Re: New Defects reported by Coverity Scan for ntpsec
On Feb 7, 2023 18:23, Hal Murray via devel wrote:

> Thanks.
>
> matthew.sel...@twosigma.com said:
> > No. We run the Coverity CI job weekly via a schedule, ...
> > I'll work on running Coverity post-merge.
>
> I agree that running it every merge is overkill.
>
> A button that says run-now would be nice if we are working on fixing
> Coverity problems. Can you poke it by hand?

Not as such, no. But it is easy for an authorized user to trigger a scheduled run at GitLab. It's under ci > schedules on the left sidebar.

> How does Coverity fit into the release procedure?

"Check with the buildbot reports, assure that there are no unplanned regressions on the supported platforms."

Along with flawfinder and semgrep presumably.

> Should we schedule releases after a Coverity run?

I think it probably should be.

___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
Re: New Defects reported by Coverity Scan for ntpsec
Yo Hal!

On Tue, 07 Feb 2023 18:23:17 -0800 Hal Murray via devel wrote:

> Yes, it's reasonably obvious, but only after you find the right URL.

Consider it like a game of Adventure.

> > I approved your account.
>
> Thanks. I didn't get any you-were-approved mail.
>
> Do I have to explicitly sign up for mail about reports?

Dunno, go to the Dashboard for your options.

> > No. We run the Coverity CI job weekly via a schedule, ...
> > I'll work on running Coverity post-merge.
>
> I agree that running it every merge is overkill.
>
> A button that says run-now would be nice if we are working on fixing
> Coverity problems.

Can't object to free...

> How does Coverity fit into the release procedure?

It does not.

> Should we schedule releases after a Coverity run?

Probably.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin
Re: New Defects reported by Coverity Scan for ntpsec
Thanks.

matthew.sel...@twosigma.com said:
>> Should we document that? Where?
> The account creation seems self-explanatory. Or did you want to document
> something else?

I don't know. I was just tossing out a suggestion based on my stumbling.

Yes, it's reasonably obvious, but only after you find the right URL.

> Yes, Coverity is pointing at the GitHub mirror.

I think it knows that it is a mirror.

> I approved your account.

Thanks. I didn't get any you-were-approved mail.

Do I have to explicitly sign up for mail about reports?

> No. We run the Coverity CI job weekly via a schedule, ...
> I'll work on running Coverity post-merge.

I agree that running it every merge is overkill.

A button that says run-now would be nice if we are working on fixing Coverity problems. Can you poke it by hand?

How does Coverity fit into the release procedure? Should we schedule releases after a Coverity run?

> Do you need the ability to run Coverity offline on
> your development host before you push?

Not really.

I expect this will all get sorted out and slip into the background before long. "before long" just takes longer if the turn around time is a week rather than an hour. I'm not in a hurry as long as I know what to expect. I have plenty of other things to work on.

I got confused by misreading the report that started this thread so I was thinking that Coverity might generate a lot of reports that we would have to fix.

I'm close to having -Wswitch-enum ready.

--
These are my opinions. I hate spam.
Re: New Defects reported by Coverity Scan for ntpsec
On Mon, Feb 06, 2023 at 10:51:02PM -0800, Hal Murray via devel wrote:

> > Do you have a coverity account?
> > https://scan.coverity.com
> > Then go to "My Dashboard" and "Add project".
>
> Should we document that? Where?

The account creation seems self-explanatory. Or did you want to document something else?

> It looks like Coverity is running over on github.

Yes, Coverity is pointing at the GitHub mirror.

> Is our copy-to-github stuff documented?

It's a 1-line checkbox in our GitLab repo. There's no documentation, per se.

> I'm waiting for somebody to approve me.

I approved your account.

> >> Date: Thu, 02 Feb 2023 05:48:37 + (Wed 21:48 PST)
> > It was detected on Feb 5.
>
> So the turn around is days rather than hours.

No. We run the Coverity CI job weekly via a schedule, not on every commit since I was concerned about abusing the Coverity scanner minutes and other reasons. I think we can re-evaluate that decision since our merge rate is low enough and run Coverity on each commit, but after merging since it relies on a GitLab runner that not everyone may have access to (for reasons that I don't want to go into here).

I'll work on running Coverity post-merge.

Do you need the ability to run Coverity offline on your development host before you push?

Thanks,
-Matt
Re: New Defects reported by Coverity Scan for ntpsec
Yo Hal!

On Tue, 07 Feb 2023 14:03:50 -0800 Hal Murray via devel wrote:

> I took a look at the Coverity reports for ntpsec.
> There are 10 of them. 10 is a small number. We should be able to
> fix them all.

Good.

> The Coverity report that started this thread was actually a bug.

My experience is that most of them are worth a good think.

RGDS
GARY
Re: New Defects reported by Coverity Scan for ntpsec
I took a look at the Coverity reports for ntpsec.

There are 10 of them. 10 is a small number. We should be able to fix them all.

The Coverity report that started this thread was actually a bug.

The code I had was
  bool once = false;
  if (once) return;
  once = true;
  ...

I was so focused on getting the compiler warnings (-Wswitch-enum) that I missed the missing static on once.

--
These are my opinions. I hate spam.
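The missing static described in the message above, as an added example that is not code from ntpsec or from the post: the function names, counters and the call_n_times helper are made up for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical counters: how often each "run once" body really executed. */
static int buggy_runs = 0;
static int fixed_runs = 0;

/* The shape quoted in the message: `once` is an automatic variable, so it
 * is re-created and set to false on every call. The guard is always false,
 * the early return is dead code, and the body runs on every call. */
void setup_buggy(void)
{
    bool once = false;
    if (once)
        return;
    once = true;        /* lost as soon as the function returns */
    buggy_runs++;       /* stands in for the one-time work */
}

/* With `static`, the variable has static storage duration: it is
 * initialised once and keeps its value between calls. */
void setup_fixed(void)
{
    static bool once = false;
    if (once)
        return;
    once = true;
    fixed_runs++;
}

/* Call fn n times and report the counter it maintains. */
int call_n_times(void (*fn)(void), int n, const int *counter)
{
    for (int i = 0; i < n; i++)
        fn();
    return *counter;
}

int main(void)
{
    printf("buggy body ran %d times\n",
           call_n_times(setup_buggy, 3, &buggy_runs));
    printf("fixed body ran %d times\n",
           call_n_times(setup_fixed, 3, &fixed_runs));
    return 0;
}
```

The static version is still not safe if two threads can make the first call at the same time; that case needs something like pthread_once().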
Re: New Defects reported by Coverity Scan for ntpsec
Yo Hal!

On Tue, 07 Feb 2023 13:20:38 -0800 Hal Murray via devel wrote:

> >> OK, I propose to turn on -Wswitch-enum and fix all the warnings I
> >> find. Then I/we fix whatever Coverity complains about. If that is
> >> too painful, we can back out of -Wswitch-enum.
> > Seems good to me.
>
> OK, I'll start working on it when I get time.

No rush, they've been there a while.

> > There are so many Coverity warnings about ntpd to worry about that
> > no one will notice a few more or less.
>
> Any chance we can fix/annotate them all?

gpsd eventually crushed them all. Once you get on a roll they are mostly quick fixes.

> Is there a web page that describes the /* coverity(mumble) */ stuff?

No need, the "mumble" is the error you are blocking. It will be in your face when you look at that one issue.

> Can I add a comment in there too, like:
> /* coverity(mumble) we handle all the cases */
> Something like that might help somebody understand what's going on.

The coverity descriptions are good. Use them. Too many to study, just look at the ones we trip. The descriptions will pretty much match clang.

> >> > I'm waiting for somebody to approve me.
> > Where? How would I see it?
>
> > The request was stuck in my spam folder. Looks like someone beat
> > me to approving you.
>
> Thanks. No mail yet. I guess I'll have to go poke around.

Don't expect Coverity to nag you.

RGDS
GARY
Re: New Defects reported by Coverity Scan for ntpsec
>> OK, I propose to turn on -Wswitch-enum and fix all the warnings I
>> find. Then I/we fix whatever Coverity complains about. If that is
>> too painful, we can back out of -Wswitch-enum.
> Seems good to me.

OK, I'll start working on it when I get time.

> There are so many Coverity warnings about ntpd to worry about that no one
> will notice a few more or less.

Any chance we can fix/annotate them all?

Is there a web page that describes the /* coverity(mumble) */ stuff?

Can I add a comment in there too, like:
  /* coverity(mumble) we handle all the cases */
Something like that might help somebody understand what's going on.

>> > I'm waiting for somebody to approve me.
> Where? How would I see it?

> The request was stuck in my spam folder. Looks like someone beat me to
> approving you.

Thanks. No mail yet. I guess I'll have to go poke around.

--
These are my opinions. I hate spam.
Re: New Defects reported by Coverity Scan for ntpsec
Yo Hal!

On Mon, 06 Feb 2023 22:51:02 -0800 Hal Murray wrote:

> > I'm waiting for somebody to approve me.
>
> Where? How would I see it?

The request was stuck in my spam folder. Looks like someone beat me to approving you.

RGDS
GARY
Re: New Defects reported by Coverity Scan for ntpsec
Yo Hal!

On Mon, 06 Feb 2023 22:51:02 -0800 Hal Murray wrote:

> Thanks.
>
> > Do you have a coverity account?
> > https://scan.coverity.com/
> > Then go to "My Dashboard" and "Add project".
>
> Should we document that? Where?

The procedure changes more often than we add coverity users.

> It looks like Coverity is running over on github.
> Is our copy-to-github stuff documented?

Dunno how it works. It just does.

> I'm waiting for somebody to approve me.

Where? How would I see it?

> >> Date: Thu, 02 Feb 2023 05:48:37 + (Wed 21:48 PST)
> > It was detected on Feb 5.
>
> So the turn around is days rather than hours.

Yeah.

> > So we tell Coverity to ignore the extra defaults.
>
> OK, I propose to turn on -Wswitch-enum and fix all the warnings I
> find. Then I/we fix whatever Coverity complains about. If that is
> too painful, we can back out of -Wswitch-enum.

Seems good to me.

> It may take a few iterations to make Coverity happy and we won't have
> great turn-around, but it's not on the critical path.

What coverity does is mostly run the code with high warning levels. So if you bump up your warnings you'll see what they see.

There are so many Coverity warnings about ntpd to worry about that no one will notice a few more or less.

RGDS
GARY