Open evverx opened 1 year ago
Just linking the respective coverity.yml and coverity.sh. IIRC I synced them between the dfuzzer and systemd repos so it should be more or less the same stuff, sans the build dependencies, project name, and the actual build command.
The systemd version also sets the email address for the scan notification to a pre-defined one (which is currently my email), contrary to the dfuzzer version, which uses the email address from the latest commit. I did that in systemd to make sure I'll get notified of any possible failures (and because I think the scan notification is usually useless for people not involved in the whole Coverity stuff).
> contrary to the dfuzzer version which uses the email address from the latest commit
That would be yours too I believe :-)
I've just sent dbus-broker with https://github.com/bus1/dbus-broker/commit/af6bf48ba27408725d14378e4a11139106506f3b included and Coverity confirmed that it's gone :-)
Anyway the scripts are ready. I can keep running it manually from time to time until the secret is added to the repository.
It's mostly prompted by https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2015538/comments/5 and I agree with @eslerm here.

It should be possible to borrow the action from systemd or dfuzzer to run that cron job daily on GitHub, but to get it to work a secret named `COVERITY_SCAN_TOKEN` should be added to the repository: https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository. The token can be found at https://scan.coverity.com/projects/dbus-broker?tab=project_settings. Since Ubuntu is used on GHActions the AppArmor stuff should start being analyzed automagically too. Currently it's missing there.

In theory dbus-broker can be integrated as is and false positives can be suppressed manually there, but it would be better to help Coverity a bit with, say, `c_assert` and add `#ifdef __COVERITY__`.

cc @mrc0mmand.
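To make the `c_assert` / `#ifdef __COVERITY__` suggestion concrete, the block below is an added example, not code from dbus-broker, c-stdaux or systemd. It shows an always-evaluated assertion macro whose failure path is modelled for Coverity when `cov-build` predefines `__COVERITY__`. All names (`ex_assert`, `ex_assert_failed`, `ex_coverity_check`, `ex_strip_prefix`, `ex_store_nonzero`, `ex_store_demo`) are hypothetical. It assumes two things about Coverity that you should confirm against your own cov-analysis documentation: `__coverity_panic__()` is a modelling primitive the analyzer treats as never returning, and the ASSERT_SIDE_EFFECT checker reports side effects inside assert-like expressions because it assumes they may be compiled out.

```c
/*
 * Added example (not dbus-broker / c-stdaux / systemd code): an
 * always-evaluated assertion with a Coverity-specific model of its
 * failure path. All ex_* names are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __COVERITY__
/* Taken only under cov-build. __coverity_panic__() is assumed to be a
 * Coverity modelling primitive that the analyzer treats as never
 * returning, so every path on which the condition is false is pruned
 * (no "NULL dereference after assertion" reports), and the condition is
 * consumed by an ordinary function call, so ASSERT_SIDE_EFFECT has no
 * assert-like expression to flag. */
extern void __coverity_panic__(void);

static inline void ex_coverity_check(int condition) {
        if (!condition)
                __coverity_panic__();
}

#define ex_assert(expr) ex_coverity_check(!!(expr))

#else
/* Normal builds: unlike assert(3) under NDEBUG, the expression is always
 * evaluated, and a failed check aborts the process. */
static void ex_assert_failed(const char *expr, const char *file, int line) {
        fprintf(stderr, "%s:%d: assertion '%s' failed\n", file, line, expr);
        abort();
}

#define ex_assert(expr)                                                 \
        do {                                                            \
                if (!(expr))                                            \
                        ex_assert_failed(#expr, __FILE__, __LINE__);    \
        } while (0)
#endif

/* Relies on the assertions for its preconditions. Without a model of
 * ex_assert(), an analyzer that considers s == NULL possible would report
 * the strncmp() below; with the __COVERITY__ branch that path is dead. */
static const char *ex_strip_prefix(const char *s, const char *prefix) {
        size_t n;

        ex_assert(s);
        ex_assert(prefix);

        n = strlen(prefix);
        if (strncmp(s, prefix, n) != 0)
                return NULL;
        return s + n;
}

/* The side-effect case ASSERT_SIDE_EFFECT is about: inside assert(3) this
 * store would vanish under NDEBUG and leave *slot unset. ex_assert() always
 * evaluates, so keeping the store inside it is correct at runtime; the
 * __COVERITY__ branch is what stops the analyzer from reporting it anyway. */
static int ex_store_nonzero(int *slot, int value) {
        ex_assert((*slot = value) != 0);
        return *slot;
}

/* Small driver so the side-effect case can be checked without declaring
 * locals at the call site. */
static int ex_store_demo(void) {
        int slot = 0;

        return ex_store_nonzero(&slot, 7) + slot;   /* 7 + 7 */
}

int main(void) {
        const char *rest = ex_strip_prefix("org.bus1.DBus.Name", "org.bus1.");

        printf("rest: %s\n", rest ? rest : "(null)");
        printf("store demo: %d\n", ex_store_demo());
        return 0;
}
```

Two practical notes. First, only the analysis changes: the `ex_assert_failed()` path and its `abort()` are compiled exactly as before for real builds, so hints of this kind cannot weaken runtime behaviour. Second, such a hint should only encode invariants the code genuinely enforces at runtime (here, the callers really are required to pass non-NULL pointers); an assertion added merely to quiet a report turns a possible true positive into a silently suppressed one, which is worse than the manual suppression the post mentions, because it is invisible in the Coverity UI.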