[apparmor] [PATCH 2/3] Makefile: Add coverity target

Tyler Hicks tyhicks at canonical.com
Wed Jan 6 16:55:07 UTC 2016


On 2016-01-05 23:24:51, Steve Beattie wrote:
> On Tue, Jan 05, 2016 at 05:11:14PM -0600, Tyler Hicks wrote:
> > Add a target that uses cov-build, which must be found in $PATH, to
> > generate an intermediate Coverity directory. Finally, the intermediate
> > directory is converted to a compressed tarball, stored in
> > coverity/apparmor-cov-int.tar.gz, that is suitable for uploading to
> > scan.coverity.com.
> 
> Thanks for driving this.
> 
> Some thoughts:
> 
> - In past lives, I've had to try to walk back from a random
>   distributed snapshot tarball and try to match it back up to a VCS
>   tree, and determine whether certain bugs had already been fixed
>   and just needed cherry-picking or whether they were still an issue
>   (or an insufficiently fixed issue). This is why in the generated
>   tarballs, whether for release or ephemeral snapshots, I've tried
>   to include a back reference to the specific commit in our VCS,
>   to make backtracking significantly easier. I would imagine knowing
>   which commit a given coverity scan corresponds to would be useful,
>   especially if we aren't submitting every single commit. (That
>   said, I'm not sure the coverity dashboard has a means of reporting
>   this info.)
> 
>   (Also consider the issue we had in Ubuntu where the kernel team
>   reported failures with out of date tests, but the specific revision
>   used wasn't being reported, so investigation always needed to occur.)

When you do the upload to scan.coverity.com, you must specify a revision
for the upload. For the initial one, I think that I used 2.9.10+r3327.

However, I completely agree that it would be much better to embed that
into the tarball.

> - I've also seen tarball releases where uncommitted fixes or other
>   random garbage leaked in because the tarball was taken from an
>   unclean VCS checkout. This is why the Makefile does the dance of
>   making a clean checkout to work on for tarball generation, even if
>   it is slower. (If I were better at bazaar, I would set up something
>   akin to local git references and so it wouldn't be so slow, but I'm
>   not. Setting REPO_URL=. will also make things go fast, but loses
>   the publicly findable origin tree. My automated jenkins builds do
>   exactly that, however.)

Ah, very good point.

> 
> I'd probably prefer to see it leverage a lot of the snapshot target's
> internals.

I have to admit to glossing over the snapshot target. It didn't
initially work for me and I should have given more thought as to why.

(The reason is that I develop in a git tree that has been converted from
the lp:apparmor bzr tree using git-remote-bzr. The `bzr export` command
in the export_dir target will obviously not work in my setup...)

I'll work on a v2 for this patch, in the background, to base it on the
snapshot target and send it out in a day or so.

Tyler

> 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> >  Makefile | 11 ++++++++++-
> >  1 file changed, 10 insertions(+), 1 deletion(-)
> > 
> > diff --git a/Makefile b/Makefile
> > index 5a9ba73..d7c3849 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -24,6 +24,7 @@ REPO_URL?=https://code.launchpad.net/~apparmor-dev/apparmor/master
> >  #REPO_URL=.
> >  #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
> >  
> > +COVERITY_DIR=coverity
> >  RELEASE_DIR=apparmor-${VERSION}
> >  __SETUP_DIR?=.
> >  
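
Review bot: COVERITY_DIR is assigned with a plain "=" while the neighbouring REPO_URL and __SETUP_DIR use "?=", so a value set in the environment is silently ignored. Either switch to "COVERITY_DIR?=coverity" for consistency or leave it fixed on purpose, bearing in mind that the clean target in this patch passes the variable straight to "rm -rf".
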
> > @@ -60,7 +61,7 @@ export_dir:
> >  
> >  .PHONY: clean
> >  clean:
> > -	-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~*
> > +	-rm -rf ${RELEASE_DIR} ./apparmor-${VERSION}~* ${COVERITY_DIR}
> >  	for dir in $(DIRS); do \
> >  		make -C $$dir clean; \
> >  	done
> > @@ -69,6 +70,14 @@ clean:
> >  setup:
> >  	cd $(__SETUP_DIR)/libraries/libapparmor && ./autogen.sh
> >  
> > +.PHONY: coverity
> > +coverity: COV_INT=$(COVERITY_DIR)/apparmor-cov-int
> > +coverity: setup
> > +	cd $(__SETUP_DIR)/libraries/libapparmor && ./configure --with-python
> > +	make clean
> > +	$(foreach dir, $(DIRS), cov-build --dir $(COV_INT) -- make -C $(dir);)
> > +	tar -cvzf $(COV_INT).tar.gz $(COV_INT)
> > +
> >  .PHONY: tag
> >  tag:
> >  	bzr tag apparmor_${TAG_VERSION}
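
Review bot: In the coverity recipe, the $(foreach ...) line joins the per-directory cov-build commands with ";", so the shell returns only the last command's status and a failed build in an earlier directory still falls through to the tar step, producing a tarball from a partial capture. Appending "|| exit 1" to each cov-build command before the ";" would stop the recipe on the first failure. The recipe also calls plain "make" for both "make clean" and "make -C $(dir)", where $(MAKE) would pass command-line flags and variables through to the sub-makes, and tar is run from the top level, so archive members are stored under the $(COVERITY_DIR)/ prefix rather than starting at apparmor-cov-int (tar -C $(COVERITY_DIR) would drop the prefix). Nothing in the target records which revision was built, which is the traceability concern raised in the reply above.
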
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/


