| blob | 43cf770f5e34ebe2bcc5c3ff3f12b4a08fccc90a |
1 #!/bin/sh -e
3 # Upload a created tarball to Coverity Scan, as per
4 # https://scan.coverity.com/projects/qemu/builds/new
6 # This work is licensed under the terms of the GNU GPL version 2,
7 # or (at your option) any later version.
8 # See the COPYING file in the top-level directory.
9 #
10 # Copyright (c) 2017-2020 Linaro Limited
11 # Written by Peter Maydell
13 # Note that this script will automatically download and
14 # run the (closed-source) coverity build tools, so don't
15 # use it if you don't trust them!
17 # This script assumes that you're running it from a QEMU source
18 # tree, and that tree is a fresh clean one, because we do an in-tree
19 # build. (This is necessary so that the filenames that the Coverity
20 # Scan server sees are relative paths that match up with the component
21 # regular expressions it uses; an out-of-tree build won't work for this.)
22 # The host machine should have as many of QEMU's dependencies
23 # installed as possible, for maximum coverity coverage.
25 # To do an upload you need to be a maintainer in the Coverity online
26 # service, and you will need to know the "Coverity token", which is a
27 # secret 8 digit hex string. You can find that from the web UI in the
28 # project settings, if you have maintainer access there.
30 # Command line options:
31 # --check-upload-only : return success if upload is possible
32 # --dry-run : run the tools, but don't actually do the upload
33 # --docker : create and work inside a container
34 # --docker-engine : specify the container engine to use (docker/podman/auto);
35 # implies --docker
36 # --update-tools-only : update the cached copy of the tools, but don't run them
37 # --no-update-tools : do not update the cached copy of the tools
38 # --tokenfile : file to read Coverity token from
39 # --version ver : specify version being analyzed (default: ask git)
40 # --description desc : specify description of this version (default: ask git)
41 # --srcdir : QEMU source tree to analyze (default: current working dir)
42 # --results-tarball : path to copy the results tarball to (default: don't
43 # copy it anywhere, just upload it)
44 # --src-tarball : tarball to untar into src dir (default: none); this
45 # is intended mainly for internal use by the Docker support
46 #
47 # User-specifiable environment variables:
48 # COVERITY_TOKEN -- Coverity token (default: looks at your
49 # coverity.token config)
50 # COVERITY_EMAIL -- the email address to use for uploads (default:
51 # looks at your git coverity.email or user.email config)
52 # COVERITY_BUILD_CMD -- make command (default: 'make -jN' where N is
53 # number of CPUs as determined by 'nproc')
54 # COVERITY_TOOL_BASE -- set to directory to put coverity tools
55 # (default: /tmp/coverity-tools)
56 #
57 # You must specify the token, either by environment variable or by
58 # putting it in a file and using --tokenfile. Everything else has
59 # a reasonable default if this is run from a git tree.
61 upload_permitted() {
62 # Check whether we can do an upload to the server; will exit *the script*
63 # with status 99 if the check failed (usually a bad token);
64 # will return from the function with status 1 if the check indicated
65 # that we can't upload yet (ie we are at quota)
66 # Assumes that COVERITY_TOKEN and PROJNAME have been initialized.
70 if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted --post-data "token=$COVERITY_TOKEN&project=$PROJNAME" -q -O -)"; then
73 fi
75 # Really up_perm is a JSON response with either
76 # {upload_permitted:true} or {next_upload_permitted_at:<date>}
77 # We do some hacky string parsing instead of properly parsing it.
81 ;;
84 ;;
85 *)
88 ;;
89 esac
90 }
93 check_upload_permissions() {
94 # Check whether we can do an upload to the server; will exit the script
95 # with status 99 if the check failed (usually a bad token);
96 # will exit the script with status 0 if the check indicated that we
97 # can't upload yet (ie we are at quota)
98 # Assumes that COVERITY_TOKEN, PROJNAME and DRYRUN have been initialized.
102 else
105 else
107 # Exit success as this isn't a build error.
109 fi
110 fi
111 }
114 build_docker_image() {
115 # build docker container including the coverity-scan tools
117 # TODO: This re-unpacks the tools every time, rather than caching
118 # and reusing the image produced by the COPY of the .tgz file.
119 # Not sure why.
124 }
126 update_coverity_tools () {
127 # Check for whether we need to download the Coverity tools
128 # (either because we don't have a copy, or because it's out of date)
129 # Assumes that COVERITY_TOOL_BASE, COVERITY_TOKEN and PROJNAME are set.
135 wget https://scan.coverity.com/download/cxx/linux64 --post-data "token=$COVERITY_TOKEN&project=$PROJNAME&md5=1" -O coverity_tool.md5.new
138 # out of date md5 or no md5: download new build tool
139 # blow away the old build tool
142 wget https://scan.coverity.com/download/cxx/linux64 --post-data "token=$COVERITY_TOKEN&project=$PROJNAME" -O coverity_tool.tgz
146 fi
149 # extract the new one, keeping it corralled in a 'coverity_tool' directory
151 mkdir -p coverity_tool
152 cd coverity_tool
154 cd ..
155 mv coverity_tool.md5.new coverity_tool.md5
156 fi
157 fi
162 build_docker_image
163 fi
164 }
167 # Check user-provided environment variables and arguments
168 DRYRUN=no
170 DOCKER=no
171 PROJNAME=QEMU
176 shift
177 DRYRUN=check
178 ;;
180 shift
182 ;;
184 shift
185 UPDATE=no
186 ;;
188 shift
189 UPDATE=only
190 ;;
192 shift
196 fi
198 shift
199 ;;
201 shift
205 fi
207 shift
208 ;;
210 shift
214 fi
216 shift
217 ;;
219 shift
223 fi
225 shift
226 ;;
228 shift
232 fi
234 shift
235 ;;
237 shift
241 fi
243 shift
244 ;;
247 DOCKER_ENGINE=auto
248 shift
249 ;;
251 shift
255 fi
258 shift
259 ;;
260 *)
263 ;;
264 esac
265 done
269 fi
273 fi
276 upload_permitted
277 exit $?
278 fi
284 fi
289 fi
293 fi
298 # Just do the tools update; we don't need to check whether
299 # we are in a source tree or have upload rights for this,
300 # so do it before some of the command line and source tree checks.
305 fi
307 update_coverity_tools
309 fi
313 fi
320 fi
326 fi
328 # Fill in defaults used by the non-update-only process
331 fi
335 fi
339 fi
342 fi
344 # Otherwise, continue with the full build and upload process.
346 check_upload_permissions
349 update_coverity_tools
350 fi
352 # Run ourselves inside docker if that's what the user wants
354 # Put the Coverity token into a temporary file that only
355 # we have read access to, and then pass it to docker build
356 # using a volume. A volume is enough for the token not to
357 # leak into the Docker image.
363 fi
373 fi
375 # If we need to capture the output tarball, get the inner run to
376 # save it to the secrets directory so we can copy it out before the
377 # directory is cleaned up.
380 fi
381 # Arrange for this docker run to get access to the sources with -v.
382 # We pass through all the configuration from the outer script to the inner.
383 export COVERITY_EMAIL COVERITY_BUILD_CMD
392 fi
395 fi
402 fi
410 mkdir +build
414 # We configure with a fixed set of enables here to ensure that we don't
415 # accidentally reduce the scope of the analysis by doing the build on
416 # the system that's missing a dependency that we need to build part of
417 # the codebase.
419 --enable-opengl --enable-vte --enable-gnutls \
420 --enable-nettle --enable-curses --enable-curl \
422 --enable-vnc --enable-vnc-sasl --enable-vnc-jpeg --enable-png \
423 --enable-xen --enable-brlapi \
424 --enable-linux-aio --enable-attr \
426 --enable-libusb --enable-usb-redir \
427 --enable-libiscsi --enable-libnfs --enable-seccomp \
428 --enable-tpm --enable-libssh --enable-lzo --enable-snappy --enable-bzip2 \
429 --enable-numa --enable-rdma --enable-smartcard --enable-virglrenderer \
430 --enable-mpath --enable-glusterfs \
431 --enable-virtfs --enable-zstd
435 mkdir cov-int
444 fi
451 fi