Request: Add project to Coverity Scan or similar #1110
Comments
I fully agree with using Coverity, unfortunately only people with write access to this repo can set up Coverity. @kazuho Is there any chance you could set up Coverity? I could start going through bugs found and start fixing them but you or someone else with write access would have to do the original setup. If you need help using Coverity I can help. |
@hbowden If I gave you write permission, would you be willing to work on automating Coverity Scan of H2O using Travis CI? Reading https://scan.coverity.com/travis_ci my understanding is that it is possible. Thank you in advance. PS. the reason I am referring to Travis integration is because we will need a repeatable build process for scanning. |
@kazuho Yeah, I could set up Travis CI to use Coverity. However, Coverity only allows a limited number of scans per week. Below is a snippet from their site showing the limits.
I could set up a separate branch and we could merge into it whenever we want to scan h2o with Coverity. This is actually what the Coverity docs suggest. Does that work for you? |
Sounds great! Thank you very much. I've sent you an invitation that adds write privilege to the repo. Please feel free to create a dedicated branch for coverity scanning and make changes there. |
Thanks, I will add a pull request when I have it working. |
So I got Coverity integrated with Travis CI on this branch: https://github.com/hbowden/h2o/tree/coverity_scan I wasn't able to add the main h2o repo to Travis CI because it says I don't have admin rights. You could just use the config below and sign in to Coverity using your GitHub account and add h2o as a project. Make sure to set the issues as private; for some reason it defaults to public. Click submit build and then go to the Configure Travis CI tab. Halfway down the page will be an example config, grab the key on the

```yaml
language: cpp
env:
  global:
    # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
    # via the "travis encrypt" command using the project repo's public key
    # (the encrypted value itself is omitted here)
    - secure: "<ENCRYPTED_COVERITY_SCAN_TOKEN>"
compiler:
  - gcc
addons:
  hosts:
    - 127.0.0.1.xip.io
    - alternate.127.0.0.1.xip.io
  coverity_scan:
    project:
      name: "h2o/h2o"
      description: "H2O - the optimized HTTP/1, HTTP/2 server https://h2o.examp1e.net"
    notification_email: kazuho@natadeco.co
    build_command_prepend: "mkdir build && cd build && cmake .."
    build_command: "cd build && make"
    branch_pattern: coverity_scan
before_install:
  # upgrade g++ and libstdc++ to build nghttp2
  - echo -n | openssl s_client -connect scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sudo tee -a /etc/ssl/certs/ca-
  - sudo add-apt-repository --yes ppa:ubuntu-toolchain-r/test
  - sudo apt-add-repository --yes ppa:smspillaz/cmake-2.8.12
  - sudo apt-get --yes update
  - sudo apt-get install --yes cmake cmake-data g++-4.8 libstdc++-4.8-dev php5-cgi wget
  - if [ "$CXX" = "g++" ]; then export CXX="g++-4.8"; fi
  - $CXX --version
  # for speed, pre-install deps installed in `before_script` section as ubuntu packages
  - sudo apt-get install -qq cpanminus libipc-signal-perl liblist-moreutils-perl libwww-perl libio-socket-ssl-perl zlib1g-dev
before_script:
  # install libuv >= 1.0.0 (optionally required for building / testing libh2o)
  - curl -L https://github.com/libuv/libuv/archive/v1.0.0.tar.gz | tar xzf -
  - (cd libuv-1.0.0 && ./autogen.sh && ./configure --prefix=/usr && make && sudo make install)
  # install perl modules (mandatory for testing)
  - misc/install-perl-module.pl Net::EmptyPort
  - misc/install-perl-module.pl Scope::Guard
  - misc/install-perl-module.pl Plack
  - misc/install-perl-module.pl FCGI
  - misc/install-perl-module.pl FCGI::ProcManager
  - misc/install-perl-module.pl Starlet
  - misc/install-perl-module.pl JSON
  - misc/install-perl-module.pl Path::Tiny
  - misc/install-perl-module.pl Test::Exception
  # install the `ab` command (a.k.a. ApacheBench; optionally required for running some of the tests)
  - sudo apt-get install -qq apache2-utils
  # install nghttp2 with `--enable-app` (optionally required for running HTTP/2 tests)
  - sudo apt-get install -qq libev-dev
  - curl -L https://github.com/tatsuhiro-t/nghttp2/releases/download/v1.4.0/nghttp2-1.4.0.tar.gz | tar xzf -
  - (cd nghttp2-1.4.0 && ./configure --prefix=/usr --disable-threads --enable-app && make && sudo make install)
  - curl -L https://curl.haxx.se/download/curl-7.50.0.tar.gz | tar xzf -
  - (cd curl-7.50.0 && ./configure --prefix=/usr --with-nghttp2 --disable-shared && make && sudo make install)
script:
  - cmake -DWITH_MRUBY=ON .
  - make all
  - make check
  - sudo make check-as-root
```
|
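The `before_install` step above captures the scan.coverity.com certificate with `openssl s_client` and appends it straight to the CA bundle, so whatever certificate is presented at build time becomes trusted. The following added example (not from the thread or the h2o project) splits that into a capture step and a trust step that only appends the certificate when its SHA-256 fingerprint matches a value pinned beforehand; it assumes the `openssl` CLI is installed, and the function names and the fingerprint argument are this example's own.

```shell
#!/bin/sh
# Added example: pin-before-trust variant of the cert-append step.
# Assumes the `openssl` CLI is available; function names are this example's own.

# fetch_cert HOST PORT OUT
#   The capture half of the original one-liner, kept separate from the trust
#   decision so the captured PEM can be inspected before anything trusts it.
fetch_cert() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

# pin_append_cert PEM_FILE EXPECTED_SHA256 BUNDLE
#   PEM_FILE        certificate captured by fetch_cert
#   EXPECTED_SHA256 pinned fingerprint in openssl's "AA:BB:..." form (any case)
#   BUNDLE          CA bundle to append to
#   Appends and returns 0 on a fingerprint match; otherwise leaves BUNDLE
#   untouched and returns 1 (also when PEM_FILE is not a parseable certificate).
pin_append_cert() {
  pem="$1"; expected="$2"; bundle="$3"
  actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null \
             | sed 's/^.*Fingerprint=//' | tr 'a-f' 'A-F')
  [ -n "$actual" ] || return 1
  expected_norm=$(printf '%s' "$expected" | tr 'a-f' 'A-F')
  if [ "$actual" = "$expected_norm" ]; then
    cat "$pem" >> "$bundle"
    return 0
  fi
  return 1
}

# Usage (network step shown, not executed here):
#   fetch_cert scan.coverity.com 443 /tmp/coverity.pem
#   pin_append_cert /tmp/coverity.pem "<PINNED_SHA256_FINGERPRINT>" /etc/ssl/certs/ca-certificates.crt
```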
@hbowden could you add me to the project? I would like to help with the bug fixing, if possible. Thanks! |
@deweerdt I can send you an invitation to my repo so you can get access to the coverity results. A lot of the bugs appear to be in h2o dependencies. |
@deweerdt You should be able to see the results now, let me know if it doesn't work for you. |
@hbowden it works, thank you |
@hbowden Thank you very much for all your help! I've created a branch named I've also set project access rights to requires Maintainer approval, thank you for pointing that out. I also sent an invitation that adds you as the owner of h2o/h2o project on scan.coverity.com; the fact that the project already existed (without giving you the appropriate rights there) might have been the cause of your being unable to access the settings. |
@kazuho So it looks like Coverity got the build correctly, but it looks like the Travis CI script failed. So at least the Coverity integration is working but I'm not sure why the script failed. For some reason Coverity doesn't give you access to bugs for a day or two, if you want access before then I can give you access to them here: https://scan.coverity.com/projects/hbowden-h2o?tab=overview |
@hbowden Thank you for looking into the issue. I believe that is because I removed the In c62f81f, I have added a |
@deweerdt Yeah, I will have Coverity exclude bugs in the dependencies. Some of the 'medium' bugs are still kinda nasty and I found a few that weren't false positives. As for the false positives, we can report them to Coverity and they can fix Coverity so it doesn't issue them anymore. I also think we should fix the bugs found in the dependencies after we fix all the bugs found in h2o itself; they are still bugs that get compiled into h2o. I will exclude the dependencies' bugs for now and let's re-include them when we have the other bugs cleaned up. |
Good to know, I'll do a pass on those today.
👍 |
I've finished a pass on the remaining 'Medium' and 'Low' bugs in h2o's code. I've submitted #1172, this seemed to be the only semi-urgent fix. AFAICT all other bugs are relatively minor, I'll take a stab at them as time permits. |
@hbowden @deweerdt Thank you for your efforts. https://scan.coverity.com/projects/h2o-h2o is now open and you are both given admin rights there. And thank you to @deweerdt for triaging some of the issues reported there. Regarding how to exclude the dependencies, we might consider installing openssl 1.0.2 separately (so that the bundled libressl would not get built under Coverity), and also disable mruby for the coverity_scan branch. Please let me know if you find any issue that should be considered as a vulnerability. I haven't seen one yet, but I might be missing something. |
I like H2O a lot, but C makes me nervous given how easy it is to have exploitable memory bugs. Would you consider putting H2O on Coverity Scan so that at least some of those kinds of bugs can be detected more easily? It's free for open-source projects.
It would also be helpful to have a documented strategy for avoiding typical C security holes (buffer and memory bugs, mostly). Neverbleed is brilliant, and lower level code analysis tools like Coverity or the different sanitizers in clang/llvm would be a good combination with it.