shell/maven-coverity.sh

   1 #!/bin/bash
   2
   3 # Copyright 2019 Samsung Electronics Co., Ltd.
   4 #
   5 # Licensed under the Apache License, Version 2.0 (the "License");
   6 # you may not use this file except in compliance with the License.
   7 # You may obtain a copy of the License at
   8 #
   9 # http://www.apache.org/licenses/LICENSE-2.0
  10 #
  11 # Unless required by applicable law or agreed to in writing, software
  12 # distributed under the License is distributed on an "AS IS" BASIS,
  13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14 # See the License for the specific language governing permissions and
  15 # limitations under the License.
  16
  17 set -Eeuxo pipefail
  18 PS4='+['$(readlink -f "$0")' ${FUNCNAME[0]%main}#$LINENO] '
  19
  20 echo '---> maven-coverity.sh'
  21
  22 SUBMISSION_ATTEMPTS=5
  23 SUBMISSION_INITIAL_REST_INTERVAL=30 # seconds, will be doubled after each attempt
  24
  25 #-----------------------------------------------------------------------------
  26 # Process parameters for JS/TS/Python/Ruby/PHP files analysis
  27
  28 if [ -n "${SEARCH_PATHS:=}" ]; then
  29   for SEARCH_PATH in ${SEARCH_PATHS}; do
  30     if [ -d "${SEARCH_PATH}" ]; then
  31       FS_CAPTURE_SEARCH_PARAMS="${FS_CAPTURE_SEARCH_PARAMS:=} --fs-capture-search '${SEARCH_PATH}'"
  32     else
  33       echo "'${SEARCH_PATH}' from \$SEARCH_PATHS is not an existing directory." >&2
  34       exit 1
  35     fi
  36   done
  37
  38   for EXCLUDE_REGEX in ${SEARCH_EXCLUDE_REGEXS:=}; do
  39     EXCLUDE_REGEX=${EXCLUDE_REGEX//\'/\'\\\'\'} # escape single quote "'"
  40     FS_CAPTURE_SEARCH_PARAMS="${FS_CAPTURE_SEARCH_PARAMS} --fs-capture-search-exclude-regex '${EXCLUDE_REGEX}'"
  41
  42     # FIXME: a hack to deal with temporary(?) non-functional filter to ignore
  43     # specific source code parts by Coverity Scan ("--fs-capture-search-exclude-regex"
  44     # CLI parameter for "cov-build" tool). The hack can be removed when this CLI
  45     # parameter is fixed on Coverity side.
  46     FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS="${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS:=} --tu-pattern 'file('\\''${EXCLUDE_REGEX}'\\'')'"
  47   done
  48 fi
  49
  50 #-----------------------------------------------------------------------------
  51 # Check if we are allowed to submit results to Coverity Scan service
  52 # and have not exceeded our upload quota limits
  53 # See also: https://scan.coverity.com/faq#frequency
  54
  55 CURL_OUTPUT=$(
  56   curl \
  57     --verbose \
  58     --silent \
  59     --show-error \
  60     --fail \
  61     --form "project=${COVERITY_PROJECT_NAME}" \
  62     --form "token=${COVERITY_TOKEN}" \
  63     'https://scan.coverity.com/api/upload_permitted'
  64 )
  65
  66 IS_COVERITY_UPLOAD_PERMITTED=$(
  67   echo "${CURL_OUTPUT}" \
  68   | jq '.upload_permitted'
  69 )
  70 if [ x"${IS_COVERITY_UPLOAD_PERMITTED}" != x'true' ]; then
  71   echo "Upload quota reached. Next upload permitted at "$(echo "${CURL_OUTPUT}" | jq '.next_upload_permitted_at') >&2
  72   exit 1
  73 fi
  74
  75 #-----------------------------------------------------------------------------
  76 # Get Coverity Scan build tool
  77
  78 curl \
  79   --verbose \
  80   --silent \
  81   --show-error \
  82   --fail \
  83   --form "project=${COVERITY_PROJECT_NAME}" \
  84   --form "token=${COVERITY_TOKEN}" \
  85   --output 'coverity_tool.tgz' \
  86   'https://scan.coverity.com/download/linux64'
  87
  88 curl \
  89   --verbose \
  90   --silent \
  91   --show-error \
  92   --fail \
  93   --form "project=${COVERITY_PROJECT_NAME}" \
  94   --form "token=${COVERITY_TOKEN}" \
  95   --form 'md5=1' \
  96   --output 'coverity_tool.md5' \
  97   'https://scan.coverity.com/download/linux64'
  98
  99 echo -n ' coverity_tool.tgz' >> 'coverity_tool.md5'
 100 md5sum --check 'coverity_tool.md5'
 101
 102 tar \
 103   --extract \
 104   --gunzip \
 105   --file='coverity_tool.tgz'
 106
 107 COVERITY_BUILD_TOOL_DIRECTORY=$(
 108   head -1 <( \
 109     tar \
 110       --list \
 111       --gunzip \
 112       --file='coverity_tool.tgz'
 113   )
 114 )
 115 COVERITY_BINARY_DIRECTORY="${COVERITY_BUILD_TOOL_DIRECTORY}bin"
 116 test -d "${COVERITY_BINARY_DIRECTORY}" \
 117   || exit 1
 118 export PATH="${PATH}:${COVERITY_BINARY_DIRECTORY}"
 119
 120 rm 'coverity_tool.tgz'
 121
 122 #-----------------------------------------------------------------------------
 123 # Build
 124
 125 export MAVEN_OPTS
 126
 127 eval cov-build \
 128   --dir 'cov-int' \
 129   --append-log \
 130   ${FS_CAPTURE_SEARCH_PARAMS:=} \
 131   "${MVN}" clean install \
 132     --errors \
 133     --global-settings "${GLOBAL_SETTINGS_FILE}" \
 134     --settings "${SETTINGS_FILE}" \
 135     ${MAVEN_OPTIONS:=} \
 136     ${MAVEN_PARAMS:=}
 137
 138 # FIXME: a hack to deal with temporary(?) non-functional filter to ignore
 139 # specific source code parts by Coverity Scan ("--fs-capture-search-exclude-regex"
 140 # CLI parameter for "cov-build" tool). The hack can be removed when this CLI
 141 # parameter is fixed on Coverity side.
 142 if [ -n "${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS:=}" ]; then
 143   eval cov-manage-emit \
 144     --dir 'cov-int' \
 145     ${FS_CAPTURE_SEARCH_EXCLUDE_HACK_PARAMS} \
 146     delete
 147 fi
 148
 149 # Extract git data for analysed files
 150 cov-import-scm \
 151   --dir 'cov-int' \
 152   --scm 'git'
 153
 154 # List all analysed files from the project
 155 cov-manage-emit \
 156   --dir cov-int \
 157   list \
 158 | grep \
 159   --invert-match \
 160   '^Translation unit:$' \
 161 | sed \
 162   's!^[[:digit:]]\+ -> !!' \
 163 | sort \
 164 > 'coverity-scan-analysed-files.log'
 165
 166 #-----------------------------------------------------------------------------
 167 # Submit results to Coverity service
 168
 169 tar \
 170   --create \
 171   --gzip \
 172   --file='results.tgz' \
 173   'cov-int'
 174
 175 for (( ATTEMPT=1; ATTEMPT<=SUBMISSION_ATTEMPTS; ATTEMPT++ )); do
 176   CURL_OUTPUT=$(
 177     curl \
 178       --verbose \
 179       --silent \
 180       --show-error \
 181       --fail \
 182       --write-out '\n%{http_code}' \
 183       --form "project=${COVERITY_PROJECT_NAME}" \
 184       --form "email=${COVERITY_USER_EMAIL}" \
 185       --form "token=${COVERITY_TOKEN}" \
 186       --form 'file=@results.tgz' \
 187       --form "version=${GIT_COMMIT:0:7}" \
 188       --form "description=${GIT_BRANCH}" \
 189       'https://scan.coverity.com/builds'
 190   )
 191   HTTP_RESPONSE_CODE=$(echo -n "${CURL_OUTPUT}" | tail -1)
 192   test x"${HTTP_RESPONSE_CODE}" = x"200" \
 193     && break
 194
 195   sleep "${SUBMISSION_REST_INTERVAL:-$SUBMISSION_INITIAL_REST_INTERVAL}"
 196
 197   SUBMISSION_REST_INTERVAL=$(( ${SUBMISSION_REST_INTERVAL:-$SUBMISSION_INITIAL_REST_INTERVAL} * 2 ))
 198 done
 199
 200 HTTP_RESPONSE=$(echo -n "${CURL_OUTPUT}" | head -n -1 | tr -d '\n')
 201 if [ x"${HTTP_RESPONSE}" != x"Build successfully submitted." ]; then
 202   echo "Coverity Scan service responded with '${HTTP_RESPONSE}' while 'Build successfully submitted.' expected." >&2
 203   exit 1
 204 fi
 205
 206 #-----------------------------------------------------------------------------
 207
 208 exit 0