From 176086a2ecef0274bdbdaf4ea00eb54c071bbb63 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Tue, 9 Aug 2022 14:43:28 +0200 Subject: [PATCH 1/2] ci: simplify the Coverity script a bit Also, address https://github.com/systemd/systemd/pull/24252#issuecomment-1208747320 by using a pre-defined e-mail address stored in the GH Action secrets. --- .github/workflows/coverity.yml | 21 +-- tools/coverity.sh | 246 ++++++--------------------------- tools/get-coverity.sh | 40 ------ 3 files changed, 44 insertions(+), 263 deletions(-) delete mode 100755 tools/get-coverity.sh diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 904a6895fd4..3fbebc6bbf1 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -17,27 +17,14 @@ jobs: runs-on: ubuntu-22.04 if: github.repository == 'systemd/systemd' env: - COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}" - COVERITY_SCAN_NOTIFICATION_EMAIL: "" - COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}" - # Set in repo settings -> secrets -> repository secrets + # Set in repo settings -> secrets -> actions COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}" - CURRENT_REF: "${{ github.ref }}" + COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}" steps: - name: Repository checkout uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable - - name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable - run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> "$GITHUB_ENV" - - name: Install Coverity tools - run: tools/get-coverity.sh # Reuse the setup phase of the unit test script to avoid code duplication - name: Install build dependencies run: sudo -E .github/workflows/unit_tests.sh SETUP - # Preconfigure with meson to prevent Coverity from capturing meson metadata - - name: Preconfigure the build directory - run: meson cov-build -Dman=false - - name: Build - run: tools/coverity.sh build - - name: Upload the results - run: tools/coverity.sh upload + - name: Build & upload the results + run: tools/coverity.sh diff --git a/tools/coverity.sh b/tools/coverity.sh index f140b781740..361376fd21e 100755 --- a/tools/coverity.sh +++ b/tools/coverity.sh @@ -1,228 +1,62 @@ #!/usr/bin/env bash # SPDX-License-Identifier: LGPL-2.1-or-later -# The official unmodified version of the script can be found at -# https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh +set -eux -set -e +COVERITY_SCAN_TOOL_BASE="/tmp/coverity-scan-analysis" +COVERITY_SCAN_PROJECT_NAME="systemd/systemd" -# Declare build command -COVERITY_SCAN_BUILD_COMMAND="ninja -C cov-build" +function coverity_install_script { + local platform tool_url tool_archive -# Environment check -# Use default values if not set -SCAN_URL=${SCAN_URL:="https://scan.coverity.com"} -TOOL_BASE=${TOOL_BASE:="/tmp/coverity-scan-analysis"} -UPLOAD_URL=${UPLOAD_URL:="https://scan.coverity.com/builds"} + platform=$(uname) + tool_url="https://scan.coverity.com/download/${platform}" + tool_archive="/tmp/cov-analysis-${platform}.tgz" -# These must be set by environment -echo -e "\033[33;1mNote: COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN are available on Project Settings page on scan.coverity.com\033[0m" -[ -z "$COVERITY_SCAN_PROJECT_NAME" ] && echo "ERROR: COVERITY_SCAN_PROJECT_NAME must be set" && exit 1 -[ -z "$COVERITY_SCAN_NOTIFICATION_EMAIL" ] && echo "ERROR: COVERITY_SCAN_NOTIFICATION_EMAIL must be set" && exit 1 -[ -z "$COVERITY_SCAN_BRANCH_PATTERN" ] && echo "ERROR: COVERITY_SCAN_BRANCH_PATTERN must be set" && exit 1 -[ -z "$COVERITY_SCAN_BUILD_COMMAND" ] && echo "ERROR: COVERITY_SCAN_BUILD_COMMAND must be set" && exit 1 -[ -z "$COVERITY_SCAN_TOKEN" ] && echo "ERROR: COVERITY_SCAN_TOKEN must be set" && exit 1 + set +x # this is supposed to hide COVERITY_SCAN_TOKEN + echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m" + wget -nv -O "$tool_archive" "$tool_url" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=${COVERITY_SCAN_TOKEN:?}" + set -x -# Verify this branch should run -if [[ "${CURRENT_REF^^}" =~ "${COVERITY_SCAN_BRANCH_PATTERN^^}" ]]; then - echo -e "\033[33;1mCoverity Scan configured to run on branch ${CURRENT_REF}\033[0m" -else - echo -e "\033[33;1mCoverity Scan NOT configured to run on branch ${CURRENT_REF}\033[0m" - exit 1 -fi - -# Verify upload is permitted -AUTH_RES=`curl -s --form project="$COVERITY_SCAN_PROJECT_NAME" --form token="$COVERITY_SCAN_TOKEN" $SCAN_URL/api/upload_permitted` -if [ "$AUTH_RES" = "Access denied" ]; then - echo -e "\033[33;1mCoverity Scan API access denied. Check COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN.\033[0m" - exit 1 -else - AUTH=`echo $AUTH_RES | jq .upload_permitted` - if [ "$AUTH" = "true" ]; then - echo -e "\033[33;1mCoverity Scan analysis authorized per quota.\033[0m" - else - WHEN=`echo $AUTH_RES | jq .next_upload_permitted_at` - echo -e "\033[33;1mCoverity Scan analysis NOT authorized until $WHEN.\033[0m" - exit 1 - fi -fi - -TOOL_DIR=`find $TOOL_BASE -type d -name 'cov-analysis*'` -export PATH="$TOOL_DIR/bin:$PATH" - -# Disable CCACHE for cov-build to compilation units correctly -export CCACHE_DISABLE=1 - -# FUNCTION DEFINITIONS -# -------------------- -_help() -{ - # displays help and exits - cat <<-EOF - USAGE: $0 [CMD] [OPTIONS] - - CMD - build Issue Coverity build - upload Upload coverity archive for analysis - Note: By default, archive is created from default results directory. - To provide custom archive or results directory, see --result-dir - and --tar options below. - - OPTIONS - -h,--help Display this menu and exits - - Applicable to build command - --------------------------- - -o,--out-dir Specify Coverity intermediate directory (defaults to 'cov-int') - -t,--tar bool, archive the output to .tgz file (defaults to false) - - Applicable to upload command - ---------------------------- - -d, --result-dir Specify result directory if different from default ('cov-int') - -t, --tar ARCHIVE Use custom .tgz archive instead of intermediate directory or pre-archived .tgz - (by default 'analysis-result.tgz' - EOF - return; + mkdir -p "$COVERITY_SCAN_TOOL_BASE" + pushd "$COVERITY_SCAN_TOOL_BASE" + tar xzf "$tool_archive" + popd } -_pack() -{ - RESULTS_ARCHIVE=${RESULTS_ARCHIVE:-'analysis-results.tgz'} +function run_coverity { + local results_dir tool_dir results_archive sha response status_code - echo -e "\033[33;1mTarring Coverity Scan Analysis results...\033[0m" - tar czf $RESULTS_ARCHIVE $RESULTS_DIR - SHA=`git rev-parse --short HEAD` + results_dir="cov-int" + tool_dir=$(find "$COVERITY_SCAN_TOOL_BASE" -type d -name 'cov-analysis*') + results_archive="analysis-results.tgz" + sha=$(git rev-parse --short HEAD) - PACKED=true -} + meson -Dman=false build + COVERITY_UNSUPPORTED=1 "$tool_dir/bin/cov-build" --dir "$results_dir" sh -c "ninja -C ./build -v" + "$tool_dir/bin/cov-import-scm" --dir "$results_dir" --scm git --log "$results_dir/scm_log.txt" + tar czf "$results_archive" "$results_dir" -_build() -{ - echo -e "\033[33;1mRunning Coverity Scan Analysis Tool...\033[0m" - local _cov_build_options="" - #local _cov_build_options="--return-emit-failures 8 --parse-error-threshold 85" - eval "${COVERITY_SCAN_BUILD_COMMAND_PREPEND}" - COVERITY_UNSUPPORTED=1 cov-build --dir $RESULTS_DIR $_cov_build_options sh -c "$COVERITY_SCAN_BUILD_COMMAND" - cov-import-scm --dir $RESULTS_DIR --scm git --log $RESULTS_DIR/scm_log.txt - - if [ $? != 0 ]; then - echo -e "\033[33;1mCoverity Scan Build failed: $TEXT.\033[0m" - return 1 - fi - - [ -z $TAR ] || [ $TAR = false ] && return 0 - - if [ "$TAR" = true ]; then - _pack - fi -} - - -_upload() -{ - # pack results - [ -z $PACKED ] || [ $PACKED = false ] && _pack - - # Upload results + set +x # this is supposed to hide COVERITY_SCAN_TOKEN echo -e "\033[33;1mUploading Coverity Scan Analysis results...\033[0m" response=$(curl \ - --silent --write-out "\n%{http_code}\n" \ - --form project=$COVERITY_SCAN_PROJECT_NAME \ - --form token=$COVERITY_SCAN_TOKEN \ - --form email=$COVERITY_SCAN_NOTIFICATION_EMAIL \ - --form file=@$RESULTS_ARCHIVE \ - --form version=$SHA \ - --form description="Travis CI build" \ - $UPLOAD_URL) + --silent --write-out "\n%{http_code}\n" \ + --form project="$COVERITY_SCAN_PROJECT_NAME" \ + --form token="${COVERITY_SCAN_TOKEN:?}" \ + --form email="${COVERITY_SCAN_NOTIFICATION_EMAIL:?}" \ + --form file="@$results_archive" \ + --form version="$sha" \ + --form description="Daily build" \ + https://scan.coverity.com/builds) printf "\033[33;1mThe response is\033[0m\n%s\n" "$response" status_code=$(echo "$response" | sed -n '$p') - # Coverity Scan used to respond with 201 on successfully receiving analysis results. - # Now for some reason it sends 200 and may change back in the foreseeable future. - # See https://github.com/pmem/pmdk/commit/7b103fd2dd54b2e5974f71fb65c81ab3713c12c5 if [ "$status_code" != "200" ]; then - TEXT=$(echo "$response" | sed '$d') - echo -e "\033[33;1mCoverity Scan upload failed: $TEXT.\033[0m" - exit 1 + echo -e "\033[33;1mCoverity Scan upload failed: $(echo "$response" | sed '$d').\033[0m" + return 1 fi - - echo -e "\n\033[33;1mCoverity Scan Analysis completed successfully.\033[0m" - exit 0 + set -x } -# PARSE COMMAND LINE OPTIONS -# -------------------------- - -case $1 in - -h|--help) - _help - exit 0 - ;; - build) - CMD='build' - TEMP=`getopt -o ho:t --long help,out-dir:,tar -n '$0' -- "$@"` - _ec=$? - [[ $_ec -gt 0 ]] && _help && exit $_ec - shift - ;; - upload) - CMD='upload' - TEMP=`getopt -o hd:t: --long help,result-dir:tar: -n '$0' -- "$@"` - _ec=$? - [[ $_ec -gt 0 ]] && _help && exit $_ec - shift - ;; - *) - _help && exit 1 ;; -esac - -RESULTS_DIR='cov-int' - -eval set -- "$TEMP" -if [ $? != 0 ] ; then exit 1 ; fi - -# extract options and their arguments into variables. -if [[ $CMD == 'build' ]]; then - TAR=false - while true ; do - case $1 in - -h|--help) - _help - exit 0 - ;; - -o|--out-dir) - RESULTS_DIR="$2" - shift 2 - ;; - -t|--tar) - TAR=true - shift - ;; - --) _build; shift ; break ;; - *) echo "Internal error" ; _help && exit 6 ;; - esac - done - -elif [[ $CMD == 'upload' ]]; then - while true ; do - case $1 in - -h|--help) - _help - exit 0 - ;; - -d|--result-dir) - CHANGE_DEFAULT_DIR=true - RESULTS_DIR="$2" - shift 2 - ;; - -t|--tar) - RESULTS_ARCHIVE="$2" - [ -z $CHANGE_DEFAULT_DIR ] || [ $CHANGE_DEFAULT_DIR = false ] && PACKED=true - shift 2 - ;; - --) _upload; shift ; break ;; - *) echo "Internal error" ; _help && exit 6 ;; - esac - done - -fi +coverity_install_script +run_coverity diff --git a/tools/get-coverity.sh b/tools/get-coverity.sh deleted file mode 100755 index b067ed23eba..00000000000 --- a/tools/get-coverity.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/usr/bin/env bash -# SPDX-License-Identifier: LGPL-2.1-or-later - -# Download and extract coverity tool - -set -e -set -o pipefail - -# Environment check -if [ -z "$COVERITY_SCAN_TOKEN" ]; then - echo >&2 'ERROR: COVERITY_SCAN_TOKEN must be set' - exit 1 -fi - -# Use default values if not set -PLATFORM="$(uname)" -TOOL_BASE="${TOOL_BASE:-/tmp/coverity-scan-analysis}" -TOOL_ARCHIVE="${TOOL_ARCHIVE:-/tmp/cov-analysis-${PLATFORM}.tgz}" -TOOL_URL="https://scan.coverity.com/download/${PLATFORM}" - -# Make sure wget is installed -sudo apt-get update && sudo apt-get -y install wget - -# Get coverity tool -if [ ! -d "$TOOL_BASE" ]; then - # Download Coverity Scan Analysis Tool - if [ ! -e "$TOOL_ARCHIVE" ]; then - echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m" - wget -nv -O "$TOOL_ARCHIVE" "$TOOL_URL" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=$COVERITY_SCAN_TOKEN" - fi - - # Extract Coverity Scan Analysis Tool - echo -e "\033[33;1mExtracting Coverity Scan Analysis Tool...\033[0m" - mkdir -p "$TOOL_BASE" - pushd "$TOOL_BASE" - tar xzf "$TOOL_ARCHIVE" - popd -fi - -echo -e "\033[33;1mCoverity Scan Analysis Tool can be found at $TOOL_BASE ...\033[0m" From 34a2f39b3734a931731716daab28b0a5c5dc9487 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Thu, 11 Aug 2022 10:36:02 +0200 Subject: [PATCH 2/2] ci: lint the Coverity script as we now use our own custom script for it. --- .github/workflows/linter.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 0612a709ce3..4c6a8d5e5a0 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -38,8 +38,7 @@ jobs: # missing shebangs) # - .*\.(in|SKELETON) - all template/skeleton files # except kernel-install - # - tools/coverity\.sh - external file (with some modifications) - FILTER_REGEX_EXCLUDE: .*/(man/.*|([^k]|k(k|ek)*([^ek]|e[^kr]))*(k(k|ek)*e?)?\.(in|SKELETON)|tools/coverity\.sh)$ + FILTER_REGEX_EXCLUDE: .*/(man/.*|([^k]|k(k|ek)*([^ek]|e[^kr]))*(k(k|ek)*e?)?\.(in|SKELETON))$ VALIDATE_ALL_CODEBASE: false VALIDATE_BASH: true VALIDATE_GITHUB_ACTIONS: true