tf-m-coverity.yaml

#-------------------------------------------------------------------------------
# Copyright (c) 2020-2023, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------

- scm:
    name: tf-m-ci-scripts
    scm:
        - git:
            url: ${CI_SCRIPTS_REPO}
            branches:
                - ${CI_SCRIPTS_BRANCH}
            basedir: tf-m-ci-scripts
            skip-tag: true
            shallow-clone: true
            wipe-workspace: false
- job:
    name: tf-m-coverity
    node: docker-amd64-tf-m-bionic
    project-type: freestyle
    concurrent: true
    disabled: false
    defaults: global
    description: |
      Run the Coverity tool on Trusted Firmware M and submit the resulting
      tarball to <a href="https://scan.coverity.com/projects/trusted-firmware-m-35b064f0-65c2-4afb-9ba9-24aa432fb7fa">Coverity Scan Online</a>.
      <br/>
      This job runs <b>every weekday</b> and by default uses the <b>master</b> branch on trustedfirmware.org.
    properties:
        - build-discarder:
            days-to-keep: 180
            num-to-keep: 180
    parameters:
        - string:
            name: CODE_REPO
            default: 'https://git.trustedfirmware.org/TF-M/trusted-firmware-m'
        - string:
            name: GERRIT_REFSPEC
            default: 'refs/heads/main'
        - string:
            name: CI_SCRIPTS_REPO
            default: 'https://git.trustedfirmware.org/ci/tf-m-ci-scripts'
        - string:
            name: CI_SCRIPTS_BRANCH
            default: 'master'
        - string:
            name: MBEDTLS_VERSION
            default: ''
        - string:
            name: MBEDTLS_URL
            default: 'https://git.trustedfirmware.org/mirror/mbed-tls.git'
        - string:
            name: MCUBOOT_REFSPEC
            default: ''
        - string:
            name: MCUBOOT_URL
            default: 'https://git.trustedfirmware.org/mirror/mcuboot.git'
        - string:
            name: TFM_TESTS_URL
            default: 'https://git.trustedfirmware.org/TF-M/tf-m-tests.git'
        - string:
            name: TFM_TESTS_REFSPEC
            default: ''
        - string:
            name: TFM_EXTRAS_URL
            default: 'https://git.trustedfirmware.org/TF-M/tf-m-extras.git'
        - string:
            name: TFM_EXTRAS_REFSPEC
            default: ''
        - string:
            name: PSA_ARCH_TESTS_URL
            default: 'https://git.trustedfirmware.org/mirror/psa-arch-tests.git'
        - string:
            name: PSA_ARCH_TESTS_VERSION
            default: ''
        - string:
            name: QCBOR_URL
            default: 'https://github.com/laurencelundblade/QCBOR.git'
        - string:
            name: QCBOR_VERSION
            default: ''
        - string:
            name: SHARE_FOLDER
            default: '/srv/shared/${JOB_NAME}/${BUILD_NUMBER}'
        - bool:
            name: UPLOAD_TO_COVERITY_SCAN_ONLINE
            default: true
    scm:
        - tf-m-ci-scripts
    wrappers:
        - timestamps
        - credentials-binding:
          - text:
              credential-id: TF-M-COVERITY-SCAN-TOKEN
              variable: TF_M_COVERITY_SCAN_TOKEN
    builders:
        - shell: |-
            #!/bin/bash
            set -e

            cd ${WORKSPACE}

            # Add compiler path to sys path
            export PATH=$GCC_10_3_PATH:${PATH}

            # Download TF-M dependencies to avoid git clone in each config
            ${WORKSPACE}/tf-m-ci-scripts/clone.sh

            cnt=$(ls trusted-firmware-m/lib/ext/mbedcrypto/*.patch 2> /dev/null | wc -l)
            if [ "$cnt" != "0" ] ; then
                cd mbedtls
                git apply ../trusted-firmware-m/lib/ext/mbedcrypto/*.patch
                cd -
            fi

            # Fetch coverity tool and untar it
            wget https://scan.coverity.com/download/linux64 \
                --quiet \
                --post-data "token=${TF_M_COVERITY_SCAN_TOKEN}&project=Trusted+Firmware-M" \
                -O coverity_tool.tgz
            tar -xzf coverity_tool.tgz
            mv cov-analysis-linux64* coverity
            export PATH=${WORKSPACE}/coverity/bin:${PATH}

            # Run coverity
            cd ${WORKSPACE}/trusted-firmware-m
            ${WORKSPACE}/tf-m-ci-scripts/run-coverity.py --tf $(pwd)

        - conditional-step:
            condition-kind: boolean-expression
            condition-expression: "${UPLOAD_TO_COVERITY_SCAN_ONLINE}"
            on-evaluation-failure: dont-run
            steps:
            - shell: |-
                #!/bin/bash

                echo "Uploading tarball to Coverity Scan Online..."
                cd ${WORKSPACE}/trusted-firmware-m
                GIT_COMMIT=$(git rev-parse HEAD)

                curl \
                  --form token=${TF_M_COVERITY_SCAN_TOKEN} \
                  --form email=xinyu.zhang@arm.com \
                  --form file=@"arm-tf-coverity-results.tgz" \
                  --form version="Commit ${GIT_COMMIT}" \
                  --form description="Build ${BUILD_DISPLAY_NAME}" \
                  https://scan.coverity.com/builds?project=Trusted+Firmware-M
    triggers:
    - timed: H H(4-6) * * 1-5