From a56b6230d0b1901c01e355320c7afdbf5a6ae01b Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 25 Sep 2023 11:50:57 +0000 Subject: [PATCH 1/6] ci: add a GitHub workflow to submit Coverity scans Coverity is a static analysis tool that detects and generates reports on various security and code quality issues. It is particularly useful when diagnosing memory safety issues which may be used as part of exploiting a security vulnerability. Coverity's website provides a service that accepts "builds" (which contains the object files generated during a standard build as well as a database generated by Coverity's scan tool). Let's add a GitHub workflow to automate all of this. To avoid running it without appropriate Coverity configuration (e.g. the token required to use Coverity's services), the job only runs when the repository variable "ENABLE_COVERITY_SCAN_FOR_BRANCHES" has been configured accordingly (see https://docs.github.com/en/actions/learn-github-actions/variables for details how to configure repository variables): It is expected to be a valid JSON array of branch strings, e.g. `["main", "next"]`. In addition, this workflow requires two repository secrets: - COVERITY_SCAN_EMAIL: the email to send the report to, and - COVERITY_SCAN_TOKEN: the Coverity token (look in the Project Settings tab of your Coverity project). Note: The initial version of this patch used `vapier/coverity-scan-action` to benefit from that Action's caching of the Coverity tool, which is rather large. Sadly, that Action only supports Linux, and we want to have the option of building on Windows, too. Besides, in the meantime Coverity requires `cov-configure` to be runantime, and that Action was not adjusted accordingly, i.e. it seems not to be maintained actively. Therefore it would seem prudent to implement the steps manually instead of using that Action. Initial-patch-by: Taylor Blau Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- .github/workflows/coverity.yml | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/coverity.yml diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml new file mode 100644 index 0000000000..d8d1e32857 --- /dev/null +++ b/.github/workflows/coverity.yml @@ -0,0 +1,58 @@ +name: Coverity + +# This GitHub workflow automates submitting builds to Coverity Scan. To enable it, +# set the repository variable `ENABLE_COVERITY_SCAN_FOR_BRANCHES` (for details, see +# https://docs.github.com/en/actions/learn-github-actions/variables) to a JSON +# string array containing the names of the branches for which the workflow should be +# run, e.g. `["main", "next"]`. +# +# In addition, two repository secrets must be set (for details how to add secrets, see +# https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions): +# `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the +# email to which the Coverity reports should be sent and the latter can be +# obtained from the Project Settings tab of the Coverity project). + +on: + push: + +jobs: + coverity: + if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name) + runs-on: ubuntu-latest + env: + COVERITY_PROJECT: git + COVERITY_LANGUAGE: cxx + COVERITY_PLATFORM: linux64 + steps: + - uses: actions/checkout@v3 + - run: ci/install-dependencies.sh + env: + runs_on_pool: ubuntu-latest + + - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}}) + run: | + curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ + --fail --no-progress-meter \ + --output $RUNNER_TEMP/cov-analysis.tgz \ + --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ + --form project="$COVERITY_PROJECT" + - name: extract the Coverity Build Tool + run: | + mkdir $RUNNER_TEMP/cov-analysis && + tar -xzf $RUNNER_TEMP/cov-analysis.tgz --strip 1 -C $RUNNER_TEMP/cov-analysis + - name: build with cov-build + run: | + export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" && + cov-configure --gcc && + cov-build --dir cov-int make -j$(nproc) + - name: package the build + run: tar -czvf cov-int.tgz cov-int + - name: submit the build to Coverity Scan + run: | + curl \ + --fail \ + --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ + --form email='${{ secrets.COVERITY_SCAN_EMAIL }}' \ + --form file=@cov-int.tgz \ + --form version='${{ github.sha }}' \ + "https://scan.coverity.com/builds?project=$COVERITY_PROJECT" From 002e5e9ad163f30e1664a2bf37e45097c8ab6be5 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 25 Sep 2023 11:50:58 +0000 Subject: [PATCH 2/6] coverity: cache the Coverity Build Tool It would add a 1GB+ download for every run, better cache it. This is inspired by the GitHub Action `vapier/coverity-scan-action`, however, it uses the finer-grained `restore`/`save` method to be able to cache the Coverity Build Tool even if an unrelated step in the GitHub workflow fails later on. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- .github/workflows/coverity.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index d8d1e32857..4bc1572f04 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -29,7 +29,28 @@ jobs: env: runs_on_pool: ubuntu-latest + # The Coverity site says the tool is usually updated twice yearly, so the + # MD5 of download can be used to determine whether there's been an update. + - name: get the Coverity Build Tool hash + id: lookup + run: | + MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ + --fail \ + --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ + --form project="$COVERITY_PROJECT" \ + --form md5=1) && + echo "hash=$MD5" >>$GITHUB_OUTPUT + + # Try to cache the tool to avoid downloading 1GB+ on every run. + # A cache miss will add ~30s to create, but a cache hit will save minutes. + - name: restore the Coverity Build Tool + id: cache + uses: actions/cache/restore@v3 + with: + path: ${{ runner.temp }}/cov-analysis + key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }} - name: download the Coverity Build Tool (${{ env.COVERITY_LANGUAGE }} / ${{ env.COVERITY_PLATFORM}}) + if: steps.cache.outputs.cache-hit != 'true' run: | curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ --fail --no-progress-meter \ @@ -37,9 +58,16 @@ jobs: --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ --form project="$COVERITY_PROJECT" - name: extract the Coverity Build Tool + if: steps.cache.outputs.cache-hit != 'true' run: | mkdir $RUNNER_TEMP/cov-analysis && tar -xzf $RUNNER_TEMP/cov-analysis.tgz --strip 1 -C $RUNNER_TEMP/cov-analysis + - name: cache the Coverity Build Tool + if: steps.cache.outputs.cache-hit != 'true' + uses: actions/cache/save@v3 + with: + path: ${{ runner.temp }}/cov-analysis + key: cov-build-${{ env.COVERITY_LANGUAGE }}-${{ env.COVERITY_PLATFORM }}-${{ steps.lookup.outputs.hash }} - name: build with cov-build run: | export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" && From 7bc49e8f553c0f76cccd142c33715ee8f1b15811 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 25 Sep 2023 11:50:59 +0000 Subject: [PATCH 3/6] coverity: allow overriding the Coverity project By default, the builds are submitted to the `git` project at https://scan.coverity.com/projects/git. The Git for Windows project would like to use this workflow, too, though, and needs the builds to be submitted to the `git-for-windows` Coverity project. To that end, allow configuring the Coverity project name via the repository variable, you guessed it, `COVERITY_PROJECT`. The default if that variable is not configured or has an empty value is still `git`. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- .github/workflows/coverity.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 4bc1572f04..55a3a8f5ac 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -11,6 +11,9 @@ name: Coverity # `COVERITY_SCAN_EMAIL` and `COVERITY_SCAN_TOKEN`. The former specifies the # email to which the Coverity reports should be sent and the latter can be # obtained from the Project Settings tab of the Coverity project). +# +# By default, the builds are submitted to the Coverity project `git`. To override this, +# set the repository variable `COVERITY_PROJECT`. on: push: @@ -20,7 +23,7 @@ jobs: if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name) runs-on: ubuntu-latest env: - COVERITY_PROJECT: git + COVERITY_PROJECT: ${{ vars.COVERITY_PROJECT || 'git' }} COVERITY_LANGUAGE: cxx COVERITY_PLATFORM: linux64 steps: From d3c3ffa6249adce1f007ac43374cb540524fe767 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 25 Sep 2023 11:51:00 +0000 Subject: [PATCH 4/6] coverity: support building on Windows By adding the repository variable `ENABLE_COVERITY_SCAN_ON_OS` with a value, say, `["windows-latest"]`, this GitHub workflow now runs on Windows, allowing to analyze Windows-specific issues. This allows, say, the Git for Windows fork to submit Windows builds to Coverity Scan instead of Linux builds. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- .github/workflows/coverity.yml | 57 ++++++++++++++++++++++++++++++---- 1 file changed, 51 insertions(+), 6 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 55a3a8f5ac..ca364c3d69 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -12,31 +12,62 @@ name: Coverity # email to which the Coverity reports should be sent and the latter can be # obtained from the Project Settings tab of the Coverity project). # +# The workflow runs on `ubuntu-latest` by default. This can be overridden by setting +# the repository variable `ENABLE_COVERITY_SCAN_ON_OS` to a JSON string array specifying +# the operating systems, e.g. `["ubuntu-latest", "windows-latest"]`. +# # By default, the builds are submitted to the Coverity project `git`. To override this, # set the repository variable `COVERITY_PROJECT`. on: push: +defaults: + run: + shell: bash + jobs: coverity: if: contains(fromJSON(vars.ENABLE_COVERITY_SCAN_FOR_BRANCHES || '[""]'), github.ref_name) - runs-on: ubuntu-latest + strategy: + matrix: + os: ${{ fromJSON(vars.ENABLE_COVERITY_SCAN_ON_OS || '["ubuntu-latest"]') }} + runs-on: ${{ matrix.os }} env: COVERITY_PROJECT: ${{ vars.COVERITY_PROJECT || 'git' }} COVERITY_LANGUAGE: cxx - COVERITY_PLATFORM: linux64 + COVERITY_PLATFORM: overridden-below steps: - uses: actions/checkout@v3 + - name: install minimal Git for Windows SDK + if: contains(matrix.os, 'windows') + uses: git-for-windows/setup-git-for-windows-sdk@v1 - run: ci/install-dependencies.sh + if: contains(matrix.os, 'ubuntu') env: - runs_on_pool: ubuntu-latest + runs_on_pool: ${{ matrix.os }} # The Coverity site says the tool is usually updated twice yearly, so the # MD5 of download can be used to determine whether there's been an update. - name: get the Coverity Build Tool hash id: lookup run: | + case "${{ matrix.os }}" in + *windows*) + COVERITY_PLATFORM=win64 + COVERITY_TOOL_FILENAME=cov-analysis.zip + ;; + *ubuntu*) + COVERITY_PLATFORM=linux64 + COVERITY_TOOL_FILENAME=cov-analysis.tgz + ;; + *) + echo '::error::unhandled OS ${{ matrix.os }}' >&2 + exit 1 + ;; + esac + echo "COVERITY_PLATFORM=$COVERITY_PLATFORM" >>$GITHUB_ENV + echo "COVERITY_TOOL_FILENAME=$COVERITY_TOOL_FILENAME" >>$GITHUB_ENV MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ --fail \ --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ @@ -57,14 +88,28 @@ jobs: run: | curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ --fail --no-progress-meter \ - --output $RUNNER_TEMP/cov-analysis.tgz \ + --output $RUNNER_TEMP/$COVERITY_TOOL_FILENAME \ --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ --form project="$COVERITY_PROJECT" - name: extract the Coverity Build Tool if: steps.cache.outputs.cache-hit != 'true' run: | - mkdir $RUNNER_TEMP/cov-analysis && - tar -xzf $RUNNER_TEMP/cov-analysis.tgz --strip 1 -C $RUNNER_TEMP/cov-analysis + case "$COVERITY_TOOL_FILENAME" in + *.tgz) + mkdir $RUNNER_TEMP/cov-analysis && + tar -xzf $RUNNER_TEMP/$COVERITY_TOOL_FILENAME --strip 1 -C $RUNNER_TEMP/cov-analysis + ;; + *.zip) + cd $RUNNER_TEMP && + mkdir cov-analysis-tmp && + unzip -d cov-analysis-tmp $COVERITY_TOOL_FILENAME && + mv cov-analysis-tmp/* cov-analysis + ;; + *) + echo "::error::unhandled archive type: $COVERITY_TOOL_FILENAME" >&2 + exit 1 + ;; + esac - name: cache the Coverity Build Tool if: steps.cache.outputs.cache-hit != 'true' uses: actions/cache/save@v3 From c13d2adf8b4e5e364224b97c3ec6cbe29a7f23ed Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 25 Sep 2023 11:51:01 +0000 Subject: [PATCH 5/6] coverity: allow running on macOS For completeness' sake, let's add support for submitting macOS builds to Coverity Scan. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- .github/workflows/coverity.yml | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index ca364c3d69..53f9ee6a41 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -43,7 +43,7 @@ jobs: if: contains(matrix.os, 'windows') uses: git-for-windows/setup-git-for-windows-sdk@v1 - run: ci/install-dependencies.sh - if: contains(matrix.os, 'ubuntu') + if: contains(matrix.os, 'ubuntu') || contains(matrix.os, 'macos') env: runs_on_pool: ${{ matrix.os }} @@ -56,10 +56,17 @@ jobs: *windows*) COVERITY_PLATFORM=win64 COVERITY_TOOL_FILENAME=cov-analysis.zip + MAKEFLAGS=-j$(nproc) + ;; + *macos*) + COVERITY_PLATFORM=macOSX + COVERITY_TOOL_FILENAME=cov-analysis.dmg + MAKEFLAGS=-j$(sysctl -n hw.physicalcpu) ;; *ubuntu*) COVERITY_PLATFORM=linux64 COVERITY_TOOL_FILENAME=cov-analysis.tgz + MAKEFLAGS=-j$(nproc) ;; *) echo '::error::unhandled OS ${{ matrix.os }}' >&2 @@ -68,6 +75,7 @@ jobs: esac echo "COVERITY_PLATFORM=$COVERITY_PLATFORM" >>$GITHUB_ENV echo "COVERITY_TOOL_FILENAME=$COVERITY_TOOL_FILENAME" >>$GITHUB_ENV + echo "MAKEFLAGS=$MAKEFLAGS" >>$GITHUB_ENV MD5=$(curl https://scan.coverity.com/download/$COVERITY_LANGUAGE/$COVERITY_PLATFORM \ --fail \ --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ @@ -99,6 +107,16 @@ jobs: mkdir $RUNNER_TEMP/cov-analysis && tar -xzf $RUNNER_TEMP/$COVERITY_TOOL_FILENAME --strip 1 -C $RUNNER_TEMP/cov-analysis ;; + *.dmg) + cd $RUNNER_TEMP && + attach="$(hdiutil attach $COVERITY_TOOL_FILENAME)" && + volume="$(echo "$attach" | cut -f 3 | grep /Volumes/)" && + mkdir cov-analysis && + cd cov-analysis && + sh "$volume"/cov-analysis-macosx-*.sh && + ls -l && + hdiutil detach "$volume" + ;; *.zip) cd $RUNNER_TEMP && mkdir cov-analysis-tmp && @@ -120,7 +138,7 @@ jobs: run: | export PATH="$RUNNER_TEMP/cov-analysis/bin:$PATH" && cov-configure --gcc && - cov-build --dir cov-int make -j$(nproc) + cov-build --dir cov-int make - name: package the build run: tar -czvf cov-int.tgz cov-int - name: submit the build to Coverity Scan From 3349520e1a1ffd268347ec0ebb720830428f872e Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Mon, 25 Sep 2023 11:51:02 +0000 Subject: [PATCH 6/6] coverity: detect and report when the token or project is incorrect When trying to obtain the MD5 of the Coverity Scan Tool (in order to decide whether a cached version can be used or a new version has to be downloaded), it is possible to get a 401 (Authorization required) due to either an incorrect token, or even more likely due to an incorrect Coverity project name. Seeing an authorization failure that is caused by an incorrect project name was somewhat surprising to me when developing the Coverity workflow, as I found such a failure suggestive of an incorrect token instead. So let's provide a helpful error message about that specifically when encountering authentication issues. Signed-off-by: Johannes Schindelin Signed-off-by: Junio C Hamano --- .github/workflows/coverity.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 53f9ee6a41..e5532d381b 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -80,7 +80,18 @@ jobs: --fail \ --form token='${{ secrets.COVERITY_SCAN_TOKEN }}' \ --form project="$COVERITY_PROJECT" \ - --form md5=1) && + --form md5=1) + case $? in + 0) ;; # okay + 22) # 40x, i.e. access denied + echo "::error::incorrect token or project?" >&2 + exit 1 + ;; + *) # other error + echo "::error::Failed to retrieve MD5" >&2 + exit 1 + ;; + esac echo "hash=$MD5" >>$GITHUB_OUTPUT # Try to cache the tool to avoid downloading 1GB+ on every run.