Re: [Xen-devel] Coverity + XenProject + Process?
Seems to me that it would make sense to condense the discussion into a concrete proposal for review and voting. I am not sure, though, about all questions raised in this thread, in particular those related to "can we mark issues related to security and create a published Coverity report that excludes security risks". From what I can see, reports are only visible via https://scan.coverity.com and accessible to project members. On the other hand, we can probably get started without resolving this. I did see mentions of risk classification, but have not been able to find a publicly available manual. Also, I found references (and examples) of overview reports that we could decide to publish as part of the release cycle (or at a fixed time period), if this is an advantage to the project.

> Do coverity impose any restrictions on the reporting of issues they have
> found, in terms of using responsible disclosure etc?
See https://scan.coverity.com/faq "Who can have access?" - but the short answer is Yes: "Our [Coverity's] approach is that of Responsible Disclosure." ... "Since projects that do not resolve their outstanding defects are leaving their users exposed to the consequences of those flaws, Coverity will work to encourage a project to resolve all of their defects. Coverity may set a deadline for the publication of all the analysis results for a project." ... not clear what this means in practice though.

Coverity creates an annual report, see http://wpcme.coverity.com/wp-content/uploads/2012-Coverity-Scan-Report.pdf for last year's. This includes detailed reports for some projects. Note that Linux is part of that report and that KVM's defect density is listed as 1.54 (well above the Linux average).
There is also the following note, http://en.wikipedia.org/wiki/Open-source_software_security#Coverity_scan, by which projects get classified into rungs depending on their Coverity usage. The FAQ does not mention these, but the above scan report refers to a target level.
There are a few other things to note and consider, from the FAQ (everybody interested in this thread should read it):

#1: "Access to the detailed analysis results for most projects is granted only to members of the open source project, to ensure that potential security defects may be resolved before the general public sees them." (section "Who Can have access?")
#2a: "Project members signing up are required to accept a click-through license." (section "Does the project or do project members have to sign an NDA (Non-disclosure agreement)?")
#2b: "You will be granted access subject to approval by project owner or Scan administrator." (section "how do I get an account?")
In other words, there are two gates and mechanisms from Coverity's perspective: signing the license/service agreement online and approval by the scan administrator (currently Konrad). Just something to consider when we define our process.
Lars

On Sat, Aug 31, 2013 at 10:50 PM, Matt Wilson <msw@xxxxxxxxx> wrote: