Coverity Scanning of the GNU C Library project
- As of the recent update to covscan we can only attain 13% coverage of glibc. It seems our use of pipes to generate the syscall wrappers is what drives the coverage metric so low with the most recent release. The open source scanner won't accept any project with less than 85% coverage. This is a shame, since the syscall wrappers are just assembly run through the compiler to get access to cpp. Either way, we can no longer upload glibc results as of 2018-10-01 until we work around this issue.
The GNU C Library project has a coverity scanning account located here:
The scanning is offered as part of Coverity's free scanning for open source projects here:
The scanning process is not exactly trivial, but follows these general steps. This assumes you have already set up an account for your project and configured the project account, including adding as many other administrators as you need to manage the account and defect processing. Much of the submission of a new build can be automated, but for now glibc is doing this manually.
- Project releases new version.
- Download tarballs of the new version.
  - e.g. mkdir ~/src; cd ~/src; wget http://ftp.gnu.org/gnu/glibc/glibc-2.28.tar.gz
- Download the Coverity analysis tooling, e.g. cov-analysis-linux64-2017.07.tar.gz for 64-bit GNU/Linux.
  - Unpack it, e.g. mkdir ~/bin; cd ~/bin; tar zxvf cov-analysis-linux64-2017.07.tar.gz
- Build the project with the scanner.
  - Run the steps you don't want analyzed (configure and the clean) outside cov-build, e.g. mkdir ~/build/glibc-2.28; cd ~/build/glibc-2.28; ~/src/glibc-2.28/configure --prefix=/usr; make clean;
  - Build the project under cov-build, which records the intermediate results in the cov-int directory, e.g. PATH=~/bin/cov-analysis-linux64-2017.07/bin/:$PATH cov-build --dir cov-int make -j4;
  - Pack up the results, e.g. tar czvf glibc-2.28-covscan.tgz cov-int
- Upload the tarball, but keep an eye on build upload frequency limits (https://scan.coverity.com/faq#frequency). The form fields are Coverity Scan's standard ones (token, email, file, version, description); the token is the project's upload token from the project settings page and should be treated as a credential:
  curl --form token=095xUv5p-LtEYcj4jOMprw \
       --form email=<your email> \
       --form file=@glibc-2.28-covscan.tgz \
       --form version="2.28" \
       --form description="The GNU C Library (release)" \
       https://scan.coverity.com/builds?project=GNU+C+Library+-+glibc
  Alternatively, if the tarball is already hosted somewhere Coverity can fetch it from, submit its URL instead of uploading the file:
  curl --data "project=GNU+C+Library+-+glibc&token=095xUv5p-LtEYcj4jOMprw&email=<your email>&url=www.example.com/your/file/location&version=2.28&description=glibc-release" \
       https://scan.coverity.com/builds
- Review the results once the analysis of the upload completes by logging into Coverity Scan and using the defect browser. Note that defects can be made public or available only to maintainers, contributors, or defect viewers depending on the project settings. The glibc Coverity Scan project allows anyone to view the full defect report.
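The steps above as one script, added here as an example and not the glibc project's own tooling. Besides wrapping the configure, cov-build, tar and curl steps in functions, it adds the check a maintainer would want after the coverage problem noted at the top of the page: before uploading, it reads the percentage from the summary line cov-build prints at the end of a build ("N C/C++ compilation units (X%) are ready for analysis") and refuses to upload below the 85% threshold Scan enforces, and it checks that the tarball really carries cov-int at its top level. The covscan_* function names, the COVERITY_TOKEN and COVERITY_EMAIL environment variables, and the two build-log excerpts used for the offline demonstration are assumptions made for this example; the directory layout is the ~/src, ~/build, ~/bin one used in the steps.

```shell
#!/bin/sh
# Added example for this wiki page, not the glibc project's own tooling:
# the manual steps above as shell functions, plus a pre-upload gate on the
# coverage percentage that cov-build prints, so a build like the 13% one
# described at the top of the page is caught before it is sent to Scan.
# Assumed: the ~/src, ~/build and ~/bin/cov-analysis-linux64-2017.07 layout
# used in the steps; COVERITY_TOKEN and COVERITY_EMAIL in the environment;
# cov-build's summary line "N C/C++ compilation units (X%) are ready for analysis".
set -e

COV_VERSION="${COV_VERSION:-2.28}"
COV_TOOLS="${COV_TOOLS:-$HOME/bin/cov-analysis-linux64-2017.07}"
SRC_DIR="$HOME/src/glibc-$COV_VERSION"
BUILD_DIR="$HOME/build/glibc-$COV_VERSION"
MIN_COVERAGE=85   # Scan's acceptance threshold as stated on this page

# Tarball name for a release, matching the manual "tar czvf" step.
covscan_tarball() {
    printf 'glibc-%s-covscan.tgz\n' "$1"
}

# Integer coverage percentage from a cov-build log (the last summary line
# wins); prints 0 when the log has no such line, which also fails the gate.
covscan_coverage_pct() {
    pct=$(sed -n 's/.*compilation units (\([0-9][0-9]*\)%) are ready for analysis.*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${pct:-0}"
}

# Succeeds only when the build meets Scan's minimum coverage.
covscan_coverage_ok() {
    [ "$(covscan_coverage_pct "$1")" -ge "$MIN_COVERAGE" ]
}

# Succeeds only when the tarball carries the cov-int directory at top level,
# which is what Scan expects to find when it unpacks the upload.
covscan_tarball_ok() {
    tar tzf "$1" | grep -q '^cov-int/'
}

# configure and "make clean" run outside cov-build so they are not analyzed;
# only the real build runs under it. cov-build writes its log to cov-int/build-log.txt.
covscan_build() {
    mkdir -p "$BUILD_DIR"
    cd "$BUILD_DIR"
    "$SRC_DIR/configure" --prefix=/usr
    make clean
    PATH="$COV_TOOLS/bin:$PATH" cov-build --dir cov-int make -j4
    tar czvf "$(covscan_tarball "$COV_VERSION")" cov-int
}

# Standard Scan upload form. The token is the project's upload secret, so it
# is read from the environment rather than written into a script or wiki page.
covscan_upload() {
    tarball=$(covscan_tarball "$COV_VERSION")
    covscan_coverage_ok cov-int/build-log.txt || {
        echo "coverage $(covscan_coverage_pct cov-int/build-log.txt)% is below ${MIN_COVERAGE}%; not uploading" >&2
        return 1
    }
    covscan_tarball_ok "$tarball"
    curl --form token="${COVERITY_TOKEN:?set from the project settings page}" \
         --form email="${COVERITY_EMAIL:?}" \
         --form file=@"$tarball" \
         --form version="$COV_VERSION" \
         --form description="The GNU C Library (release)" \
         'https://scan.coverity.com/builds?project=GNU+C+Library+-+glibc'
}

# Offline demonstration on constructed inputs (no Coverity tools needed):
# two fake build-log excerpts and a minimal tarball with the expected layout.
DEMO_DIR=$(mktemp -d)
LOW_LOG="$DEMO_DIR/low.txt"
FULL_LOG="$DEMO_DIR/full.txt"
printf '%s\n' '2345 C/C++ compilation units (13%) are ready for analysis' \
              'The cov-build utility completed successfully.' > "$LOW_LOG"
printf '%s\n' '9876 C/C++ compilation units (100%) are ready for analysis' \
              'The cov-build utility completed successfully.' > "$FULL_LOG"
mkdir -p "$DEMO_DIR/cov-int" && cp "$FULL_LOG" "$DEMO_DIR/cov-int/build-log.txt"
DEMO_TARBALL="$DEMO_DIR/$(covscan_tarball demo)"
( cd "$DEMO_DIR" && tar czf "$DEMO_TARBALL" cov-int )

for log in "$LOW_LOG" "$FULL_LOG"; do
    if covscan_coverage_ok "$log"; then
        echo "$(basename "$log"): $(covscan_coverage_pct "$log")% -> upload allowed"
    else
        echo "$(basename "$log"): $(covscan_coverage_pct "$log")% -> below ${MIN_COVERAGE}%, hold the upload"
    fi
done

# The real build and upload only run when explicitly asked for.
if [ "${COVSCAN_RUN:-0}" = 1 ]; then
    covscan_build
    covscan_upload
fi
```

Run it as-is to see the gate decide on the two constructed logs; run it with COVSCAN_RUN=1, COVERITY_TOKEN and COVERITY_EMAIL set to perform the actual build and upload. Keeping the token out of the script is the point of reading it from the environment: the upload token authorizes builds against the project, and anyone holding it can push results into the project's defect history.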