Closed shefty closed 1 year ago
Sean, how high a priority is this? I'm assuming this is a new static code checker that RHEL is using?
I wouldn't consider it a high-priority myself. It may be worth scanning over and seeing if any significant issues are being identified.
I don't have details on the checker, but I assume it's basically the same as what we have with coverity. Only with coverity, we've already analyzed false positives and marked them as such. There are only a couple open coverity issues.
From what I have been able to find, covscan is the tool used to perform the scan which is part of the Coverity Scan's Tool Suite. That being said, the coverity scan for ofiwg/libfabric does not appear to be scanning all providers:
See all the providers with "0" lines of code...
Correct - we've only enabled the scan for some providers. We can add more if the maintainers will respond to the issues, and coverity can build it.
Hmm, that's odd. When I added the Travis config, I thought I enabled it for all providers. Where is the opt-in list? The analysis settings aren't ignoring any component from what I can tell.
Can coverity build the other providers? E.g. usnic, verbs, psm/2 require external libraries.
We build in the Travis environment and just push results to Coverity. The Travis environment pulls in rdma-core and libnl, so in principle verbs/EFA/usnic should at least compile: https://github.com/ofiwg/libfabric/blob/main/.travis.yml#L10 https://github.com/ofiwg/libfabric/commit/b083456944f020a0d81241144b5dc381911afe8c
Maybe configure is silently dropping the providers, given the coverity build uses vanilla configure options. I can take a closer look later today.
Thanks - I'm trying to figure this out too. I would have thought the other providers would have at least built and have a valid report. I don't think psm3 requires external libraries.
Like I mentioned in the call today, I couldn't figure out why some of them are not getting scanned. Looking at the list of providers that are being skipped, my suspicion is still that the configure is silently disabling them, so there's nothing to feed into the static analyzer. I'll send up a PR to explicitly enable providers that we can build in Travis and see if that does it. Unfortunately, we would have to merge that to main before we can see results.
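The silent-drop failure mode suspected in the comment above can be caught in CI before results are pushed to the analyzer. The script below is an added example, not code from this thread or from the libfabric repository: it counts the distinct source files compiled per provider in a build log and fails when an expected provider contributed none. It assumes provider sources live under `prov/<name>/` and that the log shows full compiler command lines; the log lines and file names are constructed.

```shell
#!/bin/sh
# Added example: detect providers that were silently left out of a build and
# would therefore show up with "0" lines in the static-analysis report.
# Assumptions: sources live under prov/<name>/, and the build log contains the
# full compiler command lines (for example from `make V=1`).

# Constructed sample log: verbs and efa were built, usnic and psm2 were not.
sample_log() {
    cat <<'EOF'
gcc -DHAVE_CONFIG_H -I. -c prov/verbs/src/example_a.c -o prov/verbs/src/example_a.o
gcc -DHAVE_CONFIG_H -I. -c prov/verbs/src/example_a.c -fPIC -o prov/verbs/src/.libs/example_a.o
gcc -DHAVE_CONFIG_H -I. -c prov/verbs/src/example_b.c -o prov/verbs/src/example_b.o
gcc -DHAVE_CONFIG_H -I. -c prov/efa/src/example_c.c -o prov/efa/src/example_c.o
gcc -DHAVE_CONFIG_H -I. -c src/example_core.c -o src/example_core.o
EOF
}

# count_provider_units LOGFILE PROVIDER
# Prints the number of distinct .c files compiled from prov/PROVIDER/.
count_provider_units() {
    grep -oE "prov/$2/[A-Za-z0-9_./-]+\.c" "$1" | sort -u | wc -l | tr -d ' '
}

# missing_providers LOGFILE PROVIDER...
# Prints the expected providers with zero compiled files (space separated)
# and returns non-zero if there are any, so a CI step can fail on it.
missing_providers() {
    _log=$1
    shift
    _missing=""
    for _p in "$@"; do
        _n=$(count_provider_units "$_log" "$_p")
        [ "$_n" -eq 0 ] && _missing="${_missing:+$_missing }$_p"
    done
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# Demonstration on the constructed log.
demo_log=$(mktemp)
sample_log > "$demo_log"
missing_providers "$demo_log" verbs efa usnic psm2 ||
    echo "providers above were not compiled, so they will not be analyzed" >&2
rm -f "$demo_log"
```
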
This issue is stale because it has been open 360 days with no activity. Remove stale label or comment, otherwise it will be closed in 7 days.
I just checked the last coverity scan here: https://scan.coverity.com/projects/ofiwg-libfabric
PSM2 is not being scanned, Opx is. There isn't much development going on with PSM2 atm, but eventually we should add it to things being scanned, as it will still be supported for some time.
I can add it to the scan if someone will focus on fixing the issues.
This issue is stale because it has been open 360 days with no activity. Remove stale label or comment, otherwise it will be closed in 7 days.