From: Peter Maydell <peter.maydell@linaro.org>

Add config to travis to do a Coverity Scan build and upload, using
the new run-coverity-scan script.

There is an official integration between Travis and Coverity Scan:
 https://github.com/travis-ci/travis-build/blob/master/lib/travis/build/addons/coverity_scan.rb
which slurps values out of the .travis.yml and downloads a build
script from Coverity which does the bulk of the work:
 https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh

However we choose to roll our own since this seems less
confusing and also allows us to include debug features
(notably the ability to do a "dry run" test which doesn't
actually upload anything).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 .travis.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 0220f7472e..29c9ef72a4 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -218,3 +218,27 @@ matrix:
         - TEST_CMD=""
       before_script:
         - ./configure ${CONFIG} --extra-cflags="-g3 -O0 -fsanitize=thread -fuse-ld=gold" || cat config.log
+    # Build and upload to Coverity Scan.
+    # We do not impose any rate limiting here, but instead rely on the
+    # limiting done by the coverity servers, which for a project of QEMU's
+    # size means one build a day. The run-coverity-scan script will exit
+    # early if the limiter does not permit a new upload, so the effect will
+    # be that the first build (only) in each 24 hour period will be scanned.
+    # If we needed to apply a limit at the Travis end, the simplest approach
+    # would be to run the scan only if the branch was 'coverity-scan', and
+    # use a cron job to push master to the 'coverity-scan' branch periodically.
+    # We run on the trusty Travis hosts so that there's a wider set of
+    # dependencies satisfied to improve coverage.
+    - dist: trusty
+      env:
+        - COVERITY=1
+        - COVERITY_BUILD_CMD="make -j3"
+        - COVERITY_EMAIL=peter.maydell@linaro.org
+        # This 'secure' setting sets COVERITY_TOKEN=<secret token>
+        # and was created with travis encrypt -r qemu/qemu COVERITY_TOKEN=...
+        - secure: "D3E6E5bacui53fYBQrx0wQr8ZTvo6VIBPKfg0QHj2uwa6OPFkUlcMr/EHWvdbZNAa4Q1bv1vhlED5OPRfPmQYzxQNT4SAxDZeuZnikgIymfqQXNOjKw4kRUDO9P42QanyFd+EAu2JDVClAeJPgBpa/ns4CNrGDK+Q3coGndCP8o="
+      before_script:
+        - if [ "$TRAVIS_PULL_REQUEST" = "true" ]; then echo "Skipping Coverity (pullreq)"; exit 0; fi
+        - if [ "$TRAVIS_BRANCH" != "master" ]; then echo "Skipping Coverity (wrong branch)"; exit 0; fi
+      script:
+        - ./scripts/run-coverity-scan
-- 
2.11.0

Philippe Mathieu-Daudé <f4bug@amsat.org> writes:

> From: Peter Maydell <peter.maydell@linaro.org>
>
> Add config to travis to do a Coverity Scan build and upload, using
> the new run-coverity-scan script.
>
> There is an official integration between Travis and Coverity Scan:
>  https://github.com/travis-ci/travis-build/blob/master/lib/travis/build/addons/coverity_scan.rb
> which slurps values out of the .travis.yml and downloads a build
> script from Coverity which does the bulk of the work:
>  https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh
>
> However we choose to roll our own since this seems less
> confusing and also allows us to include debug features
> (notably the ability to do a "dry run" test which doesn't
> actually upload anything).
>
> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  .travis.yml | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>
> diff --git a/.travis.yml b/.travis.yml
> index 0220f7472e..29c9ef72a4 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -218,3 +218,27 @@ matrix:
>          - TEST_CMD=""
>        before_script:
>          - ./configure ${CONFIG} --extra-cflags="-g3 -O0 -fsanitize=thread -fuse-ld=gold" || cat config.log
> +    # Build and upload to Coverity Scan.
> +    # We do not impose any rate limiting here, but instead rely on the
> +    # limiting done by the coverity servers, which for a project of QEMU's
> +    # size means one build a day. The run-coverity-scan script will exit
> +    # early if the limiter does not permit a new upload, so the effect will
> +    # be that the first build (only) in each 24 hour period will be scanned.
> +    # If we needed to apply a limit at the Travis end, the simplest approach
> +    # would be to run the scan only if the branch was 'coverity-scan', and
> +    # use a cron job to push master to the 'coverity-scan' branch periodically.
> +    # We run on the trusty Travis hosts so that there's a wider set of
> +    # dependencies satisfied to improve coverage.
> +    - dist: trusty
> +      env:
> +        - COVERITY=1
> +        - COVERITY_BUILD_CMD="make -j3"
> +        - COVERITY_EMAIL=peter.maydell@linaro.org
> +        # This 'secure' setting sets COVERITY_TOKEN=<secret token>
> +        # and was created with travis encrypt -r qemu/qemu COVERITY_TOKEN=...
> +        - secure: "D3E6E5bacui53fYBQrx0wQr8ZTvo6VIBPKfg0QHj2uwa6OPFkUlcMr/EHWvdbZNAa4Q1bv1vhlED5OPRfPmQYzxQNT4SAxDZeuZnikgIymfqQXNOjKw4kRUDO9P42QanyFd+EAu2JDVClAeJPgBpa/ns4CNrGDK+Q3coGndCP8o="
> +      before_script:
> +        - if [ "$TRAVIS_PULL_REQUEST" = "true" ]; then echo "Skipping Coverity (pullreq)"; exit 0; fi
> +        - if [ "$TRAVIS_BRANCH" != "master" ]; then echo "Skipping
> Coverity (wrong branch)"; exit 0; fi

I think this is waiting on a fix I mention when reviewing Peter's
original patches.


--
Alex Bennée

On 06/22/2017 06:56 AM, Alex Bennée wrote:[...]
> I think this is waiting on a fix I mention when reviewing Peter's
> original patches.

Ok! I'll wait or drop the Coverity part.