
Merge pull request #18174 from systemd/coverity-now-for-real

ci: move the Coverity job to GitHub Actions
This commit is contained in:
Luca Boccassi 2021-01-11 17:56:13 +00:00 committed by GitHub
commit bcac754d66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 42 additions and 438 deletions

.github/workflows/coverity.yml vendored Normal file

@ -0,0 +1,39 @@
---
# vi: ts=2 sw=2 et:
#
name: Coverity
on:
schedule:
# Run Coverity daily at midnight
- cron: '0 0 * * *'
jobs:
build:
runs-on: ubuntu-20.04
if: github.repository == 'systemd/systemd'
env:
COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}"
COVERITY_SCAN_NOTIFICATION_EMAIL: ""
COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}"
# Set in repo settings -> secrets -> repository secrets
COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}"
CURRENT_REF: "${{ github.ref }}"
steps:
- name: Repository checkout
uses: actions/checkout@v1
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
- name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable
run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV
- name: Install Coverity tools
run: tools/get-coverity.sh
# Reuse the setup phase of the unit test script to avoid code duplication
- name: Install build dependencies
run: sudo -E .github/workflows/ubuntu-unit-tests.sh SETUP
# Preconfigure with meson to prevent Coverity from capturing meson metadata
- name: Preconfigure the build directory
run: meson cov-build -Dman=false
- name: Build
run: tools/coverity.sh build
- name: Upload the results
run: tools/coverity.sh upload
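Review bot: The "Repository checkout" step pins `actions/checkout@v1`, a mutable major tag, in a job whose environment carries `COVERITY_SCAN_TOKEN`; pin it to a full commit SHA instead, `uses: actions/checkout@<full-commit-sha>  # vN.N.N`, so that a moved tag cannot change the code that runs alongside the secret. The notification-email step appears to carry over a quoting slip from the Travis config it replaces: inside `$(...)` the `\"` around `%aE` are literal characters handed to git, so the exported value is the address wrapped in double quotes (`echo "$(echo \"x\")"` prints `"x"`), and `--pretty=%aE` is all that is needed. `COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}"` is also missing the space before `}}` that `CURRENT_REF` has on the line below; GitHub tolerates it, but the two expressions should read alike. Note that this step writes commit-author metadata into `$GITHUB_ENV`; that is acceptable for a schedule-only job on the repository's own ref, but the value is not under the workflow's control and should stay the only thing written there.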


@ -1,4 +1,3 @@
---
# vi: ts=2 sw=2 et:
#


@ -1,62 +0,0 @@
---
# vi: ts=2 sw=2 et:
language: bash
dist: bionic
services:
- docker
env:
global:
- AUTHOR_EMAIL="$(git log -1 $TRAVIS_COMMIT --pretty=\"%aE\")"
- CI_MANAGERS="$TRAVIS_BUILD_DIR/travis-ci/managers"
- CI_TOOLS="$TRAVIS_BUILD_DIR/travis-ci/tools"
- REPO_ROOT="$TRAVIS_BUILD_DIR"
stages:
# Run Coverity periodically instead of for each commit/PR
- name: Coverity
if: type = cron
jobs:
include:
- stage: Coverity
language: bash
env:
- FEDORA_RELEASE="31"
- TOOL_BASE="/var/tmp/coverity-scan-analysis"
- CONT_NAME="coverity-fedora-$FEDORA_RELEASE"
- DOCKER_EXEC="docker exec -ti $CONT_NAME"
- DOCKER_RUN="docker run -v $TOOL_BASE:$TOOL_BASE:rw --env-file .cov-env"
# Coverity env variables
- PLATFORM="$(uname)"
- TOOL_ARCHIVE="/var/tmp/cov-analysis-$PLATFORM.tgz"
- SCAN_URL="https://scan.coverity.com"
- UPLOAD_URL="https://scan.coverity.com/builds"
- COVERITY_SCAN_PROJECT_NAME="$TRAVIS_REPO_SLUG"
- COVERITY_SCAN_NOTIFICATION_EMAIL="${AUTHOR_EMAIL}"
- COVERITY_SCAN_BRANCH_PATTERN="$TRAVIS_BRANCH"
# Encrypted COVERITY_SCAN_TOKEN env variable
# Generated using `travis encrypt -r systemd/systemd COVERITY_SCAN_TOKEN=xxxx`
- secure: "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"
before_install:
- sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
- docker --version
install:
# Install Coverity on the host
- $CI_TOOLS/get-coverity.sh
# Export necessary env variables for Coverity
- env | grep -E "TRAVIS|COV|TOOL|URL" > .cov-env
# Pull a Docker image and start a new container
- $CI_MANAGERS/fedora.sh SETUP
script:
- set -e
# Preconfigure with meson to prevent Coverity from capturing meson metadata
- $DOCKER_EXEC meson cov-build -Dman=false
# Run Coverity
- $DOCKER_EXEC tools/coverity.sh build
- $DOCKER_EXEC tools/coverity.sh upload
- set +e
after_script:
- $CI_MANAGERS/fedora.sh CLEANUP


@ -9,7 +9,6 @@ System and Service Manager
[![OSS-Fuzz Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/systemd.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#systemd)<br/>
[![CIFuzz](https://github.com/systemd/systemd/workflows/CIFuzz/badge.svg)](https://github.com/systemd/systemd/actions)<br/>
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1369/badge)](https://bestpractices.coreinfrastructure.org/projects/1369)<br/>
[![Travis CI Build Status](https://travis-ci.org/systemd/systemd.svg?branch=master)](https://travis-ci.org/systemd/systemd)<br/>
[![Language Grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/systemd/systemd.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/systemd/systemd/context:cpp)<br/>
[![CentOS CI - CentOS 7](https://jenkins-systemd.apps.ocp.ci.centos.org/buildStatus/icon?subject=CentOS%20CI%20-%20CentOS%207&job=upstream-centos7)](https://jenkins-systemd.apps.ocp.ci.centos.org/job/upstream-centos7/)<br/>
[![CentOS CI - Arch](https://jenkins-systemd.apps.ocp.ci.centos.org/buildStatus/icon?subject=CentOS%20CI%20-%20Arch&job=upstream-vagrant-archlinux)](https://jenkins-systemd.apps.ocp.ci.centos.org/job/upstream-vagrant-archlinux/)<br/>


@ -22,17 +22,11 @@ echo -e "\033[33;1mNote: COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN are
[ -z "$COVERITY_SCAN_BUILD_COMMAND" ] && echo "ERROR: COVERITY_SCAN_BUILD_COMMAND must be set" && exit 1
[ -z "$COVERITY_SCAN_TOKEN" ] && echo "ERROR: COVERITY_SCAN_TOKEN must be set" && exit 1
# Do not run on pull requests
if [ "${TRAVIS_PULL_REQUEST}" = "true" ]; then
echo -e "\033[33;1mINFO: Skipping Coverity Analysis: branch is a pull request.\033[0m"
exit 0
fi
# Verify this branch should run
if [[ "${TRAVIS_BRANCH^^}" =~ "${COVERITY_SCAN_BRANCH_PATTERN^^}" ]]; then
echo -e "\033[33;1mCoverity Scan configured to run on branch ${TRAVIS_BRANCH}\033[0m"
if [[ "${CURRENT_REF^^}" =~ "${COVERITY_SCAN_BRANCH_PATTERN^^}" ]]; then
echo -e "\033[33;1mCoverity Scan configured to run on branch ${CURRENT_REF}\033[0m"
else
echo -e "\033[33;1mCoverity Scan NOT configured to run on branch ${TRAVIS_BRANCH}\033[0m"
echo -e "\033[33;1mCoverity Scan NOT configured to run on branch ${CURRENT_REF}\033[0m"
exit 1
fi
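Review bot: The rewritten branch check is now a tautology: the new workflow sets both `CURRENT_REF` and `COVERITY_SCAN_BRANCH_PATTERN` to `${{ github.ref }}`, and since a quoted right-hand side of `=~` is matched literally rather than as a regex, the test succeeds whenever the two are equal, which they always are. If the guard is meant to restrict uploads to one branch, give `COVERITY_SCAN_BRANCH_PATTERN` a fixed value in the workflow (for example the full `refs/heads/<branch>` ref) instead of the current ref; otherwise drop the check rather than keep a condition that cannot fail. `CURRENT_REF` is also not validated alongside the other required variables above the hunk, so an unset value makes `[[ "" =~ "" ]]` true and the upload proceeds silently; add `[ -z "$CURRENT_REF" ] && echo "ERROR: CURRENT_REF must be set" && exit 1` next to the existing checks. The script's remaining logic continues outside this hunk.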


@ -1,30 +0,0 @@
*.a
*.cache
*.gch
*.log
*.o
*.plist
*.py[co]
*.stamp
*.swp
*.trs
*~
.config.args
.deps/
/*.gcda
/*.gcno
/GPATH
/GRTAGS
/GSYMS
/GTAGS
/TAGS
/ID
/build*
/coverage/
/install-tree
/mkosi.builddir/
/tags
image.raw
image.raw.cache-pre-dev
image.raw.cache-pre-inst
__pycache__/


@ -1,37 +0,0 @@
## Create Dockerfile that builds container suitable for systemd build
## This container runs as non-root user by default
FROM fedora:27
# Demand the specification of non-root username
ARG DOCKER_USER
ARG DOCKER_USER_UID
ARG DOCKER_USER_GID
# Copy the requirements into the container at /tmp
COPY requirements.txt /tmp/
# Install the requirements
# RUN dnf -y update FIXME
RUN dnf -y install $(cat '/tmp/requirements.txt')
# clean step to prevent cache and metadata corruption
RUN dnf clean all
RUN dnf -y builddep systemd
# Add non-root user and chown the project dir
RUN groupadd -g $DOCKER_USER_GID $DOCKER_USER
RUN useradd --create-home --shell /bin/bash -u $DOCKER_USER_UID -g $DOCKER_USER_GID -G wheel $DOCKER_USER
ENV HOME /home/$DOCKER_USER
ENV PROJECTDIR $HOME/systemd
# Copy content to the project directory
COPY . $PROJECTDIR
# Greant user all permissions to the project dir
RUN chown -R $DOCKER_USER $PROJECTDIR
# Switch to noroot user by default
USER $DOCKER_USER
# Update workdir to user home dir
WORKDIR $PROJECTDIR


@ -1,98 +0,0 @@
#!/bin/bash
# Run this script from the root of the systemd's git repository
# or set REPO_ROOT to a correct path.
#
# Example execution on Fedora:
# dnf install docker
# systemctl start docker
# export CONT_NAME="my-fancy-container"
# travis-ci/managers/debian.sh SETUP RUN CLEANUP
PHASES=(${@:-SETUP RUN RUN_ASAN_UBSAN CLEANUP})
DEBIAN_RELEASE="${DEBIAN_RELEASE:-testing}"
CONT_NAME="${CONT_NAME:-systemd-debian-$DEBIAN_RELEASE}"
DOCKER_EXEC="${DOCKER_EXEC:-docker exec -it $CONT_NAME}"
DOCKER_RUN="${DOCKER_RUN:-docker run}"
REPO_ROOT="${REPO_ROOT:-$PWD}"
ADDITIONAL_DEPS=(
clang
fdisk
libfdisk-dev
libfido2-dev
libp11-kit-dev
libpwquality-dev
libqrencode-dev
libssl-dev
libtss2-dev
libzstd-dev
perl
python3-libevdev
python3-pyparsing
zstd
)
function info() {
echo -e "\033[33;1m$1\033[0m"
}
set -e
source "$(dirname $0)/travis_wait.bash"
for phase in "${PHASES[@]}"; do
case $phase in
SETUP)
info "Setup phase"
info "Using Debian $DEBIAN_RELEASE"
printf "FROM debian:$DEBIAN_RELEASE\nRUN bash -c 'apt-get -y update && apt-get install -y systemd'\n" | docker build -t debian-with-systemd/latest -
info "Starting container $CONT_NAME"
$DOCKER_RUN -v $REPO_ROOT:/build:rw -e container=docker \
-w /build --privileged=true --name $CONT_NAME \
-dit --net=host debian-with-systemd/latest /bin/systemd
$DOCKER_EXEC bash -c "echo deb-src http://deb.debian.org/debian $DEBIAN_RELEASE main >>/etc/apt/sources.list"
# Wait for the container to properly boot up, otherwise we were
# running following apt-get commands during the initializing/starting
# (early/late bootup) phase, which caused nasty race conditions
$DOCKER_EXEC bash -c 'systemctl is-system-running --wait || :'
$DOCKER_EXEC apt-get -y update
$DOCKER_EXEC apt-get -y build-dep systemd
$DOCKER_EXEC apt-get -y install "${ADDITIONAL_DEPS[@]}"
;;
RUN|RUN_GCC|RUN_CLANG)
if [[ "$phase" = "RUN_CLANG" ]]; then
ENV_VARS="-e CC=clang -e CXX=clang++"
fi
docker exec $ENV_VARS -it $CONT_NAME meson --werror -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true -Dsplit-usr=true -Dman=true build
$DOCKER_EXEC ninja -v -C build
docker exec -e "TRAVIS=$TRAVIS" -it $CONT_NAME ninja -C build test
;;
RUN_ASAN_UBSAN|RUN_GCC_ASAN_UBSAN|RUN_CLANG_ASAN_UBSAN)
if [[ "$phase" = "RUN_CLANG_ASAN_UBSAN" ]]; then
ENV_VARS="-e CC=clang -e CXX=clang++"
# Build fuzzer regression tests only with clang (for now),
# see: https://github.com/systemd/systemd/pull/15886#issuecomment-632689604
# -Db_lundef=false: See https://github.com/mesonbuild/meson/issues/764
MESON_ARGS="-Db_lundef=false -Dfuzz-tests=true --optimization=1"
fi
docker exec $ENV_VARS -it $CONT_NAME meson --werror -Dtests=unsafe -Db_sanitize=address,undefined -Dsplit-usr=true $MESON_ARGS build
$DOCKER_EXEC ninja -v -C build
# Never remove halt_on_error from UBSAN_OPTIONS. See https://github.com/systemd/systemd/commit/2614d83aa06592aedb.
travis_wait docker exec --interactive=false \
-e UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 \
-e ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1 \
-e "TRAVIS=$TRAVIS" \
-t $CONT_NAME \
meson test --timeout-multiplier=3 -C ./build/ --print-errorlogs
;;
CLEANUP)
info "Cleanup phase"
docker stop $CONT_NAME
docker rm -f $CONT_NAME
;;
*)
echo >&2 "Unknown phase '$phase'"
exit 1
esac
done


@ -1,121 +0,0 @@
#!/bin/bash
# Run this script from the root of the systemd's git repository
# or set REPO_ROOT to a correct path.
#
# Example execution on Fedora:
# dnf install docker
# systemctl start docker
# export CONT_NAME="my-fancy-container"
# travis-ci/managers/fedora.sh SETUP RUN CLEANUP
PHASES=(${@:-SETUP RUN RUN_ASAN_UBSAN CLEANUP})
FEDORA_RELEASE="${FEDORA_RELEASE:-rawhide}"
CONT_NAME="${CONT_NAME:-systemd-fedora-$FEDORA_RELEASE}"
DOCKER_EXEC="${DOCKER_EXEC:-docker exec -it $CONT_NAME}"
DOCKER_RUN="${DOCKER_RUN:-docker run}"
REPO_ROOT="${REPO_ROOT:-$PWD}"
ADDITIONAL_DEPS=(
clang
dnf-plugins-core
hostname
iputils
jq
libasan
libfdisk-devel
libfido2-devel
libpwquality-devel
libubsan
libzstd-devel
llvm
openssl-devel
p11-kit-devel
perl
python3-evdev
python3-pyparsing
tpm2-tss-devel
)
info() {
echo -e "\033[33;1m$1\033[0m"
}
# Simple wrapper which retries given command up to five times
_retry() {
local EC=1
for i in {1..5}; do
if "$@"; then
EC=0
break
fi
sleep $((i * 5))
done
return $EC
}
set -e
source "$(dirname $0)/travis_wait.bash"
for phase in "${PHASES[@]}"; do
case $phase in
SETUP)
info "Setup phase"
info "Using Fedora $FEDORA_RELEASE"
# Pull a Docker image and start a new container
printf "FROM fedora:$FEDORA_RELEASE\nRUN bash -c 'dnf install -y systemd'\n" | docker build -t fedora-with-systemd/latest -
info "Starting container $CONT_NAME"
$DOCKER_RUN -v $REPO_ROOT:/build:rw \
-w /build --privileged=true --name $CONT_NAME \
-dit --net=host fedora-with-systemd/latest /sbin/init
# Wait for the container to properly boot up, otherwise we were
# running following dnf commands during the initializing/starting
# (early/late bootup) phase, which caused nasty race conditions
$DOCKER_EXEC bash -c 'systemctl is-system-running --wait || :'
_retry $DOCKER_EXEC dnf makecache
# Install necessary build/test requirements
_retry $DOCKER_EXEC dnf -y --exclude selinux-policy\* upgrade
_retry $DOCKER_EXEC dnf -y install "${ADDITIONAL_DEPS[@]}"
_retry $DOCKER_EXEC dnf -y builddep systemd
;;
RUN)
info "Run phase"
# Build systemd
$DOCKER_EXEC meson --werror -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true build
$DOCKER_EXEC ninja -v -C build
$DOCKER_EXEC ninja -C build test
;;
RUN_CLANG)
docker exec -e CC=clang -e CXX=clang++ -it $CONT_NAME meson --werror -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true -Dman=true build
$DOCKER_EXEC ninja -v -C build
$DOCKER_EXEC ninja -C build test
;;
RUN_ASAN|RUN_GCC_ASAN_UBSAN|RUN_CLANG_ASAN_UBSAN)
if [[ "$phase" = "RUN_CLANG_ASAN_UBSAN" ]]; then
ENV_VARS="-e CC=clang -e CXX=clang++"
MESON_ARGS="-Db_lundef=false" # See https://github.com/mesonbuild/meson/issues/764
fi
docker exec $ENV_VARS -it $CONT_NAME meson --werror -Dtests=unsafe -Db_sanitize=address,undefined $MESON_ARGS build
$DOCKER_EXEC ninja -v -C build
# Never remove halt_on_error from UBSAN_OPTIONS. See https://github.com/systemd/systemd/commit/2614d83aa06592aedb.
travis_wait docker exec --interactive=false \
-e UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 \
-e ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1 \
-e "TRAVIS=$TRAVIS" \
-t $CONT_NAME \
meson test --timeout-multiplier=3 -C ./build/ --print-errorlogs
;;
CLEANUP)
info "Cleanup phase"
docker stop $CONT_NAME
docker rm -f $CONT_NAME
;;
*)
error "Unknown phase '$phase'"
exit 1
esac
done


@ -1,61 +0,0 @@
# This was borrowed from https://github.com/travis-ci/travis-build/tree/master/lib/travis/build/bash
# to get around https://github.com/travis-ci/travis-ci/issues/9979. It should probably be removed
# as soon as Travis CI has started to provide an easy way to export the functions to bash scripts.
travis_jigger() {
local cmd_pid="${1}"
shift
local timeout="${1}"
shift
local count=0
echo -e "\\n"
while [[ "${count}" -lt "${timeout}" ]]; do
count="$((count + 1))"
echo -ne "Still running (${count} of ${timeout}): ${*}\\r"
sleep 60
done
echo -e "\\n${ANSI_RED}Timeout (${timeout} minutes) reached. Terminating \"${*}\"${ANSI_RESET}\\n"
kill -9 "${cmd_pid}"
}
travis_wait() {
local timeout="${1}"
if [[ "${timeout}" =~ ^[0-9]+$ ]]; then
shift
else
timeout=20
fi
local cmd=("${@}")
local log_file="travis_wait_${$}.log"
"${cmd[@]}" &>"${log_file}" &
local cmd_pid="${!}"
travis_jigger "${!}" "${timeout}" "${cmd[@]}" &
local jigger_pid="${!}"
local result
{
set +e
wait "${cmd_pid}" 2>/dev/null
result="${?}"
ps -p"${jigger_pid}" &>/dev/null && kill "${jigger_pid}"
set -e
}
if [[ "${result}" -eq 0 ]]; then
echo -e "\\n${ANSI_GREEN}The command ${cmd[*]} exited with ${result}.${ANSI_RESET}"
else
echo -e "\\n${ANSI_RED}The command ${cmd[*]} exited with ${result}.${ANSI_RESET}"
fi
echo -e "\\n${ANSI_GREEN}Log:${ANSI_RESET}\\n"
cat "${log_file}"
return "${result}"
}


@ -1,5 +0,0 @@
dnf-plugins-core
meson
ninja-build
perl
python


@ -1,13 +0,0 @@
#!/bin/bash
# Check environment
[ -z "$TRAVIS_COMMIT" ] && echo "ERROR: TRAVIS_COMMIT must be set" && exit 1
# Build docker image
echo -e "\n\033[33;1mBuilding docker image: coverity-$TRAVIS_COMMIT.\033[0m"
docker build \
--build-arg DOCKER_USER=$USER \
--build-arg DOCKER_USER_UID=`id -u` \
--build-arg DOCKER_USER_GID=`id -g` \
--force-rm -t coverity-${TRAVIS_COMMIT} --pull=true .