From: Remi Gacogne Date: Wed, 25 Jan 2023 10:32:56 +0000 (+0100) Subject: Add coverity scans to our daily GitHub actions flow X-Git-Tag: dnsdist-1.8.0-rc1~71^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66c073690471ea749c744738ca24bc9108ddb15e;p=thirdparty%2Fpdns.git Add coverity scans to our daily GitHub actions flow --- diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml index 573a4862ee..4eaf434928 100644 --- a/.github/workflows/build-and-test-all.yml +++ b/.github/workflows/build-and-test-all.yml @@ -15,8 +15,11 @@ jobs: name: build auth runs-on: ubuntu-20.04 env: - UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp" ASAN_OPTIONS: detect_leaks=0 + FUZZING_TARGETS: yes + SANITIZERS: asan+ubsan + UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp" + UNIT_TESTS: yes steps: - uses: PowerDNS/pdns/set-ubuntu-mirror@meta - uses: actions/checkout@v3.1.0 @@ -58,9 +61,10 @@ jobs: matrix: sanitizers: [ubsan+asan, tsan] env: - UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp" ASAN_OPTIONS: detect_leaks=0 SANITIZERS: ${{ matrix.sanitizers }} + UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp" + UNIT_TESTS: yes defaults: run: working-directory: ./pdns/recursordist/ @@ -109,9 +113,10 @@ jobs: - sanitizers: tsan features: least env: - UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp" ASAN_OPTIONS: detect_leaks=0 SANITIZERS: ${{ matrix.sanitizers }} + UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp" + UNIT_TESTS: yes defaults: run: working-directory: ./pdns/dnsdistdist/ 
diff --git a/.github/workflows/misc-dailies.yml b/.github/workflows/misc-dailies.yml index 8159e831cb..1934930344 100644 --- a/.github/workflows/misc-dailies.yml +++ b/.github/workflows/misc-dailies.yml 
@@ -33,3 +33,83 @@ jobs: - name: Check if Debian is about to toss us off a balcony run: ./build-scripts/check-debian-autoremovals.py + + coverity-auth: + name: coverity scan of the auth + runs-on: ubuntu-20.04 + env: + FUZZING_TARGETS: no + SANITIZERS: + UNIT_TESTS: no + steps: + - uses: PowerDNS/pdns/set-ubuntu-mirror@meta + - uses: actions/checkout@v3.1.0 + with: + fetch-depth: 5 + submodules: recursive + - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade + - run: inv install-clang + - run: inv install-auth-build-deps + - run: inv install-coverity-tools ${{ secrets.coverity_auth_token }} PowerDNS + - run: inv coverity-clang-configure + - run: inv ci-autoconf + - run: inv ci-auth-configure + - run: inv coverity-make + - run: inv coverity-tarball auth.tar.bz2 + - run: inv coverity-upload ${{ secrets.coverity_auth_token }} ${{ secrets.coverity_email }} PowerDNS auth.tar.bz2 + + coverity-dnsdist: + name: coverity scan of dnsdist + runs-on: ubuntu-20.04 + env: + SANITIZERS: + UNIT_TESTS: no + steps: + - uses: PowerDNS/pdns/set-ubuntu-mirror@meta + - uses: actions/checkout@v3.1.0 + with: + fetch-depth: 5 + submodules: recursive + - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade + - run: inv install-clang + - run: inv install-dnsdist-build-deps + - run: inv install-coverity-tools ${{ secrets.coverity_dnsdist_token }} dnsdist + - run: inv coverity-clang-configure + - run: inv ci-autoconf + working-directory: ./pdns/dnsdistdist/ + - run: inv ci-dnsdist-configure full + working-directory: ./pdns/dnsdistdist/ + - run: inv coverity-make + working-directory: ./pdns/dnsdistdist/ + - run: inv coverity-tarball dnsdist.tar.bz2 + working-directory: ./pdns/dnsdistdist/ + - run: inv coverity-upload ${{ secrets.coverity_dnsdist_token }} ${{ secrets.coverity_email }} dnsdist dnsdist.tar.bz2 + working-directory: ./pdns/dnsdistdist/ + + coverity-rec: + name: coverity scan of the rec + runs-on: ubuntu-20.04 + env: + SANITIZERS: + UNIT_TESTS: 
no + steps: + - uses: PowerDNS/pdns/set-ubuntu-mirror@meta + - uses: actions/checkout@v3.1.0 + with: + fetch-depth: 5 + submodules: recursive + - run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade + - run: inv install-clang + - run: inv install-rec-build-deps + - run: inv install-coverity-tools ${{ secrets.coverity_rec_token }} 'PowerDNS+Recursor' + - run: inv coverity-clang-configure + - run: inv ci-autoconf + working-directory: ./pdns/recursordist/ + - run: inv ci-rec-configure + working-directory: ./pdns/recursordist/ + - run: inv coverity-make + working-directory: ./pdns/recursordist/ + - run: inv coverity-tarball recursor.tar.bz2 + working-directory: ./pdns/recursordist/ + - run: inv coverity-upload ${{ secrets.coverity_rec_token }} ${{ secrets.coverity_email }} 'PowerDNS+Recursor' recursor.tar.bz2 + working-directory: ./pdns/recursordist/ diff --git a/tasks.py b/tasks.py index bdabc7af11..755756feaf 100644 --- a/tasks.py +++ b/tasks.py @@ -309,6 +309,9 @@ def ci_docs_add_ssh(c, ssh_key, host_key): @task def ci_auth_configure(c): + sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+')) if os.getenv('SANITIZERS') != '' else '' + unittests = ' --enable-unit-tests --enable-backend-unit-tests' if os.getenv('UNIT_TESTS') == 'yes' else '' + fuzzingtargets = ' --enable-fuzz-targets' if os.getenv('FUZZING_TARGETS') == 'yes' else '' res = c.run('''CFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int" \ CXXFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int -Wp,-D_GLIBCXX_ASSERTIONS" \ ./configure \ @@ -319,8 +322,6 @@ def ci_auth_configure(c): --with-modules='bind geoip gmysql godbc gpgsql gsqlite3 ldap lmdb lua2 pipe remote tinydns' \ --enable-systemd \ --enable-tools \ - --enable-unit-tests \ - --enable-backend-unit-tests \ --enable-fuzz-targets \ --enable-experimental-pkcs11 \ --enable-experimental-gss-tsig \ 
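Review bot: All three coverity jobs splice `${{ secrets.coverity_*_token }}` and `${{ secrets.coverity_email }}` directly into `run:` command lines (`inv install-coverity-tools …`, `inv coverity-upload …`), so the token ends up in the argv of `inv` and then of `curl`, and the shell parses any metacharacter in a secret value. Passing the secrets through the step environment keeps them out of the command text, e.g. `env: { COVERITY_TOKEN: "${{ secrets.coverity_auth_token }}" }` on the step and `os.environ['COVERITY_TOKEN']` in the task. These jobs hold upload credentials, yet `actions/checkout@v3.1.0` and `PowerDNS/pdns/set-ubuntu-mirror@meta` are mutable refs; pinning them to a commit SHA would fix what runs next to the token. If the workflow has no `permissions:` block (none is visible in this hunk), `permissions: { contents: read }` on each job would be enough for a checkout-and-build.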
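Review bot: `fuzzingtargets` is appended in ci_auth_configure, but the following hunk (-319,8) keeps the literal `--enable-fuzz-targets \` in the configure string, so `FUZZING_TARGETS: no` in the coverity-auth job has no effect and the flag is passed twice when the variable is `yes`; the hard-coded line should go. Separately, `os.getenv('SANITIZERS')` returns None when the variable is unset, `None != ''` is true, and `.split('+')` then raises AttributeError. ci_auth_configure did not read the environment before this change, and the same expression appears in the ci_rec_configure and ci_dnsdist_configure hunks. `sanitizers = ' '.join('--enable-' + x for x in os.getenv('SANITIZERS', '').split('+') if x)` covers both the unset and the empty case. The body of ci_auth_configure continues outside this hunk.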
@@ -331,22 +332,20 @@ def ci_auth_configure(c): --prefix=/opt/pdns-auth \ --enable-ixfrdist \ --enable-fortify-source=auto \ - --enable-auto-var-init=pattern \ - --enable-asan \ - --enable-ubsan''', warn=True) + --enable-auto-var-init=pattern ''' + sanitizers + unittests + fuzzingtargets, warn=True) if res.exited != 0: c.run('cat config.log') raise UnexpectedExit(res) @task def ci_rec_configure(c): - sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+')) + sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+')) if os.getenv('SANITIZERS') != '' else '' + unittests = ' --enable-unit-tests' if os.getenv('UNIT_TESTS') == 'yes' else '' res = c.run(''' CFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int" \ CXXFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int -Wp,-D_GLIBCXX_ASSERTIONS" \ ./configure \ CC='clang-12' \ CXX='clang++-12' \ --enable-option-checking=fatal \ - --enable-unit-tests \ --enable-nod \ --enable-systemd \ --prefix=/opt/pdns-recursor \ @@ -356,7 +355,7 @@ def ci_rec_configure(c): --with-net-snmp \ --enable-fortify-source=auto \ --enable-auto-var-init=pattern \ - --enable-dns-over-tls ''' + sanitizers, warn=True) + --enable-dns-over-tls ''' + sanitizers + unittests, warn=True) if res.exited != 0: c.run('cat config.log') raise UnexpectedExit(res) 
@@ -422,7 +421,8 @@ def ci_dnsdist_configure(c, features): -DDISABLE_HASHED_CREDENTIALS \ -DDISABLE_FALSE_SHARING_PADDING \ -DDISABLE_NPN' - sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+')) + unittests = ' --enable-unit-tests' if os.getenv('UNIT_TESTS') == 'yes' else '' + sanitizers = ' '.join('--enable-'+x for x in os.getenv('SANITIZERS').split('+')) if os.getenv('SANITIZERS') != '' else '' cflags = '-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Werror=string-plus-int' cxxflags = cflags + ' -Wp,-D_GLIBCXX_ASSERTIONS ' + additional_flags res = c.run('''CFLAGS="%s" \ @@ -433,11 +433,10 @@ def ci_dnsdist_configure(c, features): CC='clang-12' \ CXX='clang++-12' \ --enable-option-checking=fatal \ - --enable-unit-tests \ --enable-fortify-source=auto \ --enable-auto-var-init=pattern \ --enable-lto=thin \ - --prefix=/opt/dnsdist %s %s''' % (cflags, cxxflags, features_set, sanitizers), warn=True) + --prefix=/opt/dnsdist %s %s %s''' % (cflags, cxxflags, features_set, sanitizers, unittests), warn=True) if res.exited != 0: c.run('cat config.log') raise UnexpectedExit(res) 
@@ -616,6 +615,31 @@ def install_swagger_tools(c): def swagger_syntax_check(c): c.run('api-spec-converter docs/http-api/swagger/authoritative-api-swagger.yaml -f swagger_2 -t openapi_3 -s json -c') +@task +def install_coverity_tools(c, token, project): + c.sudo(f'curl -s https://scan.coverity.com/download/linux64 --data "token={token}&project={project}" | gunzip | sudo tar xvf /dev/stdin --strip-components=1 --no-same-owner -C /usr/local') + +@task +def coverity_clang_configure(c): + c.sudo('/usr/local/bin/cov-configure --template --comptype clangcc --compiler clang++-12') + +@task +def coverity_make(c): + c.run('/usr/local/bin/cov-build --dir cov-int make -j8 -k') + +@task +def coverity_tarball(c, tarball): + c.run(f'tar caf {tarball} cov-int') + +@task +def coverity_upload(c, token, email, project, tarball): + c.run(f'curl --form token={token} \ + --form email="{email}" \ + --form file=@{tarball} \ + --form version="$(./builder-support/gen-version)" \ + --form description="master build" \ + https://scan.coverity.com/builds?project={project}') + # this is run always def setup(): if '/usr/lib/ccache' not in os.environ['PATH']:
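Review bot: install_coverity_tools pipes the download straight into `sudo tar … -C /usr/local` with no integrity check, and because `c.sudo()` wraps the whole string, `curl` itself runs as root. With `curl -s` and no `--fail`, an HTTP error body is handed to `gunzip` instead of stopping the task at the download. `token` and `project` are also interpolated into the shell string unescaped, which puts the token in curl's argv. The sketch below fetches as the invoking user, sends the form body over stdin, and leaves only the extraction privileged; a checksum comparison against a value published by the vendor belongs between the two steps. coverity_upload has the same argv exposure (`--form token={token}` is not even quoted) and, without `--fail`, a rejected upload would presumably still exit 0.

```python
@task
def install_coverity_tools(c, token, project):
    # Fetch as the invoking user; the form body travels over stdin so the
    # token never appears in curl's argv, and --fail stops on an HTTP error.
    c.run('printf "token=%s&project=%s" "$COVERITY_TOKEN" "$COVERITY_PROJECT" | '
          'curl --fail -sS -o coverity-tools.tgz --data @- https://scan.coverity.com/download/linux64',
          env={'COVERITY_TOKEN': token, 'COVERITY_PROJECT': project})
    # TODO(review): verify coverity-tools.tgz against a published checksum before extracting
    c.sudo('tar xzf coverity-tools.tgz --strip-components=1 --no-same-owner -C /usr/local')
```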