Coverity Scanning of the GNU C Library project
The GNU C Library project has a Coverity Scan account located here:
The scanning is offered as part of Coverity's free scanning for open source projects here:
The scanning process is not exactly trivial, but follows these general steps. This assumes you have already set up an account for your project and configured the project account, including adding as many other administrators as you need to manage the account and defect processing. Much of the submission of a new build can be automated, but for now glibc does this manually.
- Project releases a new version.
- Download the tarball of the new version (GNU releases also ship a detached .sig file; verify it with gpg before building anything from the tarball):
    mkdir ~/src; cd ~/src; wget http://ftp.gnu.org/gnu/glibc/glibc-2.22.tar.gz
- Download the Coverity analysis tooling, e.g. cov-analysis-linux64-7.7.0.tar.gz for 64-bit Linux, and unpack it:
    mkdir ~/bin; cd ~/bin; tar zxvf cov-analysis-linux64-7.7.0.tar.gz
- Build the project under the scanner. Run the steps you do not want analyzed (configure, cleaning) outside cov-build, so that only the compiler invocations of the real build are captured:
    mkdir -p ~/build/glibc-2.22; cd ~/build/glibc-2.22
    ~/src/glibc-2.22/configure --prefix=/usr
    make clean
  Then run the build under cov-build with the analysis tools on PATH; cov-build records every compile into the cov-int directory:
    PATH=~/bin/cov-analysis-linux64-7.7.0/bin/:$PATH cov-build --dir cov-int make -j4
  Pack up the results:
    tar czvf glibc-2.22-covscan.tgz cov-int
- Upload the tarball, but keep an eye on build upload frequency limits (https://scan.coverity.com/faq#frequency). The token is the project's upload token from the project settings page, and email is the address of the submitting account (shown here as a placeholder):
    curl --form token=095xUv5p-LtEYcj4jOMprw \
         --form email=<your-email> \
         --form file=@glibc-2.22-covscan.tgz \
         --form version="2.22" \
         --form description="The GNU C Library (release)" \
         https://scan.coverity.com/builds?project=GNU+C+Library+-+glibc
  Alternatively, host the tarball somewhere Coverity can fetch it and submit only its URL:
    curl --data "project=GNU+C+Library+-+glibc&token=095xUv5p-LtEYcj4jOMprw&email=<your-email>&url=www.example.com/your/file/location&version=2.22&description=glibc-release" \
         https://scan.coverity.com/builds
- Review results after upload is complete by logging into coverity and using the defect browser tool. Note that defects can be made public or only available to maintainers, contributors, or defect viewers depending on settings. The glibc coverity scan project allows anyone to view the full defect report.
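The steps above, wrapped into one re-runnable script, as an added example; this is not glibc's or Coverity's own tooling. It follows the page's layout (~/src, ~/build, the 7.7.0 tool tarball, the same project name and form fields) and adds three checks a submitter would want: it verifies the release's detached GNU signature before building, it reads the upload token from a 0600 file into a curl config file instead of passing it on the command line where other local users could read it from ps, and it refuses to upload if a stamp file shows a recent upload. The https URL for ftp.gnu.org, the token and stamp file paths, the one-day minimum upload spacing and the ~/.coverity-token file are assumptions of this example, not from the page; the signer's public key is assumed to be in the local gpg keyring already.

```shell
#!/bin/sh
# covscan.sh: download, verify, cov-build and upload a glibc release to Coverity Scan.
# Added example, not glibc's or Coverity's own script. Assumed (not from the wiki page):
# https for ftp.gnu.org, the token/stamp file paths, COV_MIN_DAYS, and the tool version.
HOME=${HOME:-$PWD}
set -eu

COV_TOOLS="${COV_TOOLS:-$HOME/bin/cov-analysis-linux64-7.7.0}"
COV_TOKEN_FILE="${COV_TOKEN_FILE:-$HOME/.coverity-token}"  # one line, mode 0600 (assumed path)
COV_STAMP="${COV_STAMP:-$HOME/.coverity-last-upload}"      # touched after each upload (assumed)
COV_MIN_DAYS="${COV_MIN_DAYS:-1}"                          # assumed spacing between uploads
COV_PROJECT='GNU+C+Library+-+glibc'
SRC_ROOT="${SRC_ROOT:-$HOME/src}"
BUILD_ROOT="${BUILD_ROOT:-$HOME/build}"
GNU_MIRROR='https://ftp.gnu.org/gnu/glibc'

# File names derived from the release version, e.g. 2.22 -> glibc-2.22.tar.gz.
tarball_name() { printf 'glibc-%s.tar.gz\n' "$1"; }
results_name() { printf 'glibc-%s-covscan.tgz\n' "$1"; }
upload_url()   { printf 'https://scan.coverity.com/builds?project=%s\n' "$COV_PROJECT"; }

# Exit 0 if STAMP was modified less than DAYS*24h ago (POSIX find -mtime), else 1.
# Used to stay under the scan.coverity.com upload frequency limit.
recently_uploaded() {
    stamp=$1
    days=$2
    [ -f "$stamp" ] && [ -n "$(find "$stamp" -mtime -"$days")" ]
}

# Fetch the tarball plus its detached signature and refuse to unpack an unverified release.
fetch_release() {
    ver=$1
    tb=$(tarball_name "$ver")
    mkdir -p "$SRC_ROOT"
    cd "$SRC_ROOT"
    wget -N "$GNU_MIRROR/$tb" "$GNU_MIRROR/$tb.sig"
    gpg --verify "$tb.sig" "$tb"
    tar zxf "$tb"
}

# configure and clean run outside cov-build so only the real build's compiles are captured;
# the build itself runs under cov-build, and cov-int is packed for upload.
build_release() {
    ver=$1
    mkdir -p "$BUILD_ROOT/glibc-$ver"
    cd "$BUILD_ROOT/glibc-$ver"
    "$SRC_ROOT/glibc-$ver/configure" --prefix=/usr
    make clean
    PATH="$COV_TOOLS/bin:$PATH" cov-build --dir cov-int make -j4
    tar czf "$(results_name "$ver")" cov-int
}

# Upload with curl. The token is written into a 0600 curl config file read with -K, so it
# never appears in the process's argument list.
upload_results() {
    ver=$1
    email=$2
    tb=$3
    if recently_uploaded "$COV_STAMP" "$COV_MIN_DAYS"; then
        echo "last upload was less than $COV_MIN_DAYS day(s) ago; not uploading" >&2
        return 1
    fi
    umask 077
    cfg=$(mktemp)
    printf 'form = "token=%s"\n' "$(cat "$COV_TOKEN_FILE")" > "$cfg"
    status=0
    curl --fail -K "$cfg" \
         --form "email=$email" \
         --form "file=@$tb" \
         --form "version=$ver" \
         --form "description=The GNU C Library (release)" \
         "$(upload_url)" || status=$?
    rm -f "$cfg"
    [ "$status" -eq 0 ] && touch "$COV_STAMP"
    return "$status"
}

main() {
    ver=${2:?usage: $0 fetch|build|upload|all VERSION [EMAIL]}
    results="$BUILD_ROOT/glibc-$ver/$(results_name "$ver")"
    case "$1" in
        fetch)  fetch_release "$ver" ;;
        build)  build_release "$ver" ;;
        upload) upload_results "$ver" "${3:?EMAIL required}" "$results" ;;
        all)    fetch_release "$ver"
                build_release "$ver"
                upload_results "$ver" "${3:?EMAIL required}" "$results" ;;
        *)      echo "usage: $0 fetch|build|upload|all VERSION [EMAIL]" >&2; return 2 ;;
    esac
}

# e.g. ./covscan.sh all 2.22 you@example.org
if [ $# -gt 0 ]; then main "$@"; fi
```

The frequency guard is deliberately coarse: the FAQ's actual limit depends on the project's size, so set COV_MIN_DAYS to whatever band the project falls in rather than trusting the default here. The curl config file approach also works for the URL-based variant on this page; put `data = "project=...&token=..."` in the same 0600 file instead of the form line.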