[3/3] travis: Add config to do a Coverity Scan upload

Message ID 1497369290-20401-4-git-send-email-peter.maydell@linaro.org
State New
Headers show
Series
  • Automate coverity scan uploads via Travis
Related show

Commit Message

Peter Maydell June 13, 2017, 3:54 p.m.
Add config to travis to do a Coverity Scan build and upload, using
the new run-coverity-scan script.

There is an official integration between Travis and Coverity Scan:
 https://github.com/travis-ci/travis-build/blob/master/lib/travis/build/addons/coverity_scan.rb
which slurps values out of the .travis.yml and downloads a build
script from Coverity which does the bulk of the work:
 https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh

However we choose to roll our own since this seems less
confusing and also allows us to include debug features
(notably the ability to do a "dry run" test which doesn't
actually upload anything).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

---
 .travis.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

-- 
2.7.4

Comments

Alex Bennée June 14, 2017, 3:14 p.m. | #1
Peter Maydell <peter.maydell@linaro.org> writes:

> Add config to travis to do a Coverity Scan build and upload, using

> the new run-coverity-scan script.

>

> There is an official integration between Travis and Coverity Scan:

>  https://github.com/travis-ci/travis-build/blob/master/lib/travis/build/addons/coverity_scan.rb

> which slurps values out of the .travis.yml and downloads a build

> script from Coverity which does the bulk of the work:

>  https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh

>

> However we choose to roll our own since this seems less

> confusing and also allows us to include debug features

> (notably the ability to do a "dry run" test which doesn't

> actually upload anything).

>

> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

> ---

>  .travis.yml | 24 ++++++++++++++++++++++++

>  1 file changed, 24 insertions(+)

>

> diff --git a/.travis.yml b/.travis.yml

> index 26dabb6..d772a4a 100644

> --- a/.travis.yml

> +++ b/.travis.yml

> @@ -210,3 +210,27 @@ matrix:

>          - TEST_CMD=""

>        before_script:

>          - ./configure ${CONFIG} --extra-cflags="-g3 -O0 -fsanitize=thread -fuse-ld=gold" || cat config.log

> +    # Build and upload to Coverity Scan.

> +    # We do not impose any rate limiting here, but instead rely on the

> +    # limiting done by the coverity servers, which for a project of QEMU's

> +    # size means one build a day. The run-coverity-scan script will exit

> +    # early if the limiter does not permit a new upload, so the effect will

> +    # be that the first build (only) in each 24 hour period will be scanned.

> +    # If we needed to apply a limit at the Travis end, the simplest approach

> +    # would be to run the scan only if the branch was 'coverity-scan', and

> +    # use a cron job to push master to the 'coverity-scan' branch periodically.

> +    # We run on the trusty Travis hosts so that there's a wider set of

> +    # dependencies satisfied to improve coverage.

> +    - dist: trusty


I think we ought to add a sudo: stanza here to make it explicit if we
want the containerised or VM based trusty image here. I'm wildly
assuming we need lots of memory for this build so I would suggest:

 sudo: required

> +      env:

> +        - COVERITY=1

> +        - COVERITY_BUILD_CMD="make -j3"

> +        - COVERITY_EMAIL=peter.maydell@linaro.org

> +        # This 'secure' setting sets COVERITY_TOKEN=<secret token>

> +        # and was created with travis encrypt -r qemu/qemu COVERITY_TOKEN=...

> +        - secure: "D3E6E5bacui53fYBQrx0wQr8ZTvo6VIBPKfg0QHj2uwa6OPFkUlcMr/EHWvdbZNAa4Q1bv1vhlED5OPRfPmQYzxQNT4SAxDZeuZnikgIymfqQXNOjKw4kRUDO9P42QanyFd+EAu2JDVClAeJPgBpa/ns4CNrGDK+Q3coGndCP8o="

> +      before_script:

> +        - if [ "$TRAVIS_PULL_REQUEST" = "true" ]; then echo "Skipping Coverity (pullreq)"; exit 0; fi

> +        - if [ "$TRAVIS_BRANCH" != "master" ]; then echo "Skipping

> Coverity (wrong branch)"; exit 0; fi


This doesn't actually skip anything - but you can't exit non-zero
without breaking the build. You would need to touch a file or something
to make run-coverity-scan skip its work.

> +      script:

> +        - ./scripts/run-coverity-scan



--
Alex Bennée
Peter Maydell June 14, 2017, 3:46 p.m. | #2
On 14 June 2017 at 16:14, Alex Bennée <alex.bennee@linaro.org> wrote:
>

> Peter Maydell <peter.maydell@linaro.org> writes:

>

>> Add config to travis to do a Coverity Scan build and upload, using

>> the new run-coverity-scan script.

>>

>> There is an official integration between Travis and Coverity Scan:

>>  https://github.com/travis-ci/travis-build/blob/master/lib/travis/build/addons/coverity_scan.rb

>> which slurps values out of the .travis.yml and downloads a build

>> script from Coverity which does the bulk of the work:

>>  https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh

>>

>> However we choose to roll our own since this seems less

>> confusing and also allows us to include debug features

>> (notably the ability to do a "dry run" test which doesn't

>> actually upload anything).

>>

>> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

>> ---

>>  .travis.yml | 24 ++++++++++++++++++++++++

>>  1 file changed, 24 insertions(+)

>>

>> diff --git a/.travis.yml b/.travis.yml

>> index 26dabb6..d772a4a 100644

>> --- a/.travis.yml

>> +++ b/.travis.yml

>> @@ -210,3 +210,27 @@ matrix:

>>          - TEST_CMD=""

>>        before_script:

>>          - ./configure ${CONFIG} --extra-cflags="-g3 -O0 -fsanitize=thread -fuse-ld=gold" || cat config.log

>> +    # Build and upload to Coverity Scan.

>> +    # We do not impose any rate limiting here, but instead rely on the

>> +    # limiting done by the coverity servers, which for a project of QEMU's

>> +    # size means one build a day. The run-coverity-scan script will exit

>> +    # early if the limiter does not permit a new upload, so the effect will

>> +    # be that the first build (only) in each 24 hour period will be scanned.

>> +    # If we needed to apply a limit at the Travis end, the simplest approach

>> +    # would be to run the scan only if the branch was 'coverity-scan', and

>> +    # use a cron job to push master to the 'coverity-scan' branch periodically.

>> +    # We run on the trusty Travis hosts so that there's a wider set of

>> +    # dependencies satisfied to improve coverage.

>> +    - dist: trusty

>

> I think we ought to add a sudo: stanza here to make it explicit if we

> want the containerised or VM based trusty image here. I'm wildly

> assuming we need lots of memory for this build so I would suggest:

>

>  sudo: required


It works with both, and the default as set in the top of the travis
config is for not-required so that's what I went with. I think the
sudo:required setups give you less CPU which makes it even more
likely to hit the 50 minute timeout.

>> +      env:

>> +        - COVERITY=1

>> +        - COVERITY_BUILD_CMD="make -j3"

>> +        - COVERITY_EMAIL=peter.maydell@linaro.org

>> +        # This 'secure' setting sets COVERITY_TOKEN=<secret token>

>> +        # and was created with travis encrypt -r qemu/qemu COVERITY_TOKEN=...

>> +        - secure: "D3E6E5bacui53fYBQrx0wQr8ZTvo6VIBPKfg0QHj2uwa6OPFkUlcMr/EHWvdbZNAa4Q1bv1vhlED5OPRfPmQYzxQNT4SAxDZeuZnikgIymfqQXNOjKw4kRUDO9P42QanyFd+EAu2JDVClAeJPgBpa/ns4CNrGDK+Q3coGndCP8o="

>> +      before_script:

>> +        - if [ "$TRAVIS_PULL_REQUEST" = "true" ]; then echo "Skipping Coverity (pullreq)"; exit 0; fi

>> +        - if [ "$TRAVIS_BRANCH" != "master" ]; then echo "Skipping

>> Coverity (wrong branch)"; exit 0; fi

>

> This doesn't actually skip anything - but you can't exit non-zero

> without breaking the build. You would need to touch a file or something

> to make run-coverity-scan skip its work.


Yes, you're right. That's a bit awkward.

thanks
-- PMM

Patch hide | download patch | download mbox

diff --git a/.travis.yml b/.travis.yml
index 26dabb6..d772a4a 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -210,3 +210,27 @@  matrix:
         - TEST_CMD=""
       before_script:
         - ./configure ${CONFIG} --extra-cflags="-g3 -O0 -fsanitize=thread -fuse-ld=gold" || cat config.log
+    # Build and upload to Coverity Scan.
+    # We do not impose any rate limiting here, but instead rely on the
+    # limiting done by the coverity servers, which for a project of QEMU's
+    # size means one build a day. The run-coverity-scan script will exit
+    # early if the limiter does not permit a new upload, so the effect will
+    # be that the first build (only) in each 24 hour period will be scanned.
+    # If we needed to apply a limit at the Travis end, the simplest approach
+    # would be to run the scan only if the branch was 'coverity-scan', and
+    # use a cron job to push master to the 'coverity-scan' branch periodically.
+    # We run on the trusty Travis hosts so that there's a wider set of
+    # dependencies satisfied to improve coverage.
+    - dist: trusty
+      env:
+        - COVERITY=1
+        - COVERITY_BUILD_CMD="make -j3"
+        - COVERITY_EMAIL=peter.maydell@linaro.org
+        # This 'secure' setting sets COVERITY_TOKEN=<secret token>
+        # and was created with travis encrypt -r qemu/qemu COVERITY_TOKEN=...
+        - secure: "D3E6E5bacui53fYBQrx0wQr8ZTvo6VIBPKfg0QHj2uwa6OPFkUlcMr/EHWvdbZNAa4Q1bv1vhlED5OPRfPmQYzxQNT4SAxDZeuZnikgIymfqQXNOjKw4kRUDO9P42QanyFd+EAu2JDVClAeJPgBpa/ns4CNrGDK+Q3coGndCP8o="
+      before_script:
+        - if [ "$TRAVIS_PULL_REQUEST" = "true" ]; then echo "Skipping Coverity (pullreq)"; exit 0; fi
+        - if [ "$TRAVIS_BRANCH" != "master" ]; then echo "Skipping Coverity (wrong branch)"; exit 0; fi
+      script:
+        - ./scripts/run-coverity-scan