One of the prongs of our strategy to increase the quality of software throughout our developments in Product Strategy was to introduce static analysis to our code where possible. After evaluating several tools we decided that Coverity was the best tool for this, and we started figuring out how to make this work on our code bases. After a fair amount of work in pulling things together I'm happy to say we're scanning projects and processing the bugs in production now. You can see the open bugs and you can find out about what data is there.

While there were various technical issues, I think one of the more interesting and difficult ones was social. How can we introduce a tool whose distribution is restricted into a community that has no restrictions? It would have been very easy to create two classes of developers: those in Canonical with access to the tool, and those outside who wouldn't have "all the info" about what was going on. We didn't want to do that; it's not how we work.

What we did was build a tool that would take the bugs out of the Coverity Integration Manager (CIM) and put them into Launchpad. So every time a commit happens on trunk a Coverity Scan is performed, the issues are put into CIM, and then Launchpad is updated. This includes both creating new defects in Launchpad as well as closing ones that were fixed. We also take the annotations of what branches Coverity took throughout the code and create an annotated source file and attach it to the bug.
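The sync step described above can be sketched as follows. This is an added example, not the sync tool's own code: the data shapes, field names and the reopen-on-regression rule are assumptions, and it calls neither the Coverity nor the Launchpad API.

```python
# Added example: data shapes, field names and status handling are assumptions,
# not the real sync tool's code or the Coverity/Launchpad APIs.
from collections import defaultdict

def plan_sync(scan_defects, launchpad_bugs):
    """Compare the latest scan with bugs already filed, keyed by Coverity CID.

    scan_defects:   {cid: defect dict} from the latest scan of trunk
    launchpad_bugs: {cid: {"id": bug number, "status": str}} filed earlier
    Returns (create, close, reopen) lists of CIDs, each sorted.
    """
    closed_states = {"Fix Released", "Invalid", "Won't Fix"}
    create = sorted(c for c in scan_defects if c not in launchpad_bugs)
    close = sorted(c for c, b in launchpad_bugs.items()
                   if c not in scan_defects and b["status"] not in closed_states)
    # A defect that was closed as fixed but shows up again is a regression.
    reopen = sorted(c for c, b in launchpad_bugs.items()
                    if c in scan_defects and b["status"] == "Fix Released")
    return create, close, reopen

def annotate_source(source, events):
    """Interleave analysis events with the source so the bug is self-contained.

    events: list of (line_number, text) in the order the analyser reported them.
    """
    by_line = defaultdict(list)
    for step, (line_no, text) in enumerate(events, 1):
        by_line[line_no].append(f"    >>> [{step}] {text}")
    out = []
    for n, line in enumerate(source.splitlines(), 1):
        out.extend(by_line.get(n, []))   # events go above the line they describe
        out.append(f"{n:4d}  {line}")
    return "\n".join(out)

# Constructed sample data (not real scan output).
SCAN = {101: {"checker": "NULL_RETURNS"}, 103: {"checker": "RESOURCE_LEAK"},
        104: {"checker": "USE_AFTER_FREE"}}
BUGS = {101: {"id": 9001, "status": "Triaged"},
        102: {"id": 9002, "status": "Confirmed"},
        103: {"id": 9003, "status": "Fix Released"}}
SRC = "p = lookup(key);\nif (verbose)\n    log(key);\nuse(p->name);"
EVENTS = [(1, "lookup() may return NULL"), (2, "taking false branch"),
          (4, "dereferencing p without a NULL check")]

if __name__ == "__main__":
    print(plan_sync(SCAN, BUGS))
    print(annotate_source(SRC, EVENTS))
```

Bugs a developer has marked Invalid or Won't Fix are left alone even when the defect is still reported, so triage decisions made in Launchpad survive the next scan.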

Our sync tool is Open Source, and while it's hard to test, as you'd need a license for Coverity to do so, we're happy to take patches. We want all the information needed to work on a bug to be in the Launchpad bug itself. If there's something you think we need to add, come talk to us; it's a conversation we're interested in.

In the end we hope that we've created an environment that allows for Coverity to be used by everyone in our development community, on largely equal footing. Currently we're only licensed to scan Unity and the other projects it uses directly. I'm excited to see how we can use this new tool to improve the quality of PS projects as we continue to expand it to scan more projects we're licensed for, along with hopefully expanding its coverage as it shows value.



posted Feb 24, 2012