forked from netdata/netdata
-
Notifications
You must be signed in to change notification settings - Fork 0
/
coverity-scan.sh
executable file
·210 lines (174 loc) · 6.63 KB
/
coverity-scan.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
#!/usr/bin/env bash
#
# Coverity scan script
#
# Copyright: SPDX-License-Identifier: GPL-3.0-or-later
#
# Author : Costa Tsaousis ([email protected])
# Author : Pawel Krupa (paulfantom)
# Author : Pavlos Emm. Katsoulakis ([email protected])
# shellcheck disable=SC1091,SC2230,SC2086
# To run manually, save configuration to .coverity-scan.conf like this:
#
# the repository to report to coverity - devs can set here their own fork
# REPOSITORY="netdata/netdata"
#
# the email of the developer, as given to coverity
# COVERITY_SCAN_SUBMIT_MAIL="[email protected]"
#
# the token given by coverity to the developer
# COVERITY_SCAN_TOKEN="TOKEN taken from Coverity site"
#
# the absolute path of the cov-build - optional
# COVERITY_BUILD_PATH="/opt/cov-analysis-linux64-2021.12/bin/cov-build"
#
# when set, the script will print on screen the curl command that submits the build to coverity
# this includes the token, so the default is not to print it.
# COVERITY_SUBMIT_DEBUG=1
#
# Override the standard coverity build version we know is supported
# COVERITY_BUILD_VERSION="cov-analysis-linux64-2019.03"
#
# All these variables can also be exported before running this script.
#
# If the first parameter of this script is "install",
# coverity build tools will be downloaded and installed in /opt/coverity
set -e
INSTALL_DIR="/opt"
# the version of coverity to use
COVERITY_BUILD_VERSION="${COVERITY_BUILD_VERSION:-cov-analysis-linux64-2023.6.2}"
# TODO: For some reasons this does not fully load on Debian 10 (Haven't checked if it happens on other distros yet), it breaks
source packaging/installer/functions.sh || echo "Failed to fully load the functions library"
cpus=$(find_processors)
[ -z "${cpus}" ] && cpus=1
if [ -f ".coverity-scan.conf" ]; then
source ".coverity-scan.conf"
fi
repo="${REPOSITORY}"
if [ -z "${repo}" ]; then
fatal "export variable REPOSITORY or set it in .coverity-scan.conf"
fi
repo="${repo//\//%2F}"
email="${COVERITY_SCAN_SUBMIT_MAIL}"
if [ -z "${email}" ]; then
fatal "export variable COVERITY_SCAN_SUBMIT_MAIL or set it in .coverity-scan.conf"
fi
token="${COVERITY_SCAN_TOKEN}"
if [ -z "${token}" ]; then
fatal "export variable COVERITY_SCAN_TOKEN or set it in .coverity-scan.conf"
fi
if ! command -v curl > /dev/null 2>&1; then
fatal "CURL is required for coverity scan to work"
fi
# only print the output of a command
# when debugging is enabled
# used to hide the token when debugging is not enabled
debugrun() {
if [ "${COVERITY_SUBMIT_DEBUG}" = "1" ]; then
run "${@}"
return $?
else
"${@}"
return $?
fi
}
scanit() {
progress "Scanning using coverity"
COVERITY_PATH=$(find "${INSTALL_DIR}" -maxdepth 1 -name 'cov*linux*')
export PATH=${PATH}:${COVERITY_PATH}/bin/
covbuild="${COVERITY_BUILD_PATH}"
[ -z "${covbuild}" ] && covbuild="$(which cov-build 2> /dev/null || command -v cov-build 2> /dev/null)"
if [ -z "${covbuild}" ]; then
fatal "Cannot find 'cov-build' binary in \$PATH. Export variable COVERITY_BUILD_PATH or set it in .coverity-scan.conf"
elif [ ! -x "${covbuild}" ]; then
fatal "The command '${covbuild}' is not executable. Export variable COVERITY_BUILD_PATH or set it in .coverity-scan.conf"
fi
version="$(grep "^#define PACKAGE_VERSION" config.h | cut -d '"' -f 2)"
progress "Working on netdata version: ${version}"
progress "Cleaning up old builds..."
run make clean || echo >&2 "Nothing to clean"
[ -d "cov-int" ] && rm -rf "cov-int"
[ -f netdata-coverity-analysis.tgz ] && run rm netdata-coverity-analysis.tgz
progress "Configuring netdata source..."
run autoreconf -ivf
run ./configure ${OTHER_OPTIONS}
progress "Analyzing netdata..."
run "${covbuild}" --dir cov-int make -j${cpus}
echo >&2 "Compressing analysis..."
run tar czvf netdata-coverity-analysis.tgz cov-int
echo >&2 "Sending analysis to coverity for netdata version ${version} ..."
COVERITY_SUBMIT_RESULT=$(debugrun curl --progress-bar \
--form token="${token}" \
--form email="${email}" \
--form [email protected] \
--form version="${version}" \
--form description="netdata, monitor everything, in real-time." \
https://scan.coverity.com/builds?project="${repo}")
echo "${COVERITY_SUBMIT_RESULT}" | grep -q -e 'Build successfully submitted' || echo >&2 "scan results were not pushed to coverity. Message was: ${COVERITY_SUBMIT_RESULT}"
progress "Coverity scan completed"
}
installit() {
ORIGINAL_DIR="${PWD}"
TMP_DIR="$(mktemp -d /tmp/netdata-coverity-scan-XXXXX)"
progress "Downloading coverity in ${TMP_DIR}..."
cd "${TMP_DIR}"
debugrun curl --remote-name --remote-header-name --show-error --location --data "token=${token}&project=${repo}" https://scan.coverity.com/download/linux64
if [ -f "${COVERITY_BUILD_VERSION}.tar.gz" ]; then
progress "Installing coverity..."
cd "${INSTALL_DIR}"
run sudo tar -z -x -f "${TMP_DIR}/${COVERITY_BUILD_VERSION}.tar.gz" || exit 1
rm "${TMP_DIR}/${COVERITY_BUILD_VERSION}.tar.gz"
COVERITY_PATH=$(find "${INSTALL_DIR}" -maxdepth 1 -name 'cov*linux*')
export PATH=${PATH}:${COVERITY_PATH}/bin/
elif find . -name "*.tar.gz" > /dev/null 2>&1; then
ls ./*.tar.gz
fatal "Downloaded coverity tool tarball does not appear to be the version we were expecting, exiting."
else
fatal "Failed to download coverity tool tarball!"
fi
# Validate the installation
covbuild="$(which cov-build 2> /dev/null || command -v cov-build 2> /dev/null)"
if [ -z "$covbuild" ]; then
fatal "Failed to install coverity."
fi
progress "Coverity scan tools are installed."
cd "$ORIGINAL_DIR"
# Clean temp directory
[ -n "${TMP_DIR}" ] && rm -rf "${TMP_DIR}"
return 0
}
OTHER_OPTIONS="--disable-lto"
OTHER_OPTIONS+=" --with-zlib"
OTHER_OPTIONS+=" --with-math"
OTHER_OPTIONS+=" --enable-lz4"
OTHER_OPTIONS+=" --enable-openssl"
OTHER_OPTIONS+=" --enable-jsonc"
OTHER_OPTIONS+=" --enable-plugin-nfacct"
OTHER_OPTIONS+=" --enable-plugin-freeipmi"
OTHER_OPTIONS+=" --enable-plugin-cups"
OTHER_OPTIONS+=" --enable-exporting-prometheus-remote-write"
# TODO: enable these plugins too
#OTHER_OPTIONS+=" --enable-plugin-xenstat"
#OTHER_OPTIONS+=" --enable-exporting-kinesis"
#OTHER_OPTIONS+=" --enable-exporting-mongodb"
FOUND_OPTS="NO"
while [ -n "${1}" ]; do
if [ "${1}" = "--with-install" ]; then
progress "Running coverity install"
installit
shift 1
elif [ -n "${1}" ]; then
# Clear the default arguments, once you bump into the first argument
if [ "${FOUND_OPTS}" = "NO" ]; then
OTHER_OPTIONS="${1}"
FOUND_OPTS="YES"
else
OTHER_OPTIONS+=" ${1}"
fi
shift 1
else
break
fi
done
echo "Running coverity scan with extra options ${OTHER_OPTIONS}"
scanit "${OTHER_OPTIONS}"