ci: added coverity stage

Added a new stage for Coverity analysis in the CI pipeline. This stage includes the necessary scripts and configurations to run Coverity scans, ensuring code quality and security checks are integrated into the development workflow. The changes also include updates to the job matrix to accommodate the new Coverity stage. Signed-off-by: Iaroslav Sydoruk <[email protected]>
Mellanox · Mar 6, 2025 · e617e6a · e617e6a
1 parent cd99a00
commit e617e6a
Show file tree

Hide file tree

Showing 4 changed files with 210 additions and 7 deletions.
diff --git a/.ci/Dockerfile.doca b/.ci/Dockerfile.doca
@@ -25,8 +25,17 @@ RUN set -eux; \
     curl \
     unzip \
     podman \
-    gcc-9 \
-    jq
+    gcc-11 \
+    cpp-11 \
+    jq \
+    dpkg-dev \
+    debhelper \
+    patchelf \
+    python3-pyelftools \
+    libfuse3-dev \
+    libaio-dev \
+    libncurses-dev
+
 
 ### TOOLS INSTALL ###
 RUN set -eux; \

diff --git a/.ci/ci_env.sh b/.ci/ci_env.sh
@@ -22,4 +22,4 @@ export CI_ENV_DOCA_BUILDER_TAG="2.10.0087-devel-ubuntu22.04-arm64"
 # changes that affect components in CI builder images.
 # CI builder images use it as docker tag.
 # Format=<YYMMDD>-<ID>
-export CI_ENV_CI_REV="250205-2"
+export CI_ENV_CI_REV="250305-1"
diff --git a/.ci/coverity.sh b/.ci/coverity.sh
@@ -0,0 +1,172 @@
+#!/bin/bash -exEl
+set -o pipefail
+
+progname=$(basename $0)
+
+DEFECTS_EXPECTED=13
+
+function usage()
+{
+	cat << HEREDOC
+   Usage: $progname [--pre_script "./autogen.sh;./configure"] [--build_cmd "make all"] [--ignore_files "devx gtest"]  [--verbose]
+   optional arguments:
+     -h, --help           			show this help message and exit
+     -p, --pre_script STRING        Preparation commands to run prior running coverity
+     -b, --build_script STRING      Build command to pass to coverity
+     -i, --ignore_files STRING      Space separated list of files/dirs to ignore
+     --url STRING                   Coverity Server URL
+     --user STRING                  Login to Coverity Server
+     --password STRING              Password to Coverity Server
+     --stream STRING                Stream on Coverity Server where to upload the report
+     --upload                       Upload report to Coverity Server (--url, --user, --password are required)
+     --doca-version STRING          DOCA SDK version
+     -v, --verbose        	    increase the verbosity of the bash script
+HEREDOC
+exit 0
+}
+
+
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -p|--pre_script) pre_cmd="$2"; shift ;;
+        -b|--build_script) build_cmd="$2"; shift ;;
+        -i|--include_files) include_list="$2"; shift ;;
+	--url) url="$2"; shift ;;
+	--user) user="$2"; shift ;;
+	--password) password="$2"; shift ;;
+	--stream) stream="$2"; shift ;;
+	--upload) upload=true;;
+	--doca-version) DOCA_VERSION="$2"; shift ;;
+        -h|--help) usage ;;
+        -v|--verbose) set +x ;;
+        *) echo "Unknown parameter passed: $1"; exit 1 ;;
+    esac
+    shift
+done
+
+if [ ! -d .git ]; then
+	echo "Error: should be run from project root"
+	exit 1
+fi
+
+if [ ! -z ${upload} ]; then
+	[ ! -z "$url" ] || { echo "Error: --url must be provided when --upload is set!"; exit 1; }
+	[ ! -z "$user" ] || { echo "Error: --user must be provided when --upload is set!"; exit 1; }
+	[ ! -z "$password" ] || { echo "Error: --password must be provided when --upload is set!"; exit 1; }
+	[ ! -z "$stream" ] || { echo "Error: --stream must be provided when --upload is set!"; exit 1; }
+fi
+
+
+ncpus=$(cat /proc/cpuinfo|grep processor|wc -l)
+
+# Current coverity version (2023.12) supports GCC <= 11
+if ! command -v gcc-11 &> /dev/null; then
+	echo "Error: gcc-11 is not installed!"
+	exit 1
+fi
+
+export CC=gcc-11
+export CXX=g++-11
+
+
+function install_dependencies() {
+
+    # Install DOCA STA
+    wget https://urm.nvidia.com/artifactory/sw-nbu-doca-local/doca-sdk/$(echo $DOCA_VERSION | grep -o "[0-9]\+\.[0-9]\+\.[0-9]")/DOCA_${DOCA_VERSION//./-}-1/doca-sdk-sta-${DOCA_VERSION}.tar.gz
+    tar xzvf doca-sdk-sta-${DOCA_VERSION}.tar.gz --no-same-owner
+    cd doca-sdk-sta-${DOCA_VERSION}
+    . ./devtools/public/set_env_variables.sh --deb
+    ./devtools/public/doca_package_build.sh --dpu --deb
+    cd ../
+    sudo dpkg --force-all -i doca-sdk-sta_${DOCA_VERSION}-1_arm64.deb libdoca-sdk-sta-dev_${DOCA_VERSION}-1_arm64.deb
+}
+
+# Build and install NVMF Target Offload
+
+if [ -n "${pre_cmd}" ]; then
+
+    echo "==== Running Pre-commands ===="
+
+    set +eE
+    install_dependencies
+    /bin/bash -c "$pre_cmd"
+    rc=$?
+
+    if [ $rc -ne 0 ]; then
+        echo pre-commands failed
+        exit 1
+    fi
+
+    set -eE
+fi
+
+cov_build="cov_build"
+rm -rf $cov_build
+
+echo "==== Running coverity ===="
+
+export PATH="$PATH:/auto/sw_tools/Commercial/Synopsys/Coverity/Coverity_2023.12/linux_arm64/bin"
+
+cov-build --dir $cov_build $build_cmd
+
+if [ -n "${include_list}" ]; then
+    echo "==== Restricting analysis to include list ===="
+
+    # Generate a list of all captured files
+    set -x
+    all_files=$(cov-manage-emit --dir ${cov_build} list | grep ">"| awk '{print $3}')
+    echo "All files: $all_files"
+    # Compute files to delete (those NOT in allow_list)
+    for file in ${all_files}; do
+        count=0
+        for f in ${include_list}; do
+            if echo "${file}" | grep -q "$f"; then
+                count=$((count + 1))
+            fi
+        done
+        if [ $count -eq 0 ]; then
+            cov-manage-emit --dir ${cov_build} --tu-pattern "file('${file}')" delete ||:
+        fi
+    done
+fi
+
+
+echo "==== Running anaysis ===="
+
+cov-analyze --jobs 1 --security \
+	    --enable INTEGER_OVERFLOW \
+	    --enable AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK \
+	    --concurrency --dir $cov_build
+
+if [ ! -z ${upload} ]; then
+
+    echo "==== Uploading report ===="
+
+    cov-commit-defects --ssl --on-new-cert trust \
+	    --url $url --user $user --password $password \
+	    --dir $cov_build \
+	    --stream $stream
+fi
+
+cov-format-errors --dir $cov_build --html-output $cov_build/html
+
+nerrors=$(cov-format-errors --dir $cov_build --emacs-style |& tee $cov_build/coverity.log | grep 'Type:' | wc -l )
+
+echo -e "Number of Defects: ${nerrors} (expected $DEFECTS_EXPECTED)\n"
+
+if (( $nerrors > $DEFECTS_EXPECTED )); then
+    echo "FAIL"
+    echo "New defects were added."
+    echo "Number of defects ($nerrors) > ($DEFECTS_EXPECTED) defects expected!"
+    echo "Please fix new defects or mark them as false-positive by incrementing the DEFECTS_EXPECTED in .ci/coverity.sh"
+    exit $nerrors
+elif (( $nerrors < $DEFECTS_EXPECTED )); then
+    echo "FAIL"
+    echo "Defects were removed without updating the expected number."
+    echo "Number of defects ($nerrors) < ($DEFECTS_EXPECTED) defects expected!"
+    echo "Please update DEFECTS_EXPECTED to $nerrors in .ci/coverity.sh"
+    exit $nerrors
+else
+    exit 0
+fi
diff --git a/.ci/job_matrix_doca_nvmf_target_offload_pr.yaml.in b/.ci/job_matrix_doca_nvmf_target_offload_pr.yaml.in
@@ -43,11 +43,14 @@ kubernetes:
   privileged: true
   arch_table:
     aarch64:
-      jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:latest'
-      dockerImage: 'quay.io/podman/stable:v5.1.2'
+      jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:3283.v92c105e0f819-6'
+      dockerImage: 'urm.nvidia.com/quay-remote/podman/stable:v5.3.2'
     x86_64:
-      jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:latest'
-      dockerImage: 'quay.io/podman/stable:v5.1.2'
+      jnlpImage: 'dockerhub.nvidia.com/jenkins/inbound-agent:3283.v92c105e0f819-6'
+      dockerImage: 'urm.nvidia.com/quay-remote/podman/stable:v5.3.2'
+
+volumes:
+  - {mountPath: /auto/sw_tools, hostPath: /auto/sw_tools}
 
 empty_volumes:
   - {mountPath: /var/home/swx-jenkins/.local/share/containers, memory: false}
@@ -65,6 +68,10 @@ runs_on_dockers:
      file: '.ci/Dockerfile.doca', name: 'doca_ci', arch: 'aarch64', tag: "${CI_ENV_CI_REV}",
      build_args: '--build-arg DOCA_IMAGE_TAG=$DOCA_BUILDER_TAG --pull --no-cache'
     }
+  - {
+     file: '.ci/Dockerfile.doca', name: 'toolbox', arch: 'aarch64', tag: "${CI_ENV_CI_REV}", 
+     category: 'tool', build_args: '--build-arg DOCA_IMAGE_TAG=$DOCA_BUILDER_TAG --pull --no-cache'
+    }
 
 steps:
   - name: Clone DPA sign tool
@@ -86,3 +93,18 @@ steps:
         --docker-registry-path=$DOCKER_REGISTRY_PATH \
         --docker-image-name=doca_nvmf_target_offload \
         --sign --push
+
+  - name: Coverity
+    containerSelector: "{name:'toolbox'}"
+    run: |
+      .ci/coverity.sh --pre_script 'pwd && ls -la && .ci/dpdk_patch.sh && ./configure --with-rdma=mlx5_dv --with-doca --with-flexio --disable-tests --disable-unit-tests --disable-examples --prefix=/opt' \
+                      --build_script "make -j4" \
+                      --include_files 'lib/nvmf/rdma_offload.c lib/env_dpdk/dmabuf.c' \
+                      --doca-version `echo $DOCA_RUNTIME_TAG | grep -o "[0-9]\+\.[0-9]\+\.[0-9]*"` \
+                      --verbose
+    archiveArtifacts: 'cov_build/html/**/*,cov_build/coverity.log,cov_build/*.txt'
+    publishHTML:
+      reportDir: 'cov_build/html'
+      reportFiles: 'index.html'
+      reportName: 'Coverity Report'
+    parallel: true