3 # Copyright 2019 Samsung Electronics Co., Ltd.
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
18 PS4='+['$(readlink -f "$0")' ${FUNCNAME[0]%main}#$LINENO] '
20 echo '---> maven-coverity.sh'
23 SUBMISSION_INITIAL_REST_INTERVAL=30 # seconds, will be doubled after each attempt
25 #-----------------------------------------------------------------------------
26 # Check for git repo changes within the last $MAX_GIT_REPO_AGE_HOURS hours
28 # It makes sense to set the value twice the 'cron' interval for the job (e.g.
29 # if 'cron: @daily', then MAX_GIT_REPO_AGE_HOURS=48)
31 if ! [[ "${MAX_GIT_REPO_AGE_HOURS:=0}" =~ ^[0-9]+$ ]]; then
32 echo '[ERROR] MAX_GIT_REPO_AGE_HOURS must be non-negative integer.' \
37 if [ ${MAX_GIT_REPO_AGE_HOURS:=0} -ne 0 ]; then
38 LAST_COMMIT_AGE=$(( $(date +%s) - $(git log -1 --pretty=format:%ct) ))
40 if [ $LAST_COMMIT_AGE -gt $(( MAX_GIT_REPO_AGE_HOURS *60*60 )) ]; then
41 echo '[NOTICE] Git repository did not have any commits last' \
42 "${MAX_GIT_REPO_AGE_HOURS} hours - no need to re-analyse it." \
48 #-----------------------------------------------------------------------------
49 # Process parameters for JS/TS/Python/Ruby/PHP files analysis
51 if [ -n "${SEARCH_PATHS:=}" ]; then
52 for SEARCH_PATH in ${SEARCH_PATHS}; do
53 if [ -d "${SEARCH_PATH}" ]; then
54 FS_CAPTURE_SEARCH_PARAMS="${FS_CAPTURE_SEARCH_PARAMS:=} --fs-capture-search '${SEARCH_PATH}'"
56 echo "[ERROR] '${SEARCH_PATH}' from \$SEARCH_PATHS is not an" \
57 "existing directory." \
63 for EXCLUDE_REGEX in ${SEARCH_EXCLUDE_REGEXS:=}; do
64 EXCLUDE_REGEX=${EXCLUDE_REGEX//\'/\'\\\'\'} # escape single quote "'"
65 FS_CAPTURE_SEARCH_PARAMS="${FS_CAPTURE_SEARCH_PARAMS} --fs-capture-search-exclude-regex '${EXCLUDE_REGEX}'"
67 # FIXME: a hack to deal with temporary(?) non-functional filter to ignore
68 # specific source code parts by Coverity Scan ("--fs-capture-search-exclude-regex"
69 # CLI parameter for "cov-build" tool). The hack can be removed when this CLI
70 # parameter is fixed on Coverity side.
71 FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS="${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS:=} --tu-pattern 'file('\\''${EXCLUDE_REGEX}'\\'')'"
75 #-----------------------------------------------------------------------------
76 # Check if we are allowed to submit results to Coverity Scan service
77 # and have not exceeded our upload quota limits
78 # See also: https://scan.coverity.com/faq#frequency
80 if [ "${DRY_RUN}" != 'true' ]; then
87 --form "project=${COVERITY_PROJECT_NAME}" \
88 --form "token=${COVERITY_TOKEN}" \
89 'https://scan.coverity.com/api/upload_permitted'
92 IS_COVERITY_UPLOAD_PERMITTED=$(
93 echo "${CURL_OUTPUT}" \
94 | jq '.upload_permitted'
96 if [ x"${IS_COVERITY_UPLOAD_PERMITTED}" != x'true' ]; then
97 echo "[WARNING] Upload quota reached. Next upload permitted at" \
98 $(echo "${CURL_OUTPUT}" | jq '.next_upload_permitted_at') \
104 #-----------------------------------------------------------------------------
105 # Get Coverity Scan build tool
112 --form "project=${COVERITY_PROJECT_NAME}" \
113 --form "token=${COVERITY_TOKEN}" \
114 --output '/tmp/coverity_tool.tgz' \
115 'https://scan.coverity.com/download/linux64'
122 --form "project=${COVERITY_PROJECT_NAME}" \
123 --form "token=${COVERITY_TOKEN}" \
125 --output '/tmp/coverity_tool.md5' \
126 'https://scan.coverity.com/download/linux64'
128 echo -n ' /tmp/coverity_tool.tgz' >> '/tmp/coverity_tool.md5'
129 md5sum --check '/tmp/coverity_tool.md5'
134 --file='/tmp/coverity_tool.tgz' \
137 COVERITY_BUILD_TOOL_DIRECTORY='/tmp/'$(
142 --file='/tmp/coverity_tool.tgz'
145 COVERITY_BINARY_DIRECTORY="${COVERITY_BUILD_TOOL_DIRECTORY}bin"
146 test -d "${COVERITY_BINARY_DIRECTORY}" \
148 export PATH="${PATH}:${COVERITY_BINARY_DIRECTORY}"
150 rm '/tmp/coverity_tool.tgz'
152 #-----------------------------------------------------------------------------
160 ${FS_CAPTURE_SEARCH_PARAMS:=} \
161 "${MVN}" clean install \
163 --global-settings "${GLOBAL_SETTINGS_FILE}" \
164 --settings "${SETTINGS_FILE}" \
168 # FIXME: a hack to deal with temporary(?) non-functional filter to ignore
169 # specific source code parts by Coverity Scan ("--fs-capture-search-exclude-regex"
170 # CLI parameter for "cov-build" tool). The hack can be removed when this CLI
171 # parameter is fixed on Coverity side.
172 if [ -n "${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS:=}" ]; then
173 eval cov-manage-emit \
175 ${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS} \
179 # Extract git data for analysed files
184 # List all analysed files from the project
190 '^Translation unit:$' \
193 's!^[[:digit:]]+ -> !!' \
195 > 'cov-int/coverity-scan-analysed-files.txt'
197 # List all analyzed files that are not tracked by SCM repository
205 > 'cov-int/scm-untracked-files.txt'
207 if [ -s 'cov-int/scm-untracked-files.txt' ]; then
208 echo '[WARNING] There are some files analysed but not tracked by SCM repository.' \
209 'There might be 3rd-party or auto-generated sources. See details in' \
210 '"cov-int/scm-untracked-files.txt" file.' \
214 #-----------------------------------------------------------------------------
215 # Submit results to Coverity service
217 if [ "${DRY_RUN}" != 'true' ]; then
221 --file='results.tgz' \
224 for (( ATTEMPT=1; ATTEMPT<=SUBMISSION_ATTEMPTS; ATTEMPT++ )); do
231 --write-out '\n%{http_code}' \
232 --form "project=${COVERITY_PROJECT_NAME}" \
233 --form "email=${COVERITY_USER_EMAIL}" \
234 --form "token=${COVERITY_TOKEN}" \
235 --form 'file=@results.tgz' \
236 --form "version=${GIT_COMMIT:0:7}" \
237 --form "description=${GIT_BRANCH}" \
238 'https://scan.coverity.com/builds'
240 HTTP_RESPONSE_CODE=$(echo -n "${CURL_OUTPUT}" | tail -1)
241 test x"${HTTP_RESPONSE_CODE}" = x"200" \
244 sleep "${SUBMISSION_REST_INTERVAL:-$SUBMISSION_INITIAL_REST_INTERVAL}"
246 SUBMISSION_REST_INTERVAL=$(( ${SUBMISSION_REST_INTERVAL:-$SUBMISSION_INITIAL_REST_INTERVAL} * 2 ))
249 HTTP_RESPONSE=$(echo -n "${CURL_OUTPUT}" | head -n -1 | tr -d '\n')
250 if [ x"${HTTP_RESPONSE}" != x"Build successfully submitted." ]; then
251 echo "[ERROR] Coverity Scan service responded with '${HTTP_RESPONSE}'" \
252 "while 'Build successfully submitted.' expected." \
257 echo "[INFO] Build successfully submitted to Coverity Scan server." >&2
260 #-----------------------------------------------------------------------------