[SERVER-84924] Ensure that 7.0.0 release does not have any applicable critical or high Coverity issues
Created: 31/Jul/23 | Updated: 12/Jan/24 | Resolved: 26/Sep/23

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task |
| Priority: | Critical - P2 |
| Reporter: | Judah Schvimer |
| Assignee: | Kyle Suarez |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |
| Sprint: | QE 2023-09-04, QE 2023-09-18, QE 2023-10-02 |
| Participants: | |

| Description |
We should include a screenshot that includes the date of the check, similar to WRITING-14730, for documentation. |
| Comments |
| Comment by Salman Baset [ 22/Sep/23 ] |
kyle.suarez@mongodb.com I have reviewed the revised report and it looks good to me. Thank you so much for completing this. This ticket can be closed. |
| Comment by Brooke Miller [ 21/Sep/23 ] |
salman.baset@mongodb.com can this be considered resolved and done? kyle.suarez@mongodb.com If we don't hear back from Salman, I think this can be closed. The other doc requested (Third party dependencies validation WRITING-14730) didn't go through this review process. |
| Comment by Kyle Suarez [ 05/Sep/23 ] |
salman.baset@mongodb.com, any request for further changes? |
| Comment by Brooke Miller [ 18/Aug/23 ] |
TY. I assumed that salman.baset@mongodb.com will copy the entirety of the "Revised Report" sheet. I agree with removing the "Internal Notes" column from that sheet. |
| Comment by Kyle Suarez [ 18/Aug/23 ] |
Thanks brooke.miller@mongodb.com! I made some minor adjustments:
One question I have for you: is this the exact report we will give to IBM? Or are we going to just copy-paste the final values into a new report? I have a preference for the latter; maybe we need to also remove the internal notes? |
| Comment by Brooke Miller [ 18/Aug/23 ] |
Thanks, kyle.suarez@mongodb.com! I modified the intro of the Revised Report tab to specify the product this applies to (MongoDB Server Community) and the tool used (Coverity) and updated the format of the legend just to align exactly with the details in the http://go/ssdlc-policy. This LGTM. salman.baset@mongodb.com can you please review and comment with an LGTM by next Wednesday so that Kyle can close this out? Thanks! |
| Comment by Kyle Suarez [ 16/Aug/23 ] |
I went in and analyzed the 30 remaining issues:
Sending this back to review. |
| Comment by Kyle Suarez [ 15/Aug/23 ] |
Moving this back in progress – I will investigate the 30 issues with a missing Jira ticket. |
| Comment by Brooke Miller [ 15/Aug/23 ] |
Hey kyle.suarez@mongodb.com, after our review meeting today I added a new tab ("Revised Report"). A few updates:
However, I was unable to find Jira tickets for 30 Coverity issues previously marked as "Fix Committed". (29 of these issues are either High or Medium Impact). If no Jira tickets were generated for them, I assume we may need to generate Jira tickets to verify these issues indeed had a fix committed for 7.0.0, or to determine no fix is needed. Do you think that's feasible, or do you have an alternative suggestion? |
| Comment by Kyle Suarez [ 14/Aug/23 ] |
Legend is complete and I also did another sweep through the sheet. Moving back to review. |
| Comment by Kyle Suarez [ 11/Aug/23 ] |
I just noticed the comment by Salman and Brooke that
I'll move this back into Open and I'll get this done next week before the meeting. |
| Comment by Kyle Suarez [ 11/Aug/23 ] |
brooke.miller@mongodb.com, I misspoke, it's actually just 5 issues.
All 5 issues are "P4 - Minor" in Jira. In Coverity, four of the five issues are Impact = "Low", so those are fine. The fifth and final issue (
I added all five issues to the very bottom of the sheet. The four low-impact unresolved tickets say "Fix Pending", and the one medium-impact ticket I said "Done" since the code no longer has the defect.
I am happy to make a basic guide on how I generated this spreadsheet. (Probably best to track this with another WRITING ticket?) But if we sincerely think that we'll be moving off Coverity onto a different system, then I'd prefer not to make it super detailed if that work will eventually be obviated.
Yes, each Jira ticket title has the CID, and then I search for the CID in both the existing exported table as well as looking it up in the Coverity system itself to see what it has to say about that particular defect. |
| Comment by Brooke Miller [ 11/Aug/23 ] |
Thanks kyle.suarez@mongodb.com! Are those 8 Unresolved Issues attributed to a High or Medium Impact? (You mentioned Minor but I didn't follow whether that was related to the Jira Priority or Coverity's Low Impact.) I'd recommend including them for now so that we can have visibility. If they are High / Medium impact, I'd like to understand whether those issues are actively in progress and whether they will be fixed for 7.0.0? Also, sorry for this manual effort on your behalf. Can you possibly include the instructions explaining what filters you used to generate this report from Coverity so that we don't lose insight into this? Also, re: the Jira tickets: how were you able to realize which Coverity Issues mapped to the relevant Jira issue to update the correct Coverity issue ID on the first tab? Just based on the CID being included in the Jira Issue Summary? |
| Comment by Kyle Suarez [ 11/Aug/23 ] |
OK, updates to the sheet:
| Comment by Kyle Suarez [ 11/Aug/23 ] |
brooke.miller@mongodb.com and salman.baset@mongodb.com:
Sounds good to me and makes sense. I can write a formula to merge the two columns – my proposal is to pick Classification first, and fall back to Action if Classification=Undecided.
Agreed.
Sadly that information is outdated. Basically, when I export a Medium/High+ ticket from Coverity to Jira, the classification is generally "Pending". But when the Jira ticket is resolved, the system does not automatically go back and then update the Coverity status to "Done". Essentially, anything that wasn't a false positive or intentional can be considered "Done" except for the 8 outstanding minor tickets. I can go back and essentially mark them all as fixed but then change the 8 outstanding ones to "Pending" or "Awaiting Fix" or something of the sort. I'll have all these changes made by our meeting and we can discuss / review further. |
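The reconciliation described in the two comments above (matching Coverity CIDs to Jira tickets through the ticket summary, merging Classification and Action with Classification winning unless it is Undecided, and flagging High/Medium issues that claim a committed fix but have no Jira ticket), as an added example that is not part of this ticket or of MongoDB's own tooling. The CSV column names, the "CID <n>" summary convention, the sample rows and the status vocabulary are assumptions modelled on the values mentioned in the comments.

```python
"""Reconcile a Coverity CSV export with Jira tickets by CID.

Added example; not code from the Jira ticket or from MongoDB. Column names,
the "CID <n>" summary convention and the status values are assumptions.
"""
import csv
import io
import re

# Constructed sample data standing in for a Coverity export.
COVERITY_CSV = """CID,Impact,Classification,Action
100001,High,Pending,Fix Committed
100002,Medium,Undecided,Fix Committed
100003,Low,Undecided,Fix Pending
100004,High,False Positive,Undecided
100005,Medium,Undecided,Fix Committed
100006,Low,Intentional,Ignore
"""

# Constructed sample data standing in for the Jira tickets created from Coverity.
JIRA_ISSUES = [
    {"key": "SERVER-1", "summary": "Fix Coverity CID 100001: null dereference",
     "priority": "P2", "resolved": True},
    {"key": "SERVER-2", "summary": "Coverity CID 100002 resource leak",
     "priority": "P3", "resolved": True},
    {"key": "SERVER-3", "summary": "Coverity CID 100003 unchecked return value",
     "priority": "P4 - Minor", "resolved": False},
]

# Assumed title convention: the Coverity CID appears as "CID 12345" in the summary.
CID_RE = re.compile(r"\bCID\s*#?\s*(\d+)\b")
# Classifications that mean "no fix needed" rather than "fix done".
TRIAGED_AS_NOT_A_BUG = {"False Positive", "Intentional"}
GATED_IMPACTS = {"High", "Medium"}


def cid_from_summary(summary):
    """Return the Coverity CID named in a Jira summary, or None if absent."""
    match = CID_RE.search(summary)
    return int(match.group(1)) if match else None


def merged_status(classification, action):
    """Proposed merge rule: Classification first, Action only when Classification is Undecided."""
    return classification if classification != "Undecided" else action


def reconcile(coverity_csv, jira_issues):
    """Join Coverity rows to Jira tickets by CID and derive a final status per defect.

    Jira is treated as the source of truth for whether a fix landed, because the
    Coverity classification is not updated when the Jira ticket is resolved.
    """
    jira_by_cid = {}
    for issue in jira_issues:
        cid = cid_from_summary(issue["summary"])
        if cid is not None:
            jira_by_cid[cid] = issue

    report = []
    for row in csv.DictReader(io.StringIO(coverity_csv)):
        cid = int(row["CID"])
        impact = row["Impact"]
        status = merged_status(row["Classification"], row["Action"])
        jira = jira_by_cid.get(cid)
        flags = []

        if status in TRIAGED_AS_NOT_A_BUG:
            final = status                      # triage decision stands on its own
        elif jira is not None:
            final = "Done" if jira["resolved"] else "Fix Pending"
        else:
            final = status                      # keep Coverity's word, but flag it
            if impact in GATED_IMPACTS:
                flags.append("no Jira ticket")

        if final == "Fix Pending" and impact in GATED_IMPACTS:
            flags.append("unresolved high/medium impact")

        report.append({"cid": cid, "impact": impact, "status": final,
                       "jira": jira["key"] if jira else None, "flags": flags})
    return report


def release_blockers(report):
    """Rows that need a human decision before the release check can be signed off."""
    return [row for row in report if row["flags"]]


if __name__ == "__main__":
    for row in reconcile(COVERITY_CSV, JIRA_ISSUES):
        print(row)
```

Rows that carry no flag are either resolved in Jira, triaged as not a bug, or Low impact; anything left in `release_blockers` is exactly the class of issue the 15/Aug comment had to chase by hand (a High/Medium defect marked fixed in Coverity with no Jira ticket to prove it).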
| Comment by Brooke Miller [ 11/Aug/23 ] |
Hey kyle.suarez@mongodb.com, I talked with Salman about this and we had a few takeaways. We updated the http://go/ssdlc-policy description to be more specific: To align with that:
I'll find time next week with you, Salman and Judah (optionally) to get closure on this (thanks for the ping!). |
| Comment by Kyle Suarez [ 11/Aug/23 ] |
salman.baset@mongodb.com, brooke.miller@mongodb.com and judah.schvimer@mongodb.com: following up on this after my vacation, is there anything else y'all need for the reports and/or the spreadsheets or is this sufficient for closeout? |
| Comment by Kyle Suarez [ 02/Aug/23 ] |
Adding a link to the Coverity 7.0 Report. |
| Comment by Kyle Suarez [ 02/Aug/23 ] |
salman.baset@mongodb.com, correct, the only issues that are outstanding in Jira are low-priority ones, and all of the high-priority ones have been fixed. |
| Comment by Salman Baset [ 02/Aug/23 ] |
kyle.suarez@mongodb.com thank you so much for sharing the screenshots. So if I understand correctly, for 7.0.0, Coverity is only reporting low issues that are not yet fixed, right? It would be helpful to generate a Coverity CSV list similar to this one for 6.0 |
| Comment by Kyle Suarez [ 02/Aug/23 ] |
salman.baset@mongodb.com, tagging you here to please review the screenshots. I figure I will also go ahead and generate the usual CSV we give to IBM and will share that with you when it is ready. |
| Comment by Kyle Suarez [ 02/Aug/23 ] |
In the Coverity interface itself, here are the outstanding high impact issues. There is only one issue listed, and a fix was committed as part of |
| Comment by Kyle Suarez [ 02/Aug/23 ] |
This screenshot verifies that we have no outstanding issues in Coverity that are severity: Major or higher: The next screenshot shows all of the remaining unresolved Coverity issues, all of which are Minor or below: This snapshot was taken on Wednesday, August 2. |