simsong / bulk_extractor

This is the development tree. Production downloads are at:
https://github.com/simsong/bulk_extractor/releases

coverity.yml: Change Coverity project name to simsong/bulk_extractor #462

Closed moshekaplan closed 4 months ago

moshekaplan commented 4 months ago

Based on https://scan.coverity.com/projects/simsong-bulk_extractor, it appears that you registered the Coverity project as simsong/bulk_extractor. This change changes the COVERITY_PROJECT_NAME to refer to simsong/bulk_extractor.

codecov[bot] commented 4 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (1c03e46) 48.18% compared to head (ed449ad) 48.18%.

Additional details and impacted files

```diff
@@            Coverage Diff            @@
##             main     #462   +/-   ##
=======================================
  Coverage   48.18%   48.18%
=======================================
  Files         112      112
  Lines       13249    13249
=======================================
  Hits         6383     6383
  Misses       6866     6866
```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

simsong commented 4 months ago

Yes. I did register, but I don’t have it working properly. It’s all a little beyond me now. I can’t quite figure out their documentation. Perhaps we can talk if this doesn’t work.

moshekaplan commented 4 months ago

The Coverity action only runs daily and it probably hasn't triggered the start time yet. For testing purposes, the easiest approach might be to trigger the Coverity workflow manually. You can do so by going to this page: https://github.com/simsong/bulk_extractor/actions/workflows/coverity.yml

And then clicking Run Workflow: [screenshot]

And as mentioned before, I expect the Action to fail until this PR is merged in, because it's currently pointing to the wrong Coverity project.

simsong commented 4 months ago

Great. Let's see what happens... [screenshot]

moshekaplan commented 4 months ago

Looks like the build was successfully analyzed by Coverity: [screenshot]

simsong commented 4 months ago

What a fascinating exercise. Yes, Coverity has found lots of things. Most of them seem to be in the RAR decompression code that we had contributed. Some of the things that it "caught" are just not errors. But it's worth addressing them... I guess?

[screenshot]

simsong commented 4 months ago

Is this considered "good"? [screenshot]

simsong commented 4 months ago

(the buffer overflows are wrong, I think, because the length is checked elsewhere that coverity wasn't aware of, but I'll have to look at each.)

moshekaplan commented 4 months ago

Like any scanner, Coverity is definitely going to have false positives and that is one of the options for resolving a defect.

It does seem like 0.49 is a pretty good defect density, when compared to the (albeit dated) 2013 Coverity Scan Open Source report:

https://news.synopsys.com/2014-04-15-Coverity-Scan-Report-Finds-Open-Source-Software-Quality-Outpaces-Proprietary-Code-for-the-First-Time

Defect density (defects per 1,000 lines of software code) is a commonly used measurement for software quality, and a defect density of 1.0 is considered the accepted industry standard for good quality software. Coverity's analysis found an average defect density of .59 for open source C/C++ projects that leverage the Scan service, compared to an average defect density of .72 for proprietary C/C++ code developed for enterprise projects.

simsong commented 4 months ago

Thanks for the analysis. This is a tribute to the power of using C++ and trying to do all of the memory handling within reasonably safe and well-tested classes. We seriously considered a rewrite into Rust but decided against it, largely because of the flex scanners and the large amounts of contributed code.

One of the powers of bulk_extractor is the ability to have site-specific plugins. You or anyone else interested in this capability should contact me if there is interest.

simsong commented 4 months ago

Coverity is now doing daily scans whether there is a change or not. How do I stop this?

moshekaplan commented 4 months ago

> Coverity is now doing daily scans whether there is a change or not. How do I stop this?

I did some googling and it seems like the simplest approach would be to allow the CI job to run, but only conditionally upload the file to Coverity if there were recent changes. It would look like this:

Before (always upload):

    - name: Upload the result
      run: |
          tar czvf cov-int.tgz cov-int
          curl \
            --form project=${{ env.COVERITY_PROJECT_NAME }} \
            --form email=${{ secrets.COVERITY_SCAN_EMAIL }} \
            --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
            --form file=@cov-int.tgz \
            https://scan.coverity.com/builds

After (only upload if there were changes in the past 24 hours):

    - name: Get count of commits in the last 24 hours
      run: echo "NEW_COMMIT_COUNT=$(git log --oneline --since '24 hours ago' | wc -l)" >> $GITHUB_ENV
    - name: Upload the result
      if: ${{ env.NEW_COMMIT_COUNT > 0 }}
      run: |
          tar czvf cov-int.tgz cov-int
          curl \
            --form project=${{ env.COVERITY_PROJECT_NAME }} \
            --form email=${{ secrets.COVERITY_SCAN_EMAIL }} \
            --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
            --form file=@cov-int.tgz \
            https://scan.coverity.com/builds

Would you like me to submit a PR for this?
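The same gate as a stand-alone script, added here as an example and not taken from the bulk_extractor repository or the PR: it counts commits by committer epoch (`git log --format=%ct`) against an explicit clock instead of relying on `--since '24 hours ago'`, and only runs the upload when the count is positive. It assumes the script is saved as `coverity_gate.sh`, run from the repository root of a checkout with history (actions/checkout needs a fetch-depth greater than 1 for `git log` to see more than HEAD), and that the workflow exports the `COVERITY_*` variables shown in the thread as environment variables.

```shell
#!/bin/sh
# Added example: upload to Coverity only when the repository has recent commits.
set -eu

# Read one committer epoch per line on stdin (the output of `git log --format=%ct`)
# and print how many fall inside the window [now - window_seconds, now].
# Lines that are not plain integers are ignored; future-dated commits (clock
# skew between committer and runner) are counted, since they are still "new".
# Usage: git log --format=%ct | count_recent_commits <now_epoch> <window_seconds>
count_recent_commits() {
    awk -v now="$1" -v win="$2" '
        $1 ~ /^[0-9]+$/ && $1 >= now - win { n++ }
        END { print n + 0 }'
}

# Exit status 0 (true) when there is at least one recent commit.
should_upload() {
    [ "$1" -gt 0 ]
}

# The upload step from the thread, unchanged apart from --fail so a rejected
# build (bad token, wrong project name) fails the job instead of passing silently.
upload_to_coverity() {
    tar czvf cov-int.tgz cov-int
    curl --fail \
        --form "project=${COVERITY_PROJECT_NAME}" \
        --form "email=${COVERITY_SCAN_EMAIL}" \
        --form "token=${COVERITY_SCAN_TOKEN}" \
        --form file=@cov-int.tgz \
        https://scan.coverity.com/builds
}

main() {
    window=${COVERITY_UPLOAD_WINDOW:-86400}   # 24 hours, as in the thread
    now=$(date +%s)
    count=$(git log --format=%ct | count_recent_commits "$now" "$window")
    if should_upload "$count"; then
        echo "$count commit(s) in the last ${window}s; uploading to Coverity"
        upload_to_coverity
    else
        echo "no commits in the last ${window}s; skipping Coverity upload"
    fi
}

# Run main only when executed as coverity_gate.sh, so the functions can be sourced.
if [ "${0##*/}" = "coverity_gate.sh" ]; then
    main "$@"
fi
```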

simsong commented 4 months ago

That would be great! Thanks.