<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 18.12.17 12:57, Victor Seva wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAgy_VnSo8dZThfC1bP7wzE1duUDAghiepNhwh9A+GFAbj_i0A@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">2017-12-18 11:39 GMT+01:00
Daniel-Constantin Mierla <span dir="ltr">&lt;<a
href="mailto:miconda@gmail.com" target="_blank"
moz-do-not-send="true">miconda@gmail.com</a>&gt;</span>:
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>It would be good to have a way that more developers
can trigger a coverity scan, but the results are only
visible to the developers that registered to coverity
site, therefore I do not think alerts/notifications to
public sr-dev mailing list are useful for the vast
majority of members. Those devs associated in the
coverity project get a notification when a new scan is
uploaded.</p>
</div>
</blockquote>
<div><br>
</div>
<div>The alerts/notifications were only due to my failing
tests. Travis will notify only if build fails, nothing
related to the coverity scan itself now that I figured out
how to integrate the build.</div>
</div>
</div>
</div>
</blockquote>
Can a coverity scan build fail if usual compilation with gcc/clang
is ok? When would it be useful to know that such build failed, does it
indicate something that a developer can fix on kamailio code?<br>
<br>
<blockquote type="cite"
cite="mid:CAAgy_VnSo8dZThfC1bP7wzE1duUDAghiepNhwh9A+GFAbj_i0A@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Another aspect is that I consider automatic scans to
be inconvenient in this case, in many cases I upload
scans myself and want to keep that scan until I solve
some reported issues -- an automatic scan can
overwrite the state of an ongoing analysis. So a new
scan should be triggered and uploaded only when a specific
developer wants to do analysis and eventually after
sync'ing with the other devs not to have a conflict.</p>
</div>
</blockquote>
<div><br>
</div>
<div>Not really sure what you mean about ongoing analysis,
AFAIK every reported issue has a CID. And it should be
unique between reports, is that right? I see that info at
"Detection History". I'm assuming that new reports will
detect fixed and new issues. Am I wrong?</div>
</div>
</div>
</div>
</blockquote>
<br>
When a new scan build is uploaded, the first set of issues I look at
is those newly detected. It shows what went wrong from the previous
build. I try to make sure that any new report on core and most
important modules are fixed asap. Subsequent builds are overwriting
them, getting lost in the old ones, which were reviewed but a
solution was not found (e.g., they look like false positives).<br>
<br>
Just uploading builds without anyone reviewing the results is
useless and can end up later in using more time to look again over
the entire list.<br>
<br>
<blockquote type="cite"
cite="mid:CAAgy_VnSo8dZThfC1bP7wzE1duUDAghiepNhwh9A+GFAbj_i0A@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Should anyone have different opinions and see other
benefits by doing it in another way, I am more than
open to have the proposals discussed here.</p>
</div>
</blockquote>
<div><br>
</div>
<div>The rationale behind this change was to unify how we
build and send the report to the service, so anyone with
the required perms (even an automated process) can do
it easily without the need of having a special environment
or process. The code would be in the repository to review,
improve or fix it and it would be always the same (using
the same options and environment)</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
My coverity builds are sometimes with system malloc instead of the
internal pkg, based on what needs to be troubleshooted. I said that
having a way to trigger the scan build by others can be useful, but
automatic and periodic builds are not useful at all, there must be a
developer that has interest to see the results at that moment.<br>
<br>
Based on the current proposal, I am not that confident that using a
dedicated branch is convenient. I would rather have a way to trigger
the scan build from master, upon a developer request/whatever
action... not sure if that works somehow, but it would be more
useful in my opinion.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
Kamailio World Conference - May 14-16, 2018 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
</body>
</html>