...

Tools that have been assessed: Coverity Scan (LF evaluation), HP Fortify (AT&T evaluation), Checkmarx (AT&T evaluation), Bandit (AT&T evaluation)

Preliminary Decision: Coverity Scan https://scan.coverity.com/

Description: Coverity Scan is a service through which Synopsys provides the results of static analysis on open source projects, at no charge, to the open source developers who have registered those projects with Coverity Scan. Coverity Scan is powered by Coverity® Quality Advisor, which surfaces the defects identified by the Coverity Static Analysis Verification Engine (Coverity SAVE®).

Open Source use: 4000+ open source projects use Coverity Scan

Languages supported: C/C++, C#, Java, Javascript, Python, Ruby

Current Activity: In conversations with Coverity to understand how they define a “project”: whether it refers to ONAP as a whole or to each of the projects under an ONAP release. This matters because the limits on free scans are applied per project, and the wrong mapping could make scanning a bottleneck for submissions and commits.


...

(Coverity response included below)

Coverity Scanning Process:

Coverity static analysis works by capturing the project's build (build capture) rather than by reading source files on their own, so the way the components that make up ONAP are built determines how they are submitted:

  • If the ONAP project can be built from source in a single command, then Coverity can create component maps from that one build.
  • If the separate components are built individually, then each component can be submitted as a separate project.
  • Coverity recommends storing the projects in a hierarchical structure in GitHub, with the ONAP parent project referring to each component project (e.g. ONAP/component_name). A few projects already in SCAN follow this structure.

Restrictions on builds: (from https://scan.coverity.com/)

Maximum lines of code in project and the corresponding frequency of scans:

  • Under 100K lines of code: up to 28 builds per week, with a maximum of 4 builds per day
  • 100K to 500K lines of code: up to 21 builds per week, with a maximum of 3 builds per day
  • 500K to 1 million lines of code: up to 14 builds per week, with a maximum of 2 builds per day
  • Over 1 million lines of code: up to 7 builds per week, with a maximum of 1 build per day

Once a project reaches the maximum builds per week, additional build requests will be rejected. The submitter will be able to re-submit the build request the following week.

SCAN is self-service: Coverity provides the analysis infrastructure and the results, but the onus is on the submitter to produce the build-captured artifacts and upload them for analysis. Scan provides integration with Travis CI and GitHub. To use Scan, the submitters will have to create an account and register their project at https://scan.coverity.com/projects

Coverity requires that a project be submitted by one of its code contributors, because of the responsible disclosure process Coverity applies to the issues the tool may identify in the code.
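The build-capture and upload flow described above, together with the per-week and per-day build limits from the table, as an added example (not code from the ONAP page or from Coverity). The script wraps the project's own build command in cov-build, tars the captured output, and uploads it, but first checks a local submission log against the published quota so that a CI job does not burn a rejected upload. The project name onap-example, the e-mail address, the log file name, the 250000 lines-of-code figure and the Maven build command are assumptions; the cov-build command line, upload URL and form field names follow Coverity's public upload instructions and should be verified against the project's own "Upload a Build" page on scan.coverity.com. The page only says rejected builds may be re-submitted "the following week", so the rolling 7-day and 24-hour windows used here are a conservative assumption, not Coverity's exact accounting.

```shell
#!/usr/bin/env bash
# Coverity Scan build capture + upload with a local quota guard.
# Assumed (not from the ONAP page): project "onap-example" registered on
# scan.coverity.com, its upload token in $COVERITY_TOKEN, and a log file holding
# one epoch-seconds timestamp per submitted build.
set -eu

# Quota table from https://scan.coverity.com/ as "<per_week> <per_day>".
# Boundary assumption: 500K counts as the 100K-500K band, 1M as the 500K-1M band.
quota_for_loc() {
  loc=$1
  if   [ "$loc" -lt 100000 ];  then echo "28 4"
  elif [ "$loc" -le 500000 ];  then echo "21 3"
  elif [ "$loc" -le 1000000 ]; then echo "14 2"
  else                              echo "7 1"
  fi
}

# Count timestamps in $1 that fall inside the last $3 seconds before epoch time $2.
builds_in_window() {
  log_file=$1; now=$2; window=$3; count=0
  [ -f "$log_file" ] || { echo 0; return 0; }
  while IFS= read -r ts; do
    [ -n "$ts" ] || continue
    if [ "$ts" -gt $((now - window)) ] && [ "$ts" -le "$now" ]; then
      count=$((count + 1))
    fi
  done < "$log_file"
  echo "$count"
}

# Exit status 0 if a build of a $1-line project may be submitted at epoch time $3
# given the submissions recorded in $2; 1 if the weekly or daily quota is used up.
quota_allows_build() {
  loc=$1; log_file=$2; now=$3
  set -- $(quota_for_loc "$loc")      # $1=per_week $2=per_day
  per_week=$1; per_day=$2
  used_week=$(builds_in_window "$log_file" "$now" $((7 * 86400)))
  used_day=$(builds_in_window "$log_file" "$now" 86400)
  if [ "$used_week" -ge "$per_week" ]; then
    echo "weekly quota used ($used_week/$per_week); Scan would reject this upload" >&2
    return 1
  fi
  if [ "$used_day" -ge "$per_day" ]; then
    echo "daily quota used ($used_day/$per_day); retry tomorrow" >&2
    return 1
  fi
  return 0
}

# Capture the build with cov-build, package it and upload it to Coverity Scan.
# Arguments: project email version log_file loc build-command...
submit_build() {
  project=$1; email=$2; version=$3; log_file=$4; loc=$5
  shift 5                               # the rest is the project's build command
  quota_allows_build "$loc" "$log_file" "$(date +%s)" || return 1
  rm -rf cov-int
  cov-build --dir cov-int "$@"          # build capture: cov-int/ holds the artifacts
  tar czf cov-int.tgz cov-int
  curl --fail \
    --form token="$COVERITY_TOKEN" \
    --form email="$email" \
    --form file=@cov-int.tgz \
    --form version="$version" \
    --form description="CI build $version" \
    "https://scan.coverity.com/builds?project=$project"
  date +%s >> "$log_file"               # record it so the guard sees it next time
}

# The real capture/upload only runs when asked for explicitly, e.g. from CI:
#   RUN_SUBMIT=1 ./coverity_submit.sh
if [ "${RUN_SUBMIT:-0}" = "1" ]; then
  submit_build onap-example dev@example.org "$(git rev-parse --short HEAD)" \
    .coverity-builds.log 250000 mvn -B clean package
fi
```

Keeping the guard in the submitter rather than relying on Scan's rejection matters for a project of ONAP's size: the per-day limit is as low as one build for a project over a million lines, so a per-commit CI trigger would exhaust the week's quota within a day or two and every later upload would be rejected until the following week.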

Next Steps: 

  • Identify an open source project actively using Coverity Scan to get their feedback on the integration of Scan with their code development lifecycle
  • Determine whether or not the restrictions on scan frequency will cause a problem for any of the ONAP projects
  • Identify an ONAP project willing to test Scan (possibly CLAMP since they are also going through CII badging)
  • Integrate Scan with ONAP code development (if Scan is determined to be a viable product)