shell/maven-coverity.sh

   1 #!/bin/bash
   2
   3 # Copyright 2019 Samsung Electronics Co., Ltd.
   4 #
   5 # Licensed under the Apache License, Version 2.0 (the "License");
   6 # you may not use this file except in compliance with the License.
   7 # You may obtain a copy of the License at
   8 #
   9 # http://www.apache.org/licenses/LICENSE-2.0
  10 #
  11 # Unless required by applicable law or agreed to in writing, software
  12 # distributed under the License is distributed on an "AS IS" BASIS,
  13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14 # See the License for the specific language governing permissions and
  15 # limitations under the License.
  16
  17 set -Eeuxo pipefail
  18 PS4='+['$(readlink -f "$0")' ${FUNCNAME[0]%main}#$LINENO] '
  19
  20 echo '---> maven-coverity.sh'
  21
  22 SUBMISSION_ATTEMPTS=5
  23 SUBMISSION_INITIAL_REST_INTERVAL=30 # seconds, will be doubled after each attempt
  24
  25 #-----------------------------------------------------------------------------
  26 # Check for git repo changes within the last $MAX_GIT_REPO_AGE_HOURS hours
  27 #
  28 # It makes sense to set the value twice the 'cron' interval for the job (e.g.
  29 # if 'cron: @daily', then MAX_GIT_REPO_AGE_HOURS=48)
  30
  31 if ! [[ "${MAX_GIT_REPO_AGE_HOURS:=0}" =~ ^[0-9]+$ ]]; then
  32   echo '[ERROR] MAX_GIT_REPO_AGE_HOURS must be non-negative integer.' \
  33     >&2
  34   exit 1
  35 fi
  36
  37 if [ ${MAX_GIT_REPO_AGE_HOURS:=0} -ne 0 ]; then
  38   LAST_COMMIT_AGE=$(( $(date +%s) - $(git log -1 --pretty=format:%ct) ))
  39
  40   if [ $LAST_COMMIT_AGE -le $(( MAX_GIT_REPO_AGE_HOURS *60*60 )) ]; then
  41     echo '[NOTICE] Git repository did not have any commits last' \
  42       "${MAX_GIT_REPO_AGE_HOURS} hours - no need to re-analyse it." \
  43       >&2
  44     exit 0
  45   fi
  46 fi
  47
  48 #-----------------------------------------------------------------------------
  49 # Process parameters for JS/TS/Python/Ruby/PHP files analysis
  50
  51 if [ -n "${SEARCH_PATHS:=}" ]; then
  52   for SEARCH_PATH in ${SEARCH_PATHS}; do
  53     if [ -d "${SEARCH_PATH}" ]; then
  54       FS_CAPTURE_SEARCH_PARAMS="${FS_CAPTURE_SEARCH_PARAMS:=} --fs-capture-search '${SEARCH_PATH}'"
  55     else
  56       echo "[ERROR] '${SEARCH_PATH}' from \$SEARCH_PATHS is not an" \
  57         "existing directory." \
  58         >&2
  59       exit 1
  60     fi
  61   done
  62
  63   for EXCLUDE_REGEX in ${SEARCH_EXCLUDE_REGEXS:=}; do
  64     EXCLUDE_REGEX=${EXCLUDE_REGEX//\'/\'\\\'\'} # escape single quote "'"
  65     FS_CAPTURE_SEARCH_PARAMS="${FS_CAPTURE_SEARCH_PARAMS} --fs-capture-search-exclude-regex '${EXCLUDE_REGEX}'"
  66
  67     # FIXME: a hack to deal with temporary(?) non-functional filter to ignore
  68     # specific source code parts by Coverity Scan ("--fs-capture-search-exclude-regex"
  69     # CLI parameter for "cov-build" tool). The hack can be removed when this CLI
  70     # parameter is fixed on Coverity side.
  71     FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS="${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS:=} --tu-pattern 'file('\\''${EXCLUDE_REGEX}'\\'')'"
  72   done
  73 fi
  74
  75 #-----------------------------------------------------------------------------
  76 # Check if we are allowed to submit results to Coverity Scan service
  77 # and have not exceeded our upload quota limits
  78 # See also: https://scan.coverity.com/faq#frequency
  79
  80 if [ "${DRY_RUN}" != 'true' ]; then
  81   CURL_OUTPUT=$(
  82     curl \
  83       --verbose \
  84       --silent \
  85       --show-error \
  86       --fail \
  87       --form "project=${COVERITY_PROJECT_NAME}" \
  88       --form "token=${COVERITY_TOKEN}" \
  89       'https://scan.coverity.com/api/upload_permitted'
  90   )
  91
  92   IS_COVERITY_UPLOAD_PERMITTED=$(
  93     echo "${CURL_OUTPUT}" \
  94     | jq '.upload_permitted'
  95   )
  96   if [ x"${IS_COVERITY_UPLOAD_PERMITTED}" != x'true' ]; then
  97     echo "[WARNING] Upload quota reached. Next upload permitted at" \
  98       $(echo "${CURL_OUTPUT}" | jq '.next_upload_permitted_at') \
  99       >&2
 100     exit 1
 101   fi
 102 fi
 103
 104 #-----------------------------------------------------------------------------
 105 # Get Coverity Scan build tool
 106
 107 curl \
 108   --verbose \
 109   --silent \
 110   --show-error \
 111   --fail \
 112   --form "project=${COVERITY_PROJECT_NAME}" \
 113   --form "token=${COVERITY_TOKEN}" \
 114   --output 'coverity_tool.tgz' \
 115   'https://scan.coverity.com/download/linux64'
 116
 117 curl \
 118   --verbose \
 119   --silent \
 120   --show-error \
 121   --fail \
 122   --form "project=${COVERITY_PROJECT_NAME}" \
 123   --form "token=${COVERITY_TOKEN}" \
 124   --form 'md5=1' \
 125   --output 'coverity_tool.md5' \
 126   'https://scan.coverity.com/download/linux64'
 127
 128 echo -n ' coverity_tool.tgz' >> 'coverity_tool.md5'
 129 md5sum --check 'coverity_tool.md5'
 130
 131 tar \
 132   --extract \
 133   --gunzip \
 134   --file='coverity_tool.tgz'
 135
 136 COVERITY_BUILD_TOOL_DIRECTORY=$(
 137   head -1 <( \
 138     tar \
 139       --list \
 140       --gunzip \
 141       --file='coverity_tool.tgz'
 142   )
 143 )
 144 COVERITY_BINARY_DIRECTORY="${COVERITY_BUILD_TOOL_DIRECTORY}bin"
 145 test -d "${COVERITY_BINARY_DIRECTORY}" \
 146   || exit 1
 147 export PATH="${PATH}:${COVERITY_BINARY_DIRECTORY}"
 148
 149 rm 'coverity_tool.tgz'
 150
 151 #-----------------------------------------------------------------------------
 152 # Build
 153
 154 export MAVEN_OPTS
 155
 156 eval cov-build \
 157   --dir 'cov-int' \
 158   --append-log \
 159   ${FS_CAPTURE_SEARCH_PARAMS:=} \
 160   "${MVN}" clean install \
 161     --errors \
 162     --global-settings "${GLOBAL_SETTINGS_FILE}" \
 163     --settings "${SETTINGS_FILE}" \
 164     ${MAVEN_OPTIONS:=} \
 165     ${MAVEN_PARAMS:=}
 166
 167 # FIXME: a hack to deal with temporary(?) non-functional filter to ignore
 168 # specific source code parts by Coverity Scan ("--fs-capture-search-exclude-regex"
 169 # CLI parameter for "cov-build" tool). The hack can be removed when this CLI
 170 # parameter is fixed on Coverity side.
 171 if [ -n "${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS:=}" ]; then
 172   eval cov-manage-emit \
 173     --dir 'cov-int' \
 174     ${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS} \
 175     delete
 176 fi
 177
 178 # Extract git data for analysed files
 179 cov-import-scm \
 180   --dir 'cov-int' \
 181   --scm 'git'
 182
 183 # List all analysed files from the project
 184 cov-manage-emit \
 185   --dir cov-int \
 186   list \
 187 | grep \
 188   --invert-match \
 189   '^Translation unit:$' \
 190 | sed \
 191   --regexp-extended \
 192   's!^[[:digit:]]+ -> !!' \
 193 | sort \
 194 > 'cov-int/coverity-scan-analysed-files.txt'
 195
 196 # List all analyzed files that are not tracked by SCM repository
 197 cov-manage-emit \
 198   --dir cov-int \
 199   list-scm-unknown \
 200 | sed \
 201   --regexp-extended \
 202   's!^[^ ]+ !!' \
 203 | sort \
 204 > 'cov-int/scm-untracked-files.txt'
 205
 206 if [ -s 'cov-int/scm-untracked-files.txt' ]; then
 207   echo '[WARNING] There are some files analysed but not tracked by SCM repository.' \
 208     'There might be 3rd-party or auto-generated sources. See details in' \
 209     '"cov-int/scm-untracked-files.txt" file.' \
 210     >&2
 211 fi
 212
 213 #-----------------------------------------------------------------------------
 214 # Submit results to Coverity service
 215
 216 if [ "${DRY_RUN}" != 'true' ]; then
 217   tar \
 218     --create \
 219     --gzip \
 220     --file='results.tgz' \
 221     'cov-int'
 222
 223   for (( ATTEMPT=1; ATTEMPT<=SUBMISSION_ATTEMPTS; ATTEMPT++ )); do
 224     CURL_OUTPUT=$(
 225       curl \
 226         --verbose \
 227         --silent \
 228         --show-error \
 229         --fail \
 230         --write-out '\n%{http_code}' \
 231         --form "project=${COVERITY_PROJECT_NAME}" \
 232         --form "email=${COVERITY_USER_EMAIL}" \
 233         --form "token=${COVERITY_TOKEN}" \
 234         --form 'file=@results.tgz' \
 235         --form "version=${GIT_COMMIT:0:7}" \
 236         --form "description=${GIT_BRANCH}" \
 237         'https://scan.coverity.com/builds'
 238     )
 239     HTTP_RESPONSE_CODE=$(echo -n "${CURL_OUTPUT}" | tail -1)
 240     test x"${HTTP_RESPONSE_CODE}" = x"200" \
 241       && break
 242
 243     sleep "${SUBMISSION_REST_INTERVAL:-$SUBMISSION_INITIAL_REST_INTERVAL}"
 244
 245     SUBMISSION_REST_INTERVAL=$(( ${SUBMISSION_REST_INTERVAL:-$SUBMISSION_INITIAL_REST_INTERVAL} * 2 ))
 246   done
 247
 248   HTTP_RESPONSE=$(echo -n "${CURL_OUTPUT}" | head -n -1 | tr -d '\n')
 249   if [ x"${HTTP_RESPONSE}" != x"Build successfully submitted." ]; then
 250     echo "[ERROR] Coverity Scan service responded with '${HTTP_RESPONSE}'" \
 251       "while 'Build successfully submitted.' expected." \
 252       >&2
 253     exit 1
 254   fi
 255
 256   echo "[INFO] Build successfully submitted to Coverity Scan server." >&2
 257 fi
 258
 259 #-----------------------------------------------------------------------------
 260 exit 0