| - job: | |
| name: tf-a-coverity | |
| node: docker-amd64-tf-a-bionic | |
| project-type: freestyle | |
| concurrent: true | |
| disabled: false | |
| defaults: global | |
| description: | | |
| Run the Coverity tool on Trusted Firmware and submit the resulting | |
| tarball to <a href="https://scan.coverity.com/projects/arm-software-arm-trusted-firmware">Coverity Scan Online</a>. | |
| <br/> | |
| This job runs <b>every weekday</b> and by default uses the <b>integration</b> branch on trustedfirmware.org. | |
| properties: | |
| - build-discarder: | |
| days-to-keep: 14 | |
| - authorization: | |
| !include: authorization.yaml.inc | |
| parameters: | |
| - string: | |
| name: TF_GERRIT_PROJECT | |
| default: 'TF-A/trusted-firmware-a' | |
| - string: | |
| name: TF_GERRIT_BRANCH | |
| default: 'refs/heads/integration' | |
| - string: | |
| name: TF_GERRIT_REFSPEC | |
| default: '+refs/heads/integration:refs/remotes/origin/integration' | |
| - string: | |
| name: CI_REFSPEC | |
| default: '+refs/heads/master:refs/remotes/origin/master' | |
| - string: | |
| name: COVERITY_VERSION | |
| default: '2022.6.0' | |
| - bool: | |
| name: UPLOAD_TO_COVERITY_SCAN_ONLINE | |
| default: false | |
| - string: | |
| name: SHARE_FOLDER | |
| default: '/srv/shared/${JOB_NAME}/${BUILD_NUMBER}' | |
| description: 'Folder containing shared repositories for downstream pipeline jobs' | |
| wrappers: | |
| - timestamps | |
| - credentials-binding: | |
| - text: | |
| credential-id: TF-COVERITY-SCAN-TOKEN | |
| variable: TF_COVERITY_SCAN_TOKEN | |
| builders: | |
| - shell: | |
| !include-raw: scripts/clone.sh | |
| - shell: | | |
| #!/bin/bash | |
| set -e | |
| # Install crypto library | |
| CRYPTOCELL_LIB_PATH=/arm/projectscratch/ssg/trusted-fw | |
| mkdir -p ${CRYPTOCELL_LIB_PATH} | |
| cd ${CRYPTOCELL_LIB_PATH} | |
| curl --connect-timeout 5 --retry 5 --retry-delay 1 \ | |
| -sLSO -C - https://downloads.trustedfirmware.org/tf-a/dummy-crypto-lib.tar | |
| tar xf dummy-crypto-lib.tar | |
| # Fetch coverity tool and untar it | |
| cd ${WORKSPACE} | |
| wget https://scan.coverity.com/download/linux64 \ | |
| --quiet \ | |
| --post-data "token=${TF_COVERITY_SCAN_TOKEN}&project=ARM-software%2Farm-trusted-firmware" \ | |
| -O coverity_tool.tgz | |
| tar -xzf coverity_tool.tgz | |
| mv cov-analysis-linux64-${COVERITY_VERSION} coverity | |
| export PATH=${WORKSPACE}/coverity/bin:${PATH} | |
| # Run coverity | |
| cd ${WORKSPACE}/trusted-firmware-a | |
| ${WORKSPACE}/tf-a-ci-scripts/script/tf-coverity/run_coverity_on_tf.py --tf $(pwd) | |
| - conditional-step: | |
| condition-kind: boolean-expression | |
| condition-expression: "${UPLOAD_TO_COVERITY_SCAN_ONLINE}" | |
| on-evaluation-failure: dont-run | |
| steps: | |
| - shell: | | |
| #!/bin/bash | |
| echo "Uploading tarball to Coverity Scan Online..." | |
| GIT_COMMIT=$(git rev-parse HEAD) | |
| curl \ | |
| --form token=${{TF_COVERITY_SCAN_TOKEN}} \ | |
| --form email=sandrine.bailleux@arm.com \ | |
| --form file=@"arm-tf-coverity-results.tgz" \ | |
| --form version="Commit ${{GIT_COMMIT}}" \ | |
| --form description="Build ${{BUILD_DISPLAY_NAME}}" \ | |
| https://scan.coverity.com/builds?project=ARM-software%2Farm-trusted-firmware | |
| publishers: | |
| - archive: | |
| artifacts: 'trusted-firmware-a/arm-tf-coverity-results.tgz, trusted-firmware-a/tf_coverage.log' | |
| - groovy-postbuild: | |
| script: | |
| !include-raw: | |
| - tf-a-coverity/postbuild.groovy |