* [PATCH OSSTEST] Add a weekly coverity flight
From: Ian Campbell @ 2015-12-15 11:45 UTC
To: ian.jackson, xen-devel; +Cc: Ian Campbell
This primarily consists of ts-coverity-scan and make-coverity-flight
which constructs the sole job.
The most recently scanned revision is pushed to a new coverity-scanned
branch in the usual xen.git, tests are run on the master branch.
Move collectversions into Osstest::BuildSupport rather than
duplicating with ts-xen-build (nothing else is really duplicated)
For the cr-* integration we treat branch=coverity as a special case of
tree=xen. I didn't think tree=coverity made much sense, and would
probably reach tendrils into lots of other places (such as the
invocations of check_tested).
TODO: How to pick $c{CoverityEmail}, needs to be a real email which is
in coverity project (which security@xen.org used here is not)
At the moment actually uploading is not implemented and is gated via a
runvar which is currently set to false. Therefore for now
ts-coverity-scan just prints the curl arguments while we sort the
rest out.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
---
Could consider running on smoked? staging is probably a step too far.
Deployment notes:
- Put cov-analysis-linux64-7.7.0.4.tar.gz in the Images
directory.
- Populate $HOME/.xen-osstest/coverity-secret with the token
- Populate xen.git#coverity-scanned with an initial baseline, update
ap-fetch-version-old to refer to it instead of master.
---
Osstest/BuildSupport.pm | 12 ++++++
ap-fetch-version | 3 ++
ap-fetch-version-old | 4 ++
ap-print-url | 2 +-
ap-push | 4 ++
cr-daily-branch | 18 +++++++-
cri-common | 1 +
crontab | 1 +
make-coverity-flight | 47 +++++++++++++++++++++
production-config | 4 ++
sg-run-job | 5 +++
ts-coverity-scan | 108 ++++++++++++++++++++++++++++++++++++++++++++++++
ts-xen-build | 11 +----
ts-xen-build-prep | 2 +-
14 files changed, 209 insertions(+), 13 deletions(-)
create mode 100755 make-coverity-flight
create mode 100755 ts-coverity-scan
diff --git a/Osstest/BuildSupport.pm b/Osstest/BuildSupport.pm
index 933f6e1..a183546 100644
--- a/Osstest/BuildSupport.pm
+++ b/Osstest/BuildSupport.pm
@@ -42,6 +42,7 @@ BEGIN {
xendist
$xendist
+ collect_xen_built_versions
submodulefixup submodule_have submodule_find
@@ -84,6 +85,17 @@ sub xendist () {
($ho, 'xendist', '', $r{"buildjob"});
}
+sub collect_xen_built_versions () {
+ my $tools="$builddir/xen/tools";
+ my $extras="$builddir/xen/extras";
+ store_revision($ho, 'qemu', "$tools/ioemu-dir", 1);
+ store_revision($ho, 'qemu', "$tools/qemu-xen-traditional-dir", 1);
+ store_revision($ho, 'qemuu', "$tools/qemu-xen-dir", 1);
+ store_revision($ho, 'seabios', "$tools/firmware/seabios-dir", 1);
+ store_revision($ho, 'ovmf', "$tools/firmware/ovmf-dir", 1);
+ store_revision($ho, 'minios', "$extras/mini-os", 1);
+}
+
#----- submodules -----
sub submodulefixup ($$$$) {
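Review bot: collect_xen_built_versions is not a straight move of collectversions from ts-xen-build: the new body adds the $extras variable and a store_revision call for 'minios' at "$extras/mini-os", so ts-xen-build will start recording a minios revision as well. Either say so in the commit message, or make the move its own patch and add the minios line in a follow-up, so the behaviour change to the existing build job is visible on its own.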
diff --git a/ap-fetch-version b/ap-fetch-version
index a7b658b..1e48b45 100755
--- a/ap-fetch-version
+++ b/ap-fetch-version
@@ -53,6 +53,9 @@ xen-4.*-testing)
repo_tree_rev_fetch_git xen \
$TREE_XEN staging-$branchcore $LOCALREV_XEN
;;
+coverity)
+ repo_tree_rev_fetch_git xen $TREE_XEN master $LOCALREV_XEN
+ ;;
qemu-mainline)
repo_tree_rev_fetch_git $branch \
$TREE_QEMU_MAINLINE master $LOCALREV_QEMU_UPSTREAM
diff --git a/ap-fetch-version-old b/ap-fetch-version-old
index e2c6b3b..9d6190f 100755
--- a/ap-fetch-version-old
+++ b/ap-fetch-version-old
@@ -59,6 +59,10 @@ xen-4.*-testing)
repo_tree_rev_fetch_git xen \
$TREE_XEN stable-$branchcore $LOCALREV_XEN
;;
+coverity)
+ #XXX doesn't exist yet, use master for now repo_tree_rev_fetch_git xen $TREE_XEN coverity-scanned $LOCALREV_XEN
+ repo_tree_rev_fetch_git xen $TREE_XEN master $LOCALREV_XEN
+ ;;
qemu-mainline)
repo_tree_rev_fetch_git $branch \
$BASE_TREE_QEMU_UPSTREAM upstream-tested $LOCALREV_QEMU_UPSTREAM
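Review bot: In the coverity case the baseline is fetched from master, the same ref that ap-fetch-version uses for the new revision, with the intended coverity-scanned fetch left behind an #XXX comment. As written, the old and new revisions for this branch come from the same place, and the switch to coverity-scanned depends on someone acting on the deployment note later. Suggest populating coverity-scanned with the baseline before this goes in and committing the real fetch from coverity-scanned rather than the placeholder.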
diff --git a/ap-print-url b/ap-print-url
index 4088852..6ca000d 100755
--- a/ap-print-url
+++ b/ap-print-url
@@ -31,7 +31,7 @@ if info_linux_tree "$branch"; then
fi
case "$branch" in
-xen-*)
+xen-*|coverity)
echo $TREE_XEN
;;
qemu-mainline)
diff --git a/ap-push b/ap-push
index 8def652..97510c3 100755
--- a/ap-push
+++ b/ap-push
@@ -68,6 +68,10 @@ xen-*-testing)
xenversion=${xenversion#xen-}
git push $TREE_XEN $revision:refs/heads/stable-$xenversion
;;
+coverity)
+ cd $repos/xen
+ git push $TREE_XEN $revision:refs/heads/coverity-scanned
+ ;;
qemu-mainline)
cd $repos/qemu-mainline
git push $TREE_QEMU_UPSTREAM $revision:refs/heads/upstream-tested
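Review bot: The coverity case pushes $revision to refs/heads/coverity-scanned, which the commit message describes as the most recently scanned revision, but nothing here depends on an upload having taken place. While make-coverity-flight sets coverity_upload=false and ts-coverity-scan only logs the curl arguments, this would advance coverity-scanned over revisions that were built locally and never submitted. Suggest leaving this case out until the upload is implemented, or stating in the commit message that the branch tracks built rather than submitted revisions for now.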
diff --git a/cr-daily-branch b/cr-daily-branch
index 364238c..9594e18 100755
--- a/cr-daily-branch
+++ b/cr-daily-branch
@@ -205,7 +205,22 @@ fi
case "$tree" in
xen)
realtree=$xenbranch
- NEW_REVISION=$REVISION_XEN
+
+ case $branch in
+ coverity)
+ if [ "x$TREE_COVERITY" = x ]; then
+ export TREE_COVERITY=$TREE_XEN
+ fi
+ if [ "x$REVISION_COVERITY" = x ]; then
+ determine_version REVISION_COVERITY coverity COVERITY
+ export REVISION_COVERITY
+ fi
+ NEW_REVISION=$REVISION_COVERITY
+ ;;
+ *)
+ NEW_REVISION=$REVISION_XEN
+ ;;
+ esac
;;
linux)
realtree=linux
@@ -259,6 +274,7 @@ fi
case $branch in
distros-*) makeflight=./make-distros-flight ;;
+coverity) makeflight=./make-coverity-flight ;;
*) makeflight=./make-flight ;;
esac
diff --git a/cri-common b/cri-common
index 6dfe8df..9f8bb0b 100644
--- a/cri-common
+++ b/cri-common
@@ -68,6 +68,7 @@ select_xenbranch () {
case "$branch" in
xen-unstable-smoke) tree=xen; xenbranch=$branch; qemuubranch=qemu-upstream-unstable;;
xen-*) tree=xen; xenbranch=$branch ;;
+ coverity) tree=xen; xenbranch=xen-unstable ;;
qemu-mainline) tree=qemuu; xenbranch=xen-unstable; qemuubranch=qemu-mainline;;
qemu-upstream-*) tree=qemuu; xenbranch=xen-${branch#qemu-upstream-};;
linux) tree=linux; xenbranch=xen-unstable ;;
diff --git a/crontab b/crontab
index 09b8d14..b6ced25 100755
--- a/crontab
+++ b/crontab
@@ -8,6 +8,7 @@ MAILTO=ian.jackson@citrix.com,ian.campbell@eu.citrix.com
0 * * * * cd testing.git && BRANCHES=xen-unstable-smoke ./cr-for-branches branches -q "./cr-daily-branch --real"
4-59/30 * * * * cd testing.git && ./cr-for-branches branches -q "./cr-daily-branch --real"
18 9 * * 1,3,5 cd testing.git && BRANCHES=linux-next ./cr-for-branches branches -w "./cr-daily-branch --real"
+18 9 * * 7 cd testing.git && BRANCHES=coverity ./cr-for-branches branches -w "./cr-daily-branch --real"
18 4 * * * cd testing.git && BRANCHES='linux-linus linux-mingo-tip-master linux-3.0 libvirt rumpuserxen' ./cr-for-branches branches -w "./cr-daily-branch --real"
6-59/15 * * * * cd testing.git && EXTRA_BRANCHES='linux-linus linux-3.0 rumpuserxen libvirt' ./cr-for-branches bisects -w "./cr-try-bisect --real"
#8-59/5 * * * * cd bisects/adhoc.git && with-lock-ex -q data-tree-lock bash -c "./cr-try-bisect-adhoc; exit $?"
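Review bot: The day-of-week value 7 in the new coverity entry relies on an extension. POSIX crontab defines that field as 0 to 6 with 0 as Sunday; 7 for Sunday is accepted by common cron implementations but is not part of that definition. Writing 0 avoids the dependency, and a short comment saying the flight is weekly on Sunday would help, since the other entries in this hunk use * or a list of days.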
diff --git a/make-coverity-flight b/make-coverity-flight
new file mode 100755
index 0000000..53d26b0
--- /dev/null
+++ b/make-coverity-flight
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# This is part of "osstest", an automated testing framework for Xen.
+# Copyright (C) 2015 Citrix Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+set -e -o posix
+
+branch=$1
+xenbranch=$2
+blessing=$3
+buildflight=$4
+
+flight=`./cs-flight-create $blessing $branch`
+
+. ./cri-common
+. ./ap-common
+. ./mfi-common
+
+defsuite=`getconfig DebianSuite`
+defguestsuite=`getconfig GuestDebianSuite`
+
+./cs-job-create $flight coverity-amd64 coverity \
+ tree_xen=$TREE_COVERITY \
+ revision_xen=$REVISION_COVERITY \
+ coverity_upload=false
+
+echo $flight
+
+# Local variables:
+# mode: sh
+# sh-basic-offset: 2
+# indent-tabs-mode: nil
+# End:
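Review bot: tree_xen and revision_xen in the cs-job-create call are taken from $TREE_COVERITY and $REVISION_COVERITY, which are not set anywhere in this file; in this patch only cr-daily-branch exports them. The script uses set -e but not set -u, so a direct invocation would pass empty tree_xen= and revision_xen= to cs-job-create rather than failing early. Suggest checking both are non-empty before creating the job, for example with : ${REVISION_COVERITY:?} and the same for TREE_COVERITY. Also, xenbranch, buildflight, defsuite and defguestsuite are assigned and not used in this file and could be dropped.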
diff --git a/production-config b/production-config
index bb8d224..874cbba 100644
--- a/production-config
+++ b/production-config
@@ -100,6 +100,10 @@ TftpGrubVersion XXXX-XX-XX
XenUsePath /usr/groups/xencore/systems/bin/xenuse
XenUseUser osstest
+# Results might include potential vulnerabilities.
+CoverityEmail security@xen.org
+CoverityTools cov-analysis-linux64-7.7.0.4.tar.gz
+
# We use the IP address because Citrix can't manage reliable nameservice
#DebianMirrorHost debian.uk.xensource.com
#DebianMirrorHost 10.80.16.196
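Review bot: CoverityEmail is set to security@xen.org, which the commit message says is not in the Coverity project, so this value is known not to work once uploads are enabled. Suggest extending the comment above it to say that the address has to be one registered with the project, and resolving the TODO before coverity_upload can be set to true. CoverityTools names a file that has to be placed in the Images directory by hand; a comment pointing at that deployment step would help whoever next changes the version.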
diff --git a/sg-run-job b/sg-run-job
index 20ebb64..7e592dd 100755
--- a/sg-run-job
+++ b/sg-run-job
@@ -445,6 +445,11 @@ proc prepare-build-host {} {
run-ts . host-build-prep ts-xen-build-prep
}
+proc need-hosts/coverity {} { return BUILD }
+proc run-job/coverity {} {
+ run-ts . = ts-coverity-scan + host
+}
+
#---------- main program ----------
jobdb::set-flight
diff --git a/ts-coverity-scan b/ts-coverity-scan
new file mode 100755
index 0000000..f8c3a81
--- /dev/null
+++ b/ts-coverity-scan
@@ -0,0 +1,108 @@
+#!/usr/bin/perl -w
+# This is part of "osstest", an automated testing framework for Xen.
+# Copyright (C) 2015 Citrix Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+use strict qw(vars);
+use DBI;
+use Osstest;
+use File::Path;
+use POSIX;
+use Osstest::TestSupport;
+use Osstest::BuildSupport;
+
+# Require explicit opt in from flight construction
+my $coverity_upload = ($r{coverity_upload}//'false') =~ m/true/ ? 1 : 0;
+
+my $tokenfile = "$ENV{HOME}/.xen-osstest/coverity-secret";
+my $submit_url = "https://scan.coverity.com/builds?project=XenProject";
+
+tsreadconfig();
+selectbuildhost(\@ARGV);
+# remaining arguments are passed as targets to "make"
+builddirsprops();
+
+sub checkout () {
+ prepbuilddirs();
+
+ build_clone($ho, 'xen', $builddir, 'xen');
+}
+
+sub covtools () {
+ target_putfile($ho, 100, "$c{Images}/$c{CoverityTools}", "$builddir/covtools.tar.gz");
+ target_cmd($ho, <<END, 100);
+set -xe
+c=$builddir/covtools
+mkdir -p \$c
+cd \$c
+tar --strip-components=1 -xaf $builddir/covtools.tar.gz
+END
+}
+
+sub build () {
+ my $make = "make $makeflags";
+
+ # Pre build things we don't want coverity to scan, but which are
+ # normally built by some other command.
+ target_cmd_build($ho, 1000, $builddir, <<END);
+cd $builddir/xen
+./configure
+$make -C tools/firmware/etherboot all
+$make mini-os-dir
+END
+
+ # Now the stuff we want coverity to look at
+ target_cmd_build($ho, 9000, $builddir, <<END);
+cd $builddir/xen
+export PATH=$builddir/covtools/bin:\$PATH
+cov-build --dir cov-int $make -C extras/mini-os/
+cov-build --dir cov-int $make xen tools
+
+tar czvf xen-coverity.tgz cov-int
+END
+
+ built_stash_file($ho, $builddir,
+ "xen-coverity.tgz", "xen/xen-coverity.tgz", 0);
+}
+
+sub upload() {
+ my $xen_version = target_cmd_output($ho, <<END, 30);
+ cd $builddir/xen
+ make xenversion
+END
+
+ my @form_args;
+ push @form_args, "token=\@$tokenfile";
+ push @form_args, "email=$c{CoverityEmail}";
+ push @form_args, "file=\@$stash/build/xen-coverity.tgz";
+ push @form_args, "version=$xen_version";
+ push @form_args, "description=$r{tree_xen} $r{built_revision_xen}";
+
+ my @args = map { ("--form", $_) } @form_args;
+ push @args, $submit_url;
+
+ if ($coverity_upload) {
+ # TODO: spawn curl here
+ die "Cannot upload for real yet"
+ } else {
+ logm("Not uploading: curl args: ".(join " ", map { qq("$_") } @args));
+ }
+}
+
+checkout();
+covtools();
+build();
+collect_xen_built_versions();
+upload();
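Review bot: The opt-in test near the top, ($r{coverity_upload}//'false') =~ m/true/, is an unanchored match, so any runvar value that merely contains "true" enables the upload path. For a gate that decides whether build results leave the test host, compare exactly, for example with eq 'true'. In upload(), the token is passed as token=@$tokenfile; with curl --form the @ prefix attaches the file as a file upload, while < sends the file's contents as the value of an ordinary field, so token=<$tokenfile is probably what is wanted and still keeps the secret itself out of the logged arguments. The comment "remaining arguments are passed as targets to make" does not match this script, which does not read @ARGV after selectbuildhost.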
diff --git a/ts-xen-build b/ts-xen-build
index b02e737..5c7863d 100755
--- a/ts-xen-build
+++ b/ts-xen-build
@@ -138,15 +138,6 @@ END
}
}
-sub collectversions () {
- my $tools="$builddir/xen/tools";
- store_revision($ho, 'qemu', "$tools/ioemu-dir", 1);
- store_revision($ho, 'qemu', "$tools/qemu-xen-traditional-dir", 1);
- store_revision($ho, 'qemuu', "$tools/qemu-xen-dir", 1);
- store_revision($ho, 'seabios', "$tools/firmware/seabios-dir", 1);
- store_revision($ho, 'ovmf', "$tools/firmware/ovmf-dir", 1);
-}
-
sub divide () {
# Only move hv to xeninstall, so that we can have
# xenpolicy in tools tarball.
@@ -232,7 +223,7 @@ sub trapping ($) {
checkout();
trapping(\&build);
-trapping(\&collectversions);
+trapping(\&collect_xen_built_versions);
die "*** something failed:\n\n".(join "\n\n",@probs)."\n** something failed"
if @probs;
diff --git a/ts-xen-build-prep b/ts-xen-build-prep
index b35e91b..c2383db 100755
--- a/ts-xen-build-prep
+++ b/ts-xen-build-prep
@@ -206,7 +206,7 @@ sub prep () {
autoconf automake libtool xsltproc
libxml2-utils libxml2-dev
libdevmapper-dev w3c-dtd-xhtml libxml-xpath-perl
- ccache nasm checkpolicy ebtables);
+ ccache nasm checkpolicy ebtables curl);
if ($ho->{Suite} =~ m/wheezy|squeeze|lenny/) {
push(@packages, "libnl-dev");
--
2.6.1
* Re: [PATCH OSSTEST] Add a weekly coverity flight
From: Ian Jackson @ 2016-01-04 16:47 UTC
To: Ian Campbell; +Cc: Andrew Cooper, xen-devel
Ian Campbell writes ("[PATCH OSSTEST] Add a weekly coverity flight"):
> Move collectversions into Osstest::BuildSupport rather than
> duplicating with ts-xen-build (nothing else is really duplicated)
This could profitably be split into a separate patch IMO.
> For the cr-* integration we treat branch=coverity as a special case of
> tree=xen. I didn't think tree=coverity made much sense, and would
> probably reach tendrils into lots of other places (such as the
> invocations of check_tested).
>
> TODO: How to pick $c{CoverityEmail}, needs to be a real email which is
> in coverity project (which security@xen.org used here is not)
I don't have an answer to this but perhaps osstest-admin@xenproject ?
Or will it get lots of annoying output ? (We could filter it to make
it go to osstest-output I guess...)
> +CoverityEmail security@xen.org
> +CoverityTools cov-analysis-linux64-7.7.0.4.tar.gz
This file needs a DEPLOYMENT NOTE I think.
The rest of this looks OK. A review from Andrew Cooper might be
worthwhile ?
Ian.
* Re: [PATCH OSSTEST] Add a weekly coverity flight
From: Andrew Cooper @ 2016-01-04 16:55 UTC
To: Ian Jackson, Ian Campbell; +Cc: xen-devel
On 04/01/16 16:47, Ian Jackson wrote:
> Ian Campbell writes ("[PATCH OSSTEST] Add a weekly coverity flight"):
>> Move collectversions into Osstest::BuildSupport rather than
>> duplicating with ts-xen-build (nothing else is really duplicated)
> This could profitably be split into a separate patch IMO.
>
>> For the cr-* integration we treat branch=coverity as a special case of
>> tree=xen. I didn't think tree=coverity made much sense, and would
>> probably reach tendrils into lots of other places (such as the
>> invocations of check_tested).
>>
>> TODO: How to pick $c{CoverityEmail}, needs to be a real email which is
>> in coverity project (which security@xen.org used here is not)
> I don't have an answer to this but perhaps osstest-admin@xenproject ?
> Or will it get lots of annoying output ? (We could filter it to make
> it go to osstest-output I guess...)
>
>> +CoverityEmail security@xen.org
>> +CoverityTools cov-analysis-linux64-7.7.0.4.tar.gz
> This file needs a DEPLOYMENT NOTE I think.
>
> The rest of this looks OK. A review from Andrew Cooper might be
> worthwhile ?
I don't speak much perl, nor know the internals of OSSTest.
However, the snippets of shell for building look correct.
~Andrew
* Re: [PATCH OSSTEST] Add a weekly coverity flight
From: Ian Campbell @ 2016-01-05 12:19 UTC
To: Ian Jackson; +Cc: Andrew Cooper, xen-devel
On Mon, 2016-01-04 at 16:47 +0000, Ian Jackson wrote:
> Ian Campbell writes ("[PATCH OSSTEST] Add a weekly coverity flight"):
> > Move collectversions into Osstest::BuildSupport rather than
> > duplicating with ts-xen-build (nothing else is really duplicated)
>
> This could profitably be split into a separate patch IMO.
>
> > For the cr-* integration we treat branch=coverity as a special case of
> > tree=xen. I didn't think tree=coverity made much sense, and would
> > probably reach tendrils into lots of other places (such as the
> > invocations of check_tested).
> >
> > TODO: How to pick $c{CoverityEmail}, needs to be a real email which is
> > in coverity project (which security@xen.org used here is not)
>
> I don't have an answer to this but perhaps osstest-admin@xenproject ?
> Or will it get lots of annoying output ? (We could filter it to make
> it go to osstest-output I guess...)
It's not lots of output, but it will contain potential security
vulnerabilities.
In principle it should only contain newly introduced vulnerabilities, which
we would obviously fix before releasing, but:
a) We might not notice but someone more nefarious might
b) Some kinds of changes can cause previously discovered (but not fixed)
issues to be re-reported
> > +CoverityEmail security@xen.org
> > +CoverityTools cov-analysis-linux64-7.7.0.4.tar.gz
>
> This file needs a DEPLOYMENT NOTE I think.
Yes.
>
> The rest of this looks OK. A review from Andrew Cooper might be
> worthwhile ?
>
> Ian.