I connect Travis to my own personal fork of Metron so that the CI builds run on my own branches before I submit PRs. Thinking you could do the same with this. Maybe I'm wrong.
On Tue, May 31, 2016 at 1:06 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:

> To register project on Coverity Scan, you must be contributor or maintainer of the project.
>
> It may also be worth mentioning that there are a ton of Apache projects already registered, including Ambari, Drill, Flume, Hadoop, HBase, NiFi, Oozie, Ranger, Sqoop, Spark, Storm, Tez, etc. See https://scan.coverity.com/projects?page=2
>
> Jon
>
> On Tue, May 31, 2016 at 12:52 PM Nick Allen <n...@nickallen.org> wrote:
>
> > You could set it up on your own fork of Metron in Github. Then you can tell us if it is useful at all.
> >
> > On Sat, May 28, 2016 at 2:36 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> >
> > > So I did a bit of digging today and I found a few options <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my favourite is Coverity Scan <https://scan.coverity.com/travis_ci>. I've never used this product before, so I'm not exactly sure what to expect, but I guess anyone can kick off a scan of an open source project and get results within 48 hours. I was in the process of registering Metron to be scanned but I found some things in their scan user agreement which I wasn't sure everybody would be in line with (see below for the excerpts - note I did NOT read the entire document and IANAL).
> > >
> > > Here's the TL;DR of what Coverity Scan is:
> > >
> > > Coverity Scan <http://scan.coverity.com/> is a free static code analysis tool for Java, C, C++, C# and JavaScript.
> > >
> > > This addon leverages the Travis-CI infrastructure to automatically run code analysis on your GitHub projects.
> > >
> > > Coverity Scan is a service by which Coverity provides the results of analysis on open source coding projects to open source code developers that have registered their products with Coverity Scan.
> > >
> > > Some examples of defects and vulnerabilities found by Coverity Quality Advisor include:
> > >
> > > - resource leaks
> > > - dereferences of NULL pointers
> > > - incorrect usage of APIs
> > > - use of uninitialized data
> > > - memory corruptions
> > > - buffer overruns
> > > - control flow issues
> > > - error handling issues
> > > - incorrect expressions
> > > - concurrency issues
> > > - insecure data handling
> > > - unsafe use of signed values
> > > - use of resources that have been freed
> > >
> > > Register your project with Coverity Scan by completing the project registration form found at scan.coverity.com. Upon your completion of project registration (including acceptance of the Scan User Agreement) and your receipt of confirmation of registration of your project, you will be able to download the Software required to submit a build of your code for analysis by Coverity Scan. You may then download the Software, complete a build and submit your Registered Project build for analysis and review in Coverity Scan. Coverity Scan is only available for use with open source projects that are registered with Coverity Scan.
> > >
> > > Here are some interesting snippets from their scan user agreement:
> > >
> > > Your use of our software is acceptance of our Terms <https://scan.coverity.com/policy>
> > >
> > > You will not disassemble, decompile, reverse engineer, modify or create derivative works of Our Service, software products or documentation nor permit any third party to do so, except to the extent such restrictions are prohibited by applicable mandatory local law
> > >
> > > You will not disclose to any third party any comparison of the results of operation of Our Service or software products with other services or products, except as expressly permitted by this Agreement
> > >
> > > You will not publish any findings regarding or resulting from use of the Service or the Software
> > >
> > > You agree that We may use Your name and logo (in a form approved by You) and Registered Product information to identify You and such project as a participant of Our Scan Program on Our website or in Our marketing or publicity materials or in any filings made in connection with state or federal securities laws.
> > >
> > > Additionally, upon execution of this Agreement, the parties will use commercially reasonable efforts to issue mutually agreed upon joint press releases or other public communications announcing Your entry into this Agreement.
> > >
> > > At Our written request, You will furnish Us with (a) a certification signed by an officer of Your company providing user or access information that identifies whether the Service and the Software is being used in accordance with the terms of this Agreement, and (b) log files from any License Manager. Upon at least thirty (30) days prior written notice, We may engage, at Our expense, an independent auditor to audit Your use of the Service and the Software to ensure that You are in compliance with the terms of this Agreement. ... You will provide the auditor with access to the relevant records and facilities.
> > >
> > > Jon
> > >
> > > On Fri, May 27, 2016 at 11:14 AM zeo...@gmail.com <zeo...@gmail.com> wrote:
> > >
> > > > There's nothing built-in with Travis, but we could install a tool to do this as part of the installation of tools on the build box. I'm gonna reach out to people in my local circle who specialize in secure code analysis and see what all of the options are.
> > > >
> > > > Jon
> > > >
> > > > On Fri, May 27, 2016 at 9:50 AM Nick Allen <n...@nickallen.org> wrote:
> > > >
> > > >> I completely agree that we will need some focus on this.
> > > >>
> > > >> What could Travis do for us? I wasn't aware that they offered security scanning.
> > > >>
> > > >> Are you aware of any security scan services that offer free support to open source projects?
> > > >>
> > > >> On Fri, May 27, 2016 at 9:42 AM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > > >>
> > > >> > So I've never done anything like this before in Travis but I have done IDE plugins and pre prod scans in the past at large companies which worked well. I floated the idea past a friend working at Travis and she said if we go that route she would assist.
> > > >> >
> > > >> > I just think that if this is integrated from the beginning and fail builds on critical issues (to start), this could be a big differentiator, especially because we're talking about a security platform that centralizes tons of sensitive information, tries to parse almost anything that's thrown at it (think of what's been happening to AV products recently), and is open source for bad guys to dig into much more easily.
> > > >> >
> > > >> > Jon
> > > >> >
> > > >> > On Fri, May 27, 2016, 09:34 Nick Allen <n...@nickallen.org> wrote:
> > > >> >
> > > >> > > I am not aware of any discussions around this, Jon. What are you thinking?
> > > >> > >
> > > >> > > On Thu, May 26, 2016 at 4:35 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> > > >> > >
> > > >> > > > I was just wondering if there is any sort of static (or even dynamic) code analysis, or penetration testing/vulnerability assessment, occurring at any point on the metron code. Has there been any discussion of installing something along those lines on the Travis build server (if it isn't there already)? Thanks,
> > > >> > > >
> > > >> > > > Jon
> > > >> > > > --
> > > >> > > >
> > > >> > > > Jon
> > > >> > >
> > > >> > > --
> > > >> > > Nick Allen <n...@nickallen.org>
> > > >> >
> > > >> > --
> > > >> >
> > > >> > Jon
> > > >>
> > > >> --
> > > >> Nick Allen <n...@nickallen.org>
> > > >
> > > > --
> > > >
> > > > Jon
> > >
> > > --
> > >
> > > Jon
> >
> > --
> > Nick Allen <n...@nickallen.org>
>
> --
>
> Jon

--
Nick Allen <n...@nickallen.org>
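For reference, this is what wiring the Travis-CI Coverity Scan add-on discussed in the thread into a personal fork looks like. It is an added example, not a file from this thread or from the Apache Metron project; the fork name, JDK, Maven commands and notification address are assumptions, and the encrypted token is a placeholder.

```yaml
# Added example of a .travis.yml using the Coverity Scan add-on.
# Not taken from the thread or from Apache Metron; names and commands are assumptions.
language: java
jdk:
  - oraclejdk8                         # assumed; use the JDK the project builds with

env:
  global:
    # COVERITY_SCAN_TOKEN, encrypted with `travis encrypt COVERITY_SCAN_TOKEN=<token>`
    # so the plaintext token is never committed. Placeholder value below.
    - secure: "<ENCRYPTED_COVERITY_SCAN_TOKEN>"

addons:
  coverity_scan:
    project:
      name: "example-org/metron-fork"  # assumed GitHub owner/repo of the personal fork
      description: "Static analysis of a personal Metron fork"
    notification_email: you@example.com        # placeholder address for scan results
    build_command_prepend: "mvn -q clean"      # assumed Maven commands for the project
    build_command: "mvn -q -DskipTests compile"
    # Only branches matching this pattern are captured and uploaded to Coverity Scan,
    # so the fork can run scans from a dedicated branch without touching the PR build.
    branch_pattern: coverity_scan

script:
  - mvn -q -DskipTests verify        # the normal build still runs on every branch
```

Two points worth knowing before relying on it: Travis only decrypts `secure` variables for builds of the repository's own branches, not for pull-request builds from other forks, so the scan token is not exposed to submitted PRs; and the add-on only captures and uploads the build, with findings appearing in the Coverity Scan dashboard rather than failing the Travis job, so gating on critical issues (as proposed earlier in the thread) needs a separate step in the pipeline.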