On Tue, Jul 25, 2017 at 11:39:25AM +0530, Paras Chetal wrote:
> Hi,
> 
> While discussing how best to have continuous static analysis for the
> Qubes code base, @jpo and I have come to the conclusion that there
> are three major goals we can aim for (in the order of highest
> benefit:work_required ratio):
> 
> 1. Integration of tools like shellcheck and scan-build in the build
> process.
> 
> 2. Continuous integration with Travis CI using Coverity and the tools
> already integrated above.
> 
> 3. Custom static analysis passes to ensure that untrusted_* values are
> being checked before being assigned to trusted values, and checking
> what values they impact. Originally Frama-C seemed useful, but we're
> not sure if it is the best tool for this task. Suggestions are welcome :)
> 
> 
> For no. 2, we'll need the qubes-os project(s) (individual components?)
> to be registered with Coverity [1]. Should I go ahead and register? I
> thought I should ask here first since the process involves "acceptance
> of the Scan User Agreement" [2]. Once registered, we can then
> integrate Coverity with travis-ci [3].
> 
> 
> [1]: https://scan.coverity.com/faq#how-get-project-included-in-scan
> [2]: https://scan.coverity.com/policy
> [3]: https://scan.coverity.com/travis_ci
> 
> 
> -- 
> Best regards,
> Paras Chetal

For my part, I would never subscribe to Coverity because of the User
Agreement. For example, I don't want to agree to comply fully with
export laws of the US and EU, and "demonstrate compliance".
