lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 16 May 2024 18:15:05 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: "Manthey, Norbert" <nmanthey@...zon.de>
Cc: "keescook@...omium.org" <keescook@...omium.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"Woodhouse, David" <dwmw@...zon.co.uk>,
	"Stieger, Andreas" <astieger@...zon.de>,
	"linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
	"Hemdan, Hagar Gamal Halim" <hagarhem@...zon.de>
Subject: Re: Extending Linux' Coverity model and also cover aarch64

On Thu, May 16, 2024 at 03:28:16PM +0000, Manthey, Norbert wrote:
> Dear Kees, all,
> 
> we published an extension for the Coverity model that is used by the
> CoverityScan setup for the Linux kernel [1]. We have been using this
> extension to analyze the 6.1 kernel branch, and reported some fixes to
> the upstream code base that are based on this model [2]. Feel free to
> merge the pull request, and update the model in the CoverityScan setup.
> We do not have access to that project to perform these updates
> ourselves.
> 
> To increase the analysis coverage to aarch64, we analyzed a x86 and a
> aarch64 configuration. The increased coverage is achieved by using re-
> configuration and cross-compilation during the analysis build. If you
> are interested in this setup we can share the Dockerfile and script we
> used for this process.
> 
> To prevent regressions in backports to LTS kernels, we wondered whether
> the community is interested in setting up CoverityScan projects for
> older kernel releases. Would such an extension be useful to show new
> defects in addition to the current release testing?

New defects yes, I would like to know that, as long as they are also
fixed already in mainline, right?

Just send us reports of that, no need to get the covertity site involved
there, I'll be glad to take them.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ