Bug 1738598 - sunset Coverity in Firefox.

Differential Revision: https://phabricator.services.mozilla.com/D129779

.cron.yml

@@ -145,16 +145,6 @@ jobs:
               mozilla-esr91: [{hour: 10, minute: 0}]
               elm: [{hour: 10, minute: 0}]
 
-    - name: coverity-tree-analysis
-      job:
-          type: decision-task
-          treeherder-symbol: CoverityTA
-          target-tasks-method: coverity_static_analysis_full
-      run-on-projects:
-          - mozilla-central
-      when:
-          - {hour: 10, minute: 0}
-
     - name: linux64-clang-trunk-perf
       job:
           type: decision-task

docs/code-quality/index.rst

@@ -38,11 +38,6 @@ In this document, we try to list these all tools.
      - `bug 712350 <https://bugzilla.mozilla.org/show_bug.cgi?id=712350>`__
      -
      - https://clang-analyzer.llvm.org/
-   * - Coverity
-     -
-     - `bug 1230156 <https://bugzilla.mozilla.org/show_bug.cgi?id=1230156>`__
-     -
-     -
    * - cpp virtual final
      -
      -
@@ -166,4 +161,3 @@ In this document, we try to list these all tools.
      -
      -
      - https://github.com/adrienverge/yamllint
-

docs/code-quality/static-analysis/existing.rst

@@ -31,9 +31,6 @@ integrating this process with Phabricator and mach. A list of some
 checkers that are used during automated scan can be found
 `here <https://searchfox.org/mozilla-central/source/tools/clang-tidy/config.yaml>`__.
 
-We are also running Coverity at review phase and a few times per day
-(when autoland is merged into mozilla-central).
-
 Static analysis at review phase
 -------------------------------
 

python/mozbuild/mozbuild/code_analysis/mach_commands.py

@@ -4,7 +4,6 @@
 from __future__ import absolute_import, print_function, unicode_literals
 
 import concurrent.futures
-import io
 import logging
 import json
 import multiprocessing
@@ -16,7 +15,6 @@ import re
 import sys
 import subprocess
 import shutil
-import tarfile
 import tempfile
 import xml.etree.ElementTree as ET
 import yaml
@@ -184,11 +182,6 @@ _format_include_extensions = (".cpp", ".c", ".cc", ".h", ".m", ".mm")
 # File contaning all paths to exclude from formatting
 _format_ignore_file = ".clang-format-ignore"
 
-# List of file extension to consider (should start with dot)
-_check_syntax_include_extensions = (".cpp", ".c", ".cc", ".cxx")
-
-_cov_config = None
-
 # (TOOLS) Function return codes
 TOOLS_SUCCESS = 0
 TOOLS_FAILED_DOWNLOAD = 1
@@ -412,591 +405,13 @@ def check(
         if output is not None:
             output_manager.write(output, format)
 
-    if rc != 0:
-        return rc
-    # if we are building firefox for android it might be nice to
-    # also analyze the java code base
-    if command_context.substs["MOZ_BUILD_APP"] == "mobile/android":
-        rc = check_java(command_context, source, jobs, strip, verbose, skip_export=True)
     return rc
 
 
-@StaticAnalysisSubCommand(
-    "static-analysis",
-    "check-coverity",
-    "Run coverity static-analysis tool on the given files. "
-    "Can only be run by automation! "
-    "It's result is stored as an json file on the artifacts server.",
-)
-@CommandArgument(
-    "source",
-    nargs="*",
-    default=[],
-    help="Source files to be analyzed by Coverity Static Analysis Tool. "
-    "This is ran only in automation.",
-)
-@CommandArgument(
-    "--output",
-    "-o",
-    default=None,
-    help="Write coverity output translated to json output in a file",
-)
-@CommandArgument(
-    "--coverity_output_path",
-    "-co",
-    default=None,
-    help="Path where to write coverity results as cov-results.json. "
-    "If no path is specified the default path from the coverity working "
-    "directory, ~./mozbuild/coverity is used.",
-)
-@CommandArgument(
-    "--outgoing",
-    default=False,
-    action="store_true",
-    help="Run coverity on outgoing files from mercurial or git repository",
-)
-@CommandArgument(
-    "--full-build",
-    default=False,
-    action="store_true",
-    help="Run a full build for coverity analisys.",
-)
-def check_coverity(
-    command_context,
-    source=[],
-    output=None,
-    coverity_output_path=None,
-    outgoing=False,
-    full_build=False,
-    verbose=False,
-):
-    command_context._set_log_level(verbose)
-    command_context.activate_virtualenv()
-    command_context.log_manager.enable_unstructured()
-
-    if "MOZ_AUTOMATION" not in os.environ:
-        command_context.log(
-            logging.INFO,
-            "static-analysis",
-            {},
-            "Coverity based static-analysis cannot be ran outside automation.",
-        )
-        return
-
-    if full_build and outgoing:
-        command_context.log(
-            logging.INFO,
-            "static-analysis",
-            {},
-            "Coverity full build cannot be associated with outgoing.",
-        )
-        return
-
-    # Use outgoing files instead of source files
-    if outgoing:
-        repo = get_repository_object(command_context.topsrcdir)
-        files = repo.get_outgoing_files()
-        source = get_abspath_files(command_context, files)
-
-    # Verify that we have source files or we are dealing with a full-build
-    if len(source) == 0 and not full_build:
-        command_context.log(
-            logging.ERROR,
-            "static-analysis",
-            {},
-            "ERROR: There are no files that coverity can use to scan.",
-        )
-        return 0
-
-    # Load the configuration file for coverity static-analysis
-    # For the moment we store only the reliability index for each checker
-    # as the rest is managed on the https://github.com/mozilla/release-services side.
-    cov_config = _get_cov_config(command_context)
-
-    rc, cov = setup_coverity(command_context)
-    if rc != 0:
-        return rc
-
-    # First run cov-run-desktop --setup in order to setup the analysis env
-    # We need this in both cases, per patch analysis or full tree build
-    cmd = [cov.cov_run_desktop, "--setup"]
-    if run_cov_command(command_context, cmd, cov.cov_path):
-        # Avoiding a bug in Coverity where snapshot is not identified
-        # as beeing built with the current analysis binary.
-        if not full_build:
-            return 1
-
-    # Run cov-configure for clang, javascript and python
-    langs = ["clang", "javascript", "python"]
-    for lang in langs:
-        cmd = [cov.cov_configure, "--{}".format(lang)]
-
-        if run_cov_command(command_context, cmd):
-            return 1
-
-    if full_build:
-        # 1. Build the model file that is going to be used for analysis
-        model_path = mozpath.join("tools", "coverity", "model.cpp")
-        cmd = [cov.cov_make_library, "-sf", cov.cov_lic_path, model_path]
-
-        if run_cov_command(command_context, cmd):
-            return 1
-
-        # 2. Run cov-build
-
-        # Add cov_build command
-        cmd = [cov.cov_build, "--dir", "cov-int"]
-        # Add fs capture search paths for languages that are not nuilt
-        cmd += [
-            "--fs-capture-search={}".format(path) for path in cov.cov_capture_search
-        ]
-
-        # Add the exclude criteria for test cases
-        cmd += [
-            "--fs-capture-search-exclude-regex",
-            ".*/test",
-            "./mach",
-            "--log-no-times",
-            "build",
-        ]
-        if run_cov_command(command_context, cmd):
-            return 1
-
-        # 3. Run cov-analyze and exclude disabled checkers
-        cmd = [
-            cov.cov_analyze,
-            "--dir",
-            "cov-int",
-            "--all",
-            "--enable-virtual",
-            "--strip-path={}".format(command_context.topsrcdir),
-            "-sf",
-            cov.cov_lic_path,
-        ]
-
-        cmd += [
-            "--disable={}".format(key)
-            for key, checker in cov_config["coverity_checkers"].items()
-            if checker.get("publish", True) is False
-        ]
-
-        if run_cov_command(command_context, cmd):
-            return 1
-
-        # 4. Run cov-commit-defects
-        protocol = "https" if cov.cov_server_ssl else "http"
-        server_url = "{0}://{1}:{2}".format(protocol, cov.cov_url, cov.cov_port)
-        cmd = [
-            cov.cov_commit_defects,
-            "--auth-key-file",
-            cov.cov_auth_path,
-            "--stream",
-            cov.cov_stream,
-            "--dir",
-            "cov-int",
-            "--url",
-            server_url,
-            "-sf",
-            cov.cov_lic_path,
-        ]
-
-        if run_cov_command(command_context, cmd):
-            return 1
-
-        return 0
-
-    # TEMP Fix for Case# 00847671
-    cmd = [
-        cov.cov_configure,
-        "--delete-compiler-config",
-        "template-clangcc-config-0",
-        "coverity_config.xml",
-    ]
-    if run_cov_command(command_context, cmd):
-        return 1
-
-    cmd = [
-        cov.cov_configure,
-        "--delete-compiler-config",
-        "template-clangcxx-config-0",
-        "coverity_config.xml",
-    ]
-    if run_cov_command(command_context, cmd):
-        return 1
-
-    cmd = [
-        cov.cov_configure,
-        "--clang",
-        "--xml-option",
-        "append_arg:--ppp_translator",
-        "--xml-option",
-        "append_arg:replace/\{([a-zA-Z]+::None\(\))\}/=$1",
-    ]
-    if run_cov_command(command_context, cmd):
-        return 1
-    # End for Case# 00847671
-
-    rc, compile_db, compilation_commands_path = _build_compile_db(
-        command_context, verbose=verbose
-    )
-    rc = rc or _build_export(command_context, jobs=2, verbose=verbose)
-
-    if rc != 0:
-        return rc
-
-    commands_list = get_files_with_commands(command_context, compile_db, source)
-    if len(commands_list) == 0:
-        command_context.log(
-            logging.INFO,
-            "static-analysis",
-            {},
-            "There are no files that need to be analyzed.",
-        )
-        return 0
-
-    # For each element in commands_list run `cov-translate`
-    for element in commands_list:
-
-        def transform_cmd(cmd):
-            # Coverity Analysis has a problem translating definitions passed as:
-            # '-DSOME_DEF="ValueOfAString"', please see Bug 1588283.
-            return [re.sub(r'\'-D(.*)="(.*)"\'', r'-D\1="\2"', arg) for arg in cmd]
-
-        build_command = element["command"].split(" ")
-
-        cmd = [cov.cov_translate, "--dir", cov.cov_idir_path] + transform_cmd(
-            build_command
-        )
-
-        if run_cov_command(command_context, cmd, element["directory"]):
-            return 1
-
-    if coverity_output_path is None:
-        cov_result = mozpath.join(cov.cov_state_path, "cov-results.json")
-    else:
-        cov_result = mozpath.join(coverity_output_path, "cov-results.json")
-
-    # Once the capture is performed we need to do the actual Coverity Desktop analysis
-    cmd = [
-        cov.cov_run_desktop,
-        "--json-output-v6",
-        cov_result,
-        "--analyze-captured-source",
-    ]
-
-    if run_cov_command(command_context, cmd, cov.cov_state_path):
-        return 1
-
-    if output is not None:
-        dump_cov_artifact(command_context, cov_config, cov_result, source, output)
-
-
 def get_abspath_files(command_context, files):
     return [mozpath.join(command_context.topsrcdir, f) for f in files]
 
 
-def run_cov_command(command_context, cmd, path=None):
-    if path is None:
-        # We want to run it in topsrcdir
-        path = command_context.topsrcdir
-
-    command_context.log(logging.INFO, "static-analysis", {}, "Running " + " ".join(cmd))
-
-    rc = command_context.run_process(
-        args=cmd, cwd=path, pass_thru=True, ensure_exit_code=False
-    )
-
-    if rc != 0:
-        command_context.log(
-            logging.ERROR,
-            "static-analysis",
-            {},
-            "ERROR: Running " + " ".join(cmd) + " failed!",
-        )
-        return rc
-    return 0
-
-
-def get_reliability_index_for_cov_checker(command_context, cov_config, checker_name):
-    if cov_config is None:
-        command_context.log(
-            logging.INFO,
-            "static-analysis",
-            {},
-            "Coverity config file not found, "
-            "using default-value 'reliablity' = medium. for checker {}".format(
-                checker_name
-            ),
-        )
-        return "medium"
-
-    checkers = cov_config["coverity_checkers"]
-    if checker_name not in checkers:
-        command_context.log(
-            logging.INFO,
-            "static-analysis",
-            {},
-            "Coverity checker {} not found to determine reliability index. "
-            "For the moment we shall use the default 'reliablity' = medium.".format(
-                checker_name
-            ),
-        )
-        return "medium"
-
-    if "reliability" not in checkers[checker_name]:
-        # This checker doesn't have a reliability index
-        command_context.log(
-            logging.INFO,
-            "static-analysis",
-            {},
-            "Coverity checker {} doesn't have a reliability index set, "
-            "field 'reliability is missing', please cosinder adding it. "
-            "For the moment we shall use the default 'reliablity' = medium.".format(
-                checker_name
-            ),
-        )
-        return "medium"
-
-    return checkers[checker_name]["reliability"]
-
-
-def dump_cov_artifact(command_context, cov_config, cov_results, source, output):
-    # Parse Coverity json into structured issues
-
-    with open(cov_results) as f:
-        result = json.load(f)
-
-        # Parse the issues to a standard json format
-        issues_dict = {"files": {}}
-
-        files_list = issues_dict["files"]
-
-        def build_element(issue):
-            # We look only for main event
-            event_path = next(
-                (event for event in issue["events"] if event["main"] is True), None
-            )
-
-            dict_issue = {
-                "line": issue["mainEventLineNumber"],
-                "flag": issue["checkerName"],
-                "message": event_path["eventDescription"],
-                "reliability": get_reliability_index_for_cov_checker(
-                    command_context, cov_config, issue["checkerName"]
-                ),
-                "extra": {
-                    "category": issue["checkerProperties"]["category"],
-                    "stateOnServer": issue["stateOnServer"],
-                    "stack": [],
-                },
-            }
-
-            # Embed all events into extra message
-            for event in issue["events"]:
-                dict_issue["extra"]["stack"].append(
-                    {
-                        "file_path": build_repo_relative_path(
-                            event["strippedFilePathname"], command_context.topsrcdir
-                        ),
-                        "line_number": event["lineNumber"],
-                        "path_type": event["eventTag"],
-                        "description": event["eventDescription"],
-                    }
-                )
-
-            return dict_issue
-
-        for issue in result["issues"]:
-            path = build_repo_relative_path(
-                issue["strippedMainEventFilePathname"], command_context.topsrcdir
-            )
-            # Skip clang diagnostic messages
-            if issue["checkerName"].startswith("RW.CLANG"):
-                continue
-
-            if path is None:
-                # Since we skip a result we should log it
-                command_context.log(
-                    logging.INFO,
-                    "static-analysis",
-                    {},
-                    "Skipping CID: {0} from file: {1} since it's not related "
-                    "with the current patch.".format(
-                        issue["stateOnServer"]["cid"],
-                        issue["strippedMainEventFilePathname"],
-                    ),
-                )
-                continue
-            if path in files_list:
-                files_list[path]["warnings"].append(build_element(issue))
-            else:
-                files_list[path] = {"warnings": [build_element(issue)]}
-
-        with open(output, "w") as f:
-            json.dump(issues_dict, f)
-
-
-def get_coverity_secrets(command_context):
-    from gecko_taskgraph.util.taskcluster import get_root_url
-
-    secret_name = "project/relman/coverity"
-    secrets_url = "{}/secrets/v1/secret/{}".format(get_root_url(True), secret_name)
-
-    command_context.log(
-        logging.INFO,
-        "static-analysis",
-        {},
-        'Using symbol upload token from the secrets service: "{}"'.format(secrets_url),
-    )
-
-    import requests
-
-    res = requests.get(secrets_url)
-    res.raise_for_status()
-    secret = res.json()
-    cov_config = secret["secret"] if "secret" in secret else None
-
-    cov = SimpleNamespace()
-
-    if cov_config is None:
-        command_context.log(
-            logging.ERROR,
-            "static-analysis",
-            {},
-            "ERROR: Ill formatted secret for Coverity. Aborting analysis.",
-        )
-        return 1, cov
-
-    cov.cov_analysis_url = cov_config.get("package_url")
-    cov.cov_package_name = cov_config.get("package_name")
-    cov.cov_url = cov_config.get("server_url")
-    cov.cov_server_ssl = cov_config.get("server_ssl", True)
-    # In case we don't have a port in the secret we use the default one,
-    # for a default coverity deployment.
-    cov.cov_port = cov_config.get("server_port", 8443)
-    cov.cov_auth = cov_config.get("auth_key")
-    cov.cov_package_ver = cov_config.get("package_ver")
-    cov.cov_lic_name = cov_config.get("lic_name")
-    cov.cov_capture_search = cov_config.get("fs_capture_search", None)
-    cov.cov_full_stack = cov_config.get("full_stack", False)
-    cov.cov_stream = cov_config.get("stream", False)
-
-    return 0, cov
-
-
-def download_coverity(command_context, cov):
-    if (
-        cov.cov_url is None
-        or cov.cov_port is None
-        or cov.cov_analysis_url is None
-        or cov.cov_auth is None
-    ):
-        command_context.log(
-            logging.ERROR,
-            "static-analysis",
-            {},
-            "ERROR: Missing Coverity secret on try job!",
-        )
-        return 1
-
-    COVERITY_CONFIG = """
-    {
-        "type": "Coverity configuration",
-        "format_version": 1,
-        "settings": {
-        "server": {
-            "host": "%s",
-            "ssl" : true,
-            "port": %s,
-            "on_new_cert" : "trust",
-            "auth_key_file": "%s"
-        },
-        "stream": "Firefox",
-        "cov_run_desktop": {
-            "build_cmd": [],
-            "clean_cmd": []
-        }
-        }
-    }
-    """
-    # Generate the coverity.conf and auth files
-    cov.cov_auth_path = mozpath.join(cov.cov_state_path, "auth")
-    cov_setup_path = mozpath.join(cov.cov_state_path, "coverity.conf")
-    cov_conf = COVERITY_CONFIG % (cov.cov_url, cov.cov_port, cov.cov_auth_path)
-
-    def download(artifact_url, target):
-        import requests
-
-        command_context.log_manager.enable_unstructured()
-        resp = requests.get(artifact_url, verify=False, stream=True)
-        command_context.log_manager.disable_unstructured()
-        resp.raise_for_status()
-
-        # Extract archive into destination
-        with tarfile.open(fileobj=io.BytesIO(resp.content)) as tar:
-            tar.extractall(target)
-
-    download(cov.cov_analysis_url, cov.cov_state_path)
-
-    with open(cov.cov_auth_path, "w") as f:
-        f.write(cov.cov_auth)
-
-    # Modify it's permission to 600
-    os.chmod(cov.cov_auth_path, 0o600)
-
-    with open(cov_setup_path, "a") as f:
-        f.write(cov_conf)
-
-
-def setup_coverity(command_context, force_download=True):
-    rc, config, _ = _get_config_environment(command_context)
-    if rc != 0:
-        return rc, None
-
-    rc, cov = get_coverity_secrets(command_context)
-    if rc != 0:
-        return rc, cov
-
-    # Create a directory in mozbuild where we setup coverity
-    cov.cov_state_path = mozpath.join(
-        command_context._mach_context.state_dir, "coverity"
-    )
-
-    if force_download is True and os.path.exists(cov.cov_state_path):
-        shutil.rmtree(cov.cov_state_path)
-
-    os.mkdir(cov.cov_state_path)
-
-    # Download everything that we need for Coverity from out private instance
-    download_coverity(command_context, cov)
-
-    cov.cov_path = mozpath.join(cov.cov_state_path, cov.cov_package_name)
-    cov.cov_run_desktop = mozpath.join(cov.cov_path, "bin", "cov-run-desktop")
-    cov.cov_configure = mozpath.join(cov.cov_path, "bin", "cov-configure")
-    cov.cov_make_library = mozpath.join(cov.cov_path, "bin", "cov-make-library")
-    cov.cov_build = mozpath.join(cov.cov_path, "bin", "cov-build")
-    cov.cov_analyze = mozpath.join(cov.cov_path, "bin", "cov-analyze")
-    cov.cov_commit_defects = mozpath.join(cov.cov_path, "bin", "cov-commit-defects")
-    cov.cov_translate = mozpath.join(cov.cov_path, "bin", "cov-translate")
-    cov.cov_configure = mozpath.join(cov.cov_path, "bin", "cov-configure")
-    cov.cov_work_path = mozpath.join(cov.cov_state_path, "data-coverity")
-    cov.cov_idir_path = mozpath.join(cov.cov_work_path, cov.cov_package_ver, "idir")
-    cov.cov_lic_path = mozpath.join(
-        cov.cov_work_path, cov.cov_package_ver, "lic", cov.cov_lic_name
-    )
-
-    if not os.path.exists(cov.cov_path):
-        command_context.log(
-            logging.ERROR,
-            "static-analysis",
-            {},
-            "ERROR: Missing Coverity in {}".format(cov.cov_path),
-        )
-        return 1, cov
-
-    return 0, cov
-
-
 def get_files_with_commands(command_context, compile_db, source):
     """
     Returns an array of dictionaries having file_path with build command
@@ -1031,24 +446,6 @@ def get_clang_tidy_config(command_context):
     return ClangTidyConfig(command_context.topsrcdir)
 
 
-def _get_cov_config(command_context):
-    try:
-        file_handler = open(
-            mozpath.join(command_context.topsrcdir, "tools", "coverity", "config.yaml")
-        )
-        config = yaml.safe_load(file_handler)
-    except Exception:
-        command_context.log(
-            logging.ERROR,
-            "static-analysis",
-            {},
-            "ERROR: Looks like config.yaml is not valid, we are going to use default"
-            " values for the rest of the analysis for coverity.",
-        )
-        return None
-    return config
-
-
 def _get_required_version(command_context):
     version = get_clang_tidy_config(command_context).version
     if version is None:

taskcluster/ci/source-test/coverity.yml

@@ -1,95 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
----
-job-defaults:
-    # Run only on try and code-review tasks
-    # to avoid running Coverity SA on the whole codebase
-    run-on-projects: []
-    platform: linux64/debug
-    worker-type: t-linux-xlarge-source
-    worker:
-        docker-image: {in-tree: debian11-amd64-build}
-        max-run-time: 5400
-    treeherder:
-        kind: other
-        tier: 2
-    run:
-        using: run-task
-        tooltool-downloads: public
-    fetches:
-        toolchain:
-            - linux64-clang-10
-            - linux64-rust
-            - linux64-cbindgen
-            - linux64-nasm
-            - linux64-node
-            - sysroot-x86_64-linux-gnu
-            - sysroot-wasm32-wasi
-    when:
-        # Extension list from https://hg.mozilla.org/mozilla-central/file/default/python/mozbuild/mozbuild/mach_commands.py#l1664
-        files-changed:
-            - '**/*.c'
-            - '**/*.cpp'
-            - '**/*.cc'
-            - '**/*.cxx'
-            - '**/*.m'
-            - '**/*.mm'
-            - '**/*.h'
-            - '**/*.hh'
-            - '**/*.hpp'
-            - '**/*.hxx'
-
-coverity:
-    description: Run static-analysis (Coverity) on C/C++ patches
-    attributes:
-        code-review: true
-    treeherder:
-        symbol: cpp(coverity)
-    run:
-        cwd: '{checkout}'
-        command: >-
-            source taskcluster/scripts/misc/source-test-clang-setup.sh &&
-            ./mach --log-no-times static-analysis check-coverity --outgoing --output $HOME/coverity.json
-    scopes:
-        - secrets:get:project/relman/coverity
-    worker:
-        artifacts:
-            - type: file
-              name: public/code-review/coverity.json
-              path: /builds/worker/coverity.json
-            - type: file
-              name: public/code-review/coverity-orig.json
-              path: /builds/worker/workspace/coverity/cov-results.json
-
-coverity-full-analysis:
-    description: Run Coverity based static-analysis on the entire Gecko repo
-    treeherder:
-        symbol: Static-Analysis(coverity-full-analysis)
-    worker-type:
-        by-platform:
-            linux64.*: b-linux-xlarge
-    run-on-projects: []
-    run:
-        cwd: '{checkout}'
-        command: >-
-            source taskcluster/scripts/misc/source-test-clang-setup.sh &&
-            ./mach --log-no-times static-analysis check-coverity --full-build
-    scopes:
-        - secrets:get:project/relman/coverity
-    worker:
-        max-run-time: 14400
-    when:
-        files-changed:
-            - '**/*.c'
-            - '**/*.cpp'
-            - '**/*.cc'
-            - '**/*.cxx'
-            - '**/*.m'
-            - '**/*.mm'
-            - '**/*.h'
-            - '**/*.hh'
-            - '**/*.hpp'
-            - '**/*.hxx'
-            - '**/*.py'
-            - '**/*.js'

taskcluster/ci/source-test/kind.yml

@@ -19,7 +19,6 @@ kind-dependencies:
 jobs-from:
     - clang.yml
     - codeql.yml
-    - coverity.yml
     - cram.yml
     - doc.yml
     - file-metadata.yml

taskcluster/gecko_taskgraph/target_tasks.py

@@ -976,13 +976,6 @@ def target_tasks_searchfox(full_task_graph, parameters, graph_config):
     ]
 
 
-# Run Coverity Static Analysis once daily.
-@_target_task("coverity_static_analysis_full")
-def target_tasks_coverity_full(full_task_graph, parameters, graph_config):
-    """Select tasks required to run Coverity Static Analysis"""
-    return ["source-test-coverity-coverity-full-analysis"]
-
-
 # Run build linux64-plain-clang-trunk/opt on mozilla-central/beta with perf tests
 @_target_task("linux64_clang_trunk_perf")
 def target_tasks_build_linux64_clang_trunk_perf(

tools/coverity/config.yaml

@@ -1,508 +0,0 @@
----
-# It is used by 'mach static-analysis check-coverity' and
-# 'phabricator static-analysis bot', on automation, in order to determine
-# how prone to false-positive a checker is.
-#
-# In order to update this file please do the following:
-# 1. Obtain the coverity-analysis package.
-# 2. Run cov-analyze `./cov-analyze --list-checkers.
-# 3. Add the new checker(s) from step 2. to the list.
-# 4. Depending on the reliability of the checker please set `reliability` field,
-#    otherwise `medium` will be used as an reliability index.
-coverity_checkers:
-  COPY_PASTE_ERROR:
-    reliability: low
-  DEADCODE:
-    reliability: low
-  FORWARD_NULL:
-    reliability: high
-  IDENTICAL_BRANCHES:
-    reliability: high
-  CONSTANT_EXPRESSION_RESULT:
-    reliability: high
-  UNREACHABLE:
-    reliability: low
-  REVERSE_INULL:
-    reliability: high
-  UNEXPECTED_CONTROL_FLOW:
-    reliability: medium
-  NESTING_INDENT_MISMATCH:
-    reliability: high
-  STRAY_SEMICOLON:
-    publish: false
-    reliability: medium
-  RESOURCE_LEAK:
-    reliability: medium
-  NULL_RETURNS:
-    reliability: medium
-  DIVIDE_BY_ZERO:
-    reliability: medium
-  OVERFLOW_BEFORE_WIDEN:
-    reliability: high
-  UNINTENDED_INTEGER_DIVISION:
-    reliability: medium
-  SWAPPED_ARGUMENTS:
-    reliability: low
-  NO_EFFECT:
-    reliability: medium
-  BAD_SHIFT:
-    reliability: low
-  INFINITE_LOOP:
-    reliability: medium
-  MISSING_RESTORE:
-    reliability: low
-  UNUSED_VALUE:
-    reliability: medium
-  USELESS_CALL:
-    reliability: low
-  MISSING_BREAK:
-    reliability: low
-  CHECKED_RETURN:
-    reliability: low
-  PROPERTY_MIXUP:
-    reliability: medium
-  CALL_SUPER:
-    reliability: medium
-  IDENTIFIER_TYPO:
-    reliability: medium
-  USE_AFTER_FREE:
-    reliability: low
-  ALLOC_FREE_MISMATCH:
-    reliability: medium
-  ARRAY_VS_SINGLETON:
-    reliability: low
-  ASSERT_SIDE_EFFECT:
-    reliability: medium
-  BAD_ALLOC_ARITHMETIC:
-    reliability: medium
-  BAD_ALLOC_STRLEN:
-    reliability: medium
-  BAD_COMPARE:
-    reliability: medium
-  BAD_FREE:
-    reliability: medium
-  BAD_SIZEOF:
-    reliability: medium
-  CHAR_IO:
-    reliability: low
-  EVALUATION_ORDER:
-    reliability: medium
-  INCOMPATIBLE_CAST:
-    reliability: medium
-  MISSING_COMMA:
-    reliability: high
-  MISSING_RETURN:
-    reliability: medium
-  NEGATIVE_RETURNS:
-    reliability: low
-  OVERRUN:
-    reliability: low
-  PASS_BY_VALUE:
-    reliability: high
-  PRINTF_ARGS:
-    reliability: medium
-  READLINK:
-    reliability: medium
-  RETURN_LOCAL:
-    reliability: low
-  REVERSE_NEGATIVE:
-    reliability: medium
-  SIGN_EXTENSION:
-    reliability: low
-  SIZEOF_MISMATCH:
-    reliability: low
-  UNINIT:
-    reliability: high
-  VARARGS:
-    reliability: medium
-  INVALIDATE_ITERATOR:
-    reliability: medium
-  BAD_LOCK_OBJECT:
-    reliability: medium
-  GUARDED_BY_VIOLATION:
-    reliability: medium
-  LOCK_EVASION:
-    reliability: medium
-  MISSING_THROW:
-    reliability: medium
-  NON_STATIC_GUARDING_STATIC:
-    reliability: medium
-  VOLATILE_ATOMICITY:
-    reliability: medium
-  OVERLAPPING_COPY:
-    reliability: medium
-  BAD_OVERRIDE:
-    reliability: medium
-  CTOR_DTOR_LEAK:
-    reliability: low
-  DELETE_ARRAY:
-    reliability: low
-  DELETE_VOID:
-    reliability: medium
-  MISMATCHED_ITERATOR:
-    reliability: medium
-  MISSING_MOVE_ASSIGNMENT:
-    reliability: low
-  STREAM_FORMAT_STATE:
-    reliability: medium
-  UNCAUGHT_EXCEPT:
-    reliability: medium
-  UNINIT_CTOR:
-    reliability: high
-  VIRTUAL_DTOR:
-    reliability: medium
-  WRAPPER_ESCAPE:
-    reliability: low
-  BAD_EQ:
-    reliability: medium
-  BAD_EQ_TYPES:
-    reliability: medium
-  LOCK_INVERSION:
-    reliability: medium
-  BAD_CHECK_OF_WAIT_COND:
-    reliability: medium
-  DC.DANGEROUS:
-    reliability: medium
-  DC.DEADLOCK:
-    reliability: medium
-  HIBERNATE_BAD_HASHCODE:
-    reliability: medium
-  ORM_LOAD_NULL_CHECK:
-    reliability: medium
-  ORM_UNNECESSARY_GET:
-    reliability: medium
-  REGEX_CONFUSION:
-    reliability: medium
-  SERVLET_ATOMICITY:
-    reliability: medium
-  SINGLETON_RACE:
-    reliability: medium
-  WRONG_METHOD:
-    reliability: medium
-  PATH_MANIPULATION:
-    reliability: medium
-  SQLI:
-    reliability: medium
-  HARDCODED_CREDENTIALS:
-    reliability: medium
-  SENSITIVE_DATA_LEAK:
-    reliability: medium
-  SCRIPT_CODE_INJECTION:
-    reliability: medium
-  REGEX_INJECTION:
-    reliability: medium
-  BAD_CERT_VERIFICATION:
-    reliability: medium
-  COM.BAD_FREE:
-    reliability: medium
-  COM.BSTR.CONV:
-    reliability: medium
-  EXPLICIT_THIS_EXPECTED:
-    reliability: medium
-  UNINTENDED_GLOBAL:
-    reliability: medium
-  OS_CMD_INJECTION:
-    reliability: medium
-  XSS:
-    reliability: medium
-  WEAK_PASSWORD_HASH:
-    reliability: medium
-  UNSAFE_DESERIALIZATION:
-    reliability: medium
-  OPEN_REDIRECT:
-    reliability: medium
-  CSRF:
-    reliability: medium
-  UNSAFE_REFLECTION:
-    reliability: medium
-  BLACKLIST_FOR_AUTHN:
-    reliability: medium
-  DYNAMIC_OBJECT_ATTRIBUTES:
-    reliability: medium
-  RAILS_DEFAULT_ROUTES:
-    reliability: medium
-  RAILS_DEVISE_CONFIG:
-    reliability: medium
-  RAILS_MISSING_FILTER_ACTION:
-    reliability: medium
-  REGEX_MISSING_ANCHOR:
-    reliability: medium
-  RUBY_VULNERABLE_LIBRARY:
-    reliability: medium
-  SESSION_MANIPULATION:
-    reliability: medium
-  UNSAFE_BASIC_AUTH:
-    reliability: medium
-  UNSAFE_SESSION_SETTING:
-    reliability: medium
-  XPATH_INJECTION:
-    reliability: medium
-  RISKY_CRYPTO:
-    reliability: medium
-  UNENCRYPTED_SENSITIVE_DATA:
-    reliability: medium
-  XML_EXTERNAL_ENTITY:
-    reliability: medium
-  CONFIG.ATS_INSECURE:
-    reliability: medium
-  CUSTOM_KEYBOARD_DATA_LEAK:
-    reliability: medium
-  INSECURE_COMMUNICATION:
-    reliability: medium
-  INSECURE_MULTIPEER_CONNECTION:
-    reliability: medium
-  WEAK_BIOMETRIC_AUTH:
-    reliability: medium
-  BUFFER_SIZE:
-    reliability: high
-  CHROOT:
-    reliability: medium
-  DC.PREDICTABLE_KEY_PASSWORD:
-    reliability: medium
-    publish: !!bool no
-  DC.STREAM_BUFFER:
-    reliability: medium
-    publish: !!bool no
-  DC.WEAK_CRYPTO:
-    reliability: low
-    publish: !!bool no
-  OPEN_ARGS:
-    reliability: medium
-  STRING_NULL:
-    reliability: medium
-  STRING_OVERFLOW:
-    reliability: low
-  STRING_SIZE:
-    reliability: medium
-  TAINTED_SCALAR:
-    reliability: low
-  TAINTED_STRING:
-    reliability: medium
-  TOCTOU:
-    reliability: low
-  SECURE_TEMP:
-    reliability: medium
-  UNSAFE_XML_PARSE_CONFIG:
-    reliability: medium
-  ATOMICITY:
-    reliability: medium
-  LOCK:
-    reliability: medium
-  MISSING_LOCK:
-    reliability: medium
-  ORDER_REVERSAL:
-    reliability: medium
-  SLEEP:
-    reliability: medium
-  ASSIGN_NOT_RETURNING_STAR_THIS:
-    reliability: medium
-  COPY_WITHOUT_ASSIGN:
-    reliability: medium
-  MISSING_COPY_OR_ASSIGN:
-    reliability: medium
-  SELF_ASSIGN:
-    reliability: medium
-  WEAK_GUARD:
-    reliability: medium
-  AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK:
-    reliability: medium
-  DC.STRING_BUFFER:
-    reliability: medium
-    publish: !!bool no
-  ENUM_AS_BOOLEAN:
-    reliability: medium
-  INTEGER_OVERFLOW:
-    reliability: low
-  MISRA_CAST:
-    reliability: medium
-  MIXED_ENUMS:
-    reliability: low
-  STACK_USE:
-    reliability: medium
-  USER_POINTER:
-    reliability: medium
-  PARSE_ERROR:
-    reliability: low
-  FLOATING_POINT_EQUALITY:
-    reliability: medium
-  ORM_LOST_UPDATE:
-    reliability: medium
-  HFA:
-    reliability: medium
-  COM.ADDROF_LEAK:
-    reliability: medium
-  COM.BSTR.ALLOC:
-    reliability: medium
-  COM.BSTR.BAD_COMPARE:
-    reliability: medium
-  COM.BSTR.NE_NON_BSTR:
-    reliability: medium
-  VCALL_IN_CTOR_DTOR:
-    reliability: medium
-  INSECURE_DIRECT_OBJECT_REFERENCE:
-    reliability: medium
-  UNESCAPED_HTML:
-    reliability: medium
-  SECURE_CODING:
-    reliability: medium
-    publish: !!bool no
-  SIZECHECK:
-    reliability: medium
-  MISSING_AUTHZ:
-    reliability: medium
-  NOSQL_QUERY_INJECTION:
-    reliability: medium
-  HEADER_INJECTION:
-    reliability: medium
-  INSECURE_RANDOM:
-    reliability: medium
-  CONFIG.DYNAMIC_DATA_HTML_COMMENT:
-    reliability: medium
-  LDAP_INJECTION:
-    reliability: medium
-  UNLOGGED_SECURITY_EXCEPTION:
-    reliability: medium
-  UNRESTRICTED_DISPATCH:
-    reliability: medium
-  UNSAFE_NAMED_QUERY:
-    reliability: medium
-  TAINT_ASSERT:
-    reliability: medium
-  UNKNOWN_LANGUAGE_INJECTION:
-    reliability: medium
-  URL_MANIPULATION:
-    reliability: medium
-  TAINTED_ENVIRONMENT_WITH_EXECUTION:
-    reliability: medium
-  ASPNET_MVC_VERSION_HEADER:
-    reliability: medium
-  CONFIG.ASPNET_VERSION_HEADER:
-    reliability: medium
-  CONFIG.ASP_VIEWSTATE_MAC:
-    reliability: medium
-  CONFIG.CONNECTION_STRING_PASSWORD:
-    reliability: medium
-  CONFIG.COOKIES_MISSING_HTTPONLY:
-    reliability: medium
-  CONFIG.DEAD_AUTHORIZATION_RULE:
-    reliability: medium
-  CONFIG.ENABLED_DEBUG_MODE:
-    reliability: medium
-  CONFIG.ENABLED_TRACE_MODE:
-    reliability: medium
-  CONFIG.MISSING_CUSTOM_ERROR_PAGE:
-    reliability: medium
-  PREDICTABLE_RANDOM_SEED:
-    reliability: medium
-  ATTRIBUTE_NAME_CONFLICT:
-    reliability: medium
-  CONFIG.DUPLICATE_SERVLET_DEFINITION:
-    reliability: medium
-  CONFIG.DWR_DEBUG_MODE:
-    reliability: medium
-  CONFIG.HTTP_VERB_TAMPERING:
-    reliability: medium
-  CONFIG.JAVAEE_MISSING_HTTPONLY:
-    reliability: medium
-  CONFIG.MISSING_GLOBAL_EXCEPTION_HANDLER:
-    reliability: medium
-  CONFIG.MISSING_JSF2_SECURITY_CONSTRAINT:
-    reliability: medium
-  CONFIG.SPRING_SECURITY_DEBUG_MODE:
-    reliability: medium
-  CONFIG.SPRING_SECURITY_DISABLE_AUTH_TAGS:
-    reliability: medium
-  CONFIG.SPRING_SECURITY_HARDCODED_CREDENTIALS:
-    reliability: medium
-  CONFIG.SPRING_SECURITY_REMEMBER_ME_HARDCODED_KEY:
-    reliability: medium
-  CONFIG.SPRING_SECURITY_SESSION_FIXATION:
-    reliability: medium
-  CONFIG.STRUTS2_CONFIG_BROWSER_PLUGIN:
-    reliability: medium
-  CONFIG.STRUTS2_DYNAMIC_METHOD_INVOCATION:
-    reliability: medium
-  CONFIG.STRUTS2_ENABLED_DEV_MODE:
-    reliability: medium
-  CONFIG.UNSAFE_SESSION_TIMEOUT:
-    reliability: medium
-  EL_INJECTION:
-    reliability: medium
-  JAVA_CODE_INJECTION:
-    reliability: medium
-  JCR_INJECTION:
-    reliability: medium
-  JSP_DYNAMIC_INCLUDE:
-    reliability: medium
-  JSP_SQL_INJECTION:
-    reliability: medium
-  OGNL_INJECTION:
-    reliability: medium
-  SESSION_FIXATION:
-    reliability: medium
-  TRUST_BOUNDARY_VIOLATION:
-    reliability: medium
-  UNSAFE_JNI:
-    reliability: medium
-  CONFIG.HANA_XS_PREVENT_XSRF_DISABLED:
-    reliability: medium
-  CONFIG.SEQUELIZE_ENABLED_LOGGING:
-    reliability: medium
-  COOKIE_INJECTION:
-    reliability: medium
-  CSS_INJECTION:
-    reliability: medium
-  DOM_XSS:
-    reliability: medium
-  INSECURE_SALT:
-    reliability: medium
-  INSUFFICIENT_LOGGING:
-    reliability: medium
-  LOCALSTORAGE_MANIPULATION:
-    reliability: medium
-  MISSING_IFRAME_SANDBOX:
-    reliability: medium
-  SESSIONSTORAGE_MANIPULATION:
-    reliability: medium
-  TEMPLATE_INJECTION:
-    reliability: medium
-  UNCHECKED_ORIGIN:
-    reliability: medium
-  UNRESTRICTED_MESSAGE_TARGET:
-    reliability: medium
-  ANGULAR_EXPRESSION_INJECTION:
-    reliability: medium
-  CONFIG.SYMFONY_CSRF_PROTECTION_DISABLED:
-    reliability: medium
-  SYMFONY_EL_INJECTION:
-    reliability: medium
-  LOG_INJECTION:
-    reliability: medium
-  SQL_NOT_CONSTANT:
-    reliability: medium
-  XML_INJECTION:
-    reliability: medium
-  INSECURE_COOKIE:
-    reliability: medium
-  ANGULAR_BYPASS_SECURITY:
-    reliability: medium
-  ANGULAR_ELEMENT_REFERENCE:
-    reliability: medium
-  LOCALSTORAGE_WRITE:
-    reliability: medium
-  ANDROID_CAPABILITY_LEAK:
-    reliability: medium
-  ANDROID_DEBUG_MODE:
-    reliability: medium
-  EXPOSED_PREFERENCES:
-    reliability: medium
-  IMPLICIT_INTENT:
-    reliability: medium
-  MISSING_PERMISSION_FOR_BROADCAST:
-    reliability: medium
-  MISSING_PERMISSION_ON_EXPORTED_COMPONENT:
-    reliability: medium
-  MOBILE_ID_MISUSE:
-    reliability: medium
-  UNRESTRICTED_ACCESS_TO_FILE:
-    reliability: medium

tools/coverity/model.cpp

@@ -1,29 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
-Coverity model file in order to avoid false-positive
-*/
-
-// In Bug 1248897 we've seen that Coverity thinks that json-cpp allocates
-// memmory for the strings that are used as indexes, this is wrong and this
-// model of CZString fixes this.
-namespace Json {
-class Value {
- private:
-  class CZString {
-   private:
-    char const* cstr_;
-
-   public:
-    ~CZString() {
-      // Don't do anything since most of the time cstr_ only stores address of
-      // str
-      __coverity_escape__(static_cast<void*>(cstr_));
-    }
-  };
-};
-}  // namespace Json

tools/moz.build

@@ -13,9 +13,6 @@ with Files("code-coverage/**"):
 with Files("compare-locales/mach_commands.py"):
     BUG_COMPONENT = ("Localization Infrastructure and Tools", "compare-locales")
 
-with Files("coverity/**"):
-    BUG_COMPONENT = ("Firefox Build System", "Source Code Analysis")
-
 with Files("github-sync/**"):
     BUG_COMPONENT = ("Core", "Graphics")