
Enabling coverity on additional repositories

Open tniessen opened this issue 3 years ago • 5 comments

Some core dependencies that are under the nodejs GitHub organization are excluded from coverity scans of the core repository. I would like to enable coverity for those repositories separately. One example would be uvwasi.

Please let me know if there are any concerns.

tniessen avatar Mar 08 '22 21:03 tniessen

I would like to enable coverity for those repositories separately

@tniessen How are you proposing to do that? AFAIK (and am willing to be corrected) we can only submit one scan per day to the Node.js project on Coverity. https://scan.coverity.com/faq#frequency (yes, core has over a million lines of code).

With regards to the dependencies being excluded from the scans of the core repo, @mhdawson and I did that to start with a smaller base set of files. In principle I have no objections to re-including specific dependencies as part of the core scan if there are people willing to triage the findings. Or you could register uvwasi as a separate project from Node.js on Coverity: https://scan.coverity.com/faq#how-get-project-included-in-scan

richardlau avatar Mar 09 '22 00:03 richardlau

@richardlau I might have misunderstood Coverity's FAQ. I thought I could simply add the repositories through the "Register my GitHub project" button but it might be much more complicated than that.

tniessen avatar Mar 09 '22 01:03 tniessen

I think the goal of scanning in the upstream repos makes sense versus just trying to scan once the code makes it into deps (which we could also enable as @richardlau mentioned above).

@tniessen, maybe enabling for the deps directory is a good first step?

We might also be able to register uvwasi as its own project but that would take extra work/ongoing management.

mhdawson avatar Mar 09 '22 19:03 mhdawson

@tniessen, maybe enabling for the deps directory is a good first step?

I think enabling it for selected deps makes sense, especially those C/C++ deps managed by the Node.js team (e.g., uvwasi). I believe we have already registered each dependency as a separate component so that should be simple.

tniessen avatar Mar 09 '22 21:03 tniessen

Since there's been no objection, I've experimentally included deps/uvwasi by setting "Ignore in analysis" to "No" for that component.

tniessen avatar Mar 11 '22 22:03 tniessen

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.

github-actions[bot] avatar Jan 06 '23 00:01 github-actions[bot]