Update and fix the coverity.yml (#310)

FIX: Update the coverity scan - Update Coverity.yml by adding 3rd party library workaround. - Update Coverity.yml to build without unit tests as this is not a point of interest. - Minor GitHub actions versions and flags update - Updated scan-dependency-review - Fixes to Super-Linter regarding speed and configuration symbolic links --------- Signed-off-by: Milosz Linkiewicz <[email protected]>
OpenVisualCloud · Jan 17, 2025 · 05492f8 · 05492f8
1 parent 587bee2
commit 05492f8
Show file tree

Hide file tree

Showing 11 changed files with 56 additions and 28 deletions.
diff --git a/.github/configs/super-linter/.clang-format b/.github/configs/super-linter/.clang-format
diff --git a/.github/configs/super-linter/.clang-format b/.github/configs/super-linter/.clang-format
@@ -0,0 +1 @@
+../../../.clang-format
diff --git a/.github/configs/super-linter/.shellcheckrc b/.github/configs/super-linter/.shellcheckrc
@@ -0,0 +1 @@
+../../../.shellcheckrc
diff --git a/.github/scripts/github_common.sh b/.github/scripts/github_common.sh
@@ -3,10 +3,10 @@
 # SPDX-License-Identifier: BSD-3-Clause
 # Copyright 2024 Intel Corporation
 
-script_dir=$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")
-repository_root=$(readlink -f "${script_dir}/../..")
+script_dir="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
+repository_root="$(readlink -f "${script_dir}/../..")"
 
-# shellcheck source="../../scripts/common.sh"
+# shellcheck source="SCRIPTDIR/../../scripts/common.sh"
 . "${repository_root}/scripts/common.sh"
 
 allow_non_ascii_filenames="false"
@@ -16,21 +16,20 @@ function get_main_sha()
   log_info "Getting origin/main commit SHA"
   git_origin_main=$(git rev-parse --verify origin/main)
   log_info "running against origin/master=${git_origin_main}"
-  echo $git_origin_main
+  echo "$git_origin_main"
 }
 
 function get_head_sha()
 {
   log_info "Getting HEAD commit SHA"
-  if $(git rev-parse --verify HEAD >/dev/null 2>&1)
-  then
+  if git rev-parse --verify HEAD >/dev/null 2>&1; then
     git_current_hash=$(git rev-parse --verify HEAD)
   else
     echo "This is first commit, nothing to check, exiting"
     exit 0
   fi
   log_info "running against HEAD=${git_current_hash}"
-  echo $git_current_hash
+  echo "${git_current_hash}"
 }
 
 function check_nonascii_files()
@@ -41,7 +40,7 @@ function check_nonascii_files()
 
   if [ "$allow_non_ascii" == "false" ]
   then
-    if test $(git diff --diff-filter=AR --relative --name-only -z $github_origin_main $github_current_hash | LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
+    if test "$(git diff --diff-filter=AR --relative --name-only -z "${github_origin_main}" "${github_current_hash}" | LC_ALL=C tr -d '[ -~]\0' | wc -c)" != 0
     then
       cat <<EOF
 Error: You attempted to add a non-ASCII file name.
@@ -59,10 +58,10 @@ function check_file_subdir_type()
 
   if [ -z "$modified_file" ]
   then
-    printf "Function check_file_subdir_type requires exacly 1 valid argument." 1>&2
+    printf "Function check_file_subdir_type requires exactly 1 valid argument." 1>&2
     exit 1
   fi
-  printf "${modified_file}" | cut -d'/' "-f${fields_range}"
+  printf "%s" "${modified_file}" | cut -d'/' "-f${fields_range}"
 }
 
 function files_subdir_types()
@@ -72,7 +71,7 @@ function files_subdir_types()
 
 # diff-filter params, uppercase include, lowercase exclude:
 # Added (A), Copied (C), Deleted (D), Modified (M), Renamed (R), changed (T), Unmerged (U), Unknown (X), pairing Broken (B)
-  modified_file_list="$(git diff --diff-filter=dxb --relative --name-only -z $github_origin_main $github_current_hash | xargs -0)"
+  modified_file_list="$(git diff --diff-filter=dxb --relative --name-only -z "${github_origin_main}" "${github_current_hash}" | xargs -0)"
 
   for pt in $modified_file_list
   do
@@ -180,12 +179,14 @@ function other_file_check() {
   log_info "Other file path, not categorized. ${filepath}"
 }
 
-function start_git_head_parsing() {
-  cd "${repository_root}"
+function start_git_head_parsing()
+{
+  pushd "${repository_root}" || exit 10
   git_current_hash="$(get_head_sha)"
   git_origin_main="$(get_main_sha)"
-  check_nonascii_files "$git_origin_main" "$git_current_hash" allow_non_ascii_filenames
+  check_nonascii_files "$git_origin_main" "$git_current_hash" "${allow_non_ascii_filenames}"
   files_subdir_types "$git_origin_main" "$git_current_hash" || true
+  popd || exit 11
 }
 
 start_git_head_parsing
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -51,7 +51,7 @@ jobs:
 
     - name: 'Check local dependencies build cache'
       id: load-local-dependencies-cache
-      uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: ${{ env.BUILD_DIR }}
         key: ${{ runner.os }}-${{ hashFiles('versions.env') }}-${{ hashFiles('scripts/setup*.sh') }}
@@ -90,7 +90,7 @@ jobs:
     - name: 'Save local dependencies build cache'
       if: env.TRY_CACHE_REFRESH == 'true' && steps.load-local-dependencies-cache.outputs.cache-hit != 'true'
       id: save-local-dependencies-cache
-      uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: ${{ env.BUILD_DIR }}
         key: ${{ runner.os }}-${{ hashFiles('versions.env') }}-${{ hashFiles('scripts/setup*.sh') }}

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -44,7 +44,7 @@ jobs:
 
     - name: 'Check local dependencies build cache'
       id: load-local-dependencies-cache
-      uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: ${{ env.BUILD_DIR }}
         key: ${{ runner.os }}-${{ hashFiles('versions.env') }}-${{ hashFiles('scripts/setup*.sh') }}
@@ -80,6 +80,16 @@ jobs:
     - name: 'Build gRPC and dependencies'
       run: eval 'source scripts/setup_build_env.sh && lib_install_grpc'
 
+    - name: 'Configure ffmpeg and dependencies'
+      run: |
+        sed -i 's/strlen (MEMIF_DEFAULT_APP_NAME)/(sizeof(MEMIF_DEFAULT_APP_NAME) - 1)/g' ${{ github.workspace }}/sdk/3rdparty/libmemif/src/memif_private.h && \
+        ${{ github.workspace }}/build.sh && \
+        ${{ github.workspace }}/ffmpeg-plugin/configure-ffmpeg.sh "6.1" --disable-doc --disable-debug && \
+        ${{ github.workspace }}/ffmpeg-plugin/configure-ffmpeg.sh "7.0" --disable-doc --disable-debug && \
+        rm -rf ${{ github.workspace }}/_build/mcm
+        echo "\"${{ github.workspace }}/ffmpeg-plugin/build-ffmpeg.sh\" \"6.1\"" > ${{ github.workspace }}/build.sh
+        echo "\"${{ github.workspace }}/ffmpeg-plugin/build-ffmpeg.sh\" \"7.0\"" > ${{ github.workspace }}/build.sh
+
     - name: 'Run coverity'
       uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85 # v1.8.0
       with:
@@ -88,10 +98,7 @@ jobs:
         token: ${{ secrets.COVERITY_SCAN_TOKEN }}
         build_language: 'cxx'
         build_platform: 'linux64'
-        command: |
-            ${{ github.workspace }}/build.sh && \
-            ${{ github.workspace }}/ffmpeg-plugin/configure-ffmpeg.sh && \
-            ${{ github.workspace }}/ffmpeg-plugin/build-ffmpeg.sh
+        command: ${{ github.workspace }}/build.sh
 
     - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,12 +1,26 @@
 # Source repository: https://github.com/actions/dependency-review-action
 
 name: scan-dependency-review
-on: [pull_request]
+on:
+  pull_request:
+  workflow_call:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to run the scans on'
+        default: 'main'
+        type: string
+      all_codebase:
+        description: 'Validate all codebase or changes/diff only'
+        default: 'false'
+        type: string
 
 permissions:
   contents: read
 env:
+  INPUT_BRANCH: ${{ inputs.branch || github.sha }}
   LINTER_RULES_PATH: .github/configs/super-linter
+  VALIDATE_ALL_CODEBASE: ${{ inputs.all_codebase || 'false' }}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
@@ -56,7 +70,8 @@ jobs:
       uses: super-linter/super-linter/slim@e1cb86b6e8d119f789513668b4b30bf17fe1efe4 # v7.2.0 x-release-please-version
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        DISABLE_ERRORS: true
+        DISABLE_ERRORS: false
+        BASH_SEVERITY: "warning"
         VALIDATE_PROTOBUF: true
         VALIDATE_MARKDOWN: true
         VALIDATE_MARKDOWN_PRETTIER: true

diff --git a/.github/workflows/ubuntu-build.yml b/.github/workflows/ubuntu-build.yml
@@ -43,7 +43,7 @@ jobs:
 
     - name: 'Check local dependencies build cache'
       id: load-local-dependencies-cache
-      uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
         path: ${{ env.BUILD_DIR }}
         key: ${{ runner.os }}-${{ hashFiles('versions.env') }}-${{ hashFiles('scripts/setup*.sh') }}
@@ -85,13 +85,13 @@ jobs:
     - name: 'Build FFmpeg 6.1 with MCM plugin'
       working-directory: ${{ github.workspace }}/ffmpeg-plugin
       run: |
-        ./configure-ffmpeg.sh "6.1" && \
+        ./configure-ffmpeg.sh "6.1" --disable-doc --disable-debug && \
         ./build-ffmpeg.sh "6.1"
 
     - name: 'Build FFmpeg 7.0 with MCM plugin'
       working-directory: ${{ github.workspace }}/ffmpeg-plugin
       run: |
-        ./configure-ffmpeg.sh "7.0" && \
+        ./configure-ffmpeg.sh "7.0" --disable-doc --disable-debug && \
         ./build-ffmpeg.sh "7.0"
 
     - name: 'Scanner: Send to VirusTotal for analysis'

diff --git a/.gitignore b/.gitignore
@@ -35,3 +35,5 @@ media-proxy/tests/memif_test_rx
 media-proxy/tests/memif_test_tx
 tests/single-node-sample-apps/error_*
 tests/single-node-sample-apps/out
+
+cov-int*
diff --git a/media-proxy/Dockerfile b/media-proxy/Dockerfile
@@ -16,6 +16,7 @@ ARG MTL_VER=""
 ARG DPDK_VER=""
 ARG GPRC_VER=""
 ARG JPEGXS_VER=""
+ARG LIBFABRIC_VER=""
 
 ARG MCM_DIR="/opt/mcm"
 ARG MTL_DIR="/opt/mtl"

diff --git a/media-proxy/tests/ffmpeg_test.sh b/media-proxy/tests/ffmpeg_test.sh
diff --git a/scripts/setup_build_env.sh b/scripts/setup_build_env.sh
@@ -197,7 +197,8 @@ function lib_build_and_install_jsonc()
 # Get and install golang from source
 function lib_build_and_install_golang()
 {
-    as_root wget_download_strip_unpack "https://go.dev/dl/go${GOLANG_GO_VER}.linux-amd64.tar.gz" "/usr/local/go/"
+    wget_download_strip_unpack "https://go.dev/dl/go${GOLANG_GO_VER}.linux-amd64.tar.gz" "${BUILD_DIR}/golang"
+    as_root cp -r "${BUILD_DIR}/golang" "/usr/local/go"
     as_root ln -s /usr/local/go/bin/go /usr/bin/go
     go version
     go install "${GOLANG_PROTOBUF_GEN}"