...

Preliminary Decision: Coverity Scan https://scan.coverity.com/

<< Include a motivation >>

Motivation: Coverity Scan is a service through which Synopsys provides the results of static analysis on open source projects to the open source developers who have registered those projects with Coverity Scan. Coverity Scan is powered by Coverity® Quality Advisor, which surfaces defects identified by the Coverity Static Analysis Verification Engine (Coverity SAVE®). Synopsys offers the results of the analysis performed by Coverity Quality Advisor on registered projects at no charge to registered open source developers. Coverity is already integrated into OPNFV and other open source projects and is operating successfully there. The Linux Foundation recommends the use of the tool.

Current Activity: In conversations with Coverity to understand the definition of "project" (does it refer to ONAP as a whole, or to the individual projects under an ONAP release?) so that the limitation on free scans does not become a bottleneck for submissions and commits.

...

Languages supported: C/C++, C#, Java, JavaScript, Python, Ruby

Question: How to trigger the code scan from Jenkins?

→ Jenkins plug-in?

→ What API does Coverity offer?

The scanning process can be triggered from Jenkins. OPNFV is currently using a basic Gerrit plug-in for some basic scans.

Question: What about Go? Which versions of Python?

Comment: Add some motivation of why Coverity is a good idea.

Comment: We need to catch the commitment now. 

Comment: OPNFV also has a basic Gerrit plug-in for some basic scans. This can be brought in.

Bring a few proposals to the TSC.

...

In either case, propose that the MS-4 and release criteria include static code scan analysis.

3.4 Recommendation

The recommended tool is: xxxx

The recommendation from the security sub-committee is:

  • Use Coverity Scan https://scan.coverity.com/ to perform static code scans on all ONAP code.
  • Automate scanning by enabling Jenkins to trigger weekly scans with Coverity Scan.
  • Deliver scan reports to the PTLs for each project. PTLs will be responsible for getting the vulnerabilities resolved (fixed or designated as false positives).
  • All projects in a release must have the high vulnerabilities resolved by MS-3.
  • All projects in a release must have the high and medium vulnerabilities resolved by MS-4.
  • The Security Committee will host sessions to help projects walk through the scanning process and reports.
  • xyz
  • The MS-4 and release criteria include static code scan analysis.


4. CII Badging Process Learnings for ONAP

...