authorPetr Štetiar <ynezz@true.cz>2023-01-30 08:33:16 +0100
committerChristian Marangi <ansuelsmth@gmail.com>2023-04-26 17:24:50 +0200
commit9a2666951051f8072ba83f0535e1534ea0dbf6aa (patch)
treea390150ee593a61cd2481bb2da0b80ec351bd7e7
parent8f427f1a058dd5dcff21246a9a6d91318f55f80a (diff)
ci: add Coverity Scan scheduled workflow
Coverity Scan is a static code analysis service focused on open source software quality and security, so let's scan various OpenWrt components every Friday for a start. Signed-off-by: Petr Štetiar <ynezz@true.cz>
-rw-r--r--.github/workflows/build.yml70
-rw-r--r--.github/workflows/coverity.yml64
2 files changed, 134 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 22286c054e..8744bc7737 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,8 @@ name: Build sub target
on:
workflow_call:
+ secrets:
+ coverity_api_token:
inputs:
target:
required: true
@@ -25,6 +27,23 @@ on:
use_openwrt_container:
type: boolean
default: true
+ coverity_project_name:
+ type: string
+ default: OpenWrt
+ coverity_check_packages:
+ type: string
+ coverity_compiler_template_list:
+ type: string
+ default: >-
+ arm-openwrt-linux-gcc
+ coverity_force_compile_packages:
+ type: string
+ default: >-
+ curl
+ libnl
+ mbedtls
+ wolfssl
+ openssl
permissions:
contents: read
@@ -361,6 +380,57 @@ jobs:
working-directory: openwrt
run: make -j$(nproc) BUILD_LOG=1 || ret=$? .github/workflows/scripts/show_build_failures.sh
+ - name: Coverity prepare toolchain
+ if: inputs.coverity_check_packages != ''
+ shell: su buildbot -c "sh -e {0}"
+ working-directory: openwrt
+ run: |
+ wget -q https://scan.coverity.com/download/linux64 --post-data "token=${{ secrets.coverity_api_token }}&project=${{ inputs.coverity_project_name }}" -O coverity.tar.gz
+ wget -q https://scan.coverity.com/download/linux64 --post-data "token=${{ secrets.coverity_api_token }}&project=${{ inputs.coverity_project_name }}&md5=1" -O coverity.tar.gz.md5
+ echo ' coverity.tar.gz' >> coverity.tar.gz.md5
+ md5sum -c coverity.tar.gz.md5
+
+ mkdir cov-analysis-linux64
+ tar xzf coverity.tar.gz --strip 1 -C cov-analysis-linux64
+ export PATH=$(pwd)/cov-analysis-linux64/bin:$PATH
+
+ for template in ${{ inputs.coverity_compiler_template_list }}; do
+ cov-configure --template --comptype gcc --compiler "$template"
+ done
+
+ - name: Clean and recompile packages with Coverity toolchain
+ if: inputs.coverity_check_packages != ''
+ shell: su buildbot -c "bash {0}"
+ working-directory: openwrt
+ run: |
+ set -o pipefail -o errexit
+
+ coverity_check_packages=(${{ inputs.coverity_check_packages }})
+ printf -v clean_packages "package/%s/clean " "${coverity_check_packages[@]}"
+ make -j$(nproc) BUILD_LOG=1 $clean_packages || ret=$? .github/workflows/scripts/show_build_failures.sh
+
+ coverity_force_compile_packages=(${{ inputs.coverity_force_compile_packages }})
+ printf -v force_compile_packages "package/%s/compile " "${coverity_force_compile_packages[@]}"
+ make -j$(nproc) BUILD_LOG=1 $force_compile_packages || ret=$? .github/workflows/scripts/show_build_failures.sh
+
+ printf -v compile_packages "package/%s/compile " "${coverity_check_packages[@]}"
+ export PATH=$(pwd)/cov-analysis-linux64/bin:$PATH
+ cov-build --dir cov-int make -j $(nproc) BUILD_LOG=1 $compile_packages || ret=$? .github/workflows/scripts/show_build_failures.sh
+
+ - name: Upload build to Coverity for analysis
+ if: inputs.coverity_check_packages != ''
+ shell: su buildbot -c "sh -e {0}"
+ working-directory: openwrt
+ run: |
+ tar czf cov-int.tar.gz ./cov-int
+ curl \
+ --form token="${{ secrets.coverity_api_token }}" \
+ --form email="contact@openwrt.org" \
+ --form file=@cov-int.tar.gz \
+ --form version="${{ github.ref_name }}-${{ github.sha }}" \
+ --form description="OpenWrt ${{ github.ref_name }}-${{ github.sha }}" \
+ "https://scan.coverity.com/builds?project=${{ inputs.coverity_project_name }}"
+
- name: Upload logs
if: failure()
uses: actions/upload-artifact@v3
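Review bot: The `workflow_call` inputs are spliced verbatim into the shell scripts at `for template in ${{ inputs.coverity_compiler_template_list }}`, `coverity_check_packages=(${{ inputs.coverity_check_packages }})` and `coverity_force_compile_packages=(${{ inputs.coverity_force_compile_packages }})`, so the caller's text is parsed as shell and the unquoted expansions are word-split and glob-expanded; the callers are in-repo workflows, which limits the exposure, but the usual hardening is to bind each input to a step `env:` variable and read `$COVERITY_CHECK_PACKAGES` and friends inside the script, and the same treatment fits `${{ github.ref_name }}` in the upload step's `--form version=` / `--form description=` arguments. Whether the step environment survives the `su buildbot -c` wrapper is not visible in the hunk, so confirm that before switching. Separately, `--post-data "token=${{ secrets.coverity_api_token }}…"` and `--form token="…"` place the API token in the process argument list, where other processes on the runner can read it; `wget --post-file` and curl's `--form token=<FILE` form read the value from a file instead. The `md5sum -c` step only detects transfer corruption, because the digest is fetched from the same endpoint as the archive, and a comment such as `# md5 from the same host: download integrity only, TLS is the trust anchor` would keep a reader from taking it for an authenticity check.
```yaml
      - name: Clean and recompile packages with Coverity toolchain
        # … unchanged: if / shell / working-directory …
        env:
          COVERITY_CHECK_PACKAGES: ${{ inputs.coverity_check_packages }}
          COVERITY_FORCE_COMPILE_PACKAGES: ${{ inputs.coverity_force_compile_packages }}
        run: |
          # … unchanged: set -o pipefail -o errexit …
          coverity_check_packages=($COVERITY_CHECK_PACKAGES)
          # … unchanged: clean printf / make …
          coverity_force_compile_packages=($COVERITY_FORCE_COMPILE_PACKAGES)
          # … unchanged: force-compile printf / make, cov-build …
```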
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 0000000000..db628d05ee
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,64 @@
+name: Coverity scan build
+
+on:
+ schedule:
+ - cron: '30 2 * * 6'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+ coverity_build:
+ name: Coverity x86/64 build
+ secrets:
+ coverity_api_token: ${{ secrets.COVERITY_API_TOKEN }}
+ permissions:
+ contents: read
+ packages: read
+ uses: ./.github/workflows/build.yml
+ with:
+ target: x86/64
+ build_full: true
+ include_feeds: true
+ coverity_compiler_template_list: >-
+ x86_64-openwrt-linux-gcc
+ x86_64-openwrt-linux-musl-gcc
+ # qosify fails to build with cov-build
+ coverity_check_packages: >-
+ cgi-io
+ dnsmasq
+ dropbear
+ firewall
+ fstools
+ fwtool
+ iwinfo
+ jsonfilter
+ libnl-tiny
+ libubox
+ mtd
+ netifd
+ odhcp6c
+ odhcpd
+ opkg
+ procd
+ relayd
+ rpcd
+ swconfig
+ ubox
+ ubus
+ ucert
+ uci
+ uclient
+ ucode
+ ugps
+ uhttpd
+ umbim
+ umdns
+ unetd
+ uqmi
+ urngd
+ usbmode
+ usign
+ usteer
+ ustp
+ ustream-ssl
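Review bot: The schedule `- cron: '30 2 * * 6'` fires on Saturday at 02:30 UTC — in cron day-of-week numbering 6 is Saturday and Friday is 5 — while the commit message says the scan is meant to run every Friday; if Friday is intended the line should read `- cron: '30 2 * * 5'`, otherwise the message is the part to correct. A `workflow_dispatch:` entry next to `schedule:` would let a maintainer trigger a scan on demand after changing the token, the package list or the compiler templates, instead of waiting for the next weekly slot. The `concurrency` group has no `cancel-in-progress`, so an overlapping run waits rather than being cancelled; that is reasonable for a weekly job, but a one-line comment such as `# queue rather than cancel: let an in-flight Coverity upload finish` records that it is deliberate.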