Static code analysis with Coverity Scan service
Coverity Scan results
Repository | Coverity Scan status & results | Jenkins job
---|---|---
 | Golang support will be ported from the commercial Coverity tool to the Coverity Scan service later. | 
How To
Register a new ONAP project on Coverity Scan service
Fill in the following fields on the Coverity Scan registration form:
- Project Name (e.g. "onap-so"): must match onap-[a-z0-9-]+ and must not contain "/". The project name is passed as a parameter to the Jenkins job that submits build results.
- Role: set it to "Maintainer/Owner".
- Language (e.g. "Java").
- Repository URL (e.g. "https://git.onap.org/so/").
- License (e.g. "Apache").
- Homepage URL (e.g. "https://www.onap.org/").
- Reference URL: proof of your association with the project, e.g. a link to one of your commits. Optional, but highly recommended.
- Additional information (e.g. "SO is a component of Open Networking Automation Platform - an open source networking project hosted by the Linux Foundation."). Optional.
The project is created immediately and builds can be submitted for analysis straight away. Access to the defect report, however, is unlocked only after the project has been verified by the Coverity Scan admins (this usually takes a couple of working days).
To configure a Jenkins job for automated build submission you need the Project Token; it is shown on the "Project Settings" tab of the project page.
Set up a Jenkins job for the component (see the next section).
Setup Jenkins to submit builds for Coverity Scan evaluation periodically
Add the following project entry to the appropriate JJB YAML config. E.g. for SO (https://git.onap.org/ci-management/tree/jjb/so/so.yaml):

- project:
    name: 'so-coverity'
    jobs:
      - 'onap-gerrit-maven-coverity'
    cron: '@daily'
    build-node: 'ubuntu1604-builder-4c-4g'
    project: 'so'
    project-name: 'so'
    branch: 'master'
    mvn-settings: 'so-settings'
    mvn-params: '-Dmaven.test.skip=true'
    coverity-project-name: 'onap-so'
    coverity-token: 'SrGGJp9T1n1lhJn2sF72XQ'
    coverity-user-email: 'artem.naluzhnyy@gmail.com'

The coverity-token value is the Project Token from the "Project Settings" tab. It authorises build uploads to the Coverity Scan project, so be aware that committing it to the public ci-management repository lets anyone who reads that file submit builds under your project name.
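In outline, the 'onap-gerrit-maven-coverity' job runs the Maven build under cov-build, packs the cov-int directory and uploads it to Coverity Scan. The script below is an added example (not the page's or ONAP's JJB code) that does the same by hand from a checkout, reading the token from the COVERITY_TOKEN environment variable instead of hard-coding it. It assumes cov-build from the Coverity Scan build tool is on PATH and uses the upload form fields documented by Coverity Scan (token, email, file, version, description); the curl flags, the Maven goals and the function names are choices made here, not the job template's.

```shell
#!/bin/sh
# Added example: manual Coverity Scan submission for an ONAP Maven component.
# Not ONAP's or Coverity's code. Assumes cov-build is on PATH and that
# COVERITY_TOKEN holds the Project Token from "Project Settings".
set -eu

SCAN_URL='https://scan.coverity.com/builds'

# ONAP project names on Coverity Scan must match onap-[a-z0-9-]+ and must not
# contain "/", because the name is passed as a URL query parameter.
validate_project_name() {
    printf '%s\n' "$1" | grep -Eq '^onap-[a-z0-9-]+$'
}

# The token authorises uploads to the project: require it, never print it.
require_token() {
    [ -n "${COVERITY_TOKEN:-}" ]
}

# Upload endpoint for a project (can be inspected without uploading anything).
upload_url() {
    printf '%s?project=%s\n' "$SCAN_URL" "$1"
}

# Build under cov-build, archive cov-int and submit it.
submit_build() {
    project=$1
    email=$2

    validate_project_name "$project" || {
        echo "invalid Coverity Scan project name: $project" >&2
        return 2
    }
    require_token || {
        echo "COVERITY_TOKEN is not set" >&2
        return 2
    }

    rm -rf cov-int cov-int.tgz
    # Same Maven option as the Jenkins job: tests are skipped so that test
    # sources do not show up in the analysis.
    cov-build --dir cov-int mvn -B -Dmaven.test.skip=true clean install
    tar czf cov-int.tgz cov-int

    version=$(git rev-parse --short HEAD)
    curl --fail --silent --show-error \
        --form "token=$COVERITY_TOKEN" \
        --form "email=$email" \
        --form "file=@cov-int.tgz" \
        --form "version=$version" \
        --form "description=manual submission of $project at $version" \
        "$(upload_url "$project")"
}

# Usage (from the repository root): ./coverity-submit.sh onap-so you@example.org
if [ $# -eq 2 ]; then
    submit_build "$1" "$2"
fi
```

The script refuses to run when the token is missing or the project name is malformed, and it never echoes the token; if you run it from Jenkins, inject COVERITY_TOKEN through a credentials binding rather than a YAML literal.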
Access defect details
Open the Coverity Scan page for your project. You can either use the Coverity Scan project search or follow the direct link on the corresponding Jenkins job page.
If you have not yet been added to the project on Coverity Scan:
- Click "Add me to project" and fill in the form.
- Wait until the project administrators grant you the appropriate permissions.
Click "View Defects".
Reference Coverity defect IDs in the commit message
Coverity-scan: CID-12345, CID-67890
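A git commit-msg hook that enforces the trailer form shown above, as an added example that is not part of the page or of ONAP's tooling. It assumes the trailer occupies one line, that commits without a trailer are allowed, and that "Coverity-scan: CID-<digits>" separated by commas is the only accepted spelling (so "CID 12345" or a bare number is rejected); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the page or ONAP's tooling: git commit-msg hook
# that validates "Coverity-scan:" trailers of the form
#   Coverity-scan: CID-12345, CID-67890
# Install as .git/hooks/commit-msg (executable).
set -eu

TRAILER='^Coverity-scan:'
TRAILER_FORM='^Coverity-scan: *CID-[0-9]+( *, *CID-[0-9]+)* *$'

# Print the CIDs referenced by Coverity-scan trailers, one per line, digits only.
coverity_cids() {
    grep -E "$TRAILER" "$1" | grep -Eo 'CID-[0-9]+' | sed 's/^CID-//'
}

# Succeed only if every Coverity-scan trailer in the message file is well-formed.
check_coverity_trailers() {
    # grep -v finds trailers that do NOT match the accepted form; any hit fails.
    if grep -E "$TRAILER" "$1" | grep -Evq "$TRAILER_FORM"; then
        return 1
    fi
    return 0
}

# git calls commit-msg hooks with the message file as the only argument.
if [ $# -eq 1 ]; then
    if ! check_coverity_trailers "$1"; then
        echo 'commit-msg: malformed Coverity-scan trailer; expected e.g. "Coverity-scan: CID-12345, CID-67890"' >&2
        exit 1
    fi
    for cid in $(coverity_cids "$1"); do
        echo "commit references Coverity defect CID-$cid"
    done
fi
```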
Reduce the number of reported defects
Disable analysis of specific files
See the Coverity Scan documentation on how to define software components. The list of all files analysed for a project is stored in the archived Jenkins build artifacts ("cov-int/coverity-scan-analysed-files.txt.gz").
Mark a Coverity defect as a false positive
On the "View Defects" page, go to the "Triage" section on the right panel.
Set "Action" to "Ignore" and click "Apply".
Disable FindBugs defects
If you have "Maintainer/Owner" permissions for the project:
Go to the "Project Settings" tab on the project page and click "Edit".
Check "Exclude Findbugs Defects".
Disable analysis of tests
Modify the "mvn-params" attribute of the appropriate Jenkins job so that the tests are not built:

- project:
    name: 'so-coverity'
    mvn-params: '-Dmaven.test.skip=true'
    ...
List all files of a project analysed by Coverity Scan
See the "cov-int/coverity-scan-analysed-files.txt.gz" file in the archived Jenkins build artifacts.
Review the Coverity Scan build logs
See the "cov-int/build-log.txt.gz" file in the archived Jenkins build artifacts.
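Whether the -Dmaven.test.skip=true setting actually kept test code out of the analysis can be checked against that analysed-files artifact. The script below is an added example, not part of the page or of ONAP's CI; it assumes the artifact holds one analysed path per line and that Maven's src/test/ layout identifies test code, and the sample list it writes is constructed here, not a real artifact.

```shell
#!/bin/sh
# Added example, not from the page or ONAP's CI: verify from the archived
# Jenkins artifact that no Maven test sources reached the Coverity analysis.
# Assumptions: one analysed path per line in coverity-scan-analysed-files.txt
# (optionally gzipped), and Maven's src/test/ layout marks test code.
set -eu

# Print the analysed file list, decompressing gzipped artifacts.
list_analysed_files() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Number of analysed files that live under a src/test/ tree. The leading
# (^|/) anchors on a path component so that e.g. .../Attestation.java or a
# .../java/test/ package under src/main/ does not count.
count_test_sources() {
    list_analysed_files "$1" | grep -Ec '(^|/)src/test/' || true
}

# Succeed only if the analysis contained no test sources; otherwise list them.
check_tests_excluded() {
    if [ "$(count_test_sources "$1")" -eq 0 ]; then
        return 0
    fi
    echo "test sources were analysed (check mvn-params for -Dmaven.test.skip=true):" >&2
    list_analysed_files "$1" | grep -E '(^|/)src/test/' >&2
    return 1
}

# Constructed sample list (not a real artifact) for trying the check offline:
# two main sources, one of them with "test" in a non-test package, and two
# files under src/test/.
write_sample_list() {
    cat > "$1" <<'EOF'
/w/workspace/so-coverity/mso-api-handlers/src/main/java/org/onap/so/apihandler/Handler.java
/w/workspace/so-coverity/mso-api-handlers/src/main/java/org/onap/so/apihandler/test/Attestation.java
/w/workspace/so-coverity/mso-api-handlers/src/test/java/org/onap/so/apihandler/HandlerTest.java
/w/workspace/so-coverity/bpmn/src/test/java/org/onap/so/bpmn/FlowTest.java
EOF
}

# Demo run on the constructed sample; for a real job pass the path of the
# downloaded cov-int/coverity-scan-analysed-files.txt.gz instead.
sample=$(mktemp)
write_sample_list "$sample"
if check_tests_excluded "$sample"; then
    echo "no test sources analysed"
else
    echo "$(count_test_sources "$sample") test source file(s) analysed"
fi
rm -f "$sample"
```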
See also
CIMAN-260: Add Jenkins job for static code analysis by Coverity Scan service (status: In Progress)
A couple of Coverity-related topics are explained on the ONAP Security Best Practices page.
Supported programming languages: C/C++, Java, C#, JavaScript, TypeScript, PHP, Python, Ruby, VB, Scala, Swift. At the moment there is a Jenkins job template only for components built by Maven; however, sources in other languages in the same repository can also be analysed using the "coverity-search-paths" project parameter of the JJB template.