coverity-scan #1413
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: coverity-scan | |
on: | |
schedule: | |
- cron: '0 18 * * *' # Daily at 18:00 UTC | |
push: | |
branches: main | |
permissions: | |
contents: read | |
jobs: | |
latest: | |
runs-on: ubuntu-20.04 | |
env: | |
CC: clang | |
CXX: clang++ | |
TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install dependencies | |
run: | | |
sudo apt-get update -q | |
sudo apt-get remove -y clang | |
sudo apt-get install -y clang-10 autoconf-archive flex bison libjson-c-dev | |
- name: Get Xen version | |
id: get-xen-hash | |
run: | | |
echo XEN_HASH=$(git submodule | grep xen | awk '{ print $1 }') >> $GITHUB_OUTPUT | |
- name: Cache Xen debball | |
id: cache-xen | |
uses: actions/cache@v3 | |
with: | |
path: xen/dist | |
key: ${{ steps.get-xen-hash.outputs.XEN_HASH }} | |
- name: Create Xen debball | |
if: steps.cache-xen.outputs.cache-hit != 'true' | |
run: | | |
sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \ | |
iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \ | |
make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \ | |
libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \ | |
libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \ | |
ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \ | |
libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \ | |
libtool libfuse-dev liblzma-dev ninja-build \ | |
kpartx python3-dev python3-pip golang python-dev libsystemd-dev | |
git submodule update --init xen | |
cd xen | |
./configure --enable-githttp --enable-systemd --disable-pvshim | |
make -j4 debball | |
cd .. | |
- name: Install Xen debball | |
run: | | |
sudo dpkg -i xen/dist/xen-*.deb | |
- name: Install LibVMI | |
run: | | |
git submodule update --init libvmi | |
cd libvmi | |
autoreconf -vif | |
./configure --disable-kvm --disable-file --disable-bareflank --disable-examples --disable-vmifs | |
make -j2 | |
sudo make install | |
sudo ldconfig | |
cd .. | |
- name: Download Coverity hash | |
id: hash | |
run: | | |
wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=tklengyel%2Fdrakvuf&md5=1" -O coverity_tool.md5 | |
echo hash=$(cat coverity_tool.md5) >> $GITHUB_OUTPUT | |
- uses: actions/cache@v3 | |
id: cache-coverity | |
with: | |
path: coverity | |
key: ${{ steps.hash.outputs.hash }} | |
- name: Download Coverity Build Tool | |
if: steps.cache-coverity.outputs.cache-hit != 'true' | |
run: | | |
wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=tklengyel%2Fdrakvuf" -O coverity_tool.tgz | |
mkdir -p coverity | |
tar xzf coverity_tool.tgz --strip 1 -C coverity | |
- name: Fixed world writable dirs | |
run: | | |
chmod go-w $HOME | |
sudo chmod -R go-w /usr/share | |
- name: Run autoreconf | |
run: autoreconf -vif | |
- name: Configure | |
run: ./configure --enable-debug | |
- name: Build with cov-build | |
run: | | |
export PATH=`pwd`/coverity/bin:$PATH | |
cov-build --dir cov-int make | |
- name: Submit the result to Coverity Scan | |
run: | | |
tar czvf drakvuf.tgz cov-int | |
curl \ | |
--form token=$TOKEN \ | |
--form [email protected] \ | |
--form [email protected] \ | |
--form version=main \ | |
--form description="`git describe --always`" \ | |
https://scan.coverity.com/builds?project=tklengyel%2Fdrakvuf |