scripts: update run-scan-build

* Do not build test target Building the test target breaks the whole build since the tests for libsepol require checkpolicy to be build already: make[2]: *** No rule to make target '../../checkpolicy/y.tab.o', needed by 'libsepol-tests'. Stop. make[2]: *** Waiting for unfinished jobs.... Since issues in the test suites are not critical do not build them. * Update build status reporting Since the script sets the option -e scan-build will immediately exit on failure and the informative message "++ Build failed" is not printed. * Bump to fortify level 3 * Fix typo Signed-off-by: Christian Göttsche <[email protected]> Acked-by: James Carter <[email protected]>
SELinuxProject · Nov 15, 2023 · de491fd · de491fd
1 parent a7a8295
commit de491fd
Showing 1 changed file with 5 additions and 8 deletions.
diff --git a/scripts/run-scan-build b/scripts/run-scan-build
@@ -1,7 +1,7 @@
 #!/bin/sh
 # Run clang's static analyzer (scan-build) and record its output in output-scan-build/
 
-# Allow overriding binariy names, like clang-12
+# Allow overriding binary names, like clang-12
 export CC=${CC:-clang}
 SCAN_BUILD=${SCAN_BUILD:-scan-build}
 
@@ -32,15 +32,12 @@ fi
 make -C .. clean distclean -j"$(nproc)"
 $SCAN_BUILD -analyze-headers -o "$OUTPUTDIR" make -C .. \
     DESTDIR="$DESTDIR" \
-    CFLAGS="-O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -D__CHECKER__ -I$DESTDIR/usr/include" \
+    CFLAGS="-O2 -Wall -Wextra -D_FORTIFY_SOURCE=3 -D__CHECKER__ -I$DESTDIR/usr/include" \
     -j"$(nproc)" \
-    install install-pywrap install-rubywrap all test
+    install install-pywrap install-rubywrap all \
+    || { echo "++ Build failed!"; exit 1; }
 
-if [ $? -eq 0 ]; then
-    echo "++ Build succeeded"
-else
-    echo "++ Build failed"
-fi
+echo "++ Build succeeded"
 
 # Reduce the verbosity in order to keep the message from scan-build saying
 # "scan-build: Run 'scan-view /.../output-scan-build/2018-...' to examine bug reports.