How do we submit build to Coverity Scan?
nasif
Newbie
Posts: 4
#1
2019-03-18, 03:27
Hi,

I was looking at the defect reports for Kodi on Coverity Scan as a part of my research. My goal is to track changes for the files where Coverity has detected an alert to understand how developers are responding to the alerts from static analysis tools. In short, for now, I am trying to match files on GitHub from Coverity Scan.

It would be greatly helpful if you can answer some of my queries,

1) There are multiple branches for this project. Do you test all the branches individually on Coverity Scan or do you only test the master branch?

2) While looking at Coverity Scan reports, I find some alerts whose file paths apparently don't exist on the master branch (e.g. 
cid: 1442921 - /usr/include/c++/7/bits/move.h; 
cid:1438977 - /tools/depends/xbmc-depends/x86_64-linux-gnu-debug/include/fmt/format.h).
Can you help me on where these files are located so that I can better understand how to track files on GitHub from Coverity reports?

3) Do you always run Coverity analysis on Kodi with the same configuration (for example, always analyzing the full master branch)?

If you can help me with these answers and any other suggestion on how can I track files on GitHub from the file path listed on Coverity Scan, it would be greatly helpful for me.

Thanks,
Nasif
Find
Reply
fritsch
Team-Kodi Developer
Posts: 23,551
#2
2019-03-19, 08:19
1) master
2) Those files are either depends (libfmt) or standard compiler include files, provided by e.g. libstdc++-7-dev (linux case)
3) yes

Example:
Quote:*** CID 1441972:  Memory - illegal accesses  (WRAPPER_ESCAPE)
/build/build/xbmc/CompileInfo.cpp: 69 in CCompileInfo::GetBuildDate()()

File: xbmc/CompileInfo.cpp created from: https://github.com/xbmc/xbmc/blob/master...nfo.cpp.in
First decide what functions / features you expect from a system. Then decide for the hardware. Don't waste your money on crap.
Find
Reply
fritsch
Team-Kodi Developer
Posts: 23,551
#3
2019-03-19, 08:20
And: don't forget about the separate windows scan
First decide what functions / features you expect from a system. Then decide for the hardware. Don't waste your money on crap.
Find
Reply
nasif
Newbie
Posts: 4
#4
2019-03-19, 16:27
can you elaborate "separate windows scan"?
Find
Reply
Rechi
Team-Kodi Member
Posts: 785
#5
2019-03-20, 23:27
Kodi for Linux with X11 windowing: https://scan.coverity.com/projects/kodi
Kodi for Windows: https://scan.coverity.com/projects/kodi-win32
Find
Reply
nasif
Newbie
Posts: 4
#6
2019-04-18, 21:46
Hello,

Thanks for answering my questions. I am a PhD student at North Carolina State University. As a part of our research project, we are looking at how developers respond to alerts from static analysis tools (e.g. Coverity). If anyone from Team Kodi can participate in a short survey answering how your project team monitors Coverity reports, that will help us greatly in our research.

Thanks,
Nasif
Find
Reply
nasif
Newbie
Posts: 4
#7
2019-08-21, 18:09
Hi everybody,

We finished a paper on open source projects' Coverity usage in May which will be published in ISSRE'19

Thanks for your help in giving me access to Coverity data.

I'd love to hear your feedback on this whenever you have time. 
Also, based on your experience of using static analysis tools, I'd love to hear if you have any future research suggestions.

Thanks again,
Nasif
Find
Reply

Home
Search
Help
Logout Mark Read Team Forum Stats Members Help
How do we submit build to Coverity Scan?0