shell/maven-coverity.sh

   1 #!/bin/bash
   2
   3 # Copyright 2019 Samsung Electronics Co., Ltd.
   4 #
   5 # Licensed under the Apache License, Version 2.0 (the "License");
   6 # you may not use this file except in compliance with the License.
   7 # You may obtain a copy of the License at
   8 #
   9 # http://www.apache.org/licenses/LICENSE-2.0
  10 #
  11 # Unless required by applicable law or agreed to in writing, software
  12 # distributed under the License is distributed on an "AS IS" BASIS,
  13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14 # See the License for the specific language governing permissions and
  15 # limitations under the License.
  16
  17 set -Eeuxo pipefail
  18 PS4='+['$(readlink -f "$0")' ${FUNCNAME[0]%main}#$LINENO] '
  19
  20 echo '---> maven-coverity.sh'
  21
  22 SUBMISSION_ATTEMPTS=5
  23 SUBMISSION_INITIAL_REST_INTERVAL=30 # seconds, will be doubled after each attempt
  24
  25 #-----------------------------------------------------------------------------
  26 # Process parameters for JS/TS/Python/Ruby/PHP files analysis
  27
  28 if [ -n "${SEARCH_PATHS:=}" ]; then
  29   for SEARCH_PATH in ${SEARCH_PATHS}; do
  30     if [ -d "${SEARCH_PATH}" ]; then
  31       FS_CAPTURE_SEARCH_PARAMS="${FS_CAPTURE_SEARCH_PARAMS:=} --fs-capture-search '${SEARCH_PATH}'"
  32     else
  33       echo "'${SEARCH_PATH}' from \$SEARCH_PATHS is not an existing directory." >&2
  34       exit 1
  35     fi
  36   done
  37
  38   for EXCLUDE_REGEX in ${SEARCH_EXCLUDE_REGEXS:=}; do
  39     EXCLUDE_REGEX=${EXCLUDE_REGEX//\'/\'\\\'\'} # escape single quote "'"
  40     FS_CAPTURE_SEARCH_PARAMS="${FS_CAPTURE_SEARCH_PARAMS} --fs-capture-search-exclude-regex '${EXCLUDE_REGEX}'"
  41
  42     # FIXME: a hack to deal with temporary(?) non-functional filter to ignore
  43     # specific source code parts by Coverity Scan ("--fs-capture-search-exclude-regex"
  44     # CLI parameter for "cov-build" tool). The hack can be removed when this CLI
  45     # parameter is fixed on Coverity side.
  46     FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS="${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS:=} --tu-pattern 'file('\\''${EXCLUDE_REGEX}'\\'')'"
  47   done
  48 fi
  49
  50 #-----------------------------------------------------------------------------
  51 # Check if we are allowed to submit results to Coverity Scan service
  52 # and have not exceeded our upload quota limits
  53 # See also: https://scan.coverity.com/faq#frequency
  54
  55 if [ "${DRY_RUN}" != 'true' ]; then
  56   CURL_OUTPUT=$(
  57     curl \
  58       --verbose \
  59       --silent \
  60       --show-error \
  61       --fail \
  62       --form "project=${COVERITY_PROJECT_NAME}" \
  63       --form "token=${COVERITY_TOKEN}" \
  64       'https://scan.coverity.com/api/upload_permitted'
  65   )
  66
  67   IS_COVERITY_UPLOAD_PERMITTED=$(
  68     echo "${CURL_OUTPUT}" \
  69     | jq '.upload_permitted'
  70   )
  71   if [ x"${IS_COVERITY_UPLOAD_PERMITTED}" != x'true' ]; then
  72     echo "Upload quota reached. Next upload permitted at "$(echo "${CURL_OUTPUT}" | jq '.next_upload_permitted_at') >&2
  73     exit 1
  74   fi
  75 fi
  76
  77 #-----------------------------------------------------------------------------
  78 # Get Coverity Scan build tool
  79
  80 curl \
  81   --verbose \
  82   --silent \
  83   --show-error \
  84   --fail \
  85   --form "project=${COVERITY_PROJECT_NAME}" \
  86   --form "token=${COVERITY_TOKEN}" \
  87   --output 'coverity_tool.tgz' \
  88   'https://scan.coverity.com/download/linux64'
  89
  90 curl \
  91   --verbose \
  92   --silent \
  93   --show-error \
  94   --fail \
  95   --form "project=${COVERITY_PROJECT_NAME}" \
  96   --form "token=${COVERITY_TOKEN}" \
  97   --form 'md5=1' \
  98   --output 'coverity_tool.md5' \
  99   'https://scan.coverity.com/download/linux64'
 100
 101 echo -n ' coverity_tool.tgz' >> 'coverity_tool.md5'
 102 md5sum --check 'coverity_tool.md5'
 103
 104 tar \
 105   --extract \
 106   --gunzip \
 107   --file='coverity_tool.tgz'
 108
 109 COVERITY_BUILD_TOOL_DIRECTORY=$(
 110   head -1 <( \
 111     tar \
 112       --list \
 113       --gunzip \
 114       --file='coverity_tool.tgz'
 115   )
 116 )
 117 COVERITY_BINARY_DIRECTORY="${COVERITY_BUILD_TOOL_DIRECTORY}bin"
 118 test -d "${COVERITY_BINARY_DIRECTORY}" \
 119   || exit 1
 120 export PATH="${PATH}:${COVERITY_BINARY_DIRECTORY}"
 121
 122 rm 'coverity_tool.tgz'
 123
 124 #-----------------------------------------------------------------------------
 125 # Build
 126
 127 export MAVEN_OPTS
 128
 129 eval cov-build \
 130   --dir 'cov-int' \
 131   --append-log \
 132   ${FS_CAPTURE_SEARCH_PARAMS:=} \
 133   "${MVN}" clean install \
 134     --errors \
 135     --global-settings "${GLOBAL_SETTINGS_FILE}" \
 136     --settings "${SETTINGS_FILE}" \
 137     ${MAVEN_OPTIONS:=} \
 138     ${MAVEN_PARAMS:=}
 139
 140 # FIXME: a hack to deal with temporary(?) non-functional filter to ignore
 141 # specific source code parts by Coverity Scan ("--fs-capture-search-exclude-regex"
 142 # CLI parameter for "cov-build" tool). The hack can be removed when this CLI
 143 # parameter is fixed on Coverity side.
 144 if [ -n "${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS:=}" ]; then
 145   eval cov-manage-emit \
 146     --dir 'cov-int' \
 147     ${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS} \
 148     delete
 149 fi
 150
 151 # Extract git data for analysed files
 152 cov-import-scm \
 153   --dir 'cov-int' \
 154   --scm 'git'
 155
 156 # List all analysed files from the project
 157 cov-manage-emit \
 158   --dir cov-int \
 159   list \
 160 | grep \
 161   --invert-match \
 162   '^Translation unit:$' \
 163 | sed \
 164   --regexp-extended \
 165   's!^[[:digit:]]+ -> !!' \
 166 | sort \
 167 > 'cov-int/coverity-scan-analysed-files.txt'
 168
 169 # List all analyzed files that are not tracked by SCM repository
 170 cov-manage-emit \
 171   --dir cov-int \
 172   list-scm-unknown \
 173 | sed \
 174   --regexp-extended \
 175   's!^[^ ]+ !!' \
 176 | sort \
 177 > 'cov-int/scm-untracked-files.txt'
 178
 179 if [ -s 'cov-int/scm-untracked-files.txt' ]; then
 180   echo '[WARNING] There are some files analysed but not tracked by SCM repository.' \
 181     'There might be 3rd-party or auto-generated sources. See details in' \
 182     '"cov-int/scm-untracked-files.txt" file.' \
 183     >&2
 184 fi
 185
 186 #-----------------------------------------------------------------------------
 187 # Submit results to Coverity service
 188
 189 if [ "${DRY_RUN}" != 'true' ]; then
 190   tar \
 191     --create \
 192     --gzip \
 193     --file='results.tgz' \
 194     'cov-int'
 195
 196   for (( ATTEMPT=1; ATTEMPT<=SUBMISSION_ATTEMPTS; ATTEMPT++ )); do
 197     CURL_OUTPUT=$(
 198       curl \
 199         --verbose \
 200         --silent \
 201         --show-error \
 202         --fail \
 203         --write-out '\n%{http_code}' \
 204         --form "project=${COVERITY_PROJECT_NAME}" \
 205         --form "email=${COVERITY_USER_EMAIL}" \
 206         --form "token=${COVERITY_TOKEN}" \
 207         --form 'file=@results.tgz' \
 208         --form "version=${GIT_COMMIT:0:7}" \
 209         --form "description=${GIT_BRANCH}" \
 210         'https://scan.coverity.com/builds'
 211     )
 212     HTTP_RESPONSE_CODE=$(echo -n "${CURL_OUTPUT}" | tail -1)
 213     test x"${HTTP_RESPONSE_CODE}" = x"200" \
 214       && break
 215
 216     sleep "${SUBMISSION_REST_INTERVAL:-$SUBMISSION_INITIAL_REST_INTERVAL}"
 217
 218     SUBMISSION_REST_INTERVAL=$(( ${SUBMISSION_REST_INTERVAL:-$SUBMISSION_INITIAL_REST_INTERVAL} * 2 ))
 219   done
 220
 221   HTTP_RESPONSE=$(echo -n "${CURL_OUTPUT}" | head -n -1 | tr -d '\n')
 222   if [ x"${HTTP_RESPONSE}" != x"Build successfully submitted." ]; then
 223     echo "Coverity Scan service responded with '${HTTP_RESPONSE}' while 'Build successfully submitted.' expected." >&2
 224     exit 1
 225   fi
 226 fi
 227
 228 #-----------------------------------------------------------------------------
 229
 230 exit 0