run-coverity-scan: use docker.py
Our trusty docker wrapper allows run-coverity-scan to run with both docker and podman. For the "run" phase this is transparent; for the "build" phase, however, the secret is replaced with a bind mount (-v). This is not an issue because the secret option is meant for secrets stored globally in the system, and bind mounts are a valid substitute for secrets that are already known to whoever builds the container. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
parent
6ed4075c3c
commit
7265905940
|
@ -128,4 +128,4 @@ RUN rpm -q $PACKAGES | sort > /packages.txt
|
||||||
ENV PATH $PATH:/usr/libexec/python3-sphinx/
|
ENV PATH $PATH:/usr/libexec/python3-sphinx/
|
||||||
ENV COVERITY_TOOL_BASE=/coverity-tools
|
ENV COVERITY_TOOL_BASE=/coverity-tools
|
||||||
COPY run-coverity-scan run-coverity-scan
|
COPY run-coverity-scan run-coverity-scan
|
||||||
RUN --mount=type=secret,id=coverity.token,required ./run-coverity-scan --update-tools-only --tokenfile /run/secrets/coverity.token
|
RUN ./run-coverity-scan --update-tools-only --tokenfile /work/token
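Review bot: The new RUN line reads the token from /work/token, a path that exists only if the engine's build step honours the `-v "$SECRETDIR:/work"` mount the caller passes; `docker build` has no -v option (podman build does), so unless docker.py translates it for the docker engine this stage fails there, and dropping `required` also removes the build-time guarantee that the token is present. The Dockerfile should state that contract so nobody later "fixes" it by copying the token in: `# /work/token is bind-mounted at build time (-v); never COPY the token, it would end up in an image layer`. Whether docker.py maps -v for docker is not visible in this diff and should be confirmed.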
|
||||||
|
|
|
@ -29,7 +29,9 @@
|
||||||
|
|
||||||
# Command line options:
|
# Command line options:
|
||||||
# --dry-run : run the tools, but don't actually do the upload
|
# --dry-run : run the tools, but don't actually do the upload
|
||||||
# --docker : create and work inside a docker container
|
# --docker : create and work inside a container
|
||||||
|
# --docker-engine : specify the container engine to use (docker/podman/auto);
|
||||||
|
# implies --docker
|
||||||
# --update-tools-only : update the cached copy of the tools, but don't run them
|
# --update-tools-only : update the cached copy of the tools, but don't run them
|
||||||
# --tokenfile : file to read Coverity token from
|
# --tokenfile : file to read Coverity token from
|
||||||
# --version ver : specify version being analyzed (default: ask git)
|
# --version ver : specify version being analyzed (default: ask git)
|
||||||
|
@ -197,6 +199,17 @@ while [ "$#" -ge 1 ]; do
|
||||||
;;
|
;;
|
||||||
--docker)
|
--docker)
|
||||||
DOCKER=yes
|
DOCKER=yes
|
||||||
|
DOCKER_ENGINE=auto
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--docker-engine)
|
||||||
|
shift
|
||||||
|
if [ $# -eq 0 ]; then
|
||||||
|
echo "--docker-engine needs an argument"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
DOCKER=yes
|
||||||
|
DOCKER_ENGINE="$1"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
|
@ -283,9 +296,8 @@ if [ "$DOCKER" = yes ]; then
|
||||||
# build docker container including the coverity-scan tools
|
# build docker container including the coverity-scan tools
|
||||||
# Put the Coverity token into a temporary file that only
|
# Put the Coverity token into a temporary file that only
|
||||||
# we have read access to, and then pass it to docker build
|
# we have read access to, and then pass it to docker build
|
||||||
# using --secret. This requires at least Docker 18.09.
|
# using a volume. A volume is enough for the token not to
|
||||||
# Mostly what we are trying to do here is ensure we don't leak
|
# leak into the Docker image.
|
||||||
# the token into the Docker image.
|
|
||||||
umask 077
|
umask 077
|
||||||
SECRETDIR=$(mktemp -d)
|
SECRETDIR=$(mktemp -d)
|
||||||
if [ -z "$SECRETDIR" ]; then
|
if [ -z "$SECRETDIR" ]; then
|
||||||
|
@ -300,12 +312,10 @@ if [ "$DOCKER" = yes ]; then
|
||||||
# TODO: This re-downloads the tools every time, rather than
|
# TODO: This re-downloads the tools every time, rather than
|
||||||
# caching and reusing the image produced with the downloaded tools.
|
# caching and reusing the image produced with the downloaded tools.
|
||||||
# Not sure why.
|
# Not sure why.
|
||||||
# TODO: how do you get 'docker build' to print the output of the
|
tests/docker/docker.py --engine ${DOCKER_ENGINE} build \
|
||||||
# commands it is running to its stdout? This would be useful for debug.
|
-t coverity-scanner -f scripts/coverity-scan/coverity-scan.docker \
|
||||||
DOCKER_BUILDKIT=1 docker build -t coverity-scanner \
|
-v "$SECRETDIR:/work" \
|
||||||
--secret id=coverity.token,src="$SECRET" \
|
--extra-files scripts/coverity-scan/run-coverity-scan
|
||||||
-f scripts/coverity-scan/coverity-scan.docker \
|
|
||||||
scripts/coverity-scan
|
|
||||||
echo "Archiving sources to be analyzed..."
|
echo "Archiving sources to be analyzed..."
|
||||||
./scripts/archive-source.sh "$SECRETDIR/qemu-sources.tgz"
|
./scripts/archive-source.sh "$SECRETDIR/qemu-sources.tgz"
|
||||||
if [ "$DRYRUN" = yes ]; then
|
if [ "$DRYRUN" = yes ]; then
|
||||||
|
@ -323,7 +333,7 @@ if [ "$DOCKER" = yes ]; then
|
||||||
# Arrange for this docker run to get access to the sources with -v.
|
# Arrange for this docker run to get access to the sources with -v.
|
||||||
# We pass through all the configuration from the outer script to the inner.
|
# We pass through all the configuration from the outer script to the inner.
|
||||||
export COVERITY_EMAIL COVERITY_BUILD_CMD
|
export COVERITY_EMAIL COVERITY_BUILD_CMD
|
||||||
docker run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \
|
tests/docker/docker.py run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \
|
||||||
-v "$SECRETDIR:/work" coverity-scanner \
|
-v "$SECRETDIR:/work" coverity-scanner \
|
||||||
./run-coverity-scan --version "$VERSION" \
|
./run-coverity-scan --version "$VERSION" \
|
||||||
--description "$DESCRIPTION" $DRYRUNARG --tokenfile /work/token \
|
--description "$DESCRIPTION" $DRYRUNARG --tokenfile /work/token \
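Review bot: The run phase on the `tests/docker/docker.py run -it ...` line passes no `--engine`, while the build phase in the previous hunk passes `--engine ${DOCKER_ENGINE}`; if the wrapper's default engine resolves differently from the one chosen with --docker-engine, the `coverity-scanner` image built by one engine is not visible to the other and the run fails. Suggest `tests/docker/docker.py --engine "$DOCKER_ENGINE" run -it --env COVERITY_EMAIL --env COVERITY_BUILD_CMD \`. The build invocation should likewise quote the expansion, `--engine "$DOCKER_ENGINE"`, matching how the rest of the script quotes `"$SECRETDIR"` and `"$VERSION"`. The `--docker-engine)` case arm accepts any string; checking it against the documented values (docker/podman/auto) there would give a clearer error than one surfacing from the wrapper, and the `echo "--docker-engine needs an argument"` diagnostic should go to stderr (`>&2`).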
|
||||||
|
|