• CoverityPrevent

Coverity

The FreeBSD Project uses the Synopsys Coverity Scan service for static analysis of FreeBSD source code to identify security vulnerabilities and other code quality issues.

Getting Access

• Browse to FreeBSD Coverity Project Homepage

• Click Sign Up

• Note 1: At this time, we only provide access to view scan results to FreeBSD developers.
  Note 2: If you are a FreeBSD developer, please register using your FreeBSD.org email address

Using Coverity Scan

• When fixing a Coverity issue:

  1. Check Bugzilla or Phabricator for existing issues or reports and assign yourself to them

     1. If an issue exists, ensure you include PR: <issue-id> in commit log messages

  2. Ensure you include Coverity ID: <CIDXXXXX> in the commit log message

  3. Ensure all relevant stable/releng branches receive the change (MFC)

Improving Result Quality

Static code analysis has some limitations in its ability to understand certain dynamic operations. This limitation may result in falsely detecting defects. Since most false-positive defects are caused by few functions in your code base, Coverity allows you to tell the analysis engine to treat these functions differently. This is called a Modeling File. By providing a modeling file, most projects reduce their false-positive rate to the ballpark of 10%.

Modeling

• https://scan.coverity.com/Coverity Modeling Reference (This link is broken)

• Models and Annotations

• Synopsys: How to write a function model to eliminate a false positive in a C application

Modeling File Examples

• Python: Misc/coverity_model.c

• libgit2: script/user_model.c

• qemu: scripts/coverity-model.c

• qemu_rocker_pbf: scripts/coverity-model.c

• Xen: misc/coverity/model.c

• FFmpeg: tools/coverity.c

• Apache Trafficserver: ci/coverity-model.cpp

• NeoVim: src/coverity-model.c

• ghc: utils/coverity/model.c

TODO

TAILQ Macro model

It seems that the TAILQ macros confuse Coverity. For example TAILQ_FIRST() seems to trigger a use after free error in <list>.tqh_first when entries are removed in a loop (loop by hand or with FOREACH). In particular, it does not recognize that TAILQ_REMOVE puts a new pointer in place and the pointer which previously aliases the tqh_first is not aliasing anymore, but is the only valid pointer.

Such cases should be marked as XXX (at the moment marked as IGNORE until we determine if it should be marked as a FALSE or if this should stay as IGNORE until a custom model is developed for this).

TODO: Model for TAILQ macros added to Modelling File

UMA Model

References

• CPython DevGuide: Coverity

Contact

Coverity Administrators:

• KubilayKocak

• UlrichSpoerlein

• Email: <coverity-admin AT FreeBSD DOT org>

CategoryServices CategorySecurity