From 97644bf95ff7303d0c1c10511384c303e954bf4c Mon Sep 17 00:00:00 2001 From: Vasil Danielov Pashov Date: Sat, 9 Nov 2024 12:19:26 +0200 Subject: [PATCH] Add coverity CI step (#1919) #### Reference Issues/PRs #### What does this implement or fix? Add Coverity scan. The current implementation does not get PR comments and does not block the build. #### Any other comments? #### Checklist
Checklist for code changes... - [ ] Have you updated the relevant docstrings, documentation and copyright notice? - [ ] Is this contribution tested against [all ArcticDB's features](../docs/mkdocs/docs/technical/contributing.md)? - [ ] Do all exceptions introduced raise appropriate [error messages](https://docs.arcticdb.io/error_messages/)? - [ ] Are API changes highlighted in the PR description? - [ ] Is the PR labelled as enhancement or bug so it appears in autogenerated release notes?
--------- Co-authored-by: Vasil Pashov --- .github/workflows/static_analysis.yml | 70 +++++++++++++++++++++++++++ coverity.yaml | 9 ++++ cpp/arcticdb/CMakeLists.txt | 3 -- 3 files changed, 79 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/static_analysis.yml create mode 100644 coverity.yaml
diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml
new file mode 100644
index 0000000000..4acbfabfe5
--- /dev/null
+++ b/.github/workflows/static_analysis.yml
@@ -0,0 +1,70 @@
+---
+ name: Coverity Static Analysis
+ on: [pull_request, workflow_dispatch]
+
+ jobs:
+ polaris-scan:
+ name: Polaris Coverity Static Analysis
+ permissions:
+ packages: write
+ runs-on: ubuntu-22.04
+ env:
+ VCPKG_NUGET_USER: ${{secrets.VCPKG_NUGET_USER || github.repository_owner}}
+ VCPKG_NUGET_TOKEN: ${{secrets.VCPKG_NUGET_TOKEN || secrets.GITHUB_TOKEN}}
+ steps:
+ - name: Get number of CPU cores
+ uses: SimenB/github-actions-cpu-cores@v2.0.0
+ id: cpu-cores
+
+ - name: Checkout Source
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ fetch-depth: 0
+
+ - name: Setup build dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y gcc-10 g++-10 make mono-complete libkrb5-dev libsasl2-dev
+
+ - name: Setup VCPKG cache
+ run: |
+ . build_tooling/vcpkg_caching.sh
+ echo -e "VCPKG_BINARY_SOURCES=$VCPKG_BINARY_SOURCES
+ VCPKG_ROOT=$PLATFORM_VCPKG_ROOT" | tee -a $GITHUB_ENV
+
+ - name: Get CMake
+ uses: lukka/get-cmake@latest
+
+ - name: CMake configure
+ uses: lukka/run-cmake@v10.8
+ env:
+ CC: "gcc-10"
+ CXX: "g++-10"
+ with:
+ cmakeListsTxtPath: ${{github.workspace}}/cpp/CMakeLists.txt
+ configurePreset: linux-release
+ configurePresetAdditionalArgs: "['-DVCPKG_INSTALL_OPTIONS=--clean-after-build', '-DCMAKE_C_COMPILER=gcc-10', '-DCMAKE_CXX_COMPILER=g++-10']"
+
+ - name: Copy Coverity config
+ run: cp ${{github.workspace}}/coverity.yaml ${{github.workspace}}/cpp/out/linux-release-build
+
+ - name: Polaris PR Scan
+ uses: synopsys-sig/synopsys-action@v1.13.0
+ with:
+ polaris_server_url: ${{ vars.POLARIS_SERVER_URL }}
+ polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ polaris_application_name: "ArcticDB"
+ polaris_project_name: "ArcticDB-core"
+ polaris_assessment_types: "SAST"
+ polaris_prComment_enabled: true
+ polaris_waitForScan: true
+ coverity_build_command: make -j ${{ steps.cpu-cores.outputs.count }}
+ coverity_clean_command: make clean
+ github_token: ${{ secrets.POLARIS_GITHUB_TOKEN }}
+ project_directory: ${{github.workspace}}/cpp/out/linux-release-build
+ include_diagnostics: true
+ polaris_reports_sarif_create: true
+ polaris_reports_sarif_groupSCAIssues: true
+ polaris_upload_sarif_report: true
+ polaris_prComment_severities: "high,critical,medium,low"
\ No newline at end of file
diff --git a/coverity.yaml b/coverity.yaml
new file mode 100644
index 0000000000..53c3e2b0ba
--- /dev/null
+++ b/coverity.yaml
@@ -0,0 +1,9 @@
+---
+capture:
+ languages:
+ include:
+ - c-family
+analyze:
+ aggressiveness-level: high
+ c-cpp-fnptr: true
+ c-cpp-virtual: true
\ No newline at end of file
diff --git a/cpp/arcticdb/CMakeLists.txt b/cpp/arcticdb/CMakeLists.txt
index 4519233faf..e79c148f8f 100644
--- a/cpp/arcticdb/CMakeLists.txt
+++ b/cpp/arcticdb/CMakeLists.txt
@@ -1001,9 +1001,6 @@ if(${TEST}) GTest::gtest GTest::gmock Python::Python # + pybind11::pybind11 (transitively included) = pybind11::embed, but latter is sometimes not found... - curl - krb5support - k5crypto util # TODO: find out where we lost the transitive link to it ) if(NOT APPLE)
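Review bot: `uses: lukka/get-cmake@latest` in the "Get CMake" step is a floating ref, and the other third-party actions in this job (`SimenB/github-actions-cpu-cores@v2.0.0`, `lukka/run-cmake@v10.8`, `synopsys-sig/synopsys-action@v1.13.0`) are pinned only to tags, which their owners can move. The job grants `packages: write`, puts `VCPKG_NUGET_TOKEN` in job-level `env:`, and hands `POLARIS_ACCESS_TOKEN` and `POLARIS_GITHUB_TOKEN` to the scan action, so a retagged release would run with those credentials. Each `uses:` should reference a full commit SHA with the release kept as a trailing comment, e.g. `uses: lukka/get-cmake@<full-commit-sha>  # <release tag>`. Moving `VCPKG_NUGET_USER`/`VCPKG_NUGET_TOKEN` from the job-level `env:` onto the steps that need the vcpkg cache (presumably "Setup VCPKG cache" and "CMake configure") would stop the remaining steps from inheriting them. It is also worth confirming what `include_diagnostics: true` publishes, since the uploaded bundle presumably contains build-environment details.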