Commit a5dffe2f authored by Vladimír Čunát's avatar Vladimír Čunát

Merge !1259: .gitlab-ci: Coverity scan

Implements #450
parents cd4a1212 c8ce9e05
1 merge request!1259.gitlab-ci: Coverity scan
Pipeline #95750 passed with warnings with stages
in 2 hours, 49 minutes, and 48 seconds
......@@ -254,6 +254,23 @@ lint:tidy:
script:
- ninja -C build_ci* tidy
# Coverity reference: https://www.synopsys.com/blogs/software-security/integrating-coverity-scan-with-gitlab-ci/
lint:coverity:
<<: *sanity
image: $CI_REGISTRY/knot/knot-resolver/ci/debian-11-coverity:knot-$KNOT_VERSION
only:
refs:
- nightly@knot/knot-resolver
- coverity@knot/knot-resolver
script:
- meson build_ci_cov --prefix=$PREFIX
- /opt/cov-analysis/bin/cov-build --dir cov-int ninja -C build_ci_cov
- tar cfz cov-int.tar.gz cov-int
- curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
--form token=$COVERITY_SCAN_TOKEN --form email="knot-resolver@labs.nic.cz"
--form file=@cov-int.tar.gz --form version="`git describe --tags`"
--form description="`git describe --tags` / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
.kres-gen: &kres-gen
<<: *sanity
script:
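Review bot: The upload step in `lint:coverity` calls `curl` without `--fail`, so an HTTP error from scan.coverity.com (for example a rejected token) still exits 0 and the job reports success with no analysis submitted; adding `--fail --silent --show-error` to that command makes the failure visible. The token is expanded unquoted as `--form token=$COVERITY_SCAN_TOKEN`; I would write `--form "token=$COVERITY_SCAN_TOKEN"` and confirm that the variable is masked and protected in the project's CI settings, which this diff does not show. `$CI_COMMIT_TITLE` is free text inside a `--form` value, where curl treats `;` as the start of field options, so `--form-string description="…"` is the safer way to pass it.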
......
......@@ -5,4 +5,9 @@ CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
source "${CURRENT_DIR}"/vars.sh "$@"
set -ex
docker build --no-cache -t "${FULL_NAME}" "${IMAGE}" --build-arg KNOT_BRANCH=${KNOT_BRANCH}
if [ -n "$COVERITY_SCAN_TOKEN" ]; then
SECRETS="$SECRETS --secret id=coverity-token,env=COVERITY_SCAN_TOKEN"
fi
export DOCKER_BUILDKIT=1 # Enables using secrets in docker-build
docker build --no-cache -t "${FULL_NAME}" "${IMAGE}" --build-arg KNOT_BRANCH=${KNOT_BRANCH} $SECRETS
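Review bot: With `set -ex` active two lines earlier, the added test `[ -n "$COVERITY_SCAN_TOKEN" ]` is traced after expansion, so the token value is printed to the build log whenever it is set. Testing a substituted marker keeps the value out of the trace: `if [ -n "${COVERITY_SCAN_TOKEN:+set}" ]; then`. `SECRETS` is also appended to without being initialised in the visible lines, so a value inherited from the caller's environment would reach `docker build` as extra arguments; start from `SECRETS=""` unless `vars.sh` already sets it. The script's first lines are outside the hunk.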
# SPDX-License-Identifier: GPL-3.0-or-later
FROM debian:bullseye
MAINTAINER Knot Resolver <knot-resolver@labs.nic.cz>
# >= 3.0 needed because of --enable-xdp=yes
ARG KNOT_BRANCH=3.1
ARG COVERITY_SCAN_PROJECT_NAME=CZ-NIC/knot-resolver
ENV DEBIAN_FRONTEND=noninteractive
WORKDIR /root
CMD ["/bin/bash"]
# generic cleanup
RUN apt-get update -qq
# Knot and Knot Resolver dependencies
RUN apt-get install -y -qqq git make cmake pkg-config meson \
build-essential bsdmainutils libtool autoconf libcmocka-dev \
liburcu-dev libgnutls28-dev libedit-dev liblmdb-dev libcap-ng-dev libsystemd-dev \
libelf-dev libmnl-dev libidn11-dev libuv1-dev \
libluajit-5.1-dev lua-http libssl-dev libnghttp2-dev
# LuaJIT binary for stand-alone scripting
RUN apt-get install -y -qqq luajit
# build and install latest version of Knot DNS
RUN git clone --depth=1 --branch=$KNOT_BRANCH https://gitlab.nic.cz/knot/knot-dns.git /tmp/knot
WORKDIR /tmp/knot
RUN pwd
RUN autoreconf -if
RUN ./configure --prefix=/usr --enable-xdp=yes
RUN CFLAGS="-g" make
RUN make install
RUN ldconfig
# curl and tar (for downloading Coverity tools and uploading logs)
RUN apt-get install -y curl tar
RUN --mount=type=secret,id=coverity-token \
curl -o /tmp/cov-analysis-linux64.tar.gz https://scan.coverity.com/download/cxx/linux64 \
--form project=$COVERITY_SCAN_PROJECT_NAME --form token=$(cat /run/secrets/coverity-token)
RUN tar xfz /tmp/cov-analysis-linux64.tar.gz
RUN mv cov-analysis-linux64-* /opt/cov-analysis
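Review bot: The Coverity download step cannot fail on its own: the secret mount is optional by default and `curl` has no `--fail`, so a build without the token (the build script passes `--secret` only when `COVERITY_SCAN_TOKEN` is set) sends an empty `token=`, saves the server's response, presumably an error page, as the tarball, and only breaks later at `tar xfz`. Use `RUN --mount=type=secret,id=coverity-token,required=true \` and `curl --fail -o /tmp/cov-analysis-linux64.tar.gz …` so the layer stops at the real cause. Reading the token through a BuildKit secret keeps it out of the image layers and history, which deserves a comment above the `RUN`, for example `# token comes from a BuildKit secret so it is not stored in any layer`. The downloaded archive is unpacked without any integrity check and `/tmp/cov-analysis-linux64.tar.gz` stays behind in its own layer; downloading, verifying and extracting in one `RUN` would address both.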