Skip to content

Coverity

Coverity #501

# This file is parttly based on https://github.com/marketplace/actions/synopsys-intelligent-security-scan.
name: Coverity
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '30 2 * * *' # Run once per day, to avoid Coverity's submission limits
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
Coverity:
runs-on: ubuntu-latest
env:
COV_URL: ${{ secrets.SYNOPSYS_ACCESS_URL }}
COV_USER: ${{ secrets.SYNOPSYS_ACCESS_EMAIL }}
COVERITY_PASSPHRASE: ${{ secrets.SYNOPSYS_ACCESS_TOKEN }}
CSA: cov-analysis-linux64-2020.12
COVERITY_PROJECT: franziska-wegner/egoa
BLDCMD: mvn -B clean package -DskipTests
CHECKERS: --webapp-security
QT_VERSION: "6.2.0"
steps:
- name: Checkout EGOA
uses: actions/checkout@v4
- name: Coverity Download
run: |
wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$COVERITY_PASSPHRASE&project=franziska-wegner%2Fegoa" -O coverity_tool.tgz
mkdir cov-scan
tar ax -f coverity_tool.tgz --strip-components=1 -C cov-scan
# - name: Coverity Full Scan
# if: ${{ github.event_name != 'pull_request' }}
# run: |
# export PATH=$PATH:/tmp/$CSA/bin
# set -x
# cov-build --dir idir --fs-capture-search $GITHUB_WORKSPACE $BLDCMD
# cov-analyze --dir idir --ticker-mode none --strip-path $GITHUB_WORKSPACE $CHECKERS
# cov-commit-defects --dir idir --ticker-mode none --url $COV_URL --stream $COVERITY_PROJECT-${GITHUB_REF##*/} --scm git \
# --description $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID --target $RUNNER_OS --version $GITHUB_SHA
# - name: Coverity Quality Gate
# if: ${{ github.event_name != 'pull_request' }}
# run: |
# curl -fLsS --user $COV_USER:$COVERITY_PASSPHRASE $COV_URL/api/viewContents/issues/v1/OWASP%20Web%20Top%2010?projectId=$COVERITY_PROJECT > results.json
# if [ $(cat results.json | jq .viewContentsV1.totalRows) -ne 0 ]; then cat results.json | jq .viewContentsV1.rows; exit 1; fi
# - id: changeset
# name: Get Pull Request Changeset
# uses: jitterbit/get-changed-files@v1
# if: ${{ github.event_name == 'pull_request' }}
# - name: Coverity Incremental Scan
# if: ${{ github.event_name == 'pull_request' && steps.changeset.outputs.added_modified != '' }}
# run: |
# export PATH=$PATH:/tmp/$CSA/bin
# set -x
# cov-run-desktop --dir idir --url $COV_URL --stream $COVERITY_PROJECT-$GITHUB_BASE_REF --build $BLDCMD
# cov-run-desktop --dir idir --url $COV_URL --stream $COVERITY_PROJECT-$GITHUB_BASE_REF --present-in-reference false \
# --ignore-uncapturable-inputs true --exit1-if-defects true ${{ steps.changeset.outputs.added_modified }}
- name: Setup environment
run: |
echo "$(pwd)/cov-scan/bin" >> $GITHUB_PATH
echo "NPROC=$(getconf _NPROCESSORS_ONLN)" >> $GITHUB_ENV
- name: Install Qt
uses: jurplel/install-qt-action@v3
with:
version: ${{ env.QT_VERSION }}
cache: 'true'
cache-key-prefix: ${{ runner.os }}-Qt-Cache-${{ env.QT_VERSION }}
dir: ${{ github.workspace }}/Qt
- name: Set reusable strings
# Turn repeated input strings (such as the build output directory) into step outputs. These step outputs can be used throughout the workflow file.
id: strings
shell: bash
run: |
echo "build-output-dir=${{ github.workspace }}/build" >> "$GITHUB_OUTPUT"
- name: Configure egoa
env:
CMAKE_PREFIX_PATH: ${{env.Qt6_DIR}}
CMAKE_MODULE_PATH: ${{env.Qt6_DIR}}
run: >
cmake -B ${{ steps.strings.outputs.build-output-dir }}
-DCMAKE_CXX_COMPILER=g++
-DCMAKE_C_COMPILER=gcc
-DEGOA_BUILD_TYPE=Release
-DCMAKE_BUILD_TYPE=Release
-DBoost_NO_SYSTEM_PATHS=TRUE
-DEGOA_DOWNLOAD_CPPAD=OFF
-DEGOA_DOWNLOAD_EIGEN=OFF
-DEGOA_DOWNLOAD_GOOGLE_TEST_FRAMEWORK=OFF
-DEGOA_DOWNLOAD_IEEE=OFF
-DEGOA_DOWNLOAD_PYPSA_EUR=OFF
-DEGOA_DOWNLOAD_PYPSA_ITI_COLLABORATION=OFF
-DEGOA_DOWNLOAD_SCIGRID=OFF
-DEGOA_DOWNLOAD_WINDFARM=OFF
-DEGOA_ENABLE_ASSERTION=ON
-DEGOA_ENABLE_BONMIN=OFF
-DEGOA_ENABLE_BOOST=OFF
-DEGOA_ENABLE_CPLEX=OFF
-DEGOA_ENABLE_DOCUMENTATION=OFF
-DEGOA_ENABLE_EXCEPTION_HANDLING=ON
-DEGOA_ENABLE_GUROBI=OFF
-DEGOA_ENABLE_IPOPT=OFF
-DEGOA_ENABLE_OGDF=OFF
-DEGOA_ENABLE_OPENMP=OFF
-DEGOA_ENABLE_TESTS=OFF
-DEGOA_ENABLE_VERBOSE_MAKEFILE=ON
-DEGOA_PEDANTIC_AS_ERRORS=OFF
-DEGOA_PEDANTIC_MODE=ON
-DEGOA_TEST_FRAMEWORK=OfflineGoogleTestFramework
-DEGOA_TEST_FRAMEWORK_LOCATION=external/GoogleTestFramework
-DEGOA_THREAD_LIMIT=0
-DEGOA_WARNINGS_AS_ERRORS=ON
-DBONMIN_ROOT_DIR="NONE-DIR"
-DBoost_DIRECTORIES="/opt/homebrew/opt/boost/"
-DCOIN_INCLUDE_DIR="NONE-DIR"
-DCOIN_LIBRARY_DIR="NONE-DIR"
-DCPLEX_HOME="NONE-DIR"
-DGUROBI_ROOT_DIR="NONE-DIR"
-DOGDF_AUTOGEN_INCLUDE_DIR="NONE-DIR"
-DOGDF_INCLUDE_DIR="NONE-DIR"
-DOGDF_LIBRARY_DIR="NONE-DIR"
-DOPENMP_INCLUDES="/opt/homebrew/opt/llvm/include"
-DOPENMP_LIBRARIES="/opt/homebrew/opt/llvm/lib"
-S ${{ github.workspace }}
- name: Run coverity build/scan
run: |
cd build && cov-build --dir cov-int make -j${NPROC}
- name: Submit results
run: |
cd build
tar zcf cov-scan.tgz cov-int
curl --form token=$COVERITY_PASSPHRASE \
--form email=$COV_USER \
--form [email protected] \
--form version="$(git rev-parse HEAD)" \
--form description="Automatic GHA scan" \
'https://scan.coverity.com/builds?project=franziska-wegner%2Fegoa'