-
Notifications
You must be signed in to change notification settings - Fork 15
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added a new stage for Coverity analysis in the CI pipeline. This stage includes the necessary scripts and configurations to run Coverity scans, ensuring code quality and security checks are integrated into the development workflow. The changes also include updates to the job matrix to accommodate the new Coverity stage. Signed-off-by: Iaroslav Sydoruk <[email protected]>
- Loading branch information
Showing
6 changed files
with
318 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,172 @@ | ||
| #!/bin/bash -exEl | ||
| set -o pipefail | ||
|
|
||
| progname=$(basename $0) | ||
|
|
||
| DEFECTS_EXPECTED=13 | ||
|
|
||
| function usage() | ||
| { | ||
| cat << HEREDOC | ||
| Usage: $progname [--pre_script "./autogen.sh;./configure"] [--build_cmd "make all"] [--ignore_files "devx gtest"] [--verbose] | ||
| optional arguments: | ||
| -h, --help show this help message and exit | ||
| -p, --pre_script STRING Preparation commands to run prior running coverity | ||
| -b, --build_script STRING Build command to pass to coverity | ||
| -i, --ignore_files STRING Space separated list of files/dirs to ignore | ||
| --url STRING Coverity Server URL | ||
| --user STRING Login to Coverity Server | ||
| --password STRING Password to Coverity Server | ||
| --stream STRING Stream on Coverity Server where to upload the report | ||
| --upload Upload report to Coverity Server (--url, --user, --password are required) | ||
| --doca-version STRING DOCA SDK version | ||
| -v, --verbose increase the verbosity of the bash script | ||
| HEREDOC | ||
| exit 0 | ||
| } | ||
|
|
||
|
|
||
|
|
||
| while [[ "$#" -gt 0 ]]; do | ||
| case $1 in | ||
| -p|--pre_script) pre_cmd="$2"; shift ;; | ||
| -b|--build_script) build_cmd="$2"; shift ;; | ||
| -i|--include_files) include_list="$2"; shift ;; | ||
| --url) url="$2"; shift ;; | ||
| --user) user="$2"; shift ;; | ||
| --password) password="$2"; shift ;; | ||
| --stream) stream="$2"; shift ;; | ||
| --upload) upload=true;; | ||
| --doca-version) DOCA_VERSION="$2"; shift ;; | ||
| -h|--help) usage ;; | ||
| -v|--verbose) set +x ;; | ||
| *) echo "Unknown parameter passed: $1"; exit 1 ;; | ||
| esac | ||
| shift | ||
| done | ||
|
|
||
| if [ ! -d .git ]; then | ||
| echo "Error: should be run from project root" | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [ ! -z ${upload} ]; then | ||
| [ ! -z "$url" ] || { echo "Error: --url must be provided when --upload is set!"; exit 1; } | ||
| [ ! -z "$user" ] || { echo "Error: --user must be provided when --upload is set!"; exit 1; } | ||
| [ ! -z "$password" ] || { echo "Error: --password must be provided when --upload is set!"; exit 1; } | ||
| [ ! -z "$stream" ] || { echo "Error: --stream must be provided when --upload is set!"; exit 1; } | ||
| fi | ||
|
|
||
|
|
||
| ncpus=$(cat /proc/cpuinfo|grep processor|wc -l) | ||
|
|
||
| # Current coverity version (2023.12) supports GCC <= 11 | ||
| if ! command -v gcc-11 &> /dev/null; then | ||
| echo "Error: gcc-11 is not installed!" | ||
| exit 1 | ||
| fi | ||
|
|
||
| export CC=gcc-11 | ||
| export CXX=g++-11 | ||
|
|
||
|
|
||
| function install_dependencies() { | ||
|
|
||
| # Install DOCA STA | ||
| wget https://urm.nvidia.com/artifactory/sw-nbu-doca-local/doca-sdk/$(echo $DOCA_VERSION | grep -o "[0-9]\+\.[0-9]\+\.[0-9]")/DOCA_${DOCA_VERSION//./-}-1/doca-sdk-sta-${DOCA_VERSION}.tar.gz | ||
| tar xzvf doca-sdk-sta-${DOCA_VERSION}.tar.gz --no-same-owner | ||
| cd doca-sdk-sta-${DOCA_VERSION} | ||
| . ./devtools/public/set_env_variables.sh --deb | ||
| ./devtools/public/doca_package_build.sh --dpu --deb | ||
| cd ../ | ||
| sudo dpkg --force-all -i doca-sdk-sta_${DOCA_VERSION}-1_arm64.deb libdoca-sdk-sta-dev_${DOCA_VERSION}-1_arm64.deb | ||
| } | ||
|
|
||
| # Build and install NVMF Target Offload | ||
|
|
||
| if [ -n "${pre_cmd}" ]; then | ||
|
|
||
| echo "==== Running Pre-commands ====" | ||
|
|
||
| set +eE | ||
| install_dependencies | ||
| /bin/bash -c "$pre_cmd" | ||
| rc=$? | ||
|
|
||
| if [ $rc -ne 0 ]; then | ||
| echo pre-commands failed | ||
| exit 1 | ||
| fi | ||
|
|
||
| set -eE | ||
| fi | ||
|
|
||
| cov_build="cov_build" | ||
| rm -rf $cov_build | ||
|
|
||
| echo "==== Running coverity ====" | ||
|
|
||
| export PATH="$PATH:/auto/sw_tools/Commercial/Synopsys/Coverity/Coverity_2023.12/linux_arm64/bin" | ||
|
|
||
| cov-build --dir $cov_build $build_cmd | ||
|
|
||
| if [ -n "${include_list}" ]; then | ||
| echo "==== Restricting analysis to include list ====" | ||
|
|
||
| # Generate a list of all captured files | ||
| set -x | ||
| all_files=$(cov-manage-emit --dir ${cov_build} list | grep ">"| awk '{print $3}') | ||
| echo "All files: $all_files" | ||
| # Compute files to delete (those NOT in allow_list) | ||
| for file in ${all_files}; do | ||
| count=0 | ||
| for f in ${include_list}; do | ||
| if echo "${file}" | grep -q "$f"; then | ||
| count=$((count + 1)) | ||
| fi | ||
| done | ||
| if [ $count -eq 0 ]; then | ||
| cov-manage-emit --dir ${cov_build} --tu-pattern "file('${file}')" delete ||: | ||
| fi | ||
| done | ||
| fi | ||
|
|
||
|
|
||
| echo "==== Running anaysis ====" | ||
|
|
||
| cov-analyze --jobs 1 --security \ | ||
| --enable INTEGER_OVERFLOW \ | ||
| --enable AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK \ | ||
| --concurrency --dir $cov_build | ||
|
|
||
| if [ ! -z ${upload} ]; then | ||
|
|
||
| echo "==== Uploading report ====" | ||
|
|
||
| cov-commit-defects --ssl --on-new-cert trust \ | ||
| --url $url --user $user --password $password \ | ||
| --dir $cov_build \ | ||
| --stream $stream | ||
| fi | ||
|
|
||
| cov-format-errors --dir $cov_build --html-output $cov_build/html | ||
|
|
||
| nerrors=$(cov-format-errors --dir $cov_build --emacs-style |& tee $cov_build/coverity.log | grep 'Type:' | wc -l ) | ||
|
|
||
| echo -e "Number of Defects: ${nerrors} (expected $DEFECTS_EXPECTED)\n" | ||
|
|
||
| if (( $nerrors > $DEFECTS_EXPECTED )); then | ||
| echo "FAIL" | ||
| echo "New defects were added." | ||
| echo "Number of defects ($nerrors) > ($DEFECTS_EXPECTED) defects expected!" | ||
| echo "Please fix new defects or mark them as false-positive by incrementing the DEFECTS_EXPECTED in .ci/coverity.sh" | ||
| exit $nerrors | ||
| elif (( $nerrors < $DEFECTS_EXPECTED )); then | ||
| echo "FAIL" | ||
| echo "Defects were removed without updating the expected number." | ||
| echo "Number of defects ($nerrors) < ($DEFECTS_EXPECTED) defects expected!" | ||
| echo "Please update DEFECTS_EXPECTED to $nerrors in .ci/coverity.sh" | ||
| exit $nerrors | ||
| else | ||
| exit 0 | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| # | ||
| # SPDX-FileCopyrightText: Copyright (c) 2023-2024 NVIDIA CORPORATION & AFFILIATES. All rights reserved. | ||
| # SPDX-License-Identifier: LicenseRef-NvidiaProprietary | ||
| # | ||
| # NVIDIA CORPORATION, its affiliates and licensors retain all intellectual | ||
| # property and proprietary rights in and to this material, related | ||
| # documentation and any modifications thereto. Any use, reproduction, | ||
| # disclosure or distribution of this material and related documentation | ||
| # without an express license agreement from NVIDIA CORPORATION or | ||
| # its affiliates is strictly prohibited. | ||
| # | ||
| --- | ||
| job: doca-nvmf-target-offload-coverity | ||
|
|
||
| registry_host: nbu-harbor.gtm.nvidia.com | ||
| registry_path: /swx-storage/doca_nvmf_target_offload | ||
|
|
||
| credentials: | ||
| - {credentialsId: 'snap4_coverity', usernameVariable: 'COV_USER', passwordVariable: 'COV_PASS'} | ||
|
|
||
| timeout_minutes: 120 | ||
|
|
||
| env: | ||
| DOCA_BUILDER_TAG: '${CI_ENV_DOCA_BUILDER_TAG}' | ||
| REGISTRY_AUTH_FILE: '${CI_ENV_REGISTRY_AUTH_FILE}' | ||
| GIT_SSH_COMMAND: '${CI_ENV_GIT_SSH_COMMAND}' | ||
| STORAGE_DRIVER: '${CI_ENV_STORAGE_DRIVER}' | ||
|
|
||
| failFast: false | ||
| kubernetes: | ||
| cloud: il-ipp-blossom-prod | ||
| namespace: nbu-swx-storage-devops | ||
| runAsUser: "6213" | ||
| runAsGroup: "11429" | ||
| privileged: true | ||
| arch_table: | ||
| aarch64: | ||
| jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:3283.v92c105e0f819-6' | ||
| dockerImage: 'urm.nvidia.com/quay-remote/podman/stable:v5.3.2' | ||
|
|
||
| volumes: | ||
| - {mountPath: /auto/sw_tools, hostPath: /auto/sw_tools} | ||
|
|
||
| empty_volumes: | ||
| - {mountPath: /var/home/swx-jenkins/.local/share/containers, memory: false} | ||
|
|
||
| pvc_volumes: | ||
| - {claimName: nbu-swx-storage-devops-pvc, mountPath: /mnt/pvc, readOnly: false} | ||
|
|
||
| secret_volumes: | ||
| - {secretName: 'registry-auth-file', mountPath: '/mnt/secret_podman'} | ||
| - {secretName: 'mellanox-github-rsa', mountPath: '/var/home/swx-jenkins/.ssh'} | ||
|
|
||
| runs_on_dockers: | ||
| - { | ||
| file: '.ci/Dockerfile.doca', name: 'toolbox', arch: 'aarch64', tag: "${CI_ENV_CI_REV}", | ||
| category: 'tool', build_args: "--build-arg DOCA_IMAGE_TAG=${DOCA_BUILDER_TAG} --pull --no-cache" | ||
| } | ||
|
|
||
| steps: | ||
| - name: Coverity | ||
| containerSelector: "{name:'toolbox'}" | ||
| credentialsId: 'snap4_coverity' | ||
| run: | | ||
| set -eux | ||
| [ ! -z "$COV_SERVER_URL" ] || { echo "COV_SERVER_URL is empty!"; exit 1; } | ||
| [ ! -z "$COV_USER" ] || { echo "COV_USER is empty!"; exit 1; } | ||
| [ ! -z "$COV_PASS" ] || { echo "COV_PASS is empty!"; exit 1; } | ||
| [ ! -z "$COV_STREAM" ] || { echo "COV_STREAM is empty!"; exit 1; } | ||
| .ci/coverity.sh --pre_script 'pwd && ls -la && .ci/dpdk_patch.sh && ./configure --with-rdma=mlx5_dv --with-doca --with-flexio --disable-tests --disable-unit-tests --disable-examples --prefix=/opt' \ | ||
| --build_script "make -j4" \ | ||
| --include_files 'lib/nvmf/rdma_offload.c lib/env_dpdk/dmabuf.c' \ | ||
| --doca-version `echo $DOCA_RUNTIME_TAG | grep -o "[0-9]\+\.[0-9]\+\.[0-9]*"` \ | ||
| --url $COV_SERVER_URL \ | ||
| --user $COV_USER \ | ||
| --password $COV_PASS \ | ||
| --stream $COV_STREAM \ | ||
| --upload \ | ||
| --verbose | ||
| archiveArtifacts: 'cov_build/html/**/*,cov_build/coverity.log,cov_build/*.txt' | ||
| publishHTML: | ||
| reportDir: 'cov_build/html' | ||
| reportFiles: 'index.html' | ||
| reportName: 'Coverity Report' | ||
| parallel: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters