[GSoC] Static analysis: continuous integration


Paras Chetal

Jul 25, 2017, 2:09:58 AM
to qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

While discussing how best to have continuous static analysis for the
qubes code-base, @jpo and I have come to the conclusion that there
are three major goals we can aim for (in the order of highest
benefit:work_required ratio):

1. Integration of tools like shellcheck and scan-build in the build
process.

2. Continuous integration with Travis CI using Coverity and the tools
already integrated above.

3. Custom static analysis passes to ensure that untrusted_* values are
being checked before being assigned to trusted values, and checking
what values they impact. Originally Frama-C seemed useful, but we're
not sure if it is the best tool for this task. Suggestions are welcome :)


For no. 2, we'll need the qubes-os project(s) (individual components?)
to be registered with Coverity [1]. Should I go ahead and register? I
thought I should ask here first since the process involves "acceptance
of the Scan User Agreement" [2]. Once registered, we can then
integrate Coverity with travis-ci [3].


[1]: https://scan.coverity.com/faq#how-get-project-included-in-scan
[2]: https://scan.coverity.com/policy
[3]: https://scan.coverity.com/travis_ci


- --
Best regards,
Paras Chetal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQE0BAEBCAAeBQJZduCKFxxwYXJhcy5jaGV0YWxAZ21haWwuY29tAAoJEA4SQJU2
s0ILgUgH/1eorfCpsKfWz3Uh9MhTbu97gwUYkvWTAjKRxFsHk99LtRfc0juuhTDV
DqJCaEj5Zc0hYVR8F55vDeTxbXSP5jBz38nmD7e/iQYxrGLGEQFzg7HiOozHSJxQ
zTml/qH7pHzmjf0ZcoB7/1ESCmpfSUOun2lqQfQeORAw7rUPs+VhPkXPZtTx/AgI
Lkrn4BsW2sc0lI3o3aHayqXgvAJk92rLq07dbgzxOHIw7QftykPhoCCviEif48sR
7ajzzP3GAR+dvYqba+hgN/WJvqzTAE0cUl5390j0tQg4cRtQcw2IZ48b4oCSgxMq
tcZJZ2ejUKIZPsbRt3f4eDOUqFfCWiw=
=GHtL
-----END PGP SIGNATURE-----
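As an added illustration of goal no. 3 above (not code from the Qubes project, and not a Frama-C pass): a small heuristic checker that scans C source for the convention the proposal describes, i.e. a value held in a variable named untrusted_* must be checked before it is copied into a variable without that prefix, and values that received unchecked untrusted data are tracked onward so their later uses can be flagged too. "Checked" is approximated as appearing, earlier in the same function, inside an if/while/for condition or as an argument of a call whose name contains check, validate or sanitize; those call-name patterns and the C sample are assumptions constructed for this example, not Qubes APIs.

```python
"""Heuristic checker for untrusted_* data flow in C sources (added example).

Rule encoded: a variable named untrusted_* may only be copied into a
non-untrusted_* variable after it has been checked. A non-untrusted_*
variable that receives unchecked untrusted data is marked tainted, so that
later assignments from it are flagged as well ("what values they impact").

Limitations, by design: flows through calls such as memcpy() are not
tracked, and the end of a function is detected only by a '}' at column 0.
"""
import re
from typing import List, Set, Tuple

UNTRUSTED = re.compile(r"\buntrusted_\w+\b")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
# A condition counts as a check of every untrusted/tainted name it mentions.
CONDITION = re.compile(r"^\s*(?:else\s+)?(?:if|while|for)\s*\(")
# Assumed naming pattern for sanitizer functions (not a Qubes API).
CHECK_CALL = re.compile(r"\b\w*(?:check|validate|sanitize)\w*\s*\(", re.IGNORECASE)
# "<type words> [*]lhs[ [idx] ] = rhs" where lhs may be a struct member.
ASSIGN = re.compile(
    r"^\s*(?:[A-Za-z_]\w*\s+)*\**\s*"
    r"(?P<lhs>[A-Za-z_]\w*(?:(?:->|\.)[A-Za-z_]\w*)*)(?:\[[^\]]*\])?"
    r"\s*=(?!=)\s*(?P<rhs>.*)$"
)


def _sources(text: str, tainted: Set[str]) -> Set[str]:
    """Names in `text` that carry untrusted data: untrusted_* or tainted."""
    names = set(UNTRUSTED.findall(text))
    names |= {i for i in IDENT.findall(text) if i in tainted}
    return names


def find_unchecked_flows(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, destination, source_name) for each unchecked flow."""
    findings: List[Tuple[int, str, str]] = []
    checked: Set[str] = set()   # names validated earlier in this function
    tainted: Set[str] = set()   # non-untrusted_* names holding unchecked data
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("//", 1)[0]          # drop line comments
        if line.startswith("}"):              # crude end of function: reset state
            checked.clear()
            tainted.clear()
            continue
        if CONDITION.match(line) or CHECK_CALL.search(line):
            seen = _sources(line, tainted)
            checked |= seen
            tainted -= seen
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        lhs, rhs = m.group("lhs"), m.group("rhs")
        if lhs.startswith("untrusted_"):       # untrusted -> untrusted is fine
            continue
        unchecked = _sources(rhs, tainted) - checked
        for src in sorted(unchecked):
            findings.append((lineno, lhs, src))
        if unchecked:
            tainted.add(lhs)                  # lhs now carries unchecked data
    return findings


# Constructed sample, not Qubes code: MAX_MSG_LEN / MSG_TYPE_MAX are placeholders.
SAMPLE_C = """\
int handle_msg(struct ctx *ctx, struct hdr *untrusted_hdr)
{
    uint32_t untrusted_len = untrusted_hdr->len;   // untrusted -> untrusted: ok
    if (untrusted_len > MAX_MSG_LEN)
        return -1;
    uint32_t len = untrusted_len;                  // checked on line 4: ok
    int type = untrusted_hdr->type;                // never checked: flagged
    ctx->msg_type = type;                          // tainted by line 7: flagged
    if (type >= MSG_TYPE_MAX)
        return -1;
    ctx->last_type = type;                         // checked on line 9: ok
    return len;
}
"""


def sample_findings() -> List[Tuple[int, str, str]]:
    return find_unchecked_flows(SAMPLE_C)


if __name__ == "__main__":
    for line_no, dst, src in sample_findings():
        print(f"line {line_no}: {dst} receives unchecked value from {src}")
```

Running the module on the constructed sample reports two flows: line 7 (`type` takes `untrusted_hdr->type` with no prior check) and line 8 (`ctx->msg_type` is assigned from the tainted `type`); the later assignment on line 11 is silent because the condition on line 9 counts as a check of `type`. A real pass would need to run on the preprocessed AST rather than on text, which is the reason a tool like Frama-C or a clang-based plugin is still worth evaluating for this goal.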

Unman

Jul 25, 2017, 6:44:55 PM
to Paras Chetal, qubes...@googlegroups.com
For my part, I would never subscribe to Coverity because of the User
Agreement - for example, I don't want to agree to comply fully with
export laws of the US and EU, and "demonstrate compliance".