Hi,
While discussing how best to have continuous static analysis for the
qubes code base, @jpo and I have come to the conclusion that there
are three major goals we can aim for (in the order of highest
benefit:work_required ratio):
1. Integration of tools like shellcheck and scan-build in the build
process.
2. Continuous integration with travis CI using Coverity and the tools
already integrated above.
3. Custom static analysis passes to ensure that untrusted_* values are
being checked before being assigned to trusted values, and checking
what values they impact. Originally Frama-C seemed useful, but we're
not sure if it is the best tool for this task. Suggestions are welcome :)
For no. 2, we'll need the qubes-os project(s) (individual components?)
to be registered with Coverity [1]. Should I go ahead and register? I
thought I should ask here first since the process involves "acceptance
of the Scan User Agreement" [2]. Once registered, we can then
integrate Coverity with travis-ci [3].
[1]: https://scan.coverity.com/faq#how-get-project-included-in-scan
[2]: https://scan.coverity.com/policy
[3]: https://scan.coverity.com/travis_ci
--
Best regards,
Paras Chetal
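As an illustration of the kind of pass item 3 asks for, here is a small added example (not from the email, not code from the Qubes project) of a line-based checker for the untrusted_* convention: it flags copies of an untrusted_* value into a variable without that prefix unless the name has already appeared in an if/assert/switch/while condition earlier in the same function. The C snippet it scans is constructed for the example, and the checker is a review aid, not a sound analysis (it does not follow struct fields or values passed through calls).

```python
"""Heuristic checker for the untrusted_* naming convention (added example).

Assumed convention: data read from an untrusted source is kept in identifiers
prefixed ``untrusted_`` and must be validated (appear in a check condition)
before it is copied into an unprefixed, "trusted" variable.
"""
import re

# `int size = untrusted_size;`, `char *p = untrusted_p;`, `size = untrusted_size;`
# The (?!=) keeps `==` comparisons from being treated as assignments.
ASSIGN_RE = re.compile(
    r"^\s*(?:[\w\s]+\s)?\**(?P<lhs>[A-Za-z_]\w*)\s*=(?!=)\s*(?P<rhs>.*?);")
UNTRUSTED_RE = re.compile(r"\buntrusted_\w+")
CHECK_RE = re.compile(r"\b(?:if|assert|switch|while)\s*\(")


def find_unchecked_copies(source: str):
    """Return (line_no, untrusted_name, trusted_name) for every copy of an
    untrusted_* value into a non-untrusted_ variable that was not mentioned
    in a check earlier in the same function body."""
    findings = []
    checked = set()          # untrusted_* names seen in a check so far
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.startswith("}"):          # closing brace in column 0: end of function
            checked.clear()
        if CHECK_RE.search(line):
            checked.update(UNTRUSTED_RE.findall(line))
        m = ASSIGN_RE.match(line)
        if not m or m.group("lhs").startswith("untrusted_"):
            continue                      # untrusted -> untrusted is fine
        for name in UNTRUSTED_RE.findall(m.group("rhs")):
            if name not in checked:
                findings.append((lineno, name, m.group("lhs")))
    return findings


# Constructed sample: size is validated before the copy, type never is.
SAMPLE_C = """\
int handle_msg(struct msg *m) {
    int untrusted_size = m->size;
    int untrusted_type = m->type;
    if (untrusted_size > MAX_SIZE)
        return -1;
    int size = untrusted_size;
    int type = untrusted_type;
    return size + type;
}
"""

if __name__ == "__main__":
    for lineno, src, dst in find_unchecked_copies(SAMPLE_C):
        print(f"line {lineno}: {src} copied into {dst} without a prior check")
```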