[Qgis-psc] 2025 Grant: Coverity Scan cleanup final report

Nyall Dawson nyall.dawson at gmail.com
Mon Nov 10 16:16:41 PST 2025


On Tue, 11 Nov 2025 at 00:02, Régis Haubourg <regis at qgis.org> wrote:
>
> Thanks a lot for this work Nyall.
> As regulations on cyber security increase, we will clearly need to
> find workarounds for the GitHub actions limitations. Those regulations will
> make it mandatory to prove we have automated scans running, on a regular
> basis or per continuous integration process.
> Some tests have already been made with dedicated machines to see if
> hosting our own runners would help.
>
> With your insights we know that static analyzers will need resources.
> Do you have rough estimates of what specifications are required for disk
> space, memory and CPU so that we can run with comfort and maybe on a daily
> or weekly basis?

Hmm, good question. As far as disk space goes:

- QGIS source is ~5 GB
- The Coverity build tool itself is ~2.5 GB
- The build folder when building using Coverity ends up around 30 GB total
(including the cov-int internal database)
- The cov-int folder needs to be compressed before submission to Coverity,
which ends up ~10 GB

So we're looking for at least 50 GB of space on top of the base environment
(with all dependencies installed). I'd probably allow at least another 10 GB
of swap space there too, depending on the available memory.

On the GitHub runner (4x CPU, 16 GB RAM) the Coverity build aborts at
around the 6 hour mark, at around 75% completion. If the system had similar
CPU/memory then I'd estimate the workflow would take around 8-10 hours
total (for completion of the build, compression of the results, and
submission to Coverity). For reference, on my local machine (64 GB RAM, AMD
Ryzen 9 5950X 16-Core Processor) a full Coverity build takes about 30
minutes (plus another 45 minutes to submit the 10 GB compressed results to
Coverity, but that's likely just my slow internet connection! 😂).

Hope that helps!
Nyall

>
> Great work again.
> Cheers
> Régis
>
>
> On 10 November 2025 02:34:59 GMT+01:00, Nyall Dawson via QGIS-PSC <
> qgis-psc at lists.osgeo.org> wrote:
>>
>> Hi PSC,
>>
>> I'd like to report the successful conclusion of the 2025 funding grant
>> for QEP 337: Coverity Scan cleanup!
>>
>> As detailed in the original proposal, this project has seen a massive
>> cleanup to the QGIS code base via hundreds of fixes to issues reported by
>> the Coverity Scan tool.
>>
>> From the original 1075 issues identified by Coverity Scan at the start
>> of the project, we are now down to 145 remaining outstanding issues. All
>> false positive issues have been marked accordingly, and many fixes
>> submitted to QGIS to remedy valid issues in the QGIS code.
>>
>> The remaining issues are either non-trivial to fix (i.e. requiring large
>> architectural changes) or ambiguous (in that the original intention of the
>> code is not clear, and I'm unable to determine if the issues are valid or
>> working as expected). It is hoped that by clearing out the bulk of the
>> Coverity results, future bug fixing efforts will be able to focus attention
>> on these remaining issues and eventually lead to QGIS achieving "Coverity
>> Clean" status.
>>
>> All applicable (and safe!) fixes have been backported to stable QGIS
>> releases too.
>>
>> As part of this project, several downstream projects also saw fixes
>> submitted:
>>
>> - The MDAL library is now completely "coverity clean", with no
>> outstanding issues remaining. Coverity Scan is now run on the MDAL codebase
>> on a weekly basis, in order to quickly identify and remedy any issues in
>> any newly introduced code.
>> - Fixes and performance improvements have been submitted to the
>> laz-perf, untwine, PDAL wrench and tinygltf libraries.
>>
>> As detailed in the original proposal, an investigation was also
>> conducted to determine whether it is possible to automatically run the
>> Coverity Scan tool on a weekly basis as a GitHub action for QGIS. My
>> finding was that this is NOT possible to achieve via GitHub actions, as the
>> compilation using the coverity cov-build tool ends up exceeding the maximum
>> available space on the workflow runners (see
>> https://github.com/nyalldawson/QGIS/tree/coverity_workflow for the
>> attempted workflow configuration).
>>
>> While not part of the original proposal or grant, I will continue to run
>> Coverity Scan on an ad-hoc basis on the QGIS codebase in order to quickly
>> identify and resolve any newly introduced issues.
>>
>> My thanks to the PSC and QGIS sponsors for making this work possible!
>>
>> Kind regards,
>> Nyall
>>
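As an added example (not code from this thread or from the QGIS project), the sizing Nyall gives above for a self-hosted Coverity runner, turned into a preflight check that refuses to start a cov-build on an under-provisioned machine; the 10% disk margin, the "swap only matters below 2x the minimum RAM" rule and the `--run` option are assumptions made here.

```shell
#!/bin/sh
# Preflight sizing check for a self-hosted runner that will do a Coverity cov-build.
# Added example, not QGIS project code. Thresholds follow the sizes quoted in the
# thread: source ~5 GB, cov tool ~2.5 GB (rounded up to 3), build dir incl. cov-int
# ~30 GB, compressed cov-int ~10 GB; reference runner 4 CPU / 16 GB RAM; ~10 GB swap.
# The 10% margin, the swap rule and the option names are assumptions for this example.
SRC_GB=5; TOOL_GB=3; BUILD_GB=30; TARBALL_GB=10
MIN_MEM_GB=16; MIN_SWAP_GB=10; MIN_CPUS=4

# Disk headroom (GB) needed on top of the base environment: the components plus a
# 10% margin, since the tarball is written while cov-int still exists.
required_disk_gb() {
    base=$((SRC_GB + TOOL_GB + BUILD_GB + TARBALL_GB))
    echo $((base + base / 10))
}

# Pure check so it can be tested offline: args are free disk GB, RAM GB, swap GB,
# CPU count. Prints one line per shortfall and returns 0 only when all minimums hold.
check_resources() {
    disk=$1; mem=$2; swap=$3; cpus=$4
    need=$(required_disk_gb); rc=0
    [ "$disk" -ge "$need" ] || { echo "disk: ${disk} GB free, need ${need} GB"; rc=1; }
    [ "$mem" -ge "$MIN_MEM_GB" ] || { echo "memory: ${mem} GB, need ${MIN_MEM_GB} GB"; rc=1; }
    # Swap compensates for a small RAM budget; assume it is not needed at 2x the minimum.
    if [ "$mem" -lt $((2 * MIN_MEM_GB)) ] && [ "$swap" -lt "$MIN_SWAP_GB" ]; then
        echo "swap: ${swap} GB, need ${MIN_SWAP_GB} GB with only ${mem} GB RAM"; rc=1
    fi
    [ "$cpus" -ge "$MIN_CPUS" ] || { echo "cpu: ${cpus} cores, need ${MIN_CPUS}"; rc=1; }
    return $rc
}

# Read live values on a Linux host (df -P, /proc/meminfo, getconf) for WORKDIR and check.
preflight() {
    workdir=${1:-.}
    disk=$(df -Pk "$workdir" | awk 'NR==2 {print int($4 / 1048576)}')
    mem=$(awk '/^MemTotal:/ {print int($2 / 1048576)}' /proc/meminfo)
    swap=$(awk '/^SwapTotal:/ {print int($2 / 1048576)}' /proc/meminfo)
    cpus=$(getconf _NPROCESSORS_ONLN)
    check_resources "$disk" "$mem" "$swap" "$cpus"
}

# Usage: sh coverity_preflight.sh --run /path/to/build/dir   (exit 1 aborts the job)
if [ "${1:-}" = "--run" ]; then preflight "${2:-.}"; fi
```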