linux-kernel.vger.kernel.org archive mirror
* Coverity Scan model file, license, public access
@ 2021-07-06  7:45 Norbert Manthey
  2021-07-06 16:54 ` Kroah-Hartman
  0 siblings, 1 reply; 10+ messages in thread
From: Norbert Manthey @ 2021-07-06  7:45 UTC (permalink / raw)
  To: LKML
  Cc: Woodhouse, David, foersleo, Gustavo Pimentel,
	Gustavo A. R. Silva, Kees Cook, Kroah-Hartman, Thomas Gleixner

Dear all,

I would like to work with code analysis on the Linux kernel. The
currently used Coverity setup already uses a model file [1] to improve
the precision of the analysis. To the best of my knowledge, this model
file is currently not publicly accessible. I did not find a license
attached to [1], nor any information about licensing.

To improve the way Coverity is used, I would like to move this model
file into a public repository, and add a license. I wonder whom else I
should involve in this process. Is there a recommended place for the
location of the license? I assume the targeted license should be GPL,
and would like to understand whether that works with the way this file
is currently maintained.

Best,
Norbert

[1] https://scan.coverity.com/projects/linux-next-weekly-scan/model_file




Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879




* Re: Coverity Scan model file, license, public access
  2021-07-06  7:45 Coverity Scan model file, license, public access Norbert Manthey
@ 2021-07-06 16:54 ` Kroah-Hartman
       [not found]   ` <6f1cb856-fc72-cfd1-9bdd-b4dbf58c558c@amazon.de>
  2021-07-15 13:12   ` Norbert Manthey
  0 siblings, 2 replies; 10+ messages in thread
From: Kroah-Hartman @ 2021-07-06 16:54 UTC (permalink / raw)
  To: Norbert Manthey
  Cc: LKML, Woodhouse, David, foersleo, Gustavo Pimentel,
	Gustavo A. R. Silva, Kees Cook, Thomas Gleixner

On Tue, Jul 06, 2021 at 09:45:47AM +0200, Norbert Manthey wrote:
> Dear all,
> 
> I would like to work with code analysis on the Linux kernel. The
> currently used Coverity setup already uses a model file [1] to improve
> the precision of the analysis. To the best of my knowledge, this model
> file is currently not publicly accessible. I did not find a license
> attached to [1], nor any information about licensing.

I have no idea who wrote that thing, sorry.

> To improve the way Coverity is used, I would like to move this model
> file into a public repository, and add a license. I wonder whom else I
> should involve in this process. Is there a recommended place for the
> location of the license? I assume the targeted license should be GPL,
> and would like to understand whether that works with the way this file
> is currently maintained.

How is adding this file anywhere going to help?  Coverity is a closed
source tool that a few of us are "lucky" to be able to use, and even
then, it's tightly restricted what we can do with it.  The only real
users that this could benefit is anyone who is paying for the tool, and
if they are doing that, they are not allowed to share the results of the
output with anyone else (as per the license of the tool).  So unless you
are going to be doing this work on your own, with a paid copy of the
tool, who will use it?

thanks,

greg k-h


* Re: Coverity Scan model file, license, public access
       [not found]   ` <6f1cb856-fc72-cfd1-9bdd-b4dbf58c558c@amazon.de>
@ 2021-07-06 18:41     ` Kroah-Hartman
       [not found]       ` <b5f5c38c-5691-816d-f14c-8a82be7d9456@amazon.de>
  0 siblings, 1 reply; 10+ messages in thread
From: Kroah-Hartman @ 2021-07-06 18:41 UTC (permalink / raw)
  To: Norbert Manthey
  Cc: LKML, Woodhouse, David, foersleo, Gustavo Pimentel,
	Gustavo A. R. Silva, Kees Cook, Thomas Gleixner

On Tue, Jul 06, 2021 at 08:34:16PM +0200, Norbert Manthey wrote:
> With respect to sharing the results: we are allowed to upstream fixes
> that we find with the tool. We contributed in that way already, e.g. [2].

Yes, that is how many companies do this and have for a long time
(Canonical does this a lot).  But that puts all the work on you, and you
can not share the results of the tool with anyone, so you are forced to
do the work to fix problems the tool reports, which feels really wrong
when you are dealing with a scan of a public source tree...

thanks,

greg k-h


* Re: Coverity Scan model file, license, public access
       [not found]       ` <b5f5c38c-5691-816d-f14c-8a82be7d9456@amazon.de>
@ 2021-07-07  5:16         ` Kroah-Hartman
  0 siblings, 0 replies; 10+ messages in thread
From: Kroah-Hartman @ 2021-07-07  5:16 UTC (permalink / raw)
  To: Norbert Manthey
  Cc: LKML, Woodhouse, David, foersleo, Gustavo Pimentel,
	Gustavo A. R. Silva, Kees Cook, Thomas Gleixner

On Tue, Jul 06, 2021 at 09:06:33PM +0200, Norbert Manthey wrote:
> Backtracking to the original problem: is there a way to figure out the
> contributors of the current model, to get an agreement on the license to
> be used?

By sending html email, you are preventing the lists from seeing this
question, so you might want to start by fixing that on your end :)

greg k-h


* Re: Coverity Scan model file, license, public access
  2021-07-06 16:54 ` Kroah-Hartman
       [not found]   ` <6f1cb856-fc72-cfd1-9bdd-b4dbf58c558c@amazon.de>
@ 2021-07-15 13:12   ` Norbert Manthey
  2021-07-15 18:25     ` Kees Cook
  1 sibling, 1 reply; 10+ messages in thread
From: Norbert Manthey @ 2021-07-15 13:12 UTC (permalink / raw)
  To: Kroah-Hartman
  Cc: LKML, Woodhouse, David, foersleo, Gustavo Pimentel,
	Gustavo A. R. Silva, Kees Cook, Thomas Gleixner

On 7/6/21 6:54 PM, Kroah-Hartman wrote:
> 
> 
> On Tue, Jul 06, 2021 at 09:45:47AM +0200, Norbert Manthey wrote:
>> Dear all,
>>
>> I would like to work with code analysis on the Linux kernel. The
>> currently used Coverity setup already uses a model file [1] to improve
>> the precision of the analysis. To the best of my knowledge, this model
>> file is currently not publicly accessible. I did not find a license
>> attached to [1], nor any information about licensing.
> 
> I have no idea who wrote that thing, sorry.

Is there anybody else who knows more about the history of the used
Coverity model? Thanks.

Best,
Norbert




* Re: Coverity Scan model file, license, public access
  2021-07-15 13:12   ` Norbert Manthey
@ 2021-07-15 18:25     ` Kees Cook
  2021-07-16 10:26       ` Norbert Manthey
  2021-12-17 19:32       ` Muhammad Usama Anjum
  0 siblings, 2 replies; 10+ messages in thread
From: Kees Cook @ 2021-07-15 18:25 UTC (permalink / raw)
  To: Norbert Manthey
  Cc: Kroah-Hartman, LKML, Woodhouse, David, foersleo,
	Gustavo Pimentel, Gustavo A. R. Silva, Thomas Gleixner,
	Colin Ian King, Dave Jones, linux-hardening

On Thu, Jul 15, 2021 at 03:12:04PM +0200, Norbert Manthey wrote:
> On 7/6/21 6:54 PM, Kroah-Hartman wrote:
> > 
> > 
> > On Tue, Jul 06, 2021 at 09:45:47AM +0200, Norbert Manthey wrote:
> >> Dear all,
> >>
> >> I would like to work with code analysis on the Linux kernel. The
> >> currently used Coverity setup already uses a model file [1] to improve
> >> the precision of the analysis. To the best of my knowledge, this model
> >> file is currently not publicly accessible. I did not find a license
> >> attached to [1], nor any information about licensing.
> > 
> > I have no idea who wrote that thing, sorry.
> 
> Is there anybody else who knows more about the history of the used
> Coverity model? Thanks.

As far as I know, the model was written originally by Dave Jones, with
further changes from myself and, I think, Colin Ian King.

I thought it was visible through the Coverity dashboard, once you're
logged in:
https://scan.coverity.com/projects/linux-next-weekly-scan?tab=analysis_settings
(See 'Modeling file loaded [View]')

Regardless, I keep a copy in git since I'd been tweaking it (mostly to
no meaningful benefit: the model file doesn't work with macros, which is
where the bulk of the false positives in Coverity come from):
https://github.com/kees/coverity-linux

-- 
Kees Cook


* Re: Coverity Scan model file, license, public access
  2021-07-15 18:25     ` Kees Cook
@ 2021-07-16 10:26       ` Norbert Manthey
  2021-12-17 19:32       ` Muhammad Usama Anjum
  1 sibling, 0 replies; 10+ messages in thread
From: Norbert Manthey @ 2021-07-16 10:26 UTC (permalink / raw)
  To: Kees Cook
  Cc: Kroah-Hartman, LKML, Woodhouse, David, foersleo,
	Gustavo Pimentel, Gustavo A. R. Silva, Thomas Gleixner,
	Colin Ian King, Dave Jones, linux-hardening

On 7/15/21 8:25 PM, Kees Cook wrote:
> On Thu, Jul 15, 2021 at 03:12:04PM +0200, Norbert Manthey wrote:
>> On 7/6/21 6:54 PM, Kroah-Hartman wrote:
>>>
>>>
>>> On Tue, Jul 06, 2021 at 09:45:47AM +0200, Norbert Manthey wrote:
>>>> Dear all,
>>>>
>>>> I would like to work with code analysis on the Linux kernel. The
>>>> currently used Coverity setup already uses a model file [1] to improve
>>>> the precision of the analysis. To the best of my knowledge, this model
>>>> file is currently not publicly accessible. I did not find a license
>>>> attached to [1], nor any information about licensing.
>>>
>>> I have no idea who wrote that thing, sorry.
>>
>> Is there anybody else who knows more about the history of the used
>> Coverity model? Thanks.
> 
> As far as I know, the model was written originally by Dave Jones, with
> further changes from myself and, I think, Colin Ian King.
> 
> I thought it was visible through the Coverity dashboard, once you're
> logged in:
> https://scan.coverity.com/projects/linux-next-weekly-scan?tab=analysis_settings
> (See 'Modeling file loaded [View]')
> 
> Regardless, I keep a copy in git since I'd been tweaking it (mostly to
> no meaningful benefit: the model file doesn't work with macros, which is
> where the bulk of the false positives in Coverity come from):
> https://github.com/kees/coverity-linux

Thanks! This repo comes with a license, so I can start from there.

Best,
Norbert




* Re: Coverity Scan model file, license, public access
  2021-07-15 18:25     ` Kees Cook
  2021-07-16 10:26       ` Norbert Manthey
@ 2021-12-17 19:32       ` Muhammad Usama Anjum
  2021-12-17 20:03         ` Gustavo A. R. Silva
  2021-12-17 23:31         ` Kroah-Hartman
  1 sibling, 2 replies; 10+ messages in thread
From: Muhammad Usama Anjum @ 2021-12-17 19:32 UTC (permalink / raw)
  To: Kees Cook, Colin Ian King, Dave Jones
  Cc: usama.anjum, Kroah-Hartman, LKML, Woodhouse, David, foersleo,
	Gustavo Pimentel, Gustavo A. R. Silva, Thomas Gleixner,
	linux-hardening, Norbert Manthey

> As far as I know, the model was written originally by Dave Jones, with
> further changes from myself and, I think, Colin Ian King.
> 
> I thought it was visible through the Coverity dashboard, once you're
> logged in:
> https://scan.coverity.com/projects/linux-next-weekly-scan?tab=analysis_settings
> (See 'Modeling file loaded [View]')
> 
I've sent the request to join the dashboard. Who is the maintainer of
this free Coverity dashboard? Can anyone use these results to fix the
bugs without the permission of anyone?


* Re: Coverity Scan model file, license, public access
  2021-12-17 19:32       ` Muhammad Usama Anjum
@ 2021-12-17 20:03         ` Gustavo A. R. Silva
  2021-12-17 23:31         ` Kroah-Hartman
  1 sibling, 0 replies; 10+ messages in thread
From: Gustavo A. R. Silva @ 2021-12-17 20:03 UTC (permalink / raw)
  To: Muhammad Usama Anjum, Kees Cook, Colin Ian King, Dave Jones
  Cc: Kroah-Hartman, LKML, Woodhouse, David, foersleo,
	Gustavo Pimentel, Thomas Gleixner, linux-hardening,
	Norbert Manthey

Hi Muhammad,

On 12/17/21 13:32, Muhammad Usama Anjum wrote:
>> As far as I know, the model was written originally by Dave Jones, with
>> further changes from myself and, I think, Colin Ian King.
>>
>> I thought it was visible through the Coverity dashboard, once you're
>> logged in:
>> https://scan.coverity.com/projects/linux-next-weekly-scan?tab=analysis_settings
>> (See 'Modeling file loaded [View]')
>>
> I've sent the request to join the dashboard. Who is the maintainer of
> this free Coverity dashboard? Can anyone use these results to fix the
> bugs without the permission of anyone?
> 

Your request has been approved now.

Thanks
--
Gustavo


* Re: Coverity Scan model file, license, public access
  2021-12-17 19:32       ` Muhammad Usama Anjum
  2021-12-17 20:03         ` Gustavo A. R. Silva
@ 2021-12-17 23:31         ` Kroah-Hartman
  1 sibling, 0 replies; 10+ messages in thread
From: Kroah-Hartman @ 2021-12-17 23:31 UTC (permalink / raw)
  To: Muhammad Usama Anjum
  Cc: Kees Cook, Colin Ian King, Dave Jones, LKML, Woodhouse, David,
	foersleo, Gustavo Pimentel, Gustavo A. R. Silva, Thomas Gleixner,
	linux-hardening, Norbert Manthey

On Sat, Dec 18, 2021 at 12:32:59AM +0500, Muhammad Usama Anjum wrote:
> > As far as I know, the model was written originally by Dave Jones, with
> > further changes from myself and, I think, Colin Ian King.
> > 
> > I thought it was visible through the Coverity dashboard, once you're
> > logged in:
> > https://scan.coverity.com/projects/linux-next-weekly-scan?tab=analysis_settings
> > (See 'Modeling file loaded [View]')
> > 
> I've sent the request to join the dashboard. Who is the maintainer of
> this free Coverity dashboard? Can anyone use these results to fix the
> bugs without the permission of anyone?

Yes, no permission needed, fix away!

