diff mbox series

[ovs-dev] GitHub: Add Coverity scan as a daily GitHub action.

Message ID 94acd2e49687b0b182bc5cfb71af14d469ed7559.1713253492.git.echaudro@redhat.com
State Under Review
Delegated to: Eelco Chaudron
Headers show
Series [ovs-dev] GitHub: Add Coverity scan as a daily GitHub action. | expand

Checks

Context Check Description
ovsrobot/apply-robot success apply and check: success
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/intel-ovs-compilation success test: success

Commit Message

Eelco Chaudron April 16, 2024, 7:44 a.m. UTC 
This patch adds a daily Coverity run for the OVS main branch
to the GitHub actions. The result of the runs can be found here:

  https://scan.coverity.com/projects/openvswitch

Before applying, we need to add the following two actions secrets
to the GitHub openvswitch project:

- COVERITY_SCAN_TOKEN; The secret token from the project page
- COVERITY_SCAN_EMAIL; The maintainer's email alias

Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
---
 .github/workflows/coverity.yml | 131 +++++++++++++++++++++++++++++++++
 Makefile.am                    |   1 +
 README.rst                     |   2 +
 3 files changed, 134 insertions(+)
 create mode 100644 .github/workflows/coverity.yml

Comments

Simon Horman April 26, 2024, 8:57 a.m. UTC | #1 
On Tue, Apr 16, 2024 at 09:44:52AM +0200, Eelco Chaudron wrote:
> This patch adds a daily Coverity run for the OVS main branch
> to the GitHub actions. The result of the runs can be found here:
> 
>   https://scan.coverity.com/projects/openvswitch
> 
> Before applying, we need to add the following two actions secrets
> to the GitHub openvswitch project:
> 
> - COVERITY_SCAN_TOKEN; The secret token from the project page
> - COVERITY_SCAN_EMAIL; The maintainer's email alias
> 
> Signed-off-by: Eelco Chaudron <echaudro@redhat.com>

Hi Eelco,

I'm fine with this patch in it's current form.

Acked-by: Simon Horman <horms@ovn.org>

But I do have a few questions.

1. Would it be useful to provide instructions to
   allow people to become involved in addressing warnings?

   It seems that a signup to scan.coverity.com is required
   to see information on warnings.

2. Is there any plan to address warnings?

3. See below.

> ---
>  .github/workflows/coverity.yml | 131 +++++++++++++++++++++++++++++++++
>  Makefile.am                    |   1 +
>  README.rst                     |   2 +
>  3 files changed, 134 insertions(+)
>  create mode 100644 .github/workflows/coverity.yml
> 
> diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
> new file mode 100644
> index 000000000..ae28920de
> --- /dev/null
> +++ b/.github/workflows/coverity.yml
> @@ -0,0 +1,131 @@
> +name: Coverity scan
> +on:
> +  schedule:
> +    - cron: '0 0 * * *'
> +
> +env:
> +  python_default: 3.12
> +
> +jobs:
> +  build-dpdk:
> +    env:
> +      dependencies: gcc libbpf-dev libnuma-dev libpcap-dev ninja-build pkgconf
> +      CC: gcc
> +      DPDK_GIT: https://dpdk.org/git/dpdk
> +      DPDK_VER: 23.11
> +    name: dpdk gcc
> +    outputs:
> +      dpdk_key: ${{ steps.gen_dpdk_key.outputs.key }}
> +    runs-on: ubuntu-22.04
> +    timeout-minutes: 30
> +
> +    steps:
> +    - name: checkout
> +      uses: actions/checkout@v4
> +
> +    - name: update PATH
> +      run: |
> +        echo "$HOME/bin"        >> $GITHUB_PATH
> +        echo "$HOME/.local/bin" >> $GITHUB_PATH
> +
> +    - name: create ci signature file for the dpdk cache key
> +      # This will collect most of DPDK related lines, so hash will be different
> +      # if something changed in a way we're building DPDK including DPDK_VER.
> +      # This also allows us to use cache from any branch as long as version
> +      # and a way we're building DPDK stays the same.
> +      run: |
> +        cat .ci/dpdk-* > dpdk-ci-signature
> +        grep -rwE 'DPDK_GIT|DPDK_VER' .github/ >> dpdk-ci-signature
> +        if [ "${DPDK_VER##refs/*/}" != "${DPDK_VER}" ]; then
> +            git ls-remote --heads $DPDK_GIT $DPDK_VER >> dpdk-ci-signature
> +        fi
> +        cat dpdk-ci-signature
> +
> +    - name: generate ci DPDK key
> +      id: gen_dpdk_key
> +      env:
> +        ci_key: ${{ hashFiles('dpdk-ci-signature') }}
> +      run: echo 'key=dpdk-${{ env.ci_key }}' >> $GITHUB_OUTPUT

The above two steps seem both complex and somewhat different to
the implementation in build-and-test.yml.

Would it be worth introducing some sort of helper to generate
the key? Perhaps a script that lives in .ci/

> +
> +    - name: cache
> +      id: dpdk_cache
> +      uses: actions/cache@v4
> +      with:
> +        path: dpdk-dir
> +        key: ${{ steps.gen_dpdk_key.outputs.key }}

...
Ilya Maximets April 29, 2024, 12:59 p.m. UTC | #2 
On 4/16/24 09:44, Eelco Chaudron wrote:
> This patch adds a daily Coverity run for the OVS main branch
> to the GitHub actions. The result of the runs can be found here:
> 
>   https://scan.coverity.com/projects/openvswitch
> 
> Before applying, we need to add the following two actions secrets
> to the GitHub openvswitch project:
> 
> - COVERITY_SCAN_TOKEN; The secret token from the project page
> - COVERITY_SCAN_EMAIL; The maintainer's email alias
> 
> Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
> ---
>  .github/workflows/coverity.yml | 131 +++++++++++++++++++++++++++++++++
>  Makefile.am                    |   1 +
>  README.rst                     |   2 +
>  3 files changed, 134 insertions(+)
>  create mode 100644 .github/workflows/coverity.yml

Thanks, Eelco for bringing this up.  Though, continuing the
offline discussion, I'm not sure having coverity scans as
a GitHub action has any benefits for OVS community.

A few issues:

1. Reports are not available to people outside of the OVS
   Coverity project.  Adding everyone there doesn't seem
   reasonable.  Also a potential security concern.

2. Workflow cannot be used in forks due to organization secrets.
   (IIUC, current implementation will just fail once a day
   annoying people who didn't disable that workflow.)

3. Necessity to have secrets in the organization.  We currently
   don't have any, and from a security standpoint not having
   any secrets is always better.

4. A decent amount of code duplication for this workflow.
   (Reusable workflows maybe?)

In its current form, I think, the same functionality can be
provided by the 0-day robot that could submit sources once
a day for the scan.  And it could also send some emails with
build details if necessary (again, there may be some security
concerns in case coverity discovers a genuine security issue).

With the total amount of code in the project, IIUC, we could
submit up to 21 builds a week with no more than 3 per day
(Coverity claims that it checked just under 300K lines in OVS).
So, technically, we could create a bit more complex logic
for 0-day bot to run a check per patch set (probably, not per
patch though).  In most cases we would fit within the limit
with the current patch rate.  Maybe reserving one run a week
for the main branch.  Such logic would be harder to implement
with GHA.

All in all, using GHA just for scheduling of a job that wider
community can't take advantage of seems a little unjustified.

Thoughts?

Best regards, Ilya Maximets.
diff mbox series

Patch

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 000000000..ae28920de
--- /dev/null
+++ b/.github/workflows/coverity.yml
@@ -0,0 +1,131 @@ 
+name: Coverity scan
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+env:
+  python_default: 3.12
+
+jobs:
+  build-dpdk:
+    env:
+      dependencies: gcc libbpf-dev libnuma-dev libpcap-dev ninja-build pkgconf
+      CC: gcc
+      DPDK_GIT: https://dpdk.org/git/dpdk
+      DPDK_VER: 23.11
+    name: dpdk gcc
+    outputs:
+      dpdk_key: ${{ steps.gen_dpdk_key.outputs.key }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+
+    - name: update PATH
+      run: |
+        echo "$HOME/bin"        >> $GITHUB_PATH
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: create ci signature file for the dpdk cache key
+      # This will collect most of DPDK related lines, so hash will be different
+      # if something changed in a way we're building DPDK including DPDK_VER.
+      # This also allows us to use cache from any branch as long as version
+      # and a way we're building DPDK stays the same.
+      run: |
+        cat .ci/dpdk-* > dpdk-ci-signature
+        grep -rwE 'DPDK_GIT|DPDK_VER' .github/ >> dpdk-ci-signature
+        if [ "${DPDK_VER##refs/*/}" != "${DPDK_VER}" ]; then
+            git ls-remote --heads $DPDK_GIT $DPDK_VER >> dpdk-ci-signature
+        fi
+        cat dpdk-ci-signature
+
+    - name: generate ci DPDK key
+      id: gen_dpdk_key
+      env:
+        ci_key: ${{ hashFiles('dpdk-ci-signature') }}
+      run: echo 'key=dpdk-${{ env.ci_key }}' >> $GITHUB_OUTPUT
+
+    - name: cache
+      id: dpdk_cache
+      uses: actions/cache@v4
+      with:
+        path: dpdk-dir
+        key: ${{ steps.gen_dpdk_key.outputs.key }}
+
+    - name: set up python
+      if: steps.dpdk_cache.outputs.cache-hit != 'true'
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ env.python_default }}
+
+    - name: update APT cache
+      if: steps.dpdk_cache.outputs.cache-hit != 'true'
+      run: sudo apt update || true
+    - name: install common dependencies
+      if: steps.dpdk_cache.outputs.cache-hit != 'true'
+      run: sudo apt install -y ${{ env.dependencies }}
+
+    - name: prepare
+      if: steps.dpdk_cache.outputs.cache-hit != 'true'
+      run: ./.ci/dpdk-prepare.sh
+
+    - name: build
+      if: steps.dpdk_cache.outputs.cache-hit != 'true'
+      run: ./.ci/dpdk-build.sh
+
+  build-coverity:
+    needs: build-dpdk
+    env:
+      dependencies: |
+        automake bc clang-tools libbpf-dev libnuma-dev libpcap-dev \
+        libunbound-dev libunwind-dev libssl-dev libtool llvm-dev \
+        selinux-policy-dev
+      CC: gcc
+      DPDK: dpdk
+    name: coverity
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+
+    - name: update PATH
+      run: |
+        echo "$HOME/bin"        >> $GITHUB_PATH
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: set up python
+      uses: actions/setup-python@v5
+      with:
+        python-version: ${{ env.python_default }}
+
+    - name: get cached dpdk-dir
+      uses: actions/cache/restore@v4
+      with:
+        path: dpdk-dir
+        key: ${{ needs.build-dpdk.outputs.dpdk_key }}
+
+    - name: update APT cache
+      run: sudo apt update || true
+
+    - name: install common dependencies
+      run: sudo apt install -y ${{ env.dependencies }}
+
+    - name: prepare
+      run: ./.ci/linux-prepare.sh
+
+    - name: build
+      run: ./.ci/linux-build.sh
+
+    - name: pre-coverity cleanup
+      run: make clean
+
+    - name: coverity scan
+      uses: vapier/coverity-scan-action@v1
+      with:
+        token: ${{ secrets.COVERITY_SCAN_TOKEN }}
+        email: ${{ secrets.COVERITY_SCAN_EMAIL }}
+        command: make -j4
diff --git a/Makefile.am b/Makefile.am
index e6c90a911..cf5d24f8c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -86,6 +86,7 @@  EXTRA_DIST = \
 	.cirrus.yml \
 	.editorconfig \
 	.github/workflows/build-and-test.yml \
+	.github/workflows/coverity.yml \
 	.readthedocs.yaml \
 	appveyor.yml \
 	boot.sh \
diff --git a/README.rst b/README.rst
index ca9e386c2..713ca91ff 100644
--- a/README.rst
+++ b/README.rst
@@ -14,6 +14,8 @@  Open vSwitch
     :target: https://cirrus-ci.com/github/openvswitch/ovs
 .. image:: https://readthedocs.org/projects/openvswitch/badge/?version=latest
     :target: https://docs.openvswitch.org/en/latest/
+.. image:: https://scan.coverity.com/projects/7290/badge.svg
+    :target: https://scan.coverity.com/projects/openvswitch
 
 What is Open vSwitch?
 ---------------------