
Triquetrum/Coverity Scan

Summary

Coverity Scan is a static analysis tool.

Currently we are running Coverity Scan by hand on Triquetrum on a non-Eclipse Foundation machine.

Hudson FindBugs vs Coverity Scan FindBugs

Oddly, Hudson (https://hudson.eclipse.org/triquetrum/job/triquetrum/findbugs) reports 70 FindBugs issues, whereas Coverity is only reporting 16 FindBugs issues. The difference is that Coverity Scan is reporting issues for the code that is compiled with "mvn verify".

How to update

The Triquetrum project settings on the Coverity Scan site include a code that is used for the update. The code is put into $HOME/.coverityTriqToken.

Below is the script that is used for the update with the code removed.

#!/bin/sh
# Upload a Coverity Scan build of Triquetrum to scan.coverity.com.

TRIQ_TOKEN_FILE="$HOME/.coverityTriqToken"
if [ ! -f "$TRIQ_TOKEN_FILE" ]; then
    echo "$0: Exiting. The Coverity Triquetrum Token file is not present."
    exit 2
fi

# Stop if the source tree is missing, so the rm -rf below never runs elsewhere.
cd "$HOME/src/triquetrum/triquetrum" || exit 1

rm -rf reports/cov-int
mkdir -p reports/cov-int

mvn clean

# Use --fs-capture-search so that we get JavaScript and Java.  See https://scan.coverity.com/download?tab=other
"$HOME/src/cov-analysis-linux64/bin/cov-build" --dir reports/cov-int --fs-capture-search ./ mvn verify

(cd reports; tar czvf myproject.tgz cov-int)

# %m is the month; %M would insert the minutes instead.
VERSION="Triquetrum0.0.1$(date +%Y%m%d)"

curl --form token="$(cat "$TRIQ_TOKEN_FILE")" \
  --form email=cxh@eecs.berkeley.edu \
  --form file=@reports/myproject.tgz \
  --form version="$VERSION" \
  --form description="nightly" \
  "https://scan.coverity.com/builds?project=Triquetrum"
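
The script above hands the token to curl as a command-line argument, where it can be visible in the process list while the upload runs, and it does not check who else can read the token file. The following is an added example, not part of the Triquetrum script, that vets the file and produces the token as a curl config line for standard input; the function names and the token alphabet it accepts are assumptions of this example.

```shell
#!/bin/sh
# Added example: vet the token file, then emit the token as a curl config
# line so it can be piped to "curl --config -" instead of placed in argv.

# check_token_file FILE -> 0 if usable, otherwise:
#   2 = missing, or not a plain file (symlinks are rejected)
#   3 = not owned by the user running the script
#   4 = group or others have any permission on it
#   5 = empty, or has characters outside A-Za-z0-9_- (assumed token alphabet)
# On success the token is left in $token for the caller.
check_token_file() {
    f=$1
    token=
    { [ -f "$f" ] && [ ! -L "$f" ]; } || return 2
    [ -O "$f" ] || return 3
    # ls -ld prints a mode such as "-rw-------"; columns 5-10 are group/other.
    case $(ls -ld -- "$f" | cut -c5-10) in
        ------) ;;
        *) return 4 ;;
    esac
    token=$(cat -- "$f")
    case $token in
        '' | *[!A-Za-z0-9_-]*) token=; return 5 ;;
    esac
    return 0
}

# upload_config FILE -> prints one curl config line carrying the token.
# printf is a shell builtin, so the token never shows up in a process list.
upload_config() {
    check_token_file "$1" || return $?
    printf 'form = "token=%s"\n' "$token"
}

# Intended use in the upload script (not executed here; the other --form
# fields stay as in the script above):
#   cfg=$(upload_config "$HOME/.coverityTriqToken") || exit $?
#   printf '%s\n' "$cfg" | curl --config - \
#     --form file=@reports/myproject.tgz --form version="$VERSION" \
#     "https://scan.coverity.com/builds?project=Triquetrum"
```

Creating the token file with `chmod 600` satisfies the permission check.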

Hudson, Jenkins, Coverity Scan Notes

Note that the Hudson and Jenkins Coverity Plug-ins do not work with Coverity Scan. Those plugins are for use with the Coverity Integrity Manager Instances, which are not available as part of Coverity Scan for OSS.

To invoke Coverity Scan on the Eclipse Hudson Instances, we would need to:

  1. Have the Coverity tools installed, see https://scan.coverity.com/download?tab=java, which probably requires a free account.
  2. Know where those tools are.
  3. Be able to invoke a shell script such as the above script.

See Also