Hi,

On 7/3/19 11:15 AM, Sandrine Bailleux via TF-A wrote:

We would need help from the TF-A community for analyzing and fixing them, especially those in platform ports and drivers. Note that there might be false positives, in which case we would just triage them as such in the tool's database.

Hopefully everyone should be able to view the defects, according to the tool's settings. You might need to create an account on https://scan.coverity.com for that.

We've received a couple of requests from users to get access to the TF-A defects database in the Coverity Scan Online service. I think it's worth clarifying the different levels of access the tool offers and how we envisage the defects triaging.

In Coverity Scan Online, users can have any of the following 4 roles (in ascending order of permissions): - Observer/User: Only sees defects summary. - Defect Viewer. - Contributor/Member: Can also triage defects. - Maintainer/Owner: Also has some admin powers, like managing users and submitting builds to be analyzed.

Right now, all users should be able to see the project summary and view the defects in read-only mode so this is equivalent to the "Defect viewer" role. I suspect people still need to create an account in Coverity Scan Online and be logged in to see the data.

We would expect subsystems and platforms maintainers (i.e. people listed in docs/maintainers.rst [1]) to manage the defects in the part of the codebase they own, as they know best how to assess the severity of these defects and how to fix or triage them. As such, they need to have the "contributor/member" role in the tool. If you are such a maintainer, please feel free to create an account and request this role.

If you would like to delegate part/all of the triaging process to a peer, that is also possible. In this case, could you please send me an email to indicate who you have chosen for this task? This is just to make sure that whoever requests the "contributor/member" role has done so with the relevant maintainer's approval.

Please be aware that those with "contributor/member" role will be able to triage any defects in any part of the codebase, and not just in the subsystem/platform they maintain.

"Maintainer/Owner" role will be reserved to the main maintainers (i.e. people listed at the top of docs/maintainers.rst) for now.

Best regards, Sandrine

[1] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/mainta...