Hi Anton & Ioannis,
Karl's presentation goes into detail, but I just want to highlight that TF-M (and also TF-A) have two types of static checks:
[1] Project-related static checks & cppcheck, executed per-patch
[2] Coverity scan, executed daily
For 1, other project-related static checks can be included. For 2, Coverity scan coverage is about 42 %, so one community effort would be to increase it and cover more code. In order to increase the latter, 'Coverity needs to compile more code', which means that more platforms/parameters should be taken into account. Check this file [3] in case you want to participate in this effort.
[1] https://ci.trustedfirmware.org/job/tf-m-static/
[2] https://ci.trustedfirmware.org/job/tf-m-coverity/
[3] https://git.trustedfirmware.org/ci/tf-m-ci-scripts.git/tree/script/tf-coveri...
On Wed, 17 Mar 2021 at 05:31, Anton Komlev via TF-M < tf-m@lists.trustedfirmware.org> wrote:
Hi Ioannis,
Thanks for bringing the important topic up. I believe Karl will comment on the details of it in TF-M, but you could be interested to watch his presentation on Tech Forum from Feb 4th.
https://www.trustedfirmware.org/docs/tech_forum_20210204_TF-M_openCI_static_...
Forum records are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
And yes, the check we have now is not enough so any improvements are welcome.
Hope it helps,
Anton
*From:* TF-M tf-m-bounces@lists.trustedfirmware.org *On Behalf Of* Glaropoulos, Ioannis via TF-M
*Sent:* Wednesday, March 17, 2021 11:15 AM
*To:* tf-m@lists.trustedfirmware.org
*Subject:* [TF-M] Static analysis checking & reporting - inquiry about interest
Hi everyone,
I would like to ask whether there is an interest in the Project for integrating static code analysis tools with the rest of CI, on the TF-M code base. To the best of my knowledge, this is not available today. In short, a simple process would involve maintaining and running static analysis checking (e.g. using Coverity or any other licensed tool) in nightly/weekly/etc. CI runs, reporting the found issues in the Project, triaging them, and tracking the progress of fixing the issues that are identified as real bugs. Has this topic been raised already in the Project? If not, is this something the project members would consider adding as part of the TF-M Project QA/release process?
Thanks!
Ioannis Glaropoulos
Nordic Semiconductor