#!/bin/sh -e
# The -e above only takes effect when this file is executed directly;
# started as 'sh run-coverity-scan' the script runs without it.

# Upload a created tarball to Coverity Scan, as per
# https://scan.coverity.com/projects/qemu/builds/new

# This work is licensed under the terms of the GNU GPL version 2,
# or (at your option) any later version.
# See the COPYING file in the top-level directory.
#
# Copyright (c) 2017-2020 Linaro Limited
# Written by Peter Maydell

# Note that this script will automatically download and
# run the (closed-source) coverity build tools, so don't
# use it if you don't trust them!

# This script assumes that you're running it from a QEMU source
# tree, and that tree is a fresh clean one, because we do an in-tree
# build. (This is necessary so that the filenames that the Coverity
# Scan server sees are relative paths that match up with the component
# regular expressions it uses; an out-of-tree build won't work for this.)
# The host machine should have as many of QEMU's dependencies
# installed as possible, for maximum coverity coverage.

# To do an upload you need to be a maintainer in the Coverity online
# service, and you will need to know the "Coverity token", which is a
# secret 8 digit hex string. You can find that from the web UI in the
# project settings, if you have maintainer access there.
#
# Treat the token as a credential. This script hands it to wget and
# curl as command-line arguments, so while those commands run it can
# be visible to other local users in the process list; run the script
# on a host whose other users you trust.

# Command line options:
#   --check-upload-only : return success if upload is possible
#   --dry-run : run the tools, but don't actually do the upload
#   --docker : create and work inside a container
#   --docker-engine : specify the container engine to use (docker/podman/auto);
#                     implies --docker
#   --update-tools-only : update the cached copy of the tools, but don't run them
#   --no-update-tools : do not update the cached copy of the tools
#   --tokenfile : file to read Coverity token from
#   --version ver : specify version being analyzed (default: ask git)
#   --description desc : specify description of this version (default: ask git)
#   --srcdir : QEMU source tree to analyze (default: current working dir)
#   --results-tarball : path to copy the results tarball to (default: don't
#                       copy it anywhere, just upload it)
#   --src-tarball : tarball to untar into src dir (default: none); this
#                   is intended mainly for internal use by the Docker support
#
# User-specifiable environment variables:
#  COVERITY_TOKEN -- Coverity token (default: looks at your
#                    coverity.token config)
#  COVERITY_EMAIL -- the email address to use for uploads (default:
#                    looks at your git coverity.email or user.email config)
#  COVERITY_BUILD_CMD -- make command (default: 'make -jN' where N is
#                    number of CPUs as determined by 'nproc')
#  COVERITY_TOOL_BASE -- set to directory to put coverity tools
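#                    (default: /tmp/coverity-tools)
#                    /tmp is shared and world-writable, and the tools
#                    unpacked under this directory are later executed;
#                    on a multi-user host set this to a directory that
#                    only you can write to.
#
# You must specify the token, either by environment variable or by
# putting it in a file and using --tokenfile. Everything else has
# a reasonable default if this is run from a git tree.

upload_permitted() {
    # Check whether we can do an upload to the server; will exit *the script*
    # with status 99 if the check failed (usually a bad token);
    # will return from the function with status 1 if the check indicated
    # that we can't upload yet (ie we are at quota)
    # Assumes that COVERITY_TOKEN and PROJNAME have been initialized.

    echo "Checking upload permissions..."

    # NOTE(review): the token is part of wget's argument list here and in
    # update_coverity_tools, so it can be seen in the process list while
    # wget runs. wget's --post-file, fed from a file only the current user
    # can read, would keep it out of the arguments.
    # Any wget failure (not only a rejected token) takes the branch below.
    if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted --post-data "token=$COVERITY_TOKEN&project=$PROJNAME" -q -O -)"; then
        echo "Coverity Scan API access denied: bad token?"
        exit 99
    fi

    # Really up_perm is a JSON response with either
    # {upload_permitted:true} or {next_upload_permitted_at:<date>}
    # We do some hacky string parsing instead of properly parsing it.
    case "$up_perm" in
        *upload_permitted*true*)
            return 0
            ;;
        *next_upload_permitted_at*)
            return 1
            ;;
        *)
            echo "Coverity Scan upload check: unexpected result $up_perm"
            exit 99
            ;;
    esac
}


check_upload_permissions() {
    # Check whether we can do an upload to the server; will exit the script
    # with status 99 if the check failed (usually a bad token);
    # will exit the script with status 0 if the check indicated that we
    # can't upload yet (ie we are at quota)
    # Assumes that COVERITY_TOKEN, PROJNAME and DRYRUN have been initialized.

    if upload_permitted; then
        echo "Coverity Scan: upload permitted"
    else
        if [ "$DRYRUN" = yes ]; then
            echo "Coverity Scan: upload quota reached, continuing dry run"
        else
            echo "Coverity Scan: upload quota reached; stopping here"
            # Exit success as this isn't a build error.
            exit 0
        fi
    fi
}


build_docker_image() {
    # build docker container including the coverity-scan tools
    # Assumes that DOCKER_ENGINE and COVERITY_TOOL_BASE are set and that
    # the current directory is the QEMU source tree (the paths below are
    # relative to it).
    echo "Building docker container..."
    # TODO: This re-unpacks the tools every time, rather than caching
    # and reusing the image produced by the COPY of the .tgz file.
    # Not sure why.
    # DOCKER_ENGINE comes from the command line; quote it so a value
    # containing whitespace cannot turn into extra docker.py arguments.
    tests/docker/docker.py --engine "$DOCKER_ENGINE" build \
        -t coverity-scanner -f scripts/coverity-scan/coverity-scan.docker \
        --extra-files scripts/coverity-scan/run-coverity-scan \
        "$COVERITY_TOOL_BASE"/coverity_tool.tgz
}

update_coverity_tools () {
    # Check for whether we need to download the Coverity tools
    # (either because we don't have a copy, or because it's out of date)
    # Assumes that COVERITY_TOOL_BASE, COVERITY_TOKEN and PROJNAME are set.
    # Also reads DOCKER and SRCDIR; the working directory is SRCDIR when
    # the function returns.

    mkdir -p "$COVERITY_TOOL_BASE"
    cd "$COVERITY_TOOL_BASE"

    echo "Checking for new version of coverity build tools..."
    # The token is on wget's command line in both requests below; see the
    # note in upload_permitted.
    wget https://scan.coverity.com/download/cxx/linux64 --post-data "token=$COVERITY_TOKEN&project=$PROJNAME&md5=1" -O coverity_tool.md5.new

    if ! cmp -s coverity_tool.md5 coverity_tool.md5.new; then
        # out of date md5 or no md5: download new build tool
        # blow away the old build tool
        echo "Downloading coverity build tools..."
        rm -rf coverity_tool coverity_tool.tgz
        wget https://scan.coverity.com/download/cxx/linux64 --post-data "token=$COVERITY_TOKEN&project=$PROJNAME" -O coverity_tool.tgz
        # The MD5 value was fetched from the same server as the tarball,
        # so this detects a corrupted or truncated download; it says
        # nothing about who produced the tools.
        # NOTE(review): md5sum checksum lines conventionally have two
        # characters between digest and file name; confirm the spacing of
        # the string below against the original file.
        if ! (cat coverity_tool.md5.new; echo " coverity_tool.tgz") | md5sum -c --status; then
            echo "Downloaded tarball didn't match md5sum!"
            exit 1
        fi

        if [ "$DOCKER" != yes ]; then
            # extract the new one, keeping it corralled in a 'coverity_tool' directory
            echo "Unpacking coverity build tools..."
            mkdir -p coverity_tool
            cd coverity_tool
            tar xf ../coverity_tool.tgz
            cd ..
            # Only the non-docker path records the new md5, so with
            # --docker the tarball is fetched again on the next run.
            mv coverity_tool.md5.new coverity_tool.md5
        fi
    fi
    rm -f coverity_tool.md5.new
    cd "$SRCDIR"

    if [ "$DOCKER" = yes ]; then
        build_docker_image
    fi
}


# Check user-provided environment variables and arguments
DRYRUN=no
UPDATE=yes
DOCKER=no
PROJNAME=QEMU

while [ "$#" -ge 1 ]; do
    case "$1" in
        --check-upload-only)
            shift
            DRYRUN=check
            ;;
        --dry-run)
            shift
            DRYRUN=yes
            ;;
        --no-update-tools)
            shift
            UPDATE=no
            ;;
        --update-tools-only)
            shift
            UPDATE=only
            ;;
        --version)
            shift
            if [ $# -eq 0 ]; then
                echo "--version needs an argument"
                exit 1
            fi
            VERSION="$1"
            shift
            ;;
        --description)
            shift
            if [ $# -eq 0 ]; then
                echo "--description needs an argument"
                exit 1
            fi
            DESCRIPTION="$1"
            shift
            ;;
        --tokenfile)
            shift
            if [ $# -eq 0 ]; then
                echo "--tokenfile needs an argument"
                exit 1
            fi
            # The file should be readable only by the user running the scan.
            COVERITY_TOKEN="$(cat "$1")"
            shift
            ;;
        --srcdir)
            shift
            if [ $# -eq 0 ]; then
                echo "--srcdir needs an argument"
                exit 1
            fi
            SRCDIR="$1"
            shift
            ;;
        --results-tarball)
            shift
            if [ $# -eq 0 ]; then
                echo "--results-tarball needs an argument"
                exit 1
            fi
            RESULTSTARBALL="$1"
            shift
            ;;
        --src-tarball)
            shift
            if [ $# -eq 0 ]; then
                echo "--src-tarball needs an argument"
                exit 1
            fi
            SRCTARBALL="$1"
            shift
            ;;
        --docker)
            DOCKER=yes
            DOCKER_ENGINE=auto
            shift
            ;;
        --docker-engine)
            shift
            if [ $# -eq 0 ]; then
                echo "--docker-engine needs an argument"
                exit 1
            fi
            DOCKER=yes
            DOCKER_ENGINE="$1"
            shift
            ;;
        *)
            echo "Unexpected argument '$1'"
            exit 1
            ;;
    esac
done

if [ -z "$COVERITY_TOKEN" ]; then
    # 'git config' exits non-zero when the key is not set; under 'sh -e'
    # that would end the script right here with no message. Tolerate it
    # so the check below can report the missing token.
    COVERITY_TOKEN="$(git config coverity.token)" || true
fi
if [ -z "$COVERITY_TOKEN" ]; then
    echo "COVERITY_TOKEN environment variable not set"
    exit 1
fi

if [ "$DRYRUN" = check ]; then
    # The exit status is that of upload_permitted: 0 if an upload is
    # possible, 1 if the quota has been reached (99 exits from inside it).
    upload_permitted
    exit $?
fi

if [ -z "$COVERITY_BUILD_CMD" ]; then
    NPROC=$(nproc)
    COVERITY_BUILD_CMD="make -j$NPROC"
    echo "COVERITY_BUILD_CMD: using default '$COVERITY_BUILD_CMD'"
fi

if [ -z "$COVERITY_TOOL_BASE" ]; then
    echo "COVERITY_TOOL_BASE: using default /tmp/coverity-tools"
    COVERITY_TOOL_BASE=/tmp/coverity-tools
fi

if [ -z "$SRCDIR" ]; then
    SRCDIR="$PWD"
fi

TARBALL=cov-int.tar.xz

if [ "$UPDATE" = only ]; then
    # Just do the tools update; we don't need to check whether
    # we are in a source tree or have upload rights for this,
    # so do it before some of the command line and source tree checks.

    if [ "$DOCKER" = yes ] && [ -n "$SRCTARBALL" ]; then
        echo "--update-tools-only --docker is incompatible with --src-tarball."
        exit 1
    fi

    update_coverity_tools
    exit 0
fi

if [ ! -e "$SRCDIR" ]; then
    mkdir "$SRCDIR"
fi

cd "$SRCDIR"

if [ -n "$SRCTARBALL" ]; then
    echo "Untarring source tarball into $SRCDIR..."
    tar xvf "$SRCTARBALL"
fi

echo "Checking this is a QEMU source tree..."
if ! [ -e "$SRCDIR/VERSION" ]; then
    echo "Not in a QEMU source tree?"
    exit 1
fi

# Fill in defaults used by the non-update-only process
if [ -z "$VERSION" ]; then
    VERSION="$(git describe --always HEAD)"
fi

if [ -z "$DESCRIPTION" ]; then
    DESCRIPTION="$(git rev-parse HEAD)"
fi

if [ -z "$COVERITY_EMAIL" ]; then
    # As with coverity.token: an unset key must not end the script under
    # 'sh -e', otherwise the user.email fallback below is never reached.
    COVERITY_EMAIL="$(git config coverity.email)" || true
fi
if [ -z "$COVERITY_EMAIL" ]; then
    # Still a fatal error when no address is configured, but say why.
    COVERITY_EMAIL="$(git config user.email)" || {
        echo "COVERITY_EMAIL not set and no git coverity.email or user.email configured"
        exit 1
    }
fi

# Otherwise, continue with the full build and upload process.

check_upload_permissions

if [ "$UPDATE" != no ]; then
    update_coverity_tools
fi

# Run ourselves inside docker if that's what the user wants
if [ "$DOCKER" = yes ]; then
    # Put the Coverity token into a temporary file that only
    # we have read access to, and then pass it to docker build
    # using a volume. A volume is enough for the token not to
    # leak into the Docker image.
    umask 077
    SECRETDIR=$(mktemp -d)
    if [ -z "$SECRETDIR" ]; then
        echo "Failed to create temporary directory"
        exit 1
    fi
    # Remove the token, the source archive and any results copy on
    # every exit path.
    trap 'rm -rf "$SECRETDIR"' INT TERM EXIT
    echo "Created temporary directory $SECRETDIR"
    SECRET="$SECRETDIR/token"
    # printf rather than echo: the value is written as-is whatever
    # characters it contains.
    printf '%s\n' "$COVERITY_TOKEN" > "$SECRET"
    echo "Archiving sources to be analyzed..."
    ./scripts/archive-source.sh "$SECRETDIR/qemu-sources.tgz"
    ARGS="--no-update-tools"
    if [ "$DRYRUN" = yes ]; then
        ARGS="$ARGS --dry-run"
    fi
    echo "Running scanner..."
    # If we need to capture the output tarball, get the inner run to
    # save it to the secrets directory so we can copy it out before the
    # directory is cleaned up.
    if [ -n "$RESULTSTARBALL" ]; then
        ARGS="$ARGS --results-tarball /work/cov-int.tar.xz"
    fi
    # Arrange for this docker run to get access to the sources with -v.
    # We pass through all the configuration from the outer script to the inner.
    export COVERITY_EMAIL COVERITY_BUILD_CMD
    # $ARGS is deliberately unquoted: it holds several fixed options that
    # must be split into separate words.
    # NOTE(review): build_docker_image passes --engine "$DOCKER_ENGINE" to
    # docker.py but this invocation does not, so a --docker-engine choice
    # may not apply to the run; confirm against docker.py's default.
    tests/docker/docker.py run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \
        -v "$SECRETDIR:/work" coverity-scanner \
        ./run-coverity-scan --version "$VERSION" \
        --description "$DESCRIPTION" $ARGS --tokenfile /work/token \
        --srcdir /qemu --src-tarball /work/qemu-sources.tgz
    if [ -n "$RESULTSTARBALL" ]; then
        echo "Copying results tarball to $RESULTSTARBALL..."
        cp "$SECRETDIR/cov-int.tar.xz" "$RESULTSTARBALL"
    fi
    echo "Docker work complete."
    exit 0
fi

# The glob is left unquoted on purpose so that it expands to the
# versioned cov-analysis-* directory inside the tool cache.
TOOLBIN="$(cd "$COVERITY_TOOL_BASE" && echo $PWD/coverity_tool/cov-analysis-*/bin)"

if ! test -x "$TOOLBIN/cov-build"; then
    echo "Couldn't find cov-build in the coverity build-tool directory??"
    exit 1
fi

# Everything under TOOLBIN now takes precedence over the system PATH,
# which is why COVERITY_TOOL_BASE must not be writable by other users.
export PATH="$TOOLBIN:$PATH"

cd "$SRCDIR"

echo "Nuking build directory..."
rm -rf +build
mkdir +build
cd +build

echo "Configuring..."
# We configure with a fixed set of enables here to ensure that we don't
# accidentally reduce the scope of the analysis by doing the build on
# the system that's missing a dependency that we need to build part of
# the codebase.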
# Configure from inside the build directory with an explicit feature list,
# one option per line. (--enable-virtfs is listed twice, as in the
# original invocation.)
../configure \
    --disable-modules \
    --enable-sdl \
    --enable-gtk \
    --enable-opengl \
    --enable-vte \
    --enable-gnutls \
    --enable-nettle \
    --enable-curses \
    --enable-curl \
    --audio-drv-list=oss,alsa,sdl,pa \
    --enable-virtfs \
    --enable-vnc \
    --enable-vnc-sasl \
    --enable-vnc-jpeg \
    --enable-png \
    --enable-xen \
    --enable-brlapi \
    --enable-linux-aio \
    --enable-attr \
    --enable-cap-ng \
    --enable-trace-backends=log \
    --enable-spice \
    --enable-rbd \
    --enable-libusb \
    --enable-usb-redir \
    --enable-libiscsi \
    --enable-libnfs \
    --enable-seccomp \
    --enable-tpm \
    --enable-libssh \
    --enable-lzo \
    --enable-snappy \
    --enable-bzip2 \
    --enable-numa \
    --enable-rdma \
    --enable-smartcard \
    --enable-virglrenderer \
    --enable-mpath \
    --enable-glusterfs \
    --enable-virtfs \
    --enable-zstd

echo "Running cov-build..."
rm -rf cov-int
mkdir cov-int
# COVERITY_BUILD_CMD stays unquoted so the shell splits it into the build
# command and its arguments; whatever it names is run as given.
cov-build --dir cov-int $COVERITY_BUILD_CMD

echo "Creating results tarball..."
# The pipeline's status is that of xz, so a failure of tar alone does not
# stop the script.
tar cvf - cov-int | xz > "$TARBALL"

# Keep a copy of the results only when a destination was requested.
if [ -n "$RESULTSTARBALL" ]; then
    echo "Copying results tarball to $RESULTSTARBALL..."
    cp "$TARBALL" "$RESULTSTARBALL"
fi

echo "Uploading results tarball..."
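
# A dry run stops after the results tarball has been built.
if [ "$DRYRUN" = yes ]; then
    echo "Dry run only, not uploading $TARBALL"
    exit 0
fi

# Upload the tarball together with the token, e-mail address, version and
# description as multipart form fields.
# The text fields use --form-string so that a value beginning with '@' or
# '<', or containing ';', is sent literally instead of being interpreted
# by curl as a file to read or as field options. Only the tarball uses
# the '@' file form.
# The URL is quoted because '?' is a shell pattern character.
# NOTE(review): the token is still on curl's command line and can be seen
# in the process list while the upload runs; curl can read a field's
# value from a file with --form 'name=<FILE' if that matters on this host.
# Without --fail, curl exits 0 on an HTTP error response, so check the
# server's reply before relying on "Done.".
curl --form-string token="$COVERITY_TOKEN" \
    --form-string email="$COVERITY_EMAIL" \
    --form file=@"$TARBALL" \
    --form-string version="$VERSION" \
    --form-string description="$DESCRIPTION" \
    "https://scan.coverity.com/builds?project=$PROJNAME"

echo "Done."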