mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
Merge pull request #24260 from systemd/coverity-update
ci: fetch the latest Coverity build script
This commit is contained in:
commit
1cb3f4ad6e
21
.github/workflows/coverity.yml
vendored
21
.github/workflows/coverity.yml
vendored
@ -17,27 +17,14 @@ jobs:
|
||||
runs-on: ubuntu-22.04
|
||||
if: github.repository == 'systemd/systemd'
|
||||
env:
|
||||
COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}"
|
||||
COVERITY_SCAN_NOTIFICATION_EMAIL: ""
|
||||
COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}"
|
||||
# Set in repo settings -> secrets -> repository secrets
|
||||
# Set in repo settings -> secrets -> actions
|
||||
COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}"
|
||||
CURRENT_REF: "${{ github.ref }}"
|
||||
COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}"
|
||||
steps:
|
||||
- name: Repository checkout
|
||||
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
|
||||
# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
|
||||
- name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable
|
||||
run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> "$GITHUB_ENV"
|
||||
- name: Install Coverity tools
|
||||
run: tools/get-coverity.sh
|
||||
# Reuse the setup phase of the unit test script to avoid code duplication
|
||||
- name: Install build dependencies
|
||||
run: sudo -E .github/workflows/unit_tests.sh SETUP
|
||||
# Preconfigure with meson to prevent Coverity from capturing meson metadata
|
||||
- name: Preconfigure the build directory
|
||||
run: meson cov-build -Dman=false
|
||||
- name: Build
|
||||
run: tools/coverity.sh build
|
||||
- name: Upload the results
|
||||
run: tools/coverity.sh upload
|
||||
- name: Build & upload the results
|
||||
run: tools/coverity.sh
|
||||
|
3
.github/workflows/linter.yml
vendored
3
.github/workflows/linter.yml
vendored
@ -38,8 +38,7 @@ jobs:
|
||||
# missing shebangs)
|
||||
# - .*\.(in|SKELETON) - all template/skeleton files
|
||||
# except kernel-install
|
||||
# - tools/coverity\.sh - external file (with some modifications)
|
||||
FILTER_REGEX_EXCLUDE: .*/(man/.*|([^k]|k(k|ek)*([^ek]|e[^kr]))*(k(k|ek)*e?)?\.(in|SKELETON)|tools/coverity\.sh)$
|
||||
FILTER_REGEX_EXCLUDE: .*/(man/.*|([^k]|k(k|ek)*([^ek]|e[^kr]))*(k(k|ek)*e?)?\.(in|SKELETON))$
|
||||
VALIDATE_ALL_CODEBASE: false
|
||||
VALIDATE_BASH: true
|
||||
VALIDATE_GITHUB_ACTIONS: true
|
||||
|
@ -1,228 +1,62 @@
|
||||
#!/usr/bin/env bash
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
# The official unmodified version of the script can be found at
|
||||
# https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh
|
||||
set -eux
|
||||
|
||||
set -e
|
||||
COVERITY_SCAN_TOOL_BASE="/tmp/coverity-scan-analysis"
|
||||
COVERITY_SCAN_PROJECT_NAME="systemd/systemd"
|
||||
|
||||
# Declare build command
|
||||
COVERITY_SCAN_BUILD_COMMAND="ninja -C cov-build"
|
||||
function coverity_install_script {
|
||||
local platform tool_url tool_archive
|
||||
|
||||
# Environment check
|
||||
# Use default values if not set
|
||||
SCAN_URL=${SCAN_URL:="https://scan.coverity.com"}
|
||||
TOOL_BASE=${TOOL_BASE:="/tmp/coverity-scan-analysis"}
|
||||
UPLOAD_URL=${UPLOAD_URL:="https://scan.coverity.com/builds"}
|
||||
platform=$(uname)
|
||||
tool_url="https://scan.coverity.com/download/${platform}"
|
||||
tool_archive="/tmp/cov-analysis-${platform}.tgz"
|
||||
|
||||
# These must be set by environment
|
||||
echo -e "\033[33;1mNote: COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN are available on Project Settings page on scan.coverity.com\033[0m"
|
||||
[ -z "$COVERITY_SCAN_PROJECT_NAME" ] && echo "ERROR: COVERITY_SCAN_PROJECT_NAME must be set" && exit 1
|
||||
[ -z "$COVERITY_SCAN_NOTIFICATION_EMAIL" ] && echo "ERROR: COVERITY_SCAN_NOTIFICATION_EMAIL must be set" && exit 1
|
||||
[ -z "$COVERITY_SCAN_BRANCH_PATTERN" ] && echo "ERROR: COVERITY_SCAN_BRANCH_PATTERN must be set" && exit 1
|
||||
[ -z "$COVERITY_SCAN_BUILD_COMMAND" ] && echo "ERROR: COVERITY_SCAN_BUILD_COMMAND must be set" && exit 1
|
||||
[ -z "$COVERITY_SCAN_TOKEN" ] && echo "ERROR: COVERITY_SCAN_TOKEN must be set" && exit 1
|
||||
set +x # this is supposed to hide COVERITY_SCAN_TOKEN
|
||||
echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
|
||||
wget -nv -O "$tool_archive" "$tool_url" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=${COVERITY_SCAN_TOKEN:?}"
|
||||
set -x
|
||||
|
||||
# Verify this branch should run
|
||||
if [[ "${CURRENT_REF^^}" =~ "${COVERITY_SCAN_BRANCH_PATTERN^^}" ]]; then
|
||||
echo -e "\033[33;1mCoverity Scan configured to run on branch ${CURRENT_REF}\033[0m"
|
||||
else
|
||||
echo -e "\033[33;1mCoverity Scan NOT configured to run on branch ${CURRENT_REF}\033[0m"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify upload is permitted
|
||||
AUTH_RES=`curl -s --form project="$COVERITY_SCAN_PROJECT_NAME" --form token="$COVERITY_SCAN_TOKEN" $SCAN_URL/api/upload_permitted`
|
||||
if [ "$AUTH_RES" = "Access denied" ]; then
|
||||
echo -e "\033[33;1mCoverity Scan API access denied. Check COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN.\033[0m"
|
||||
exit 1
|
||||
else
|
||||
AUTH=`echo $AUTH_RES | jq .upload_permitted`
|
||||
if [ "$AUTH" = "true" ]; then
|
||||
echo -e "\033[33;1mCoverity Scan analysis authorized per quota.\033[0m"
|
||||
else
|
||||
WHEN=`echo $AUTH_RES | jq .next_upload_permitted_at`
|
||||
echo -e "\033[33;1mCoverity Scan analysis NOT authorized until $WHEN.\033[0m"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
TOOL_DIR=`find $TOOL_BASE -type d -name 'cov-analysis*'`
|
||||
export PATH="$TOOL_DIR/bin:$PATH"
|
||||
|
||||
# Disable CCACHE for cov-build to compilation units correctly
|
||||
export CCACHE_DISABLE=1
|
||||
|
||||
# FUNCTION DEFINITIONS
|
||||
# --------------------
|
||||
_help()
|
||||
{
|
||||
# displays help and exits
|
||||
cat <<-EOF
|
||||
USAGE: $0 [CMD] [OPTIONS]
|
||||
|
||||
CMD
|
||||
build Issue Coverity build
|
||||
upload Upload coverity archive for analysis
|
||||
Note: By default, archive is created from default results directory.
|
||||
To provide custom archive or results directory, see --result-dir
|
||||
and --tar options below.
|
||||
|
||||
OPTIONS
|
||||
-h,--help Display this menu and exits
|
||||
|
||||
Applicable to build command
|
||||
---------------------------
|
||||
-o,--out-dir Specify Coverity intermediate directory (defaults to 'cov-int')
|
||||
-t,--tar bool, archive the output to .tgz file (defaults to false)
|
||||
|
||||
Applicable to upload command
|
||||
----------------------------
|
||||
-d, --result-dir Specify result directory if different from default ('cov-int')
|
||||
-t, --tar ARCHIVE Use custom .tgz archive instead of intermediate directory or pre-archived .tgz
|
||||
(by default 'analysis-result.tgz'
|
||||
EOF
|
||||
return;
|
||||
mkdir -p "$COVERITY_SCAN_TOOL_BASE"
|
||||
pushd "$COVERITY_SCAN_TOOL_BASE"
|
||||
tar xzf "$tool_archive"
|
||||
popd
|
||||
}
|
||||
|
||||
_pack()
|
||||
{
|
||||
RESULTS_ARCHIVE=${RESULTS_ARCHIVE:-'analysis-results.tgz'}
|
||||
function run_coverity {
|
||||
local results_dir tool_dir results_archive sha response status_code
|
||||
|
||||
echo -e "\033[33;1mTarring Coverity Scan Analysis results...\033[0m"
|
||||
tar czf $RESULTS_ARCHIVE $RESULTS_DIR
|
||||
SHA=`git rev-parse --short HEAD`
|
||||
results_dir="cov-int"
|
||||
tool_dir=$(find "$COVERITY_SCAN_TOOL_BASE" -type d -name 'cov-analysis*')
|
||||
results_archive="analysis-results.tgz"
|
||||
sha=$(git rev-parse --short HEAD)
|
||||
|
||||
PACKED=true
|
||||
}
|
||||
meson -Dman=false build
|
||||
COVERITY_UNSUPPORTED=1 "$tool_dir/bin/cov-build" --dir "$results_dir" sh -c "ninja -C ./build -v"
|
||||
"$tool_dir/bin/cov-import-scm" --dir "$results_dir" --scm git --log "$results_dir/scm_log.txt"
|
||||
|
||||
tar czf "$results_archive" "$results_dir"
|
||||
|
||||
_build()
|
||||
{
|
||||
echo -e "\033[33;1mRunning Coverity Scan Analysis Tool...\033[0m"
|
||||
local _cov_build_options=""
|
||||
#local _cov_build_options="--return-emit-failures 8 --parse-error-threshold 85"
|
||||
eval "${COVERITY_SCAN_BUILD_COMMAND_PREPEND}"
|
||||
COVERITY_UNSUPPORTED=1 cov-build --dir $RESULTS_DIR $_cov_build_options sh -c "$COVERITY_SCAN_BUILD_COMMAND"
|
||||
cov-import-scm --dir $RESULTS_DIR --scm git --log $RESULTS_DIR/scm_log.txt
|
||||
|
||||
if [ $? != 0 ]; then
|
||||
echo -e "\033[33;1mCoverity Scan Build failed: $TEXT.\033[0m"
|
||||
return 1
|
||||
fi
|
||||
|
||||
[ -z $TAR ] || [ $TAR = false ] && return 0
|
||||
|
||||
if [ "$TAR" = true ]; then
|
||||
_pack
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
_upload()
|
||||
{
|
||||
# pack results
|
||||
[ -z $PACKED ] || [ $PACKED = false ] && _pack
|
||||
|
||||
# Upload results
|
||||
set +x # this is supposed to hide COVERITY_SCAN_TOKEN
|
||||
echo -e "\033[33;1mUploading Coverity Scan Analysis results...\033[0m"
|
||||
response=$(curl \
|
||||
--silent --write-out "\n%{http_code}\n" \
|
||||
--form project=$COVERITY_SCAN_PROJECT_NAME \
|
||||
--form token=$COVERITY_SCAN_TOKEN \
|
||||
--form email=$COVERITY_SCAN_NOTIFICATION_EMAIL \
|
||||
--form file=@$RESULTS_ARCHIVE \
|
||||
--form version=$SHA \
|
||||
--form description="Travis CI build" \
|
||||
$UPLOAD_URL)
|
||||
--silent --write-out "\n%{http_code}\n" \
|
||||
--form project="$COVERITY_SCAN_PROJECT_NAME" \
|
||||
--form token="${COVERITY_SCAN_TOKEN:?}" \
|
||||
--form email="${COVERITY_SCAN_NOTIFICATION_EMAIL:?}" \
|
||||
--form file="@$results_archive" \
|
||||
--form version="$sha" \
|
||||
--form description="Daily build" \
|
||||
https://scan.coverity.com/builds)
|
||||
printf "\033[33;1mThe response is\033[0m\n%s\n" "$response"
|
||||
status_code=$(echo "$response" | sed -n '$p')
|
||||
# Coverity Scan used to respond with 201 on successfully receiving analysis results.
|
||||
# Now for some reason it sends 200 and may change back in the foreseeable future.
|
||||
# See https://github.com/pmem/pmdk/commit/7b103fd2dd54b2e5974f71fb65c81ab3713c12c5
|
||||
if [ "$status_code" != "200" ]; then
|
||||
TEXT=$(echo "$response" | sed '$d')
|
||||
echo -e "\033[33;1mCoverity Scan upload failed: $TEXT.\033[0m"
|
||||
exit 1
|
||||
echo -e "\033[33;1mCoverity Scan upload failed: $(echo "$response" | sed '$d').\033[0m"
|
||||
return 1
|
||||
fi
|
||||
|
||||
echo -e "\n\033[33;1mCoverity Scan Analysis completed successfully.\033[0m"
|
||||
exit 0
|
||||
set -x
|
||||
}
|
||||
|
||||
# PARSE COMMAND LINE OPTIONS
|
||||
# --------------------------
|
||||
|
||||
case $1 in
|
||||
-h|--help)
|
||||
_help
|
||||
exit 0
|
||||
;;
|
||||
build)
|
||||
CMD='build'
|
||||
TEMP=`getopt -o ho:t --long help,out-dir:,tar -n '$0' -- "$@"`
|
||||
_ec=$?
|
||||
[[ $_ec -gt 0 ]] && _help && exit $_ec
|
||||
shift
|
||||
;;
|
||||
upload)
|
||||
CMD='upload'
|
||||
TEMP=`getopt -o hd:t: --long help,result-dir:tar: -n '$0' -- "$@"`
|
||||
_ec=$?
|
||||
[[ $_ec -gt 0 ]] && _help && exit $_ec
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
_help && exit 1 ;;
|
||||
esac
|
||||
|
||||
RESULTS_DIR='cov-int'
|
||||
|
||||
eval set -- "$TEMP"
|
||||
if [ $? != 0 ] ; then exit 1 ; fi
|
||||
|
||||
# extract options and their arguments into variables.
|
||||
if [[ $CMD == 'build' ]]; then
|
||||
TAR=false
|
||||
while true ; do
|
||||
case $1 in
|
||||
-h|--help)
|
||||
_help
|
||||
exit 0
|
||||
;;
|
||||
-o|--out-dir)
|
||||
RESULTS_DIR="$2"
|
||||
shift 2
|
||||
;;
|
||||
-t|--tar)
|
||||
TAR=true
|
||||
shift
|
||||
;;
|
||||
--) _build; shift ; break ;;
|
||||
*) echo "Internal error" ; _help && exit 6 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
elif [[ $CMD == 'upload' ]]; then
|
||||
while true ; do
|
||||
case $1 in
|
||||
-h|--help)
|
||||
_help
|
||||
exit 0
|
||||
;;
|
||||
-d|--result-dir)
|
||||
CHANGE_DEFAULT_DIR=true
|
||||
RESULTS_DIR="$2"
|
||||
shift 2
|
||||
;;
|
||||
-t|--tar)
|
||||
RESULTS_ARCHIVE="$2"
|
||||
[ -z $CHANGE_DEFAULT_DIR ] || [ $CHANGE_DEFAULT_DIR = false ] && PACKED=true
|
||||
shift 2
|
||||
;;
|
||||
--) _upload; shift ; break ;;
|
||||
*) echo "Internal error" ; _help && exit 6 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
fi
|
||||
coverity_install_script
|
||||
run_coverity
|
||||
|
@ -1,40 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
# Download and extract coverity tool
|
||||
|
||||
set -e
|
||||
set -o pipefail
|
||||
|
||||
# Environment check
|
||||
if [ -z "$COVERITY_SCAN_TOKEN" ]; then
|
||||
echo >&2 'ERROR: COVERITY_SCAN_TOKEN must be set'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Use default values if not set
|
||||
PLATFORM="$(uname)"
|
||||
TOOL_BASE="${TOOL_BASE:-/tmp/coverity-scan-analysis}"
|
||||
TOOL_ARCHIVE="${TOOL_ARCHIVE:-/tmp/cov-analysis-${PLATFORM}.tgz}"
|
||||
TOOL_URL="https://scan.coverity.com/download/${PLATFORM}"
|
||||
|
||||
# Make sure wget is installed
|
||||
sudo apt-get update && sudo apt-get -y install wget
|
||||
|
||||
# Get coverity tool
|
||||
if [ ! -d "$TOOL_BASE" ]; then
|
||||
# Download Coverity Scan Analysis Tool
|
||||
if [ ! -e "$TOOL_ARCHIVE" ]; then
|
||||
echo -e "\033[33;1mDownloading Coverity Scan Analysis Tool...\033[0m"
|
||||
wget -nv -O "$TOOL_ARCHIVE" "$TOOL_URL" --post-data "project=$COVERITY_SCAN_PROJECT_NAME&token=$COVERITY_SCAN_TOKEN"
|
||||
fi
|
||||
|
||||
# Extract Coverity Scan Analysis Tool
|
||||
echo -e "\033[33;1mExtracting Coverity Scan Analysis Tool...\033[0m"
|
||||
mkdir -p "$TOOL_BASE"
|
||||
pushd "$TOOL_BASE"
|
||||
tar xzf "$TOOL_ARCHIVE"
|
||||
popd
|
||||
fi
|
||||
|
||||
echo -e "\033[33;1mCoverity Scan Analysis Tool can be found at $TOOL_BASE ...\033[0m"
|
Loading…
Reference in New Issue
Block a user