artem Mygaiev wrote:
> Hello
>
> I would like to request access to Coverity Scan project. Hereby, I:
>  - agree to follow the security response process.
>  - undertake to report security issues discovered to the security team
> (security@xenproject.org) within 3 days of discovery.
>  - agree to disclose the issue only to the security team and not to
> any other third party
>  - waive their (security team) right to select the disclosure time
> line. Discoveries will follow the default time lines given in the
> policy.
>
> We work with Xen on ARM since 2012. Our primary goal is to introduce
> Xen for embedded and in particular in automotive SW domains. Our
> current activities are: ARM-based SoCs support (Renesas, TI, etc.), PV
> drivers development (audio, video, input, etc.), co-processors support
> and trusted environment support through OP-TEE integration. All of our
> work is public and published in OSS mailing lists. We would like to
> contribute in stability of Xen overall and Xen on ARM in particular
> since this is absolutely critical for most of embedded applications.

I don't have an objection in principle.  However, I doubt you will find
access useful.

Because of the restriction of only being permitted a single Coverity
stream, it is only the x86 build which is submitted for analysis.  To
submit builds for separate architectures, we need alternative streams. 
I already requested this but the request was denied.

~Andrew


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Konrad Rzeszutek Wilk]

On Fri, Nov 18, 2016 at 01:56:38PM +0000, Andrew Cooper wrote:
> On 18/11/16 13:36, Artem Mygaiev wrote:
> > Hello
> >
> > I would like to request access to Coverity Scan project. Hereby, I:
> >  - agree to follow the security response process.
> >  - undertake to report security issues discovered to the security team
> > (security@xenproject.org) within 3 days of discovery.
> >  - agree to disclose the issue only to the security team and not to
> > any other third party
> >  - waive their (security team) right to select the disclosure time
> > line. Discoveries will follow the default time lines given in the
> > policy.
> >
> > We work with Xen on ARM since 2012. Our primary goal is to introduce
> > Xen for embedded and in particular in automotive SW domains. Our
> > current activities are: ARM-based SoCs support (Renesas, TI, etc.), PV
> > drivers development (audio, video, input, etc.), co-processors support
> > and trusted environment support through OP-TEE integration. All of our
> > work is public and published in OSS mailing lists. We would like to
> > contribute in stability of Xen overall and Xen on ARM in particular
> > since this is absolutely critical for most of embedded applications.
> 
> I don't have an objection in principle.  However, I doubt you will find
> access useful.
> 
> Because of the restriction of only being permitted a single Coverity
> stream, it is only the x86 build which is submitted for analysis.  To
> submit builds for separate architectures, we need alternative streams. 
> I already requested this but the request was denied.

Perhaps Artem doing it - along with linking to this thread could
sway their minds? (Hi Coverity folks!)

+1 on the request.
> 
> ~Andrew
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> https://lists.xen.org/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Julien Grall]

Hello,

On 18/11/2016 09:28, Konrad Rzeszutek Wilk wrote:
> On Fri, Nov 18, 2016 at 01:56:38PM +0000, Andrew Cooper wrote:
>> On 18/11/16 13:36, Artem Mygaiev wrote:
>>> Hello
>>>
>>> I would like to request access to Coverity Scan project. Hereby, I:
>>>  - agree to follow the security response process.
>>>  - undertake to report security issues discovered to the security team
>>> (security@xenproject.org) within 3 days of discovery.
>>>  - agree to disclose the issue only to the security team and not to
>>> any other third party
>>>  - waive their (security team) right to select the disclosure time
>>> line. Discoveries will follow the default time lines given in the
>>> policy.
>>>
>>> We work with Xen on ARM since 2012. Our primary goal is to introduce
>>> Xen for embedded and in particular in automotive SW domains. Our
>>> current activities are: ARM-based SoCs support (Renesas, TI, etc.), PV
>>> drivers development (audio, video, input, etc.), co-processors support
>>> and trusted environment support through OP-TEE integration. All of our
>>> work is public and published in OSS mailing lists. We would like to
>>> contribute in stability of Xen overall and Xen on ARM in particular
>>> since this is absolutely critical for most of embedded applications.
>>
>> I don't have an objection in principle.  However, I doubt you will find
>> access useful.
>>
>> Because of the restriction of only being permitted a single Coverity
>> stream, it is only the x86 build which is submitted for analysis.  To
>> submit builds for separate architectures, we need alternative streams.
>> I already requested this but the request was denied.
>
> Perhaps Artem doing it - along with linking to this thread could
> sway their minds? (Hi Coverity folks!)

Coverity has been proven useful on x86 to catch some bugs. A such things 
would be nice for ARM too. Is there anything we can do to get coverity 
testing ARM? (CC Lars).

>
> +1 on the request.

In the current state and regardless whether coverity supports ARM, I 
would lean towards -1 on the request.

I would prefer to give coverity access to developer that have 
established contribution on Xen ARM upstream.

Artem, in the mail subject you mentioned "Embedded/Automotive team". 
Does it mean you are requesting coverity access for all the team?

Regards,

[1] https://www.xenproject.org/developers/teams/embedded-and-automotive.html

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Lars Kurth]

On 18/11/2016 20:55, "Julien Grall" <julien.grall@arm.com> wrote:

>Hello,
>
>On 18/11/2016 09:28, Konrad Rzeszutek Wilk wrote:
>> On Fri, Nov 18, 2016 at 01:56:38PM +0000, Andrew Cooper wrote:
>>> On 18/11/16 13:36, Artem Mygaiev wrote:
>>>> Hello
>>>>
>>>> I would like to request access to Coverity Scan project. Hereby, I:
>>>>  - agree to follow the security response process.
>>>>  - undertake to report security issues discovered to the security team
>>>> (security@xenproject.org) within 3 days of discovery.
>>>>  - agree to disclose the issue only to the security team and not to
>>>> any other third party
>>>>  - waive their (security team) right to select the disclosure time
>>>> line. Discoveries will follow the default time lines given in the
>>>> policy.
>>>>
>>>> We work with Xen on ARM since 2012. Our primary goal is to introduce
>>>> Xen for embedded and in particular in automotive SW domains. Our
>>>> current activities are: ARM-based SoCs support (Renesas, TI, etc.), PV
>>>> drivers development (audio, video, input, etc.), co-processors support
>>>> and trusted environment support through OP-TEE integration. All of our
>>>> work is public and published in OSS mailing lists. We would like to
>>>> contribute in stability of Xen overall and Xen on ARM in particular
>>>> since this is absolutely critical for most of embedded applications.
>>>
>>> I don't have an objection in principle.  However, I doubt you will find
>>> access useful.
>>>
>>> Because of the restriction of only being permitted a single Coverity
>>> stream, it is only the x86 build which is submitted for analysis.  To
>>> submit builds for separate architectures, we need alternative streams.
>>> I already requested this but the request was denied.
>>
>> Perhaps Artem doing it - along with linking to this thread could
>> sway their minds? (Hi Coverity folks!)
>
>Coverity has been proven useful on x86 to catch some bugs. A such things
>would be nice for ARM too. Is there anything we can do to get coverity
>testing ARM? (CC Lars).

Coverity does static code analysis. It analyses our entire tree, although
I don't know whether we updated it to point it to new repos such as the
mini-os one. 

>> +1 on the request.
>
>In the current state and regardless whether coverity supports ARM, I
>would lean towards -1 on the request.
>
>I would prefer to give coverity access to developer that have
>established contribution on Xen ARM upstream.
>
>Artem, in the mail subject you mentioned "Embedded/Automotive team".
>Does it mean you are requesting coverity access for all the team?
>
>Regards,
>
>[1] 
>https://www.xenproject.org/developers/teams/embedded-and-automotive.html
>
>-- 
>Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

On 18.11.16 22:55, Julien Grall wrote:
> Coverity has been proven useful on x86 to catch some bugs. A such
> things would be nice for ARM too. Is there anything we can do to get
> coverity testing ARM? (CC Lars).
This is exactly what we want to do - update model files (if needed),
prepare some reference ARM build and run static analysis with Coverity Scan.
> I would prefer to give coverity access to developer that have
> established contribution on Xen ARM upstream.
If there is anyone else who wants to lead this - we will be happy to help.
> Artem, in the mail subject you mentioned "Embedded/Automotive team".
> Does it mean you are requesting coverity access for all the team?
> [1]
> https://www.xenproject.org/developers/teams/embedded-and-automotive.html
Right now it is only for me - to set up environment and create coverage
build.


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Julien Grall]

Hi Lars,

On 19/11/16 16:53, Lars Kurth wrote:
> On 18/11/2016 20:55, "Julien Grall" <julien.grall@arm.com> wrote:
>>
>> Coverity has been proven useful on x86 to catch some bugs. A such things
>> would be nice for ARM too. Is there anything we can do to get coverity
>> testing ARM? (CC Lars).
>
> Coverity does static code analysis. It analyses our entire tree, although
> I don't know whether we updated it to point it to new repos such as the
> mini-os one.

I thought coverity was hooking into the build system by replacing the 
compiler, right?

If so, how does coverity analyze xen/arch/arm?

Cheers,
-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Lars Kurth]

On 22/11/2016 11:51, "Julien Grall" <julien.grall@arm.com> wrote:

>Hi Lars,
>
>On 19/11/16 16:53, Lars Kurth wrote:
>> On 18/11/2016 20:55, "Julien Grall" <julien.grall@arm.com> wrote:
>>>
>>> Coverity has been proven useful on x86 to catch some bugs. A such
>>>things
>>> would be nice for ARM too. Is there anything we can do to get coverity
>>> testing ARM? (CC Lars).
>>
>> Coverity does static code analysis. It analyses our entire tree,
>>although
>> I don't know whether we updated it to point it to new repos such as the
>> mini-os one.
>
>I thought coverity was hooking into the build system by replacing the
>compiler, right?
>
>If so, how does coverity analyze xen/arch/arm?

I guess that is a question for someone else who is more familiar with the
set-up. But there shouldn't be any technical reason which prevents
Coverity scan from running on any CPU specific code.

Lars

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

Coverity Scan does static analysis only, but hooks into the build system
in order to track compilation process and build map of source code to
analyze.

In addition to connecting the build process, user of Scan needs to
provide a) filters to specify particular components for analysis and b)
model that implements "library" functions like synchronization, memory
allocation, etc.

[1] http://www.coverity.com/products/coverity-save/

On 22.11.16 13:55, Lars Kurth wrote:
> On 22/11/2016 11:51, "Julien Grall" <julien.grall@arm.com> wrote:
>
>> Hi Lars,
>>
>> On 19/11/16 16:53, Lars Kurth wrote:
>>> On 18/11/2016 20:55, "Julien Grall" <julien.grall@arm.com> wrote:
>>>> Coverity has been proven useful on x86 to catch some bugs. A such
>>>> things
>>>> would be nice for ARM too. Is there anything we can do to get coverity
>>>> testing ARM? (CC Lars).
>>> Coverity does static code analysis. It analyses our entire tree,
>>> although
>>> I don't know whether we updated it to point it to new repos such as the
>>> mini-os one.
>> I thought coverity was hooking into the build system by replacing the
>> compiler, right?
>>
>> If so, how does coverity analyze xen/arch/arm?
> I guess that is a question for someone else who is more familiar with the
> set-up. But there shouldn't be any technical reason which prevents
> Coverity scan from running on any CPU specific code.
>
> Lars
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> https://lists.xen.org/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Andrew Cooper]

On 22/11/16 11:55, Lars Kurth wrote:
>
> On 22/11/2016 11:51, "Julien Grall" <julien.grall@arm.com> wrote:
>
>> Hi Lars,
>>
>> On 19/11/16 16:53, Lars Kurth wrote:
>>> On 18/11/2016 20:55, "Julien Grall" <julien.grall@arm.com> wrote:
>>>> Coverity has been proven useful on x86 to catch some bugs. A such
>>>> things
>>>> would be nice for ARM too. Is there anything we can do to get coverity
>>>> testing ARM? (CC Lars).
>>> Coverity does static code analysis. It analyses our entire tree,
>>> although
>>> I don't know whether we updated it to point it to new repos such as the
>>> mini-os one.
>> I thought coverity was hooking into the build system by replacing the
>> compiler, right?
>>
>> If so, how does coverity analyze xen/arch/arm?
> I guess that is a question for someone else who is more familiar with the
> set-up. But there shouldn't be any technical reason which prevents
> Coverity scan from running on any CPU specific code.

There is no technical problem with using Coverity for ARM.  Coverity, as
a product, is capable of doing this.

The problem is that Coverity Scan only offers us one stream for the Xen
Project, and we cannot mix architectures within a single stream.  (Not
that we physically can't, but that the change tracking of defects would
be meaningless).

The only way we could scan for ARM is if we could be given multiple
different streams (one per arch) to use, and Coverity have already said
no to this request.  This is a politics problem, not a technical problem.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

On 22.11.16 15:42, Andrew Cooper wrote:
> On 22/11/16 11:55, Lars Kurth wrote:
>> On 22/11/2016 11:51, "Julien Grall" <julien.grall@arm.com> wrote:
>>
>>> Hi Lars,
>>>
>>> On 19/11/16 16:53, Lars Kurth wrote:
>>>> On 18/11/2016 20:55, "Julien Grall" <julien.grall@arm.com> wrote:
>>>>> Coverity has been proven useful on x86 to catch some bugs. A such
>>>>> things
>>>>> would be nice for ARM too. Is there anything we can do to get coverity
>>>>> testing ARM? (CC Lars).
>>>> Coverity does static code analysis. It analyses our entire tree,
>>>> although
>>>> I don't know whether we updated it to point it to new repos such as the
>>>> mini-os one.
>>> I thought coverity was hooking into the build system by replacing the
>>> compiler, right?
>>>
>>> If so, how does coverity analyze xen/arch/arm?
>> I guess that is a question for someone else who is more familiar with the
>> set-up. But there shouldn't be any technical reason which prevents
>> Coverity scan from running on any CPU specific code.
> There is no technical problem with using Coverity for ARM.  Coverity, as
> a product, is capable of doing this.
>
> The problem is that Coverity Scan only offers us one stream for the Xen
> Project, and we cannot mix architectures within a single stream.  (Not
> that we physically can't, but that the change tracking of defects would
> be meaningless).
>
> The only way we could scan for ARM is if we could be given multiple
> different streams (one per arch) to use, and Coverity have already said
> no to this request.  This is a politics problem, not a technical problem.

Andrew, I understand, thanks.

Would it be still possible to get Scan model files for us? We would like
to update them for use with ARM. BTW, we could set up ARM build Coverity
Scan with GitHub/Travis only limited by amount of runs per week
(depending on number LOC number).

BR, Artem


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Lars Kurth]

On 22/11/2016 13:54, "Artem Mygaiev" <artem_mygaiev@epam.com> wrote:

>On 22.11.16 15:42, Andrew Cooper wrote:
>>
>>
>> The only way we could scan for ARM is if we could be given multiple
>> different streams (one per arch) to use, and Coverity have already said
>> no to this request.  This is a politics problem, not a technical
>>problem.
>
>Andrew, I understand, thanks.

Andrew, thanks for the clarification.

>Would it be still possible to get Scan model files for us? We would like
>to update them for use with ARM. BTW, we could set up ARM build Coverity
>Scan with GitHub/Travis only limited by amount of runs per week
>(depending on number LOC number).

Artem, just to clarify.

I am assuming you have a license for Coverity that would allow you to run
it on a different configuration: Correct?
And there are some constraints on how frequently this could be run?
And you would be willing to run this on behalf of the project for an ARM
configuration?

Regards
Lars


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

[-- Attachment #1.1: Type: text/plain, Size: 2273 bytes --]

On 28.11.16 12:27, Lars Kurth wrote:
> On 22/11/2016 13:54, "Artem Mygaiev" <artem_mygaiev@epam.com> wrote:
>> On 22.11.16 15:42, Andrew Cooper wrote:
>>> The only way we could scan for ARM is if we could be given multiple
>>> different streams (one per arch) to use, and Coverity have already said
>>> no to this request.  This is a politics problem, not a technical
>>> problem.
>> Andrew, I understand, thanks.
> Andrew, thanks for the clarification.
>> Would it be still possible to get Scan model files for us? We would like
>> to update them for use with ARM. BTW, we could set up ARM build Coverity
>> Scan with GitHub/Travis only limited by amount of runs per week
>> (depending on number LOC number).
> Artem, just to clarify.
>
> I am assuming you have a license for Coverity that would allow you to run
> it on a different configuration: Correct?
I have just applied for Coverity Scan with project application. It is
yet to be approved (usually takes couple business days).
> And there are some constraints on how frequently this could be run?
Yes, there are constraints [1]:
   - Up to 12 builds per week, with a maximum of 3 builds per day, for
projects with fewer than 100K lines of code
   - Up to   8 builds per week, with a maximum of 2 builds per day, for
projects with 100K to 500K lines of code
   - Up to   4 builds per week, with a maximum of 1 build per day, for
projects with 500K to 1 million lines of code
   - Up to   2 builds per week, with a maximum of 1 build per day, for
projects with more than 1 million lines of code
For Xen on ARM I have got a build with 29,340 LOC so I guess 12
builds/week, 3 builds/day

> And you would be willing to run this on behalf of the project for an ARM
> configuration?
Well, I would like to start with ensuring we actually have full coverage
of ARM build, and it is possible to run xen mainline scans without any
changes or hacks in Travis configuration and Scan script. If so, we
could maintain this on behalf of the project, unless there are
objections (I guess Julien mentioned that someone with established
contribution on Xen ARM upstream could be driving this).

Of course, we will also use Scan for testing any patches we are
preparing to upstream.

------
[1] https://scan.coverity.com/faq#frequency

[-- Attachment #1.2: Type: text/html, Size: 4208 bytes --]

[-- Attachment #2: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

[-- Attachment #1.1: Type: text/plain, Size: 2517 bytes --]

Lars, the project is approved by Coverity. Scan has found some issues in
xen/arch/arm on master, part of them are false positives.


On 28.11.16 13:01, Artem Mygaiev wrote:
> On 28.11.16 12:27, Lars Kurth wrote:
>> On 22/11/2016 13:54, "Artem Mygaiev" <artem_mygaiev@epam.com> wrote:
>>> On 22.11.16 15:42, Andrew Cooper wrote:
>>>> The only way we could scan for ARM is if we could be given multiple
>>>> different streams (one per arch) to use, and Coverity have already said
>>>> no to this request.  This is a politics problem, not a technical
>>>> problem.
>>> Andrew, I understand, thanks.
>> Andrew, thanks for the clarification.
>>> Would it be still possible to get Scan model files for us? We would like
>>> to update them for use with ARM. BTW, we could set up ARM build Coverity
>>> Scan with GitHub/Travis only limited by amount of runs per week
>>> (depending on number LOC number).
>> Artem, just to clarify.
>>
>> I am assuming you have a license for Coverity that would allow you to run
>> it on a different configuration: Correct?
> I have just applied for Coverity Scan with project application. It is
> yet to be approved (usually takes couple business days).
>> And there are some constraints on how frequently this could be run?
> Yes, there are constraints [1]:
>    - Up to 12 builds per week, with a maximum of 3 builds per day, for
> projects with fewer than 100K lines of code
>    - Up to   8 builds per week, with a maximum of 2 builds per day,
> for projects with 100K to 500K lines of code
>    - Up to   4 builds per week, with a maximum of 1 build per day, for
> projects with 500K to 1 million lines of code
>    - Up to   2 builds per week, with a maximum of 1 build per day, for
> projects with more than 1 million lines of code
> For Xen on ARM I have got a build with 29,340 LOC so I guess 12
> builds/week, 3 builds/day
>
>> And you would be willing to run this on behalf of the project for an ARM
>> configuration?
> Well, I would like to start with ensuring we actually have full
> coverage of ARM build, and it is possible to run xen mainline scans
> without any changes or hacks in Travis configuration and Scan script.
> If so, we could maintain this on behalf of the project, unless there
> are objections (I guess Julien mentioned that someone with established
> contribution on Xen ARM upstream could be driving this).
>
> Of course, we will also use Scan for testing any patches we are
> preparing to upstream.
>
> ------
> [1] https://scan.coverity.com/faq#frequency


[-- Attachment #1.2: Type: text/html, Size: 4843 bytes --]

[-- Attachment #2: Type: text/plain, Size: 127 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Julien Grall]

Hi Artem,

On 29/11/16 14:21, Artem Mygaiev wrote:
> Lars, the project is approved by Coverity. Scan has found some issues in
> xen/arch/arm on master, part of them are false positives.

Perfect. It would be interesting to know the list of issues so we can 
categorize them (i.e are they security issue) and address them.

Cheers,

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Lars Kurth]

Please don't post them to xen-devel@ though: as a one-off, you may want to
send to Julien and maybe Stefano
Longer term, we ought to find a way to send the output to a safe place, as
for x86
Lars

On 29/11/2016 14:27, "Julien Grall" <julien.grall@arm.com> wrote:

>Hi Artem,
>
>On 29/11/16 14:21, Artem Mygaiev wrote:
>> Lars, the project is approved by Coverity. Scan has found some issues in
>> xen/arch/arm on master, part of them are false positives.
>
>Perfect. It would be interesting to know the list of issues so we can
>categorize them (i.e are they security issue) and address them.
>
>Cheers,
>
>-- 
>Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

Hi Julien

On 29.11.16 16:27, Julien Grall wrote:
> Hi Artem,
>
> On 29/11/16 14:21, Artem Mygaiev wrote:
>> Lars, the project is approved by Coverity. Scan has found some issues in
>> xen/arch/arm on master, part of them are false positives.
>
> Perfect. It would be interesting to know the list of issues so we can
> categorize them (i.e are they security issue) and address them.

Let me clean up the build scripts a bit and I will send you invite to
Coverity Scan project

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Julien Grall]

On 29/11/16 15:09, Artem Mygaiev wrote:
> Hi Julien
>
> On 29.11.16 16:27, Julien Grall wrote:
>> Hi Artem,
>>
>> On 29/11/16 14:21, Artem Mygaiev wrote:
>>> Lars, the project is approved by Coverity. Scan has found some issues in
>>> xen/arch/arm on master, part of them are false positives.
>>
>> Perfect. It would be interesting to know the list of issues so we can
>> categorize them (i.e are they security issue) and address them.
>
> Let me clean up the build scripts a bit and I will send you invite to
> Coverity Scan project
>

Thank you!

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Stefano Stabellini]

On Tue, 29 Nov 2016, Artem Mygaiev wrote:
> Hi Julien
> 
> On 29.11.16 16:27, Julien Grall wrote:
> > Hi Artem,
> >
> > On 29/11/16 14:21, Artem Mygaiev wrote:
> >> Lars, the project is approved by Coverity. Scan has found some issues in
> >> xen/arch/arm on master, part of them are false positives.
> >
> > Perfect. It would be interesting to know the list of issues so we can
> > categorize them (i.e are they security issue) and address them.
> 
> Let me clean up the build scripts a bit and I will send you invite to
> Coverity Scan project

I would like access too if possible, thanks!

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

Hi Lars


On 29.11.16 17:04, Lars Kurth wrote:
> Please don't post them to xen-devel@ though: as a one-off, you may want to
> send to Julien and maybe Stefano
> Longer term, we ought to find a way to send the output to a safe place, as
> for x86
> Lars

I have added Julien, Stefano and you as members, so you can view, triage
and edit defects.
For now this is based on custom Travis build script and our xen repo
mirror on GitHub.
>
> On 29/11/2016 14:27, "Julien Grall" <julien.grall@arm.com> wrote:
>
>> Hi Artem,
>>
>> On 29/11/16 14:21, Artem Mygaiev wrote:
>>> Lars, the project is approved by Coverity. Scan has found some issues in
>>> xen/arch/arm on master, part of them are false positives.
>> Perfect. It would be interesting to know the list of issues so we can
>> categorize them (i.e are they security issue) and address them.
>>
>> Cheers,
>>
>> -- 
>> Julien Grall


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

Done


On 29.11.16 20:19, Stefano Stabellini wrote:
> On Tue, 29 Nov 2016, Artem Mygaiev wrote:
>> Hi Julien
>>
>> On 29.11.16 16:27, Julien Grall wrote:
>>> Hi Artem,
>>>
>>> On 29/11/16 14:21, Artem Mygaiev wrote:
>>>> Lars, the project is approved by Coverity. Scan has found some issues in
>>>> xen/arch/arm on master, part of them are false positives.
>>> Perfect. It would be interesting to know the list of issues so we can
>>> categorize them (i.e are they security issue) and address them.
>> Let me clean up the build scripts a bit and I will send you invite to
>> Coverity Scan project
> I would like access too if possible, thanks!


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Stefano Stabellini]

Thank you!

On Wed, 30 Nov 2016, Artem Mygaiev wrote:
> Done
> 
> 
> On 29.11.16 20:19, Stefano Stabellini wrote:
> > On Tue, 29 Nov 2016, Artem Mygaiev wrote:
> >> Hi Julien
> >>
> >> On 29.11.16 16:27, Julien Grall wrote:
> >>> Hi Artem,
> >>>
> >>> On 29/11/16 14:21, Artem Mygaiev wrote:
> >>>> Lars, the project is approved by Coverity. Scan has found some issues in
> >>>> xen/arch/arm on master, part of them are false positives.
> >>> Perfect. It would be interesting to know the list of issues so we can
> >>> categorize them (i.e are they security issue) and address them.
> >> Let me clean up the build scripts a bit and I will send you invite to
> >> Coverity Scan project
> > I would like access too if possible, thanks!
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> https://lists.xen.org/xen-devel
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Andrew Cooper]

On 29/11/16 15:09, Artem Mygaiev wrote:
> Hi Julien
>
> On 29.11.16 16:27, Julien Grall wrote:
>> Hi Artem,
>>
>> On 29/11/16 14:21, Artem Mygaiev wrote:
>>> Lars, the project is approved by Coverity. Scan has found some issues in
>>> xen/arch/arm on master, part of them are false positives.
>> Perfect. It would be interesting to know the list of issues so we can
>> categorize them (i.e are they security issue) and address them.
> Let me clean up the build scripts a bit and I will send you invite to
> Coverity Scan project

Can I get an invite as well please?

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [COVERITY ACCESS] for Embedded/Automotive team

[Artem Mygaiev]

On 30.11.16 21:21, Andrew Cooper wrote:
> On 29/11/16 15:09, Artem Mygaiev wrote:
>> Hi Julien
>>
>> On 29.11.16 16:27, Julien Grall wrote:
>>> Hi Artem,
>>>
>>> On 29/11/16 14:21, Artem Mygaiev wrote:
>>>> Lars, the project is approved by Coverity. Scan has found some issues in
>>>> xen/arch/arm on master, part of them are false positives.
>>> Perfect. It would be interesting to know the list of issues so we can
>>> categorize them (i.e are they security issue) and address them.
>> Let me clean up the build scripts a bit and I will send you invite to
>> Coverity Scan project
> Can I get an invite as well please?
>
> ~Andrew
Sent

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel