aboutsummaryrefslogtreecommitdiff
path: root/scripts/coverity-scan/run-coverity-scan
blob: 129672c86fa1dfc8eeb17672eb448b5affef80c6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
#!/bin/sh -e

# Upload a created tarball to Coverity Scan, as per
# https://scan.coverity.com/projects/qemu/builds/new

# This work is licensed under the terms of the GNU GPL version 2,
# or (at your option) any later version.
# See the COPYING file in the top-level directory.
#
# Copyright (c) 2017-2020 Linaro Limited
# Written by Peter Maydell

# Note that this script will automatically download and
# run the (closed-source) coverity build tools, so don't
# use it if you don't trust them!

# This script assumes that you're running it from a QEMU source
# tree, and that tree is a fresh clean one, because we do an in-tree
# build. (This is necessary so that the filenames that the Coverity
# Scan server sees are relative paths that match up with the component
# regular expressions it uses; an out-of-tree build won't work for this.)
# The host machine should have as many of QEMU's dependencies
# installed as possible, for maximum coverity coverage.

# To do an upload you need to be a maintainer in the Coverity online
# service, and you will need to know the "Coverity token", which is a
# secret 8 digit hex string. You can find that from the web UI in the
# project settings, if you have maintainer access there.

# Command line options:
#   --dry-run : run the tools, but don't actually do the upload
#   --docker : create and work inside a container
#   --docker-engine : specify the container engine to use (docker/podman/auto);
#                     implies --docker
#   --update-tools-only : update the cached copy of the tools, but don't run them
#   --no-update-tools : do not update the cached copy of the tools
#   --tokenfile : file to read Coverity token from
#   --version ver : specify version being analyzed (default: ask git)
#   --description desc : specify description of this version (default: ask git)
#   --srcdir : QEMU source tree to analyze (default: current working dir)
#   --results-tarball : path to copy the results tarball to (default: don't
#                       copy it anywhere, just upload it)
#   --src-tarball : tarball to untar into src dir (default: none); this
#                   is intended mainly for internal use by the Docker support
#
# User-specifiable environment variables:
#  COVERITY_TOKEN -- Coverity token (default: looks at your
#                    coverity.token config)
#  COVERITY_EMAIL -- the email address to use for uploads (default:
#                    looks at your git coverity.email or user.email config)
#  COVERITY_BUILD_CMD -- make command (default: 'make -jN' where N is
#                    number of CPUs as determined by 'nproc')
#  COVERITY_TOOL_BASE -- set to directory to put coverity tools
#                        (default: /tmp/coverity-tools)
#
# You must specify the token, either by environment variable or by
# putting it in a file and using --tokenfile. Everything else has
# a reasonable default if this is run from a git tree.

check_upload_permissions() {
    # Check whether we can do an upload to the server; will exit the script
    # with status 1 if the check failed (usually a bad token);
    # will exit the script with status 0 if the check indicated that we
    # can't upload yet (ie we are at quota)
    # Assumes that COVERITY_TOKEN, PROJNAME and DRYRUN have been initialized.

    echo "Checking upload permissions..."

    if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted --post-data "token=$COVERITY_TOKEN&project=$PROJNAME" -q -O -)"; then
        echo "Coverity Scan API access denied: bad token?"
        exit 1
    fi

    # Really up_perm is a JSON response with either
    # {upload_permitted:true} or {next_upload_permitted_at:<date>}
    # We do some hacky string parsing instead of properly parsing it.
    case "$up_perm" in
        *upload_permitted*true*)
            echo "Coverity Scan: upload permitted"
            ;;
        *next_upload_permitted_at*)
            if [ "$DRYRUN" = yes ]; then
                echo "Coverity Scan: upload quota reached, continuing dry run"
            else
                echo "Coverity Scan: upload quota reached; stopping here"
                # Exit success as this isn't a build error.
                exit 0
            fi
            ;;
        *)
            echo "Coverity Scan upload check: unexpected result $up_perm"
            exit 1
            ;;
    esac
}


build_docker_image() {
    # build docker container including the coverity-scan tools
    echo "Building docker container..."
    # TODO: This re-unpacks the tools every time, rather than caching
    # and reusing the image produced by the COPY of the .tgz file.
    # Not sure why.
    tests/docker/docker.py --engine ${DOCKER_ENGINE} build \
                   -t coverity-scanner -f scripts/coverity-scan/coverity-scan.docker \
                   --extra-files scripts/coverity-scan/run-coverity-scan \
                                 "$COVERITY_TOOL_BASE"/coverity_tool.tgz
}

update_coverity_tools () {
    # Check for whether we need to download the Coverity tools
    # (either because we don't have a copy, or because it's out of date)
    # Assumes that COVERITY_TOOL_BASE, COVERITY_TOKEN and PROJNAME are set.

    mkdir -p "$COVERITY_TOOL_BASE"
    cd "$COVERITY_TOOL_BASE"

    echo "Checking for new version of coverity build tools..."
    wget https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_TOKEN&project=$PROJNAME&md5=1" -O coverity_tool.md5.new

    if ! cmp -s coverity_tool.md5 coverity_tool.md5.new; then
        # out of date md5 or no md5: download new build tool
        # blow away the old build tool
        echo "Downloading coverity build tools..."
        rm -rf coverity_tool coverity_tool.tgz
        wget https://scan.coverity.com/download/linux64 --post-data "token=$COVERITY_TOKEN&project=$PROJNAME" -O coverity_tool.tgz
        if ! (cat coverity_tool.md5.new; echo "  coverity_tool.tgz") | md5sum -c --status; then
            echo "Downloaded tarball didn't match md5sum!"
            exit 1
        fi

        if [ "$DOCKER" != yes ]; then
            # extract the new one, keeping it corralled in a 'coverity_tool' directory
            echo "Unpacking coverity build tools..."
            mkdir -p coverity_tool
            cd coverity_tool
            tar xf ../coverity_tool.tgz
            cd ..
            mv coverity_tool.md5.new coverity_tool.md5
        fi
    fi
    rm -f coverity_tool.md5.new
    cd "$SRCDIR"

    if [ "$DOCKER" = yes ]; then
        build_docker_image
    fi
}


# Check user-provided environment variables and arguments
DRYRUN=no
UPDATE=yes
DOCKER=no

while [ "$#" -ge 1 ]; do
    case "$1" in
        --dry-run)
            shift
            DRYRUN=yes
            ;;
        --no-update-tools)
            shift
            UPDATE=no
            ;;
        --update-tools-only)
            shift
            UPDATE=only
            ;;
        --version)
            shift
            if [ $# -eq 0 ]; then
                echo "--version needs an argument"
                exit 1
            fi
            VERSION="$1"
            shift
            ;;
        --description)
            shift
            if [ $# -eq 0 ]; then
                echo "--description needs an argument"
                exit 1
            fi
            DESCRIPTION="$1"
            shift
            ;;
        --tokenfile)
            shift
            if [ $# -eq 0 ]; then
                echo "--tokenfile needs an argument"
                exit 1
            fi
            COVERITY_TOKEN="$(cat "$1")"
            shift
            ;;
        --srcdir)
            shift
            if [ $# -eq 0 ]; then
                echo "--srcdir needs an argument"
                exit 1
            fi
            SRCDIR="$1"
            shift
            ;;
        --results-tarball)
            shift
            if [ $# -eq 0 ]; then
                echo "--results-tarball needs an argument"
                exit 1
            fi
            RESULTSTARBALL="$1"
            shift
            ;;
        --src-tarball)
            shift
            if [ $# -eq 0 ]; then
                echo "--src-tarball needs an argument"
                exit 1
            fi
            SRCTARBALL="$1"
            shift
            ;;
        --docker)
            DOCKER=yes
            DOCKER_ENGINE=auto
            shift
            ;;
        --docker-engine)
            shift
            if [ $# -eq 0 ]; then
                echo "--docker-engine needs an argument"
                exit 1
            fi
            DOCKER=yes
            DOCKER_ENGINE="$1"
            shift
            ;;
        *)
            echo "Unexpected argument '$1'"
            exit 1
            ;;
    esac
done

if [ -z "$COVERITY_TOKEN" ]; then
    COVERITY_TOKEN="$(git config coverity.token)"
fi
if [ -z "$COVERITY_TOKEN" ]; then
    echo "COVERITY_TOKEN environment variable not set"
    exit 1
fi

if [ -z "$COVERITY_BUILD_CMD" ]; then
    NPROC=$(nproc)
    COVERITY_BUILD_CMD="make -j$NPROC"
    echo "COVERITY_BUILD_CMD: using default '$COVERITY_BUILD_CMD'"
fi

if [ -z "$COVERITY_TOOL_BASE" ]; then
    echo "COVERITY_TOOL_BASE: using default /tmp/coverity-tools"
    COVERITY_TOOL_BASE=/tmp/coverity-tools
fi

if [ -z "$SRCDIR" ]; then
    SRCDIR="$PWD"
fi

PROJNAME=QEMU
TARBALL=cov-int.tar.xz

if [ "$UPDATE" = only ]; then
    # Just do the tools update; we don't need to check whether
    # we are in a source tree or have upload rights for this,
    # so do it before some of the command line and source tree checks.

    if [ "$DOCKER" = yes ] && [ ! -z "$SRCTARBALL" ]; then
        echo --update-tools-only --docker is incompatible with --src-tarball.
        exit 1
    fi

    update_coverity_tools
    exit 0
fi

if [ ! -e "$SRCDIR" ]; then
    mkdir "$SRCDIR"
fi

cd "$SRCDIR"

if [ ! -z "$SRCTARBALL" ]; then
    echo "Untarring source tarball into $SRCDIR..."
    tar xvf "$SRCTARBALL"
fi

echo "Checking this is a QEMU source tree..."
if ! [ -e "$SRCDIR/VERSION" ]; then
    echo "Not in a QEMU source tree?"
    exit 1
fi

# Fill in defaults used by the non-update-only process
if [ -z "$VERSION" ]; then
    VERSION="$(git describe --always HEAD)"
fi

if [ -z "$DESCRIPTION" ]; then
    DESCRIPTION="$(git rev-parse HEAD)"
fi

if [ -z "$COVERITY_EMAIL" ]; then
    COVERITY_EMAIL="$(git config coverity.email)"
fi
if [ -z "$COVERITY_EMAIL" ]; then
    COVERITY_EMAIL="$(git config user.email)"
fi

# Otherwise, continue with the full build and upload process.

check_upload_permissions

if [ "$UPDATE" != no ]; then
    update_coverity_tools
fi

# Run ourselves inside docker if that's what the user wants
if [ "$DOCKER" = yes ]; then
    # Put the Coverity token into a temporary file that only
    # we have read access to, and then pass it to docker build
    # using a volume.  A volume is enough for the token not to
    # leak into the Docker image.
    umask 077
    SECRETDIR=$(mktemp -d)
    if [ -z "$SECRETDIR" ]; then
        echo "Failed to create temporary directory"
        exit 1
    fi
    trap 'rm -rf "$SECRETDIR"' INT TERM EXIT
    echo "Created temporary directory $SECRETDIR"
    SECRET="$SECRETDIR/token"
    echo "$COVERITY_TOKEN" > "$SECRET"
    echo "Archiving sources to be analyzed..."
    ./scripts/archive-source.sh "$SECRETDIR/qemu-sources.tgz"
    ARGS="--no-update-tools"
    if [ "$DRYRUN" = yes ]; then
        ARGS="$ARGS --dry-run"
    fi
    echo "Running scanner..."
    # If we need to capture the output tarball, get the inner run to
    # save it to the secrets directory so we can copy it out before the
    # directory is cleaned up.
    if [ ! -z "$RESULTSTARBALL" ]; then
        ARGS="$ARGS --results-tarball /work/cov-int.tar.xz"
    fi
    # Arrange for this docker run to get access to the sources with -v.
    # We pass through all the configuration from the outer script to the inner.
    export COVERITY_EMAIL COVERITY_BUILD_CMD
    tests/docker/docker.py run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \
           -v "$SECRETDIR:/work" coverity-scanner \
           ./run-coverity-scan --version "$VERSION" \
           --description "$DESCRIPTION" $ARGS --tokenfile /work/token \
           --srcdir /qemu --src-tarball /work/qemu-sources.tgz
    if [ ! -z "$RESULTSTARBALL" ]; then
        echo "Copying results tarball to $RESULTSTARBALL..."
        cp "$SECRETDIR/cov-int.tar.xz" "$RESULTSTARBALL"
    fi
    echo "Docker work complete."
    exit 0
fi

TOOLBIN="$(cd "$COVERITY_TOOL_BASE" && echo $PWD/coverity_tool/cov-analysis-*/bin)"

if ! test -x "$TOOLBIN/cov-build"; then
    echo "Couldn't find cov-build in the coverity build-tool directory??"
    exit 1
fi

export PATH="$TOOLBIN:$PATH"

cd "$SRCDIR"

echo "Nuking build directory..."
rm -rf +build
mkdir +build
cd +build

echo "Configuring..."
# We configure with a fixed set of enables here to ensure that we don't
# accidentally reduce the scope of the analysis by doing the build on
# the system that's missing a dependency that we need to build part of
# the codebase.
../configure --disable-modules --enable-sdl --enable-gtk \
    --enable-opengl --enable-vte --enable-gnutls \
    --enable-nettle --enable-curses --enable-curl \
    --audio-drv-list=oss,alsa,sdl,pa --enable-virtfs \
    --enable-vnc --enable-vnc-sasl --enable-vnc-jpeg --enable-png \
    --enable-xen --enable-brlapi \
    --enable-linux-aio --enable-attr \
    --enable-cap-ng --enable-trace-backends=log --enable-spice --enable-rbd \
    --enable-libusb --enable-usb-redir \
    --enable-libiscsi --enable-libnfs --enable-seccomp \
    --enable-tpm --enable-libssh --enable-lzo --enable-snappy --enable-bzip2 \
    --enable-numa --enable-rdma --enable-smartcard --enable-virglrenderer \
    --enable-mpath --enable-glusterfs \
    --enable-virtfs --enable-zstd

echo "Running cov-build..."
rm -rf cov-int
mkdir cov-int
cov-build --dir cov-int $COVERITY_BUILD_CMD

echo "Creating results tarball..."
tar cvf - cov-int | xz > "$TARBALL"

if [ ! -z "$RESULTSTARBALL" ]; then
    echo "Copying results tarball to $RESULTSTARBALL..."
    cp "$TARBALL" "$RESULTSTARBALL"
fi

echo "Uploading results tarball..."

if [ "$DRYRUN" = yes ]; then
    echo "Dry run only, not uploading $TARBALL"
    exit 0
fi

curl --form token="$COVERITY_TOKEN" --form email="$COVERITY_EMAIL" \
     --form file=@"$TARBALL" --form version="$VERSION" \
     --form description="$DESCRIPTION" \
     https://scan.coverity.com/builds?project="$PROJNAME"

echo "Done."