polkit and Coverity Scan #517
I’m currently the only admin for that Coverity account. I’m happy to make the current maintainers of polkit also be admins there. I don’t have time to maintain or run the Coverity scans any more. Is there a canonical list of the current maintainers somewhere?
I think in terms of setting up a GitHub action sending data to Coverity Scan automatically it should be enough to add @mrc0mmand there to test the integration like bus1/dbus-broker#363. I don't know if @mrc0mmand has access to the repository secrets here on GitHub but I don't think it should be a problem to pass the coverity token to the maintainers with that kind of access to the repository.
@jrybar-rh, who are the current maintainers of polkit? From recent commit history it looks like just you have merge rights. I’d love to give permissions for Coverity to someone, but I want to double check I’m giving it to the right people!
(Just to be absolutely clear I don't need any access to Coverity. I already send polkit to another instance)
@pwithnall I think you can give the permissions to @jrybar-rh for now and he can then extend this to other people when needed.
I’ve invited @jrybar-rh to Coverity using their redhat.com address
@mrc0mmand added to the project on Coverity as maintainer. BTW polkit is tested in OSH for Fedora, just sayin'.
Let's reintroduce regular Coverity builds. Since there's a pretty strict rate limit [0], do one nightly build each day, and upload it to Coverity for analysis. The results can be then found in the project dashboard [1].

[0] https://scan.coverity.com/faq#frequency
[1] https://scan.coverity.com/projects/polkit?tab=overview

Resolves: #517
Looks like you’re all set up there now. I’ll remove myself as an admin, as I’m no longer running Coverity builds :)
Hmm, I can’t see a way to remove myself as an admin. Please feel free to remove me yourselves, from https://scan.coverity.com/projects/polkit?tab=members
Thank you, @pwithnall.
@pwithnall do you want to stay as a member or be removed completely from the Coverity project?
Please remove me completely :)
Done. Thanks a lot for the access to the project!
I think systemd-ci-incubator#2 would still be useful because it can show newly introduced findings when PRs are opened. As far as I understand it was added to Packit to make it possible to catch things as early as possible instead of waiting for releases or "cron" builds. For the same reason I think it's useful to run dfuzzer when PRs are opened (#515). As far as I can remember some distros like openSUSE run it before releases (but I don't think they run anything under ASan/UBSan/Valgrind. I'm not sure their CI infrastructure pulled the change introduced by @mrc0mmand allowing dfuzzer to poke properties either).
Is your feature request related to a problem? Please describe.
I went to https://scan.coverity.com/ and found https://scan.coverity.com/projects/polkit there. Looks like it hasn't been updated since 2014.
Describe the solution you'd like
It would be great to send polkit to Coverity Scan automatically by analogy with bus1/dbus-broker#316.
Describe alternatives you've considered
I can send it there manually by analogy with what I do with dbus-broker but it's not ideal.