From patchwork Tue Nov 13 18:46:40 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Maydell X-Patchwork-Id: 151005 Delivered-To: patches@linaro.org Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp4757688ljp; Tue, 13 Nov 2018 10:46:47 -0800 (PST) X-Google-Smtp-Source: AJdET5e80jGwp+/APeiSWzXgqkXAidecQK94zRlSCqgowGP/I/m2VsZpuOADr8U5afnl5PVXfexZ X-Received: by 2002:a19:f89:: with SMTP id 9mr3457206lfp.10.1542134806979; Tue, 13 Nov 2018 10:46:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542134806; cv=none; d=google.com; s=arc-20160816; b=P/mfmhO/HPve9PQ1ooCSB25a7s0+1OmeOPhUPnh2CmjzIOWnSA/6S9X5sczPBtX/y3 LWQKsspkrSKhxxw+zDgtjiJ6VSU3RhLQVMAtp6hGTOUbPxBzae5JIG8YKFhlfoesDryl C7GXExEb1yTXiCEuZYUIMtFxZsSFMdvmshxA72vTDmX/aDmvPXoULe6Oc0qJ423Ex3PY T7avo3cZbMaSZSntQXYzwY7CKQMp1w76AOcFI4s6n43RC00yYZZ2CNYYZHo7eCWZjrey Uq1P39txC0BKplgQX8tvKxVR6rSEveZXo1rclpiAkgRFBuFxmNGb6ifx/P25HOtqokow BW+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=VpIcUfhFSKGaUIxxBXl6EbGSNB5CL+zB5eh+MuzXQwY=; b=HuoWowh3wiyXya9xarYKbH0BPtpqNd5kq1kfgpzgZsbhmwFcwEM6PuUlwUakjXj2iO md1wBbJuN3iSNMJqpqXCfCvBV4gLhxqxM2oZMPUASnIkNSLNuVrw9SVhS2ciibOIlofD bP7plkDm7WtCh1YXBAgJWvLMi+XKi44kf1HSPBLzgLKJWK06uWrTF9p0Ma3yjHMFvZsp PyOQUgGYgHjXeexAluWuv7+Acb5xReWC6b4HHm4bZEZd3XOcI4wULajLxp9ZtFpJLqZe zX7raXApjlH5IP3ncFU/fMmMUR6h2Tk7yGcuy47yV5ouY/dTJbGwIvaLiGzsmE6OZDHP MngQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) smtp.mailfrom=pm215@archaic.org.uk; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from orth.archaic.org.uk (orth.archaic.org.uk. [2001:8b0:1d0::2]) by mx.google.com with ESMTPS id w18-v6si22724617ljw.142.2018.11.13.10.46.46 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 13 Nov 2018 10:46:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) client-ip=2001:8b0:1d0::2; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) smtp.mailfrom=pm215@archaic.org.uk; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from pm215 by orth.archaic.org.uk with local (Exim 4.89) (envelope-from ) id 1gMdi1-0007DT-IF; Tue, 13 Nov 2018 18:46:45 +0000 From: Peter Maydell To: qemu-devel@nongnu.org Cc: patches@linaro.org, Paolo Bonzini , =?utf-8?q?Alex_Benn=C3=A9e?= , Fam Zheng , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Markus Armbruster Subject: [PATCH 1/2] scripts/run-coverity-scan: Script to run Coverity Scan build Date: Tue, 13 Nov 2018 18:46:40 +0000 Message-Id: <20181113184641.4492-2-peter.maydell@linaro.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181113184641.4492-1-peter.maydell@linaro.org> References: <20181113184641.4492-1-peter.maydell@linaro.org> MIME-Version: 1.0 Add a new script to automate the process of running the Coverity Scan build tools and uploading the resulting tarball to the website. This is intended eventually to be driven from Travis, but it can be run locally, if you are a maintainer of the QEMU project on the Coverity Scan website and have the secret upload token. The script must be run directly on a Fedora 28 system. Signed-off-by: Peter Maydell --- MAINTAINERS | 5 + scripts/coverity-scan/run-coverity-scan | 292 ++++++++++++++++++++++++ 2 files changed, 297 insertions(+) create mode 100755 scripts/coverity-scan/run-coverity-scan -- 2.19.1 diff --git a/MAINTAINERS b/MAINTAINERS index 126fe0be7eb..5f107d99061 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1553,6 +1553,11 @@ M: Markus Armbruster S: Supported F: scripts/coverity-model.c +Coverity Scan integration +M: Peter Maydell +S: Maintained +F: scripts/coverity-scan/ + CPU L: qemu-devel@nongnu.org S: Supported diff --git a/scripts/coverity-scan/run-coverity-scan b/scripts/coverity-scan/run-coverity-scan new file mode 100755 index 00000000000..99495b04501 --- /dev/null +++ b/scripts/coverity-scan/run-coverity-scan @@ -0,0 +1,292 @@ +#!/bin/sh -e + +# Upload a created tarball to Coverity Scan, as per +# https://scan.coverity.com/projects/qemu/builds/new + +# This work is licensed under the terms of the GNU GPL version 2, +# or (at your option) any later version. +# See the COPYING file in the top-level directory. +# +# Copyright (c) 2017, 2018 Linaro Limited +# Written by Peter Maydell + +# Note that this script will automatically download and +# run the (closed-source) coverity build tools, so don't +# use it if you don't trust them! + +# This script assumes that you're running it from a QEMU source +# tree, and that tree is a fresh clean one, because we do an in-tree +# build. (This is necessary so that the filenames that the Coverity +# Scan server sees are relative paths that match up with the component +# regular expressions it uses; an out-of-tree build won't work for this.) +# The host machine should have as many of QEMU's dependencies +# installed as possible, for maximum coverity coverage. + +# To do an upload you need to be a maintainer in the Coverity online +# service, and you will need to know the "Coverity token", which is a +# secret 8 digit hex string. You can find that from the web UI in the +# project settings, if you have maintainer access there. + +# Command line options: +# --dry-run : run the tools, but don't actually do the upload +# --update-tools-only : update the cached copy of the tools, but don't run them +# --tokenfile : file to read Coverity token from +# --version ver : specify version being analyzed (default: ask git) +# --description desc : specify description of this version (default: ask git) +# --srcdir : QEMU source tree to analyze (default: current working dir) +# +# User-specifiable environment variables: +# COVERITY_TOKEN -- Coverity token +# COVERITY_EMAIL -- the email address to use for uploads (default: +# looks at your git user.email config) +# COVERITY_BUILD_CMD -- make command (default: 'make -j8') +# COVERITY_TOOL_BASE -- set to directory to put coverity tools +# (default: /tmp/coverity-tools) +# +# You must specify the token, either by environment variable or by +# putting it in a file and using --tokenfile. Everything else has +# a reasonable default if this is run from a git tree. + +check_upload_permissions() { + # Check whether we can do an upload to the server; will exit the script + # with status 1 if the check failed (usually a bad token); + # will exit the script with status 0 if the check indicated that we + # can't upload yet (ie we are at quota) + # Assumes that PROJTOKEN, PROJNAME and DRYRUN have been initialized. + + echo "Checking upload permissions..." + + if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted --post-data "token=$PROJTOKEN&project=$PROJNAME" -q -O -)"; then + echo "Coverity Scan API access denied: bad token?" + exit 1 + fi + + # Really up_perm is a JSON response with either + # {upload_permitted:true} or {next_upload_permitted_at:} + # We do some hacky string parsing instead of properly parsing it. + case "$up_perm" in + *upload_permitted*true*) + echo "Coverity Scan: upload permitted" + ;; + *next_upload_permitted_at*) + if [ "$DRYRUN" = yes ]; then + echo "Coverity Scan: upload quota reached; stopping here" + # Exit success as this isn't a build error. + exit 0 + else + echo "Coverity Scan: upload quota reached, continuing dry run" + fi + ;; + *) + echo "Coverity Scan upload check: unexpected result $up_perm" + exit 1 + ;; + esac +} + + +update_coverity_tools () { + # Check for whether we need to download the Coverity tools + # (either because we don't have a copy, or because it's out of date) + # Assumes that COVERITY_TOOL_BASE, PROJTOKEN and PROJNAME are set. + + mkdir -p "$COVERITY_TOOL_BASE" + cd "$COVERITY_TOOL_BASE" + + echo "Checking for new version of coverity build tools..." + wget https://scan.coverity.com/download/linux64 --post-data "token=$PROJTOKEN&project=$PROJNAME&md5=1" -O coverity_tool.md5.new + + if ! cmp -s coverity_tool.md5 coverity_tool.md5.new; then + # out of date md5 or no md5: download new build tool + # blow away the old build tool + echo "Downloading coverity build tools..." + rm -rf coverity_tool coverity_tool.tgz + wget https://scan.coverity.com/download/linux64 --post-data "token=$PROJTOKEN&project=$PROJNAME" -O coverity_tool.tgz + if ! (cat coverity_tool.md5.new; echo " coverity_tool.tgz") | md5sum -c --status; then + echo "Downloaded tarball didn't match md5sum!" + exit 1 + fi + # extract the new one, keeping it corralled in a 'coverity_tool' directory + echo "Unpacking coverity build tools..." + mkdir -p coverity_tool + cd coverity_tool + tar xf ../coverity_tool.tgz + cd .. + mv coverity_tool.md5.new coverity_tool.md5 + fi + + rm -f coverity_tool.md5.new +} + + +# Check user-provided environment variables and arguments +DRYRUN=no +UPDATE_ONLY=no + +while [ "$#" -ge 1 ]; do + case "$1" in + --dry-run) + shift + DRYRUN=yes + ;; + --update-tools-only) + shift + UPDATE_ONLY=yes + ;; + --version) + shift + if [ $# -eq 0 ]; then + echo "--version needs an argument" + exit 1 + fi + VERSION="$1" + shift + ;; + --description) + shift + if [ $# -eq 0 ]; then + echo "--description needs an argument" + exit 1 + fi + DESCRIPTION="$1" + shift + ;; + --tokenfile) + shift + if [ $# -eq 0 ]; then + echo "--tokenfile needs an argument" + exit 1 + fi + COVERITY_TOKEN="$(cat "$1")" + shift + ;; + --srcdir) + shift + if [ $# -eq 0 ]; then + echo "--srcdir needs an argument" + exit 1 + fi + SRCDIR="$1" + shift + ;; + *) + echo "Unexpected argument '$1'" + exit 1 + ;; + esac +done + +if [ -z "$COVERITY_TOKEN" ]; then + echo "COVERITY_TOKEN environment variable not set" + exit 1 +fi + +if [ -z "$COVERITY_BUILD_CMD" ]; then + echo "COVERITY_BUILD_CMD: using default 'make -j8'" + COVERITY_BUILD_CMD="make -j8" +fi + +if [ -z "$COVERITY_TOOL_BASE" ]; then + echo "COVERITY_TOOL_BASE: using default /tmp/coverity-tools" + COVERITY_TOOL_BASE=/tmp/coverity-tools +fi + +if [ -z "$SRCDIR" ]; then + SRCDIR="$(pwd)" +fi + +PROJTOKEN="$COVERITY_TOKEN" +PROJNAME=QEMU +TARBALL=cov-int.tar.xz + + +if [ "$UPDATE_ONLY" = yes ]; then + # Just do the tools update; we don't need to check whether + # we are in a source tree or have upload rights for this, + # so do it before some of the command line and source tree checks. + update_coverity_tools + exit 0 +fi + +cd "$SRCDIR" + +echo "Checking this is a QEMU source tree..." +if ! [ -e "$SRCDIR/VERSION" ]; then + echo "Not in a QEMU source tree?" + exit 1 +fi + +# Fill in defaults used by the non-update-only process +if [ -z "$VERSION" ]; then + VERSION="$(git describe --always HEAD)" +fi + +if [ -z "$DESCRIPTION" ]; then + DESCRIPTION="$(git rev-parse HEAD)" +fi + +if [ -z "$COVERITY_EMAIL" ]; then + COVERITY_EMAIL="$(git config user.email)" +fi + +check_upload_permissions + +update_coverity_tools + +TOOLBIN="$(cd "$COVERITY_TOOL_BASE" && echo $(pwd)/coverity_tool/cov-analysis-*/bin)" + +if ! test -x "$TOOLBIN/cov-build"; then + echo "Couldn't find cov-build in the coverity build-tool directory??" + exit 1 +fi + +export PATH="$TOOLBIN:$PATH" + +cd "$SRCDIR" + +echo "Doing make distclean..." +make distclean + +echo "Configuring..." +# We configure with a fixed set of enables here to ensure that we don't +# accidentally reduce the scope of the analysis by doing the build on +# the system that's missing a dependency that we need to build part of +# the codebase. +./configure --disable-modules --enable-sdl --with-sdlabi=2.0 --enable-gtk \ + --enable-opengl --enable-vte --enable-gnutls \ + --enable-nettle --enable-curses --enable-curl \ + --audio-drv-list=oss,alsa,sdl,pa --enable-virtfs \ + --enable-vnc --enable-vnc-sasl --enable-vnc-jpeg --enable-vnc-png \ + --enable-xen --enable-brlapi --enable-bluez \ + --disable-vde --enable-linux-aio --enable-attr \ + --enable-cap-ng --enable-trace-backends=log --enable-spice --enable-rbd \ + --enable-xfsctl --enable-libusb --enable-usb-redir \ + --enable-libiscsi --enable-libnfs --enable-seccomp \ + --enable-tpm --enable-libssh2 --enable-lzo --enable-snappy --enable-bzip2 \ + --enable-numa --enable-rdma --enable-smartcard --enable-virglrenderer \ + --enable-mpath --enable-libxml2 --enable-glusterfs + +echo "Making libqemustub.a..." +make libqemustub.a + +echo "Running cov-build..." +rm -rf cov-int +mkdir cov-int +cov-build --dir cov-int $COVERITY_BUILD_CMD + +echo "Creating results tarball..." +tar cvf - cov-int | xz > "$TARBALL" + +echo "Uploading results tarball..." + +if [ "$DRYRUN" = yes ]; then + echo "Dry run only, not uploading $TARBALL" + exit 0 +fi + +curl --form token="$PROJTOKEN" --form email="$COVERITY_EMAIL" \ + --form file=@"$TARBALL" --form version="$VERSION" \ + --form description="$DESCRIPTION" \ + https://scan.coverity.com/builds?project="$PROJNAME" + +echo "Done." From patchwork Tue Nov 13 18:46:41 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Maydell X-Patchwork-Id: 151004 Delivered-To: patches@linaro.org Received: by 2002:a2e:299d:0:0:0:0:0 with SMTP id p29-v6csp4757692ljp; Tue, 13 Nov 2018 10:46:47 -0800 (PST) X-Google-Smtp-Source: AJdET5dHPNV4McmuoGDNa3+QI1xG/CVZdQdjfv75THVn3TYqHfAqqVmMgIMQn4csVcl5WmpHDLI0 X-Received: by 2002:adf:80c8:: with SMTP id 66-v6mr6067807wrl.57.1542134807192; Tue, 13 Nov 2018 10:46:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542134807; cv=none; d=google.com; s=arc-20160816; b=jUOEyammXMrJoBL+o3MKSkPZPoUHP8VAPsyAwUHnxqrc76GGaKsMez9/w79tKDWWQ2 Qq5FK2FdyLqtwkGtIwtCerKrui26m5OVAPjOdvzulkDtaJ4MJ7vB+/EBWjqON9IJ1o7g 5jnG7L8MYegHYv3WYMG8poJrVt5ImKQxTzKB3Z7NNdQXolWH3efeDXkmH4W+nVaRYv43 VXSwSaio7GjrK5jQT9Cxl/B2EV1c4xNv96JlI2+7wJ6VlCKBQ603vrkjJzAMSisNhzNB PxT8ydzJbP/oUjiurz/pR1FNrut7wmy/QIvLPCsL5LCA3lk72CTGLNY9eDeLQQ21EdMF OpDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=Ags+AJUoI7iifXmfZDxtNRqvTP4zKdwa2uX9A0FTgRc=; b=KqDFTpJ/qJKMvIIc7Qa8cFJm1ghyAR4is3kwSu/8SScHLw7pbAk/KhTXEXclcO3V3z D077wukLeVC2PrVhD+dgjxCwAO5ebAM8PCvIFmAbN8cbmuaAClXvoN37AsTNUz7usgyR Lro1XyiaaE8Y2tJYvAHBBDYmm27ikJHYLPGWMzH0Q1NIJIxA7y2NkjUY4HbqvhCQfgaC RByXSXpr2xiPI8ozziutul4FaKY1Hdt7UJiJyazbga+K6zYv9QDWLCgzkG6h/njqRI3i Jy1krh6XH31H7jpGbyqaVCs04H9DthrqaFBCcT0jOf/tjNfHDLJy1qF37lWCb8AU6+Ez nYfA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) smtp.mailfrom=pm215@archaic.org.uk; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from orth.archaic.org.uk (orth.archaic.org.uk. [2001:8b0:1d0::2]) by mx.google.com with ESMTPS id y16-v6si16845060wrr.124.2018.11.13.10.46.46 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 13 Nov 2018 10:46:47 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) client-ip=2001:8b0:1d0::2; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of pm215@archaic.org.uk designates 2001:8b0:1d0::2 as permitted sender) smtp.mailfrom=pm215@archaic.org.uk; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from pm215 by orth.archaic.org.uk with local (Exim 4.89) (envelope-from ) id 1gMdi2-0007Dl-GY; Tue, 13 Nov 2018 18:46:46 +0000 From: Peter Maydell To: qemu-devel@nongnu.org Cc: patches@linaro.org, Paolo Bonzini , =?utf-8?q?Alex_Benn=C3=A9e?= , Fam Zheng , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= , Markus Armbruster Subject: [PATCH 2/2] scripts/coverity-scan: Add Docker support Date: Tue, 13 Nov 2018 18:46:41 +0000 Message-Id: <20181113184641.4492-3-peter.maydell@linaro.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181113184641.4492-1-peter.maydell@linaro.org> References: <20181113184641.4492-1-peter.maydell@linaro.org> MIME-Version: 1.0 Add support for running the Coverity Scan tools inside a Docker container rather than directly on the host system. Signed-off-by: Peter Maydell --- scripts/coverity-scan/coverity-scan.docker | 120 +++++++++++++++++++++ scripts/coverity-scan/run-coverity-scan | 58 ++++++++++ 2 files changed, 178 insertions(+) create mode 100644 scripts/coverity-scan/coverity-scan.docker -- 2.19.1 diff --git a/scripts/coverity-scan/coverity-scan.docker b/scripts/coverity-scan/coverity-scan.docker new file mode 100644 index 00000000000..81f69459954 --- /dev/null +++ b/scripts/coverity-scan/coverity-scan.docker @@ -0,0 +1,120 @@ +# syntax=docker/dockerfile:1.0.0-experimental +# +# Docker setup for running the "Coverity Scan" tools over the source +# tree and uploading them to the website, as per +# https://scan.coverity.com/projects/qemu/builds/new +# We do this on a fixed config (currently Fedora 28 with a known +# set of dependencies and a configure command that enables a specific +# set of options) so that random changes don't result in our accidentally +# dropping some files from the scan. +# The work of actually doing the build is handled by the +# run-coverity-scan script. + + +FROM fedora:28 +ENV PACKAGES \ + alsa-lib-devel \ + bc \ + bison \ + bluez-libs-devel \ + brlapi-devel \ + bzip2 \ + bzip2-devel \ + ccache \ + clang \ + curl \ + cyrus-sasl-devel \ + device-mapper-multipath-devel \ + findutils \ + flex \ + gcc \ + gcc-c++ \ + gettext \ + git \ + glib2-devel \ + glusterfs-api-devel \ + gnutls-devel \ + gtk3-devel \ + hostname \ + libaio-devel \ + libasan \ + libattr-devel \ + libcap-devel \ + libcap-ng-devel \ + libcurl-devel \ + libepoxy-devel \ + libfdt-devel \ + libgbm-devel \ + libiscsi-devel \ + libjpeg-devel \ + libnfs-devel \ + libpng-devel \ + librbd-devel \ + libseccomp-devel \ + libssh2-devel \ + libubsan \ + libudev-devel \ + libusbx-devel \ + libxml2-devel \ + llvm \ + lzo-devel \ + make \ + mingw32-bzip2 \ + mingw32-curl \ + mingw32-glib2 \ + mingw32-gmp \ + mingw32-gnutls \ + mingw32-gtk3 \ + mingw32-libjpeg-turbo \ + mingw32-libpng \ + mingw32-libssh2 \ + mingw32-libtasn1 \ + mingw32-nettle \ + mingw32-pixman \ + mingw32-pkg-config \ + mingw32-SDL2 \ + mingw64-bzip2 \ + mingw64-curl \ + mingw64-glib2 \ + mingw64-gmp \ + mingw64-gnutls \ + mingw64-gtk3 \ + mingw64-libjpeg-turbo \ + mingw64-libpng \ + mingw64-libssh2 \ + mingw64-libtasn1 \ + mingw64-nettle \ + mingw64-pixman \ + mingw64-pkg-config \ + mingw64-SDL2 \ + ncurses-devel \ + nettle-devel \ + nss-devel \ + numactl-devel \ + perl \ + pixman-devel \ + pulseaudio-libs-devel \ + python3 \ + PyYAML \ + rdma-core-devel \ + SDL2-devel \ + snappy-devel \ + sparse \ + spice-server-devel \ + systemtap-sdt-devel \ + tar \ + usbredir-devel \ + virglrenderer-devel \ + vte3-devel \ + wget \ + which \ + xen-devel \ + xfsprogs-devel \ + zlib-devel +ENV QEMU_CONFIGURE_OPTS --python=/usr/bin/python3 + +RUN dnf install -y $PACKAGES +RUN rpm -q $PACKAGES | sort > /packages.txt +ENV COVERITY_TOOL_BASE=/coverity-tools +COPY run-coverity-scan run-coverity-scan +RUN --mount=type=secret,id=coverity.token,required ./run-coverity-scan --update-tools-only --tokenfile /run/secrets/coverity.token diff --git a/scripts/coverity-scan/run-coverity-scan b/scripts/coverity-scan/run-coverity-scan index 99495b04501..e89316c090d 100755 --- a/scripts/coverity-scan/run-coverity-scan +++ b/scripts/coverity-scan/run-coverity-scan @@ -29,6 +29,7 @@ # Command line options: # --dry-run : run the tools, but don't actually do the upload +# --docker : create and work inside a docker container # --update-tools-only : update the cached copy of the tools, but don't run them # --tokenfile : file to read Coverity token from # --version ver : specify version being analyzed (default: ask git) @@ -122,6 +123,7 @@ update_coverity_tools () { # Check user-provided environment variables and arguments DRYRUN=no UPDATE_ONLY=no +DOCKER=no while [ "$#" -ge 1 ]; do case "$1" in @@ -169,6 +171,10 @@ while [ "$#" -ge 1 ]; do SRCDIR="$1" shift ;; + --docker) + DOCKER=yes + shift + ;; *) echo "Unexpected argument '$1'" exit 1 @@ -199,6 +205,10 @@ PROJTOKEN="$COVERITY_TOKEN" PROJNAME=QEMU TARBALL=cov-int.tar.xz +if [ "$UPDATE_ONLY" = yes ] && [ "$DOCKER" = yes ]; then + echo "Combining --docker and --update-only is not supported" + exit 1 +fi if [ "$UPDATE_ONLY" = yes ]; then # Just do the tools update; we don't need to check whether @@ -229,6 +239,54 @@ if [ -z "$COVERITY_EMAIL" ]; then COVERITY_EMAIL="$(git config user.email)" fi +# Run ourselves inside docker if that's what the user wants +if [ "$DOCKER" = yes ]; then + # build docker container including the coverity-scan tools + # Put the Coverity token into a temporary file that only + # we have read access to, and then pass it to docker build + # using --secret. This requires at least Docker 18.09. + # Mostly what we are trying to do here is ensure we don't leak + # the token into the Docker image. + umask 077 + SECRETDIR=$(mktemp -d) + if [ -z "$SECRETDIR" ]; then + echo "Failed to create temporary directory" + exit 1 + fi + trap 'rm -rf "$SECRETDIR"' INT TERM EXIT + echo "Created temporary directory $SECRETDIR" + SECRET="$SECRETDIR/token" + echo "$COVERITY_TOKEN" > "$SECRET" + echo "Building docker container..." + # TODO: This re-downloads the tools every time, rather than + # caching and reusing the image produced with the downloaded tools. + # Not sure why. + # TODO: how do you get 'docker build' to print the output of the + # commands it is running to its stdout? This would be useful for debug. + DOCKER_BUILDKIT=1 docker build -t coverity-scanner \ + --secret id=coverity.token,src="$SECRET" \ + -f scripts/coverity-scan/coverity-scan.docker \ + scripts/coverity-scan + echo "Archiving sources to be analyzed..." + ./scripts/archive-source.sh "$SECRETDIR/qemu-sources.tgz" + (cd "$SECRETDIR" && mkdir qemu && cd qemu && tar xvf ../qemu-sources.tgz) + if [ "$DRYRUN" = yes ]; then + DRYRUNARG=--dry-run + fi + echo "Running scanner..." + # Arrange for this docker run to get access to the sources with -v. + # We pass through all the configuration from the outer script to the inner. + docker run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \ + -v "$SECRETDIR:/work" coverity-scanner \ + ./run-coverity-scan --version "$VERSION" \ + --description "$DESCRIPTION" $DRYRUNARG --tokenfile /work/token \ + --srcdir /work/qemu + echo "Docker work complete." + exit 0 +fi + +# Otherwise, continue with the full build and upload process. + check_upload_permissions update_coverity_tools