-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add coverity push script #165
base: main
Are you sure you want to change the base?
Add coverity push script #165
Conversation
Signed-off-by: Paul Elliott <[email protected]>
One possible improvment (although not yet required) would be to parameterise the project so that we can easily use this on other projects, however I'm not sure how many coverity scan projects we are allowed to have! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've read the code, but not tried to run it (I'll do that when I re-review). This looks good from a high-level view, but there are several places where I found the code hard to follow. Some places seem to reinvent standard library functions, and some places have difficult-to-understand error handling that looks like it could be simpler. Generally, in Python, prefer context handlers (with …
) if possible.
Signed-off-by: Paul Elliott <[email protected]>
Mistaken usage of hashlib.md5(), much simpler form is available. Signed-off-by: Paul Elliott <[email protected]>
-j without a number means unlimited, and is likely a bad idea on limited systems. Signed-off-by: Paul Elliott <[email protected]>
(Rather than empty string) Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Refactor previous function as now too small to really be required (error handling now done by exceptions thrown by run(), and only a single API call now required) Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Also make branch change recurse into submodules, as we now have one. Signed-off-by: Paul Elliott <[email protected]>
Use 'with' context, copy to backup file if required. Signed-off-by: Paul Elliott <[email protected]>
The addition of the framework necessitates this. Signed-off-by: Paul Elliott <[email protected]>
Missed as logic causes the script to just redownload the tools. Signed-off-by: Paul Elliott <[email protected]>
Instead of erroring out if the specified backup directory is non-existent, just create it. Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Useful for debug more than anything else. Signed-off-by: Paul Elliott <[email protected]>
.. and update documentation to add new options. Signed-off-by: Paul Elliott <[email protected]>
If config.h was changed upstream, it would be backed up prior to these changes being applied locally, and then restored into the wrong state. Signed-off-by: Paul Elliott <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the updates! On code inspection, I believe I now understand what the code is doing, and would be able to maintain it going forward.
I haven't tried running the script yet (and there's a typo that looks like it would fail midway).
I wonder how to test it: how far can we go before consuming a limited Coverity credit: is that consumed by the build request? By triggering? Could we have a test mode in the script that does everything except the credit-consuming step, and leaves behind or prints out all necessary information to do the credit-consuming step manually?
The token can either be passed in as an argument with -t, or via the environment | ||
in the variable 'COVERITY_TOKEN' | ||
|
||
Other options: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[non-blocker] It might be better to leave out the list of options here. They're already documented through the argparse
calls and I fear that we'll forget to update the text here.
Build the MBed TLS source located in the passed in dir, using the tools specified, using the | ||
given pre-build and build commands. Tar the results up into the given file name, as required by | ||
coverity. | ||
""" | ||
|
||
os.chdir(mbedtls_dir) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[non-blocker] Because of the chdir
call here, I'm not sure how the each command line arguments will be interpreted if they're relative paths, or if they even can be relative paths. It would be more robust to not call chdir
and pass cwd=mbedtls_dir
to subprocess.run
calls.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm really unsure on this one, the scripts themselves generally assume being run from the root MBedTLS dir, so this is how I made it, I haven't noticed any issues up till now.
Moving the backup of config files fixed the previous issue, but created another one. Signed-off-by: Paul Elliott <[email protected]>
Signed-off-by: Paul Elliott <[email protected]>
Enable testing without consuming a coverity credit Signed-off-by: Paul Elliott <[email protected]>
I have added |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ran the script locally with --no-upload
and it worked, producing a plausible-looking mbedtls-24-12-06.tar.gz
in the --backupdir
directory. So this looks good to me both on code reading and on execution apart from possibly the upload step. I'd still like to check that the upload step works for me while you're still partly around, but not today, and in the meantime I can approve this PR already, we can take it from there.
With the addition of tf-psa-crypto as a submodule, which itself has framework as a submodule, git submodule calls now need to be recursive Signed-off-by: Paul Elliott <[email protected]>
Description
This is the script to allow us to push coverity builds from Jenkins (or anyone's machine come to that)
Functionality is documented within the script, but to test:
either:
or
The token can be found from the coverity web interface, and for the email address I would use your own email address for now (email address is unfortunately compulsary). Conversations are ongoing about which address to use for notifications in the future, the notification email will look like this:
Should new defects be found, another email will be generated, but this will go to the whole team (this is specified within coverity itself)
WARNING - the mbedtls directory specified will be switched to the latest version of the branch specified, any outstanding differences will currently cause the script to fail (in my opinion better than forcing anything).
This constitutes stage 1 of getting coverity push back into CI, getting this script reviewed so that we can at least check its in the correct shape, then stage 2 will be adding the groovy and testing in the repo. I currently envisage this to be added shortly after the existing push from
development
tocoverity_scan
branches in the nightly runs.