Coverity: Introduce Job Definition (JJB)
Introduce job definition (JJB) for Coverity Scan. The JJB is defined as a
timed (cron) job, which is triggered on a daily basis, from Monday to
Friday. An executed job is at [1], where scan results were pushed to [4].
Currently, code coverage is quite reduced, 12% of all project
files, and the reason is that only a single platform is built [2], so
following efforts should include the rest of the project platforms.
This work is part of the TF OpenCI effort [1], in particular 'M2 TF-M
Static Analysis Integration (TF-M ID1)'.
[1] https://ci.staging.trustedfirmware.org/job/lsandov1-tf-m-coverity/18/console
[2] https://review.trustedfirmware.org/c/ci/tf-m-ci-scripts/+/5296
[3] https://developer.trustedfirmware.org/w/collaboration/openci/
[4] https://scan.coverity.com/projects/trusted-firmware-m-35b064f0-65c2-4afb-9ba9-24aa432fb7fa?tab=overview
Signed-off-by: Leonardo Sandoval <leonardo.sandoval@linaro.org>
Change-Id: Iff58a2091a2ebd0247f026f18bb4f5ede900552d
diff --git a/tf-m-coverity.yaml b/tf-m-coverity.yaml
new file mode 100644
index 0000000..5886256
--- /dev/null
+++ b/tf-m-coverity.yaml
@@ -0,0 +1,117 @@
+- scm:
+ name: tf-m-ci-scripts
+ scm:
+ - git:
+ url: https://git.trustedfirmware.org/ci/tf-m-ci-scripts.git
+ refspec: +refs/heads/master:refs/remotes/origin/master
+ name: origin
+ branches:
+ - refs/heads/master
+ basedir: tf-m-ci-scripts
+ skip-tag: true
+ shallow-clone: true
+ wipe-workspace: false
+- scm:
+ name: trusted-firmware-m
+ scm:
+ - git:
+ url: https://review.trustedfirmware.org/${TF_GERRIT_PROJECT}
+ refspec: ${TF_GERRIT_REFSPEC}
+ name: origin
+ branches:
+ - ${TF_GERRIT_BRANCH}
+ basedir: trusted-firmware-m
+ skip-tag: true
+ shallow-clone: false
+ wipe-workspace: false
+- job:
+ name: tf-m-coverity
+ node: docker-amd64-tf-m-bionic
+ project-type: freestyle
+ concurrent: true
+ disabled: false
+ defaults: global
+ description: |
+ Run the Coverity tool on Trusted Firmware M and submit the resulting
+ tarball to <a href="https://scan.coverity.com/projects/trusted-firmware-m-35b064f0-65c2-4afb-9ba9-24aa432fb7fa">Coverity Scan Online</a>.
+ <br/>
+ This job runs <b>every weekday</b> and by default uses the <b>master</b> branch on trustedfirmware.org.
+ properties:
+ - build-discarder:
+ days-to-keep: 180
+ num-to-keep: 180
+ - authorization:
+ anonymous:
+ - job-discover
+ - job-read
+ - job-extended-read
+ - job-workspace
+ lsandov1:
+ - job-read
+ - job-extended-read
+ - job-build
+ - job-cancel
+ - run-update
+ parameters:
+ - string:
+ name: TF_GERRIT_PROJECT
+ default: 'TF-M/trusted-firmware-m'
+ - string:
+ name: TF_GERRIT_BRANCH
+ default: 'refs/heads/master'
+ - string:
+ name: TF_GERRIT_REFSPEC
+ default: '+refs/heads/master:refs/remotes/origin/master'
+ - bool:
+ name: UPLOAD_TO_COVERITY_SCAN_ONLINE
+ default: false
+ scm:
+ - tf-m-ci-scripts
+ - trusted-firmware-m
+ wrappers:
+ - timestamps
+ - credentials-binding:
+ - text:
+ credential-id: TF-M-COVERITY-SCAN-TOKEN
+ variable: TF_M_COVERITY_SCAN_TOKEN
+ builders:
+ - shell: |-
+ #!/bin/bash
+ set -e
+
+ # Fetch coverity tool and untar it
+ COVERITY_VERSION=2019.03
+ cd ${WORKSPACE}
+ wget https://scan.coverity.com/download/linux64 \
+ --quiet \
+ --post-data "token=${TF_M_COVERITY_SCAN_TOKEN}&project=Trusted+Firmware-M" \
+ -O coverity_tool.tgz
+ tar -xzf coverity_tool.tgz
+ mv cov-analysis-linux64-${COVERITY_VERSION} coverity
+ export PATH=${WORKSPACE}/coverity/bin:${PATH}
+
+ # Run coverity
+ cd ${WORKSPACE}/trusted-firmware-m
+ ${WORKSPACE}/tf-m-ci-scripts/run-coverity.py --tf $(pwd)
+
+ - conditional-step:
+ condition-kind: boolean-expression
+ condition-expression: "${UPLOAD_TO_COVERITY_SCAN_ONLINE}"
+ on-evaluation-failure: dont-run
+ steps:
+ - shell: |-
+ #!/bin/bash
+
+ echo "Uploading tarball to Coverity Scan Online..."
+ cd ${WORKSPACE}/trusted-firmware-m
+ GIT_COMMIT=$(git rev-parse HEAD)
+
+ curl \
+ --form token=${TF_M_COVERITY_SCAN_TOKEN} \
+ --form email=Karl.Zhang@arm.com \
+ --form file=@"arm-tf-coverity-results.tgz" \
+ --form version="Commit ${GIT_COMMIT}" \
+ --form description="Build ${BUILD_DISPLAY_NAME}" \
+ https://scan.coverity.com/builds?project=Trusted+Firmware-M
+ triggers:
+ - timed: H H(4-6) * * 1-5
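Review bot: The upload step under `conditional-step` has no `set -e` and its `curl` call has no `--fail`, so a rejected or failed submission to scan.coverity.com still leaves the build green; add `set -e` as in the first builder and pass `--fail` (or check the HTTP status) so a broken upload is visible. Related points in the same two shell blocks: `${TF_M_COVERITY_SCAN_TOKEN}` is expanded into the argument lists of both `wget --post-data` and `curl --form token=...`, where it is readable by other processes on the node while the command runs, so consider feeding it from a file or stdin instead, and quote the expansion. The `mv cov-analysis-linux64-${COVERITY_VERSION} coverity` line depends on a hardcoded `2019.03` while the download URL carries no version, so the job will fail at that line once the served tool changes; deriving the directory name from the tarball contents would avoid that. The archive is also extracted and put on `PATH` without any integrity check. Finally, `UPLOAD_TO_COVERITY_SCAN_ONLINE` defaults to `false`, so builds started by the `timed` trigger will skip the upload, which does not match the job description saying the tarball is submitted every weekday; either flip the default or reword the description.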