coverity-gpr.yml
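# Azure Pipelines definition: a Maven build job followed by a Coverity job.
# CI builds run a full scan through the synopsys-coverity task; pull requests
# run an incremental cov-run-desktop scan limited to the changed files.
pool:
  name: private-linux

jobs:
  - job: Build
    workspace:
      clean: all
    steps:
      - task: Maven@4
        displayName: 'Maven Build'
        inputs:
          options: '-B -DskipTests'

  - job: Coverity
    dependsOn: Build
    workspace:
      clean: all
    # Coverity enabled on Builds or Pull Requests for main, stage or release branches.
    # A custom condition replaces the implicit succeeded(), so it is restated
    # here; otherwise this job would also run after a failed Build job.
    # NOTE(review): Build.SourceBranchName is only the last segment of the ref,
    # so a branch such as feature/main also matches 'main' and would commit to
    # the same stream as main. Compare Build.SourceBranch against full refs if
    # that is not intended.
    condition: |
      and(succeeded(),
        or(in(variables['Build.SourceBranchName'],'main','stage','release'),
           in(variables['System.PullRequest.TargetBranch'],'refs/heads/main','refs/heads/stage','refs/heads/release')))
    variables:
      # Presumably supplies COVERITY_URL and COVERITY_PASSPHRASE used below;
      # confirm against the variable group definition.
      - group: poc222.coverity.synopsys.com
      - name: COVERITY_TOOL_HOME
        value: /opt/coverity/analysis/2024.12.0
      - name: COVERITY_PROJECT
        value: $(Build.Repository.Name)
    steps:
      # use Coverity plugin for full scans of CI Builds
      - task: synopsys-coverity@1
        inputs:
          coverityService: 'poc222.coverity.synopsys.com'
          projectName: '$(Build.Repository.Name)'
          streamName: '$(Build.Repository.Name)-$(Build.SourceBranchName)'
          checkIssues: true
          issueView: 'Outstanding Issues'
          # NOTE(review): 'unstable' presumably does not fail the run on
          # outstanding issues; confirm this is the intended gate.
          issueStatus: 'unstable'
          buildCommand: 'mvn -B -DskipTests package'
          customCommandArgs: true
          covBuildArgs: '--fs-capture-search $(Build.SourcesDirectory)'
          covAnalyzeArgs: '--ticker-mode none --strip-path $(Build.SourcesDirectory) --webapp-security'
          covCommitArgs: '--ticker-mode none --description $(Build.BuildURI) --version $(Build.SourceVersion) --scm git'
          # NOTE(review): accepts untrusted (e.g. self-signed) server
          # certificates, so the Coverity server's identity is not verified
          # when credentials and results are sent. Prefer installing the
          # issuing CA on the agent and setting this to false.
          allowUntrusted: true
        displayName: 'Full Scan'
        condition: not(eq(variables['Build.Reason'], 'PullRequest'))

      # use cov-run-desktop for incremental scans of GPRs
      # NOTE(review): the build below executes code from the pull request
      # (Maven plugins, build scripts) on the private pool, in a step whose
      # environment holds COVERITY_PASSPHRASE. Limit which pull requests can
      # trigger this pipeline and scope the Coverity account to what an
      # incremental scan needs.
      - bash: |
          # Fail on the first error. The diff result is assigned without
          # `export` because `export VAR=$(cmd)` hides a failing cmd from -e.
          set -eo pipefail
          REMOVE="refs/heads/"
          export SYSTEM_PULLREQUEST_TARGETBRANCHNAME="${SYSTEM_PULLREQUEST_TARGETBRANCH//$REMOVE/}"
          CHANGED_FILES="$(git --no-pager diff "origin/$SYSTEM_PULLREQUEST_TARGETBRANCHNAME" --name-only)"
          # File names come from the pull request: keep one array element per
          # path so whitespace and glob characters are passed through literally.
          mapfile -t CHANGE_SET < <(printf '%s' "$CHANGED_FILES")
          export STREAM="$(COVERITY_PROJECT)-$SYSTEM_PULLREQUEST_TARGETBRANCHNAME"
          export PATH="$PATH:$COVERITY_TOOL_HOME/bin"
          set -x
          cov-run-desktop --dir idir --url "$(COVERITY_URL)" --stream "$STREAM" --build mvn -B -DskipTests package
          cov-run-desktop --dir idir --url "$(COVERITY_URL)" --stream "$STREAM" --present-in-reference false --ignore-uncapturable-inputs true --exit1-if-defects true "${CHANGE_SET[@]}"
        env:
          # Secret variables are not exposed to scripts unless mapped explicitly.
          COVERITY_PASSPHRASE: $(COVERITY_PASSPHRASE)
        displayName: 'Incremental Scan'
        condition: eq(variables['Build.Reason'], 'PullRequest')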