Coverity Scanning

The Xen Project uses Coverity Scan to run static analysis on the Xen hypervisor source code (xen.git). Coverity can find bugs that are difficult to catch through testing, including potential security issues.

Accessing the Coverity database

Community members can request access to the Coverity results for the Xen Project:

  1. Create an account at https://scan.coverity.com/

  2. Search for “Xen Project” and request membership.

  3. The project team reviews requests within a few days.

Note

Requests from accounts that have never engaged with the project (for example, never posted to a mailing list) may be declined.

Triaging defects

Coverity reports potential defects but does not always indicate whether they are real bugs. Triaging means reviewing a reported defect and determining:

  • Whether it is a genuine bug or a false positive.

  • If it is genuine, how serious it is and what a fix might look like.

Triaging defects and proposing fixes is a useful way to contribute to Xen’s security and quality. Once you have identified a real issue, follow the normal patch submission process to send a fix.