mrc0mmand
commented
1 year ago Just linking the respective coverity.yml and coverity.sh. IIRC I synced them between the dfuzzer and systemd repos so it should be more or less the same stuff, sans the build dependencies, project name, and the actual build command.
The systemd version also sets the email address for the scan notification to a pre-defined one (which is currently my email) contrary to the dfuzzer version which uses email address from the latest commit. I did that in systemd to make sure I'll get notified on any possible fails (and because I think the scan notification is usually useless for people not involved in whole Coverity stuff).
evverx
It's mostly prompted by https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2015538/comments/5.
and I agree with @eslerm here.
It should be possible to borrow the action from
systemdordfuzzerto run that cron job daily on GitHub but to get it to work a secret namedCOVERITY_SCAN_TOKENshould be added to the repository: https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository. The token can be found at https://scan.coverity.com/projects/dbus-broker?tab=project_settings.Since Ubuntu is used on GHActions the AppArmor stuff should start being analyzed automagically too. Currently it's missing there.
In theory
dbus-brokercan be integrated as is and false positives can be suppressed manually there but it would be better to help coverity a bit with, say,c_assertand add#ifdef __COVERITY__.cc @mrc0mmand.