Re: [Qemu-devel] [PATCH 2/3] scripts/run-coverity-scan: Script to run Coverity Scan build

[Alex Bennée]

Peter Maydell <address@hidden> writes:

> Add a new script to automate the process of running the Coverity
> Scan build tools and uploading the resulting tarball to the
> website. This is primarily intended to be driven from Travis,
> but it can be run locally (if you are a maintainer of the
> QEMU project on the Coverity Scan website and have the secret
> upload token).
>
> Signed-off-by: Peter Maydell <address@hidden>

Reviewed-by: Alex Bennée <address@hidden>

> ---
>  scripts/run-coverity-scan | 170 
> ++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 170 insertions(+)
>  create mode 100755 scripts/run-coverity-scan
>
> diff --git a/scripts/run-coverity-scan b/scripts/run-coverity-scan
> new file mode 100755
> index 0000000..e6d5fc5
> --- /dev/null
> +++ b/scripts/run-coverity-scan
> @@ -0,0 +1,170 @@
> +#!/bin/sh -e
> +
> +# Upload a created tarball to Coverity Scan, as per
> +# https://scan.coverity.com/projects/qemu/builds/new
> +
> +# This work is licensed under the terms of the GNU GPL version 2,
> +# or (at your option) any later version.
> +# See the COPYING file in the top-level directory.
> +#
> +# Copyright (c) 2017 Linaro Limited
> +# Written by Peter Maydell
> +
> +# Note that this script will automatically download and
> +# run the (closed-source) coverity build tools, so don't
> +# use it if you don't trust them!
> +
> +# This script assumes that you're running it from a QEMU source
> +# tree, and that tree is a fresh clean one, because we do an in-tree
> +# build. (This is necessary so that the filenames that the Coverity
> +# Scan server sees are relative paths that match up with the component
> +# regular expressions it uses; an out-of-tree build won't work for this.)
> +# The host machine should have as many of QEMU's dependencies
> +# installed as possible, for maximum coverity coverage.
> +
> +# You need to pass the following environment variables to the script:
> +#  COVERITY_TOKEN -- this is the secret 8 digit hex string which lets
> +#                    you upload to Coverity Scan. If you're a maintainer
> +#                    in Coverity then the web UI will tell you this.
> +#  COVERITY_EMAIL -- the email address to use for uploads
> +
> +# and optionally
> +#  COVERITY_DRYRUN -- set to not actually do the upload
> +#  COVERITY_BUILD_CMD -- make command (defaults to 'make -j8')
> +#  COVERITY_TOOL_BASE -- set to directory to put coverity tools
> +#                        (defaults to /tmp/coverity-tools)
> +
> +# The primary purpose of this script is to be run as part of
> +# a Travis build, but it is possible to run it manually locally.
> +
> +if [ -z "$COVERITY_TOKEN" ]; then
> +    echo "COVERITY_TOKEN environment variable not set"
> +    exit 1
> +fi
> +
> +if [ -z "$COVERITY_EMAIL" ]; then
> +    echo "COVERITY_EMAIL environment variable not set"
> +    exit 1
> +fi
> +
> +if [ -z "$COVERITY_BUILD_CMD" ]; then
> +    echo "COVERITY_BUILD_CMD: using default 'make -j8'"
> +    COVERITY_BUILD_CMD="make -j8"
> +fi
> +
> +if [ -z "$COVERITY_TOOL_BASE" ]; then
> +    echo "COVERITY_TOOL_BASE: using default /tmp/coverity-tools"
> +    COVERITY_TOOL_BASE=/tmp/coverity-tools
> +fi
> +
> +PROJTOKEN="$COVERITY_TOKEN"
> +PROJNAME=QEMU
> +TARBALL=cov-int.tar.xz
> +SRCDIR="$(pwd)"
> +
> +echo "Checking this is a QEMU source tree..."
> +if ! [ -e VERSION ]; then
> +    echo "Not in a QEMU source tree?"
> +    exit 1
> +fi
> +
> +echo "Checking upload permissions..."
> +
> +if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted 
> --post-data "token=$PROJTOKEN&project=$PROJNAME" -q -O -)"; then
> +    echo "Coverity Scan API access denied: bad token?"
> +    exit 1
> +fi
> +
> +# Really up_perm is a JSON response with either
> +# {upload_permitted:true} or {next_upload_permitted_at:<date>}
> +# We do some hacky string parsing instead of properly parsing it.
> +case "$up_perm" in
> +    *upload_permitted*true*)
> +        echo "Coverity Scan: upload permitted"
> +        ;;
> +    *next_upload_permitted_at*)
> +        if [ -z "$COVERITY_DRYRUN" ]; then
> +            echo "Coverity Scan: upload quota reached; stopping here"
> +            # Exit success as this isn't a build error.
> +            exit 0
> +        else
> +            echo "Coverity Scan: upload quota reached, continuing dry run"
> +        fi
> +        ;;
> +    *)
> +        echo "Coverity Scan upload check: unexpected result $up_perm"
> +        exit 1
> +        ;;
> +esac
> +
> +mkdir -p "$COVERITY_TOOL_BASE"
> +cd "$COVERITY_TOOL_BASE"
> +
> +echo "Checking for new version of coverity build tools..."
> +wget https://scan.coverity.com/download/linux64 --post-data 
> "token=$PROJTOKEN&project=$PROJNAME&md5=1" -O coverity_tool.md5.new
> +
> +if ! cmp -s coverity_tool.md5 coverity_tool.md5.new; then
> +    # out of date md5 or no md5: download new build tool
> +    # blow away the old build tool
> +    echo "Downloading coverity build tools..."
> +    rm -rf coverity_tool coverity_tool.tgz
> +    wget https://scan.coverity.com/download/linux64 --post-data 
> "token=$PROJTOKEN&project=$PROJNAME" -O coverity_tool.tgz
> +    if ! (cat coverity_tool.md5.new; echo "  coverity_tool.tgz") | md5sum -c 
> --status; then
> +        echo "Downloaded tarball didn't match md5sum!"
> +        exit 1
> +    fi
> +    # extract the new one, keeping it corralled in a 'coverity_tool' 
> directory
> +    echo "Unpacking coverity build tools..."
> +    mkdir -p coverity_tool
> +    cd coverity_tool
> +    tar xf ../coverity_tool.tgz
> +    cd ..
> +    mv coverity_tool.md5.new coverity_tool.md5
> +fi
> +
> +rm -f coverity_tool.md5.new
> +
> +TOOLBIN="$(echo $(pwd)/coverity_tool/cov-analysis-*/bin)"
> +
> +if ! test -x "$TOOLBIN/cov-build"; then
> +    echo "Couldn't find cov-build in the coverity build-tool directory??"
> +    exit 1
> +fi
> +
> +export PATH="$TOOLBIN:$PATH"
> +
> +cd "$SRCDIR"
> +
> +echo "Doing make distclean..."
> +make distclean
> +
> +echo "Configuring..."
> +./configure --audio-drv-list=oss,alsa,sdl,pa --disable-werror
> +
> +echo "Making libqemustub.a..."
> +make libqemustub.a
> +
> +echo "Running cov-build..."
> +rm -rf cov-int
> +mkdir cov-int
> +cov-build --dir cov-int $COVERITY_BUILD_CMD
> +
> +echo "Creating results tarball..."
> +tar cvf - cov-int | xz > "$TARBALL"
> +
> +echo "Uploading results tarball..."
> +
> +VERSION="$(git describe --always HEAD)"
> +DESCRIPTION="$(git rev-parse HEAD)"
> +
> +if ! [ -z "$COVERITY_DRYRUN" ]; then
> +    echo "Dry run only, not uploading $TARBALL"
> +    exit 0
> +fi
> +
> +curl --form token="$PROJTOKEN" --form email="$COVERITY_EMAIL" \
> +     --form file=@"$TARBALL" --form version="$VERSION" \
> +     --form description="$DESCRIPTION" \
> +     https://scan.coverity.com/builds?project="$PROJNAME";
> +
> +echo "Done."


--
Alex Bennée