Merge pull request PowerDNS#12479 from rgacogne/coverity-gh
Add coverity scans to our daily GitHub actions flow, remove them from Circle CI
rgacogne authored Jan 27, 2023
2 parents 1bc7684 + df23d4b commit ae00786
Showing 4 changed files with 128 additions and 242 deletions.
228 changes: 0 additions & 228 deletions .circleci/config.yml
@@ -53,13 +53,6 @@ commands:
apt-get update
apt-get -qq -t buster-backports --no-install-recommends install clang-8 llvm-8
install-coverity-tools:
description: Install the coverity tools to /usr/local
steps:
- run:
name: Install Coverity tools
command: curl -s https://scan.coverity.com/download/linux64 --data "token=${COVERITY_TOKEN}&project=${COVERITY_PROJECT}" | gunzip | tar xvf /dev/stdin --strip-components=1 --no-same-owner -C /usr/local

# FIXME: the build-essential wart below is misformatted intentionally to remind us to replace the remotebackend testing deps with Debian packages
auth-regress-setup:
description: Prepare the environment for auth regression tests
@@ -610,229 +603,8 @@ jobs:
context: geoip
doroot: false

coverity-auth:
docker:
- image: debian:buster
auth:
username: powerdnsreadonly
password: $DOCKERHUB_PASSWORD
steps:
- install-auth-dev-deps
- install-coverity-tools
- checkout-shallow
- run:
name: autoconf
working_directory: /opt/project/
command: BUILDER_VERSION=0.0.0-git1 autoreconf -vfi
- run:
name: configure
working_directory: /opt/project/
command: |
CFLAGS="-O1 -Werror=vla -Wformat=2 -Werror=format-security" \
CXXFLAGS="-O1 -Werror=vla -Wformat=2 -Werror=format-security -Wp,-D_GLIBCXX_ASSERTIONS" \
./configure \
--enable-option-checking=fatal \
--disable-systemd \
--with-modules='bind lmdb ldap gmysql gsqlite3 gpgsql godbc tinydns' \
--enable-tools \
--with-lmdb=/usr \
--with-libsodium \
--prefix=/opt/pdns-auth
- run:
name: build
working_directory: /opt/project/
command: /usr/local/bin/cov-build --dir cov-int make -j2 -k
- run:
name: Create Coverity tarball
working_directory: /opt/project/
command: tar caf auth.tar.bz2 cov-int
- run:
name: Upload tarball to coverity
working_directory: /opt/project/
command: |
curl --form token=${COVERITY_TOKEN} \
--form email="${COVERITY_EMAIL}" \
--form [email protected] \
--form version="$(./builder-support/gen-version)" \
--form description="master build" \
https://scan.coverity.com/builds?project=${COVERITY_PROJECT}
coverity-dnsdist:
docker:
- image: debian:buster
auth:
username: powerdnsreadonly
password: $DOCKERHUB_PASSWORD
steps:
- run:
name: Install dependencies
command: |
apt-get update && apt-get -qq --no-install-recommends install \
autoconf \
automake \
bison \
bzip2 \
ca-certificates \
curl \
flex \
g++ \
git \
libboost-all-dev \
libcap-dev \
libcdb-dev \
libedit-dev \
libfstrm-dev \
libgnutls28-dev \
liblmdb-dev \
libluajit-5.1-dev \
libnghttp2-dev \
libre2-dev \
libsnmp-dev \
libsodium-dev \
libssl-dev \
libsystemd-dev \
libtool \
make \
pkg-config \
ragel \
python3-venv
- install-coverity-tools
- checkout-shallow
- run:
name: autoconf
command: BUILDER_VERSION=0.0.0-git1 autoreconf -vfi
working_directory: /opt/project/pdns/dnsdistdist
- run:
name: configure
command: |
CFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security" \
CXXFLAGS="-O1 -Werror=vla -Werror=shadow -Wformat=2 -Werror=format-security -Wp,-D_GLIBCXX_ASSERTIONS" \
./configure \
--enable-option-checking=fatal \
--disable-systemd \
--disable-unit-tests \
--enable-dnstap \
--enable-dnscrypt \
--enable-dns-over-tls \
--prefix=/opt/dnsdist \
--with-gnutls \
--with-libsodium \
--with-lua=luajit \
--with-libcap \
--with-nghttp2 \
--with-re2
working_directory: /opt/project/pdns/dnsdistdist
- run:
name: build
command: /usr/local/bin/cov-build --dir cov-int make -j2 -k
working_directory: /opt/project/pdns/dnsdistdist
- run:
name: Create Coverity tarball
command: tar caf dnsdist.tar.bz2 cov-int
working_directory: /opt/project/pdns/dnsdistdist
- run:
name: Upload tarball to coverity
working_directory: /opt/project/
command: |
curl --form token=${COVERITY_TOKEN} \
--form email="${COVERITY_EMAIL}" \
--form file=@pdns/dnsdistdist/dnsdist.tar.bz2 \
--form version="$(./builder-support/gen-version)" \
--form description="master build" \
https://scan.coverity.com/builds?project=${COVERITY_PROJECT}
coverity-recursor:
docker:
- image: debian:buster
auth:
username: powerdnsreadonly
password: $DOCKERHUB_PASSWORD
steps:
- run:
name: Install dependencies
command: |
apt-get update && apt-get -qq --no-install-recommends install \
autoconf \
automake \
ca-certificates \
curl \
bison \
bzip2 \
flex \
g++ \
git \
libboost-all-dev \
libcap-dev \
libcurl4-openssl-dev \
libluajit-5.1-dev \
libfstrm-dev \
libsnmp-dev \
libsodium-dev \
libssl-dev \
libsystemd-dev \
libtool \
make \
pkg-config \
ragel \
python3-venv
- install-coverity-tools
- checkout-shallow
- run:
name: autoconf
command: BUILDER_VERSION=0.0.0-git1 autoreconf -vfi
working_directory: /opt/project/pdns/recursordist
- run:
name: configure
command: |
CFLAGS="-O1 -Werror=vla -Wformat=2 -Werror=format-security" \
CXXFLAGS="-O1 -Werror=vla -Wformat=2 -Werror=format-security -Wp,-D_GLIBCXX_ASSERTIONS" \
./configure \
--enable-option-checking=fatal \
--disable-systemd \
--disable-unit-tests \
--prefix=/opt/pdns-recursor \
--with-libsodium \
--with-lua=luajit \
--with-libcap \
--with-net-snmp \
--enable-dnstap \
--enable-dns-over-tls
working_directory: /opt/project/pdns/recursordist
- run:
name: build
command: /usr/local/bin/cov-build --dir cov-int make -j2 -k
working_directory: /opt/project/pdns/recursordist
- run:
name: Create Coverity tarball
command: tar caf recursor.tar.bz2 cov-int
working_directory: /opt/project/pdns/recursordist
- run:
name: Upload tarball to coverity
working_directory: /opt/project/
command: |
curl --form token=${COVERITY_TOKEN} \
--form email="${COVERITY_EMAIL}" \
--form file=@pdns/recursordist/recursor.tar.bz2 \
--form version="$(./builder-support/gen-version)" \
--form description="master build" \
https://scan.coverity.com/builds?project=${COVERITY_PROJECT}
workflows:
version: 2
coverity:
triggers:
- schedule:
cron: "0 0 * * *"
filters:
branches:
only: master
jobs:
- coverity-auth:
context: auth-coverity
- coverity-dnsdist:
context: dnsdist-coverity
- coverity-recursor:
context: recursor-coverity

build-and-test-all:
jobs:
11 changes: 8 additions & 3 deletions .github/workflows/build-and-test-all.yml
@@ -15,8 +15,11 @@ jobs:
name: build auth
runs-on: ubuntu-20.04
env:
UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
ASAN_OPTIONS: detect_leaks=0
FUZZING_TARGETS: yes
SANITIZERS: asan+ubsan
UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
UNIT_TESTS: yes
steps:
- uses: PowerDNS/pdns/set-ubuntu-mirror@meta
- uses: actions/[email protected]
@@ -58,9 +61,10 @@ jobs:
matrix:
sanitizers: [ubsan+asan, tsan]
env:
UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
ASAN_OPTIONS: detect_leaks=0
SANITIZERS: ${{ matrix.sanitizers }}
UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
UNIT_TESTS: yes
defaults:
run:
working-directory: ./pdns/recursordist/
@@ -109,9 +113,10 @@ jobs:
- sanitizers: tsan
features: least
env:
UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
ASAN_OPTIONS: detect_leaks=0
SANITIZERS: ${{ matrix.sanitizers }}
UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1:suppressions=${{ github.workspace }}/build-scripts/UBSan.supp"
UNIT_TESTS: yes
defaults:
run:
working-directory: ./pdns/dnsdistdist/
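Review bot: The added `FUZZING_TARGETS: yes` and `UNIT_TESTS: yes` entries in the three `env:` blocks are plain scalars that YAML 1.1 tooling types as booleans, so whether the build scripts see the string `yes` depends on the loader. Quoting them, `UNIT_TESTS: "yes"` and `FUZZING_TARGETS: "yes"`, keeps the environment value a string under any parser and matches the already quoted `UBSAN_OPTIONS` line. The scripts that read these variables are outside this section, so the exact value they compare against is assumed to be `yes`.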
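--- a/.github/workflows/misc-dailies.yml
+++ b/.github/workflows/misc-dailies.yml
@@ -33,3 +33,86 @@ jobs:
 
 - name: Check if Debian is about to toss us off a balcony
 run: ./build-scripts/check-debian-autoremovals.py
+
+coverity-auth:
+name: coverity scan of the auth
+runs-on: ubuntu-20.04
+env:
+COVERITY_TOKEN: ${{ secrets.coverity_auth_token }}
+FUZZING_TARGETS: no
+SANITIZERS:
+UNIT_TESTS: no
+steps:
+- uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+- uses: actions/[email protected]
+with:
+fetch-depth: 5
+submodules: recursive
+- run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
+- run: inv install-clang
+- run: inv install-auth-build-deps
+- run: inv install-coverity-tools PowerDNS
+- run: inv coverity-clang-configure
+- run: inv ci-autoconf
+- run: inv ci-auth-configure
+- run: inv coverity-make
+- run: inv coverity-tarball auth.tar.bz2
+- run: inv coverity-upload ${{ secrets.coverity_email }} PowerDNS auth.tar.bz2
+
+coverity-dnsdist:
+name: coverity scan of dnsdist
+runs-on: ubuntu-20.04
+env:
+COVERITY_TOKEN: ${{ secrets.coverity_dnsdist_token }}
+SANITIZERS:
+UNIT_TESTS: no
+steps:
+- uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+- uses: actions/[email protected]
+with:
+fetch-depth: 5
+submodules: recursive
+- run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
+- run: inv install-clang
+- run: inv install-dnsdist-build-deps
+- run: inv install-coverity-tools dnsdist
+- run: inv coverity-clang-configure
+- run: inv ci-autoconf
+working-directory: ./pdns/dnsdistdist/
+- run: inv ci-dnsdist-configure full
+working-directory: ./pdns/dnsdistdist/
+- run: inv coverity-make
+working-directory: ./pdns/dnsdistdist/
+- run: inv coverity-tarball dnsdist.tar.bz2
+working-directory: ./pdns/dnsdistdist/
+- run: inv coverity-upload ${{ secrets.coverity_email }} dnsdist dnsdist.tar.bz2
+working-directory: ./pdns/dnsdistdist/
+
+coverity-rec:
+name: coverity scan of the rec
+runs-on: ubuntu-20.04
+env:
+COVERITY_TOKEN: ${{ secrets.coverity_rec_token }}
+SANITIZERS:
+UNIT_TESTS: no
+steps:
+- uses: PowerDNS/pdns/set-ubuntu-mirror@meta
+- uses: actions/[email protected]
+with:
+fetch-depth: 5
+submodules: recursive
+- run: build-scripts/gh-actions-setup-inv # this runs apt update+upgrade
+- run: inv install-clang
+- run: inv install-rec-build-deps
+- run: inv install-coverity-tools 'PowerDNS+Recursor'
+- run: inv coverity-clang-configure
+- run: inv ci-autoconf
+working-directory: ./pdns/recursordist/
+- run: inv ci-rec-configure
+working-directory: ./pdns/recursordist/
+- run: inv coverity-make
+working-directory: ./pdns/recursordist/
+- run: inv coverity-tarball recursor.tar.bz2
+working-directory: ./pdns/recursordist/
+- run: inv coverity-upload ${{ secrets.coverity_email }} 'PowerDNS+Recursor' recursor.tar.bz2
+working-directory: ./pdns/recursordist/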
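Review bot: The three `inv coverity-upload` steps expand `${{ secrets.coverity_email }}` straight into the `run:` script text, so the secret's value is parsed by the shell as part of the command line (a space or metacharacter in it changes the command) instead of being passed as data. Map it through each job's `env:` block next to the token, `COVERITY_EMAIL: ${{ secrets.coverity_email }}`, and reference it quoted in the step, `- run: inv coverity-upload "$COVERITY_EMAIL" PowerDNS auth.tar.bz2`; the same applies to the dnsdist and rec jobs. The `inv` tasks themselves are not in this section, so how `COVERITY_TOKEN` reaches the upload request and whether the downloaded Coverity tool archive is integrity-checked cannot be confirmed from here. The bare `SANITIZERS:` entries parse as a YAML null; `SANITIZERS: ""` would state the intended empty string explicitly.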