From: Steffan Karger <steffan.karger@fox-it.com>
Date: Tue, 8 Aug 2017 15:55:41 +0000 (+0200)
Subject: Add coverity static analysis to Travis CI config
X-Git-Tag: v2.5_beta1~602
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a05f15c9aafe314ae4d3642813ebf234c09276e;p=thirdparty%2Fopenvpn.git

Add coverity static analysis to Travis CI config

Enable coverity analysis for the release/2.4 branch.

We can only do a limited number of coverity scans per week with our FOSS
account, but since we only occasionally push commits, that should work out
fine.  But this limit is the reason we don't use the standard travis addon,
because that would cause the coverity script to run on all of our matrix
builds.  That would cause us to reach our limit faster, and waste travis'
resources.

Since our FOSS coverity account doesn't handle multiple branches very well,
we have to pick one branch to run coverity on.  I think it's best to use
the most recent stable branch for that (i.e. for now, release/2.4).
Though for ease of maintenance, it's probably best to apply the patch to
both master and release/2.4.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <1502207741-31750-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15176.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
---

diff --git a/.travis.yml b/.travis.yml
index 0b5315290..79aa8c990 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -21,10 +21,13 @@ env:
     - OPENSSL_VERSION="1.0.2l"
     - OPENSSL_CFLAGS="-I${PREFIX}/include"
     - OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto"
+    # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
+    #   via the "travis encrypt" command using the project repo's public key
+    - secure: "l9mSnEW4LJqjxftH5i1NdDaYfGmQB1mPXnSB3DXnsjzkCWZ+yJLfBemfQ0tx/wS7chBYxqUaUIMT0hw4zJVp/LANFJo2vfh//ymTS6h0uApRY1ofg9Pp1BFcV1laG6/u8pwSZ2EBy/GhCd3DS436oE8sYBRaFM9FU62L/oeQBfJ7r4ID/0eB1b8bqlbD4paty9MHui2P8EZJwR+KAD84prtfpZOcrSMxPh9OUhJxzxUvvVoP4s4+lZ5Kgg1bBQ3yzKGDqe8VOgK2BWCEuezqhMMc8oeKmAe7CUkoz5gsGYH++k3I9XzP9Z4xeJKoQnC/82qi4xkJmlaOxdionej9bHIcjfRt7D8j1J0U+wOj4p8VrDy7yHaxuN2fi0K5MGa/CaXQSrkna8dePniCng+xQ2MY/zxuRX2gA6xPNLUyQLU9LqIug7wj4z84Hk9iWib4L20MoPjeEo+vAUNq8FtjOPxMuHNpv4iGGx6kgJm7RXl5vC5hxfK6MprrnYe2U5Mcd8jpzagKBaKHL3zV2FxX9k0jRO9Mccz7M2WnaV0MQ6zcngzTN4+s0kCjhfGKd2F2ANT2Gkhj3Me36eNHfuE0dBbvYCMh4b3Mgd7b/OuXwQWdJ8PjJ1WHXjSOw5sHw1suaV6cEO2Meyz5j1tOkyOi0M9QF+LFenQ9vLH4sBCww8U="
 
 matrix:
   include:
-    - env: SSLLIB="openssl"
+    - env: SSLLIB="openssl" RUN_COVERITY="1"
       os: linux
       compiler: gcc
     - env: SSLLIB="openssl" OPENSSL_VERSION="1.1.0f"
@@ -91,5 +94,8 @@ install:
   - if [ ! -z "${CHOST}" ]; then unset CC; fi
   - .travis/build-deps.sh > build-deps.log 2>&1 || (cat build-deps.log && exit 1)
 
+before_script:
+  - .travis/coverity.sh
+
 script:
   - .travis/build-check.sh
diff --git a/.travis/coverity.sh b/.travis/coverity.sh
new file mode 100755
index 000000000..8bb40f481
--- /dev/null
+++ b/.travis/coverity.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -eu
+
+RUN_COVERITY="${RUN_COVERITY:-0}"
+
+export COVERITY_SCAN_PROJECT_NAME="OpenVPN/openvpn"
+export COVERITY_SCAN_BRANCH_PATTERN="release\/2.4"
+export COVERITY_SCAN_NOTIFICATION_EMAIL="scan-reports@openvpn.net"
+export COVERITY_SCAN_BUILD_COMMAND_PREPEND="autoreconf -vi && ./configure --enable-iproute2 && make clean"
+export COVERITY_SCAN_BUILD_COMMAND="make"
+
+if [ "${RUN_COVERITY}" = "1" ]; then
+    # Ignore exit code, script exits with 1 if we're not on the right branch
+    curl -s "https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh" | bash || true
+else
+    echo "Skipping coverity scan because \$RUN_COVERITY != \"1\""
+fi