Integrate code security analysis tools into Buildbot

[Samuli Seppänen]

In the ​IRC meeting on 22nd Apr 2010 it was agreed that all patches should be checked with (security) auditing tools such as Valgrind and Coverity. These tools need to be integrated into our Continuous integration server app, Buildbot.

[Samuli Seppänen]

It's not possible to integrate Coverity into Buildbot. Coverity tracks a static codebase, which in our case is also outdated.

[Samuli Seppänen]

Coverity has made some changes to their service since this ticket was last modified. It's possible that nowadays it can track a Git tree.

[Gert Döring]

Hiya. I know you have gotten coverity to check our git tree, but I think their check results are slightly stale (as lots of our code base has changed).

Is there a way to make their system forget everything it knows, and re-start with the latest git master? Then we could try to go systematically through it and fix stuff.

(Also, when I looked last time, their system didn't grok ASSERT() and gave lots of false positives. If they haven't fixed that yet, we could report it back...)

[Samuli Seppänen]

I will have a look at this again. I read that Coverity has made some changes to the source code upload process lately - that might help us here.

[Samuli Seppänen]

We now have Coverity track a special branch. This was necessary as the number of allowable builds per day is limited. Do we consider this enough to close the ticket?

[Samuli Seppänen]

Ping.

[Samuli Seppänen]

Pong.

[Samuli Seppänen]

Ping.

[Samuli Seppänen]

Pong.

[Gert Döring]

I hear that Corp wants to do the coverity scanning now?