Dear Kees, all,
we published an extension for the Coverity model that is used by the
CoverityScan setup for the Linux kernel [1]. We have been using this
extension to analyze the 6.1 kernel branch, and reported some fixes to
the upstream code base that are based on this model [2]. Feel free to
merge the pull request, and update the model in the CoverityScan setup.
We do not have access to that project to perform these updates
ourselves.
To increase the analysis coverage to aarch64, we analyzed an x86 and an
aarch64 configuration. The increased coverage is achieved by using
re-configuration and cross-compilation during the analysis build. If you
are interested in this setup we can share the Dockerfile and script we
used for this process.
To prevent regressions in backports to LTS kernels, we wondered whether
the community is interested in setting up CoverityScan projects for
older kernel releases. Would such an extension be useful to show new
defects in addition to the current release testing?
Best,
Norbert
[1] GitHub Coverity model pull request link:
https://github.com/kees/coverity-linux/pull/1
[2] Emails for most fixes by Hagar:
https://lore.kernel.org/all/?q=f%3Ahagarhem
Amazon Web Services Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Managing Directors: Christian Schlaeger, Jonathan Weiss
Registered at the Charlottenburg Local Court (Amtsgericht Charlottenburg) under HRB 257764 B
Registered office: Berlin
VAT ID: DE 365 538 597
On Thu, May 16, 2024 at 03:28:16PM +0000, Manthey, Norbert wrote:
> Dear Kees, all,
>
> we published an extension for the Coverity model that is used by the
> CoverityScan setup for the Linux kernel [1]. We have been using this
> extension to analyze the 6.1 kernel branch, and reported some fixes to
> the upstream code base that are based on this model [2]. Feel free to
> merge the pull request, and update the model in the CoverityScan setup.
> We do not have access to that project to perform these updates
> ourselves.
>
> To increase the analysis coverage to aarch64, we analyzed an x86 and an
> aarch64 configuration. The increased coverage is achieved by using
> re-configuration and cross-compilation during the analysis build. If you
> are interested in this setup we can share the Dockerfile and script we
> used for this process.
>
> To prevent regressions in backports to LTS kernels, we wondered whether
> the community is interested in setting up CoverityScan projects for
> older kernel releases. Would such an extension be useful to show new
> defects in addition to the current release testing?
New defects yes, I would like to know that, as long as they are also
fixed already in mainline, right?
Just send us reports of that, no need to get the Coverity site involved
there, I'll be glad to take them.
thanks,
greg k-h
On Thu, May 16, 2024 at 03:28:16PM +0000, Manthey, Norbert wrote:
> we published an extension for the Coverity model that is used by the
> CoverityScan setup for the Linux kernel [1]. We have been using this
> extension to analyze the 6.1 kernel branch, and reported some fixes to
> the upstream code base that are based on this model [2]. Feel free to
> merge the pull request, and update the model in the CoverityScan setup.
> We do not have access to that project to perform these updates
> ourselves.
Thanks for this! I'll get it loaded into the Linux-Next scanner.
> To increase the analysis coverage to aarch64, we analyzed an x86 and an
> aarch64 configuration. The increased coverage is achieved by using
> re-configuration and cross-compilation during the analysis build. If you
> are interested in this setup we can share the Dockerfile and script we
> used for this process.
We've only got access to the free Coverity scanner, but it would be nice
to see if there was anything specific to arm64.
> To prevent regressions in backports to LTS kernels, we wondered whether
> the community is interested in setting up CoverityScan projects for
> older kernel releases. Would such an extension be useful to show new
> defects in addition to the current release testing?
The only one we (lightly) manage right now is the linux-next scanner. If
other folks want to host scanners for -stable kernels, that would be
interesting, yes.
-Kees
--
Kees Cook
On Thu, 2024-05-16 at 12:20 -0700, Kees Cook wrote:
> On Thu, May 16, 2024 at 03:28:16PM +0000, Manthey, Norbert wrote:
> > we published an extension for the Coverity model that is used by the
> > CoverityScan setup for the Linux kernel [1]. We have been using this
> > extension to analyze the 6.1 kernel branch, and reported some fixes to
> > the upstream code base that are based on this model [2]. Feel free to
> > merge the pull request, and update the model in the CoverityScan setup.
> > We do not have access to that project to perform these updates
> > ourselves.
>
> Thanks for this! I'll get it loaded into the Linux-Next scanner.
Nice, thanks!
>
> > To increase the analysis coverage to aarch64, we analyzed an x86 and an
> > aarch64 configuration. The increased coverage is achieved by using
> > re-configuration and cross-compilation during the analysis build. If you
> > are interested in this setup we can share the Dockerfile and script we
> > used for this process.
>
> We've only got access to the free Coverity scanner, but it would be nice
> to see if there was anything specific to arm64.
Yes, I understand. Can you show how that free scanner is used? We
tweaked the command we fed into the "cov-build" tool. This tool should
be part of the scanner (if I remember that correctly).
>
> > To prevent regressions in backports to LTS kernels, we wondered whether
> > the community is interested in setting up CoverityScan projects for
> > older kernel releases. Would such an extension be useful to show new
> > defects in addition to the current release testing?
>
> The only one we (lightly) manage right now is the linux-next scanner. If
> other folks want to host scanners for -stable kernels, that would be
> interesting, yes.
Can you explain or share pointers to how the current setup works?
If I understand that better, we can think about how to process the
other kernels.
Best,
Norbert
>
> -Kees
>
> --
> Kees Cook