Add coverity push script #165
Conversation
Signed-off-by: Paul Elliott <[email protected]>
paul-elliott-arm
added
enhancement
|
One possible improvment (although not yet required) would be to parameterise the project so that we can easily use this on other projects, however I'm not sure how many coverity scan projects we are allowed to have! |
There was a problem hiding this comment.
I've read the code, but not tried to run it (I'll do that when I re-review). This looks good from a high-level view, but there are several places where I found the code hard to follow. Some places seem to reinvent standard library functions, and some places have difficult-to-understand error handling that looks like it could be simpler. Generally, in Python, prefer context handlers (with …) if possible.
Signed-off-by: Paul Elliott <[email protected]>
Mistaken usage of hashlib.md5(), much simpler form is available. Signed-off-by: Paul Elliott <[email protected]>
-j without a number means unlimited, and is likely a bad idea on limited systems. Signed-off-by: Paul Elliott <[email protected]>
(Rather than empty string) Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Refactor previous function as now too small to really be required (error handling now done by exceptions thrown by run(), and only a single API call now required) Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Also make branch change recurse into submodules, as we now have one. Signed-off-by: Paul Elliott <[email protected]>
Use 'with' context, copy to backup file if required. Signed-off-by: Paul Elliott <[email protected]>
The addition of the framework necessitates this. Signed-off-by: Paul Elliott <[email protected]>
Missed as logic causes the script to just redownload the tools. Signed-off-by: Paul Elliott <[email protected]>
Instead of erroring out if the specified backup directory is non-existent, just create it. Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Useful for debug more than anything else. Signed-off-by: Paul Elliott <[email protected]>
.. and update documentation to add new options. Signed-off-by: Paul Elliott <[email protected]>
If config.h was changed upstream, it would be backed up prior to these changes being applied locally, and then restored into the wrong state. Signed-off-by: Paul Elliott <[email protected]>
There was a problem hiding this comment.
Thanks for the updates! On code inspection, I believe I now understand what the code is doing, and would be able to maintain it going forward.
I haven't tried running the script yet (and there's a typo that looks like it would fail midway).
I wonder how to test it: how far can we go before consuming a limited Coverity credit: is that consumed by the build request? By triggering? Could we have a test mode in the script that does everything except the credit-consuming step, and leaves behind or prints out all necessary information to do the credit-consuming step manually?
| logger.log(logging.ERROR, format_exc()) | ||
| ret_code = 1 | ||
| except CalledProcessError as e: | ||
| logger.log(logging.ERROR, 'Command {} returned {}\n Output : {}'.format(e.cmd, |
There was a problem hiding this comment.
[non-blocker] The error message says “Output”, which suggests stdout, but we're showing stderr.
Should we show both? Given that this is intended as a CI script which may run in environments that are subtly different from local testing, and therefore failures may be difficult to reproduce, I'd prefer to err on the side of logging everything.
| # Backup config files here prior to running config.py, as the branch checkout may also have | ||
| # changed them, and backing up before this point will end up with old versions of the file being | ||
| # restored. | ||
| backup_config_files(logger, mbedtls_path, False) |
There was a problem hiding this comment.
[semi-blocker: it doesn't work but I think I know how to fix it] mbedtls_path is not defined here. There's a variable mbedtls_dir but we're already chdir'ed into that, so I guess os.curdir? Because of the chdir, using mbedtls_dir here would be wrong if it's a relative path.
| The token can either be passed in as an argument with -t, or via the environment | ||
| in the variable 'COVERITY_TOKEN' | ||
|
|
||
| Other options: |
There was a problem hiding this comment.
[non-blocker] It might be better to leave out the list of options here. They're already documented through the argparse calls and I fear that we'll forget to update the text here.
| Build the MBed TLS source located in the passed in dir, using the tools specified, using the | ||
| given pre-build and build commands. Tar the results up into the given file name, as required by | ||
| coverity. | ||
| """ | ||
|
|
||
| os.chdir(mbedtls_dir) |
There was a problem hiding this comment.
[non-blocker] Because of the chdir call here, I'm not sure how the each command line arguments will be interpreted if they're relative paths, or if they even can be relative paths. It would be more robust to not call chdir and pass cwd=mbedtls_dir to subprocess.run calls.
Description
This is the script to allow us to push coverity builds from Jenkins (or anyone's machine come to that)
Functionality is documented within the script, but to test:
either:
or
The token can be found from the coverity web interface, and for the email address I would use your own email address for now (email address is unfortunately compulsary). Conversations are ongoing about which address to use for notifications in the future, the notification email will look like this:
Should new defects be found, another email will be generated, but this will go to the whole team (this is specified within coverity itself)
WARNING - the mbedtls directory specified will be switched to the latest version of the branch specified, any outstanding differences will currently cause the script to fail (in my opinion better than forcing anything).
This constitutes stage 1 of getting coverity push back into CI, getting this script reviewed so that we can at least check its in the correct shape, then stage 2 will be adding the groovy and testing in the repo. I currently envisage this to be added shortly after the existing push from
developmenttocoverity_scanbranches in the nightly runs.