From 32afda20787728d278c289552facdcc1691221a4 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 3 Jun 2026 14:43:10 +0530 Subject: [PATCH 01/19] ci: consolidate fuzz and coverity workflows --- .github/actions/analysis/afl-fuzz/action.yml | 80 +++++++ .github/actions/analysis/coverity/action.yml | 156 +++++++++++++ .github/actions/analysis/libfuzzer/action.yml | 66 ++++++ .github/workflows/ci.yml | 3 +- .github/workflows/coverity.yml | 207 ------------------ .github/workflows/daily_build.yml | 108 ++++++++- .github/workflows/fuzz.yml | 107 --------- .github/workflows/libfuzzer.yml | 94 -------- .github/workflows/pull_request.yml | 13 +- 9 files changed, 410 insertions(+), 424 deletions(-) create mode 100644 .github/actions/analysis/afl-fuzz/action.yml create mode 100644 .github/actions/analysis/coverity/action.yml create mode 100644 .github/actions/analysis/libfuzzer/action.yml delete mode 100644 .github/workflows/coverity.yml delete mode 100644 .github/workflows/fuzz.yml delete mode 100644 .github/workflows/libfuzzer.yml diff --git a/.github/actions/analysis/afl-fuzz/action.yml b/.github/actions/analysis/afl-fuzz/action.yml new file mode 100644 index 0000000..e16e38d --- /dev/null +++ b/.github/actions/analysis/afl-fuzz/action.yml 
@@ -0,0 +1,80 @@ +# +# BSD 3-Clause License +# Copyright (C) 2026 Intel Corporation +# SPDX-License-Identifier: BSD-3-Clause +# +name: 'AFL Fuzz' +description: 'Build and run AFL++ fuzzing for config parser harness' + +inputs: + max-seconds: + description: 'Maximum AFL fuzzing run time in seconds' + required: false + default: '300' + +runs: + using: composite + steps: + - name: Install AFL dependencies + shell: bash + run: | + sudo apt-get update -qq + sudo apt-get install -y -qq afl++ libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config + + - name: Verify AFL environment + shell: bash + run: | + echo "=== AFL++ ===" + afl-clang-fast --version || { echo "ERROR: afl-clang-fast not found"; exit 1; } + echo "" + echo "=== libavutil ===" + dpkg -l libavutil-dev | grep -q ii || { echo "ERROR: libavutil-dev not installed"; exit 1; } + echo " Header: $(find /usr/include -name 'avutil.h' | head -1)" + echo " Library: $(find /usr/lib -name 'libavutil.so*' | head -1)" + echo "" + echo "=== Compiler ===" + gcc --version | head -1 + echo "" + echo "Environment OK" + + - name: Build AFL fuzz harness + shell: bash + run: | + cd fuzz + export CC=afl-clang-fast + $CC -g -O1 -fno-omit-frame-pointer -I../include -c fuzz_config_reader.c -o fuzz_config_reader.o + $CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/config_reader.c -o config_reader.o + $CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/logger.c -o logger.o + $CC -o fuzz_config_reader fuzz_config_reader.o config_reader.o logger.o -lavutil -lm + echo "Build successful: $(file fuzz_config_reader)" + + - name: Run AFL fuzzer + shell: bash + run: | + cd fuzz + mkdir -p findings + export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 + export AFL_SKIP_CPUFREQ=1 + timeout "${{ inputs.max-seconds }}" afl-fuzz -i corpus/ -o findings/ -V "${{ inputs.max-seconds }}" -- ./fuzz_config_reader @@ || true + + - name: Check AFL crashes + shell: bash + run: | + cd fuzz + CRASH_COUNT=$(find 
findings/default/crashes -type f ! -name "README.txt" 2>/dev/null | wc -l) + echo "Crashes found: $CRASH_COUNT" + if [ "$CRASH_COUNT" -gt 0 ]; then + echo "::error::AFL found $CRASH_COUNT crash(es)!" + ls -la findings/default/crashes/ + exit 1 + fi + echo "No crashes found - fuzzing passed." + + - name: Sanitize AFL filenames + if: always() + shell: bash + run: | + cd fuzz/findings + find . -name '*:*' | while read -r f; do + mv "$f" "$(echo "$f" | tr ':' '_')" + done diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml new file mode 100644 index 0000000..0ca35c3 --- /dev/null +++ b/.github/actions/analysis/coverity/action.yml 
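Review bot: In the Run AFL fuzzer step the `|| true` after `afl-fuzz`, together with `2>/dev/null` on the `find` in Check AFL crashes, lets a fuzzer that never started (for example a missing `corpus/` directory or a bad harness binary) report `Crashes found: 0` and pass. A guard that the run actually produced its stats file closes that false negative: `[ -f findings/default/fuzzer_stats ] || { echo "::error::afl-fuzz did not start (no findings/default/fuzzer_stats)"; exit 1; }` before the count. The count also looks only at `crashes/`; `findings/default/hangs` is written by the same run and is worth reporting too, at least as a `::warning::`. Separately, Sanitize AFL filenames is `if: always()` but `cd fuzz/findings` aborts under the default `bash -e` when the build step failed before `mkdir -p findings`; `cd fuzz/findings || exit 0` keeps that step best-effort.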
@@ -0,0 +1,156 @@ +# +# BSD 3-Clause License +# Copyright (C) 2026 Intel Corporation +# SPDX-License-Identifier: BSD-3-Clause +# +name: 'Coverity Scan' +description: 'Install Coverity, run static analysis, and emit JSON + SARIF reports' + +runs: + using: composite + steps: + - name: Install Coverity + shell: bash + env: + COVERITY_URL: ${{ env.COVERITY_URL }} + COVERITY_USER: ${{ env.COVERITY_USER }} + COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }} + run: | + echo "===== Coverity Setup =====" + COVERITY_DIR="$HOME/coverity" + if [ -x "$COVERITY_DIR/bin/cov-build" ]; then + echo " [OK] Coverity already installed at $COVERITY_DIR" + "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true + exit 0 + fi + mkdir -p "$COVERITY_DIR" + wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \ + -O /tmp/coverity.tar.gz "$COVERITY_URL" + tar xzf /tmp/coverity.tar.gz --strip-components=1 -C "$COVERITY_DIR" + rm -f /tmp/coverity.tar.gz + "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true + + - name: Run Coverity analysis + shell: bash + run: | + export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-} + if ! pkg-config --exists mtl 2>/dev/null; then + MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1) + if [ -z "$MTL_PC" ]; then + echo "ERROR: MTL pkg-config file not found." 
+ exit 1 + fi + MTL_PC_DIR=$(dirname "$MTL_PC") + echo "Found MTL pkgconfig at: $MTL_PC_DIR" + export PKG_CONFIG_PATH="${MTL_PC_DIR}:${PKG_CONFIG_PATH}" + fi + + REPORT_DIR="$GITHUB_WORKSPACE/reports" + mkdir -p "$REPORT_DIR" + + $HOME/coverity/bin/cov-configure --compiler cc --comptype gcc --template + rm -rf build coverity_output + meson setup build + $HOME/coverity/bin/cov-build --dir coverity_output/ ninja -C build + + $HOME/coverity/bin/cov-analyze --dir coverity_output/ \ + --concurrency --enable-constraint-fpp --enable-fnptr --enable-virtual \ + --disable ASSERT_SIDE_EFFECT \ + --disable AUTO_CAUSES_COPY \ + --disable BAD_CHECK_OF_WAIT_COND \ + --disable BAD_SHIFT \ + --disable COPY_INSTEAD_OF_MOVE \ + --disable CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH \ + --disable CUDA.CUDEVICE_HANDLES \ + --disable CUDA.DEVICE_DEPENDENT \ + --disable CUDA.DEVICE_DEPENDENT_CALLBACKS \ + --disable CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION \ + --disable CUDA.ERROR_INTERFACE \ + --disable CUDA.ERROR_KERNEL_LAUNCH \ + --disable CUDA.FORK \ + --disable CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP \ + --disable CUDA.INITIATION_OBJECT_DEVICE_THREAD_BLOCK \ + --disable CUDA.INVALID_MEMORY_ACCESS \ + --disable CUDA.SHARE_FUNCTION \ + --disable CUDA.SHARE_OBJECT_STREAM_ASSOCIATED \ + --disable CUDA.SPECIFIERS_INCONSISTENCY \ + --disable CUDA.SYNCHRONIZE_TERMINATION \ + --disable INEFFICIENT_RESERVE \ + --disable MISSING_COMMA \ + --disable MISSING_MOVE_ASSIGNMENT \ + --disable OVERLAPPING_COPY \ + --disable STREAM_FORMAT_STATE \ + --disable UNINTENDED_INTEGER_DIVISION + + $HOME/coverity/bin/cov-format-errors --dir coverity_output/ \ + --json-output-v8 "$REPORT_DIR/coverity-report.json" + + - name: Convert Coverity JSON to SARIF + shell: bash + run: | + REPORT_DIR="$GITHUB_WORKSPACE/reports" + python3 - <<'EOF' + import json, sys + + sarif = { + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [{ + 
"tool": { + "driver": { + "name": "Coverity", + "informationUri": "https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html", + "rules": [] + } + }, + "results": [] + }] + } + + try: + with open("reports/coverity-report.json") as f: + cov = json.load(f) + except (FileNotFoundError, json.JSONDecodeError): + with open("reports/coverity-results.sarif", "w") as f: + json.dump(sarif, f, indent=2) + sys.exit(0) + + rules_map = {} + results = [] + + for issue in cov.get("issues", []): + checker = issue.get("checkerName", "unknown") + if checker not in rules_map: + rule_idx = len(rules_map) + rules_map[checker] = rule_idx + sarif["runs"][0]["tool"]["driver"]["rules"].append({ + "id": checker, + "shortDescription": {"text": issue.get("checkerProperties", {}).get("subcategoryShortDescription", checker)}, + "helpUri": f"https://community.synopsys.com/s/article/{checker}" + }) + + events = issue.get("events", []) + main_event = events[0] if events else {} + file_path = main_event.get("strippedFilePathname", main_event.get("filePathname", "unknown")) + line = main_event.get("lineNumber", 1) + + results.append({ + "ruleId": checker, + "ruleIndex": rules_map[checker], + "level": "warning", + "message": {"text": issue.get("checkerProperties", {}).get("subcategoryLongDescription", checker)}, + "locations": [{ + "physicalLocation": { + "artifactLocation": {"uri": file_path, "uriBaseId": "%SRCROOT%"}, + "region": {"startLine": line} + } + }] + }) + + sarif["runs"][0]["results"] = results + + with open("reports/coverity-results.sarif", "w") as f: + json.dump(sarif, f, indent=2) + + print(f"Converted {len(results)} Coverity issues to SARIF") + EOF diff --git a/.github/actions/analysis/libfuzzer/action.yml b/.github/actions/analysis/libfuzzer/action.yml new file mode 100644 index 0000000..b400b05 --- /dev/null +++ b/.github/actions/analysis/libfuzzer/action.yml 
@@ -0,0 +1,66 @@ +# +# BSD 3-Clause License +# Copyright (C) 2026 Intel Corporation +# SPDX-License-Identifier: BSD-3-Clause +# +name: 'libFuzzer' +description: 'Build and run libFuzzer with ASan and UBSan for config parser harness' + +inputs: + max-seconds: + description: 'Maximum libFuzzer run time in seconds per sanitizer mode' + required: false + default: '300' + +runs: + using: composite + steps: + - name: Install libFuzzer dependencies + shell: bash + run: | + sudo apt-get update -qq + sudo apt-get install -y -qq clang libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config + + - name: Build and run libFuzzer (ASan) + shell: bash + run: | + cd fuzz + export CC=clang + $CC -fsanitize=fuzzer,address -g -O1 -fno-omit-frame-pointer -I../include \ + fuzz_config_reader_libfuzzer.c \ + ../src/util/config_reader.c \ + ../src/util/logger.c \ + -o fuzz_config_reader_libfuzzer \ + $(pkg-config --cflags --libs libavutil) -lm + + mkdir -p libfuzzer_corpus + ./fuzz_config_reader_libfuzzer \ + libfuzzer_corpus/ corpus/ \ + -max_total_time=${{ inputs.max-seconds }} \ + -print_final_stats=1 || FUZZ_EXIT=$? + if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then + echo "::error::libFuzzer found a crash (exit code $FUZZ_EXIT)!" + exit 1 + fi + + - name: Build and run libFuzzer (UBSan) + shell: bash + run: | + cd fuzz + export CC=clang + $CC -fsanitize=fuzzer,undefined -g -O1 -fno-omit-frame-pointer -I../include \ + fuzz_config_reader_libfuzzer.c \ + ../src/util/config_reader.c \ + ../src/util/logger.c \ + -o fuzz_config_reader_ubsan \ + $(pkg-config --cflags --libs libavutil) -lm + + mkdir -p ubsan_corpus + ./fuzz_config_reader_ubsan \ + ubsan_corpus/ corpus/ \ + -max_total_time=${{ inputs.max-seconds }} \ + -print_final_stats=1 || FUZZ_EXIT=$? + if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then + echo "::error::libFuzzer+UBSan found an issue (exit code $FUZZ_EXIT)!" + exit 1 + fi diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7531b56..2f54d67 100644 
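Review bot: The UBSan build on the `-fsanitize=fuzzer,undefined` line has no `-fno-sanitize-recover`, so UBSan diagnostics are recoverable by default: the runtime prints the report and execution continues, libFuzzer never sees a crash, and the step ends with exit 0 and "No issues found". Only undefined behaviour that also happens to crash would fail the job, which is not what the step's error message claims. Adding `-fno-sanitize-recover=undefined` to that compile line (or exporting `UBSAN_OPTIONS=halt_on_error=1:print_stacktrace=1` before the run) makes a UBSan finding abort the target so libFuzzer records it and exits non-zero. The ASan run is unaffected since ASan aborts on the first error.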
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,8 +21,9 @@ concurrency: jobs: ci: - name: Continuous Integration + name: CI Full Validation runs-on: ubuntu-latest + timeout-minutes: 45 permissions: contents: read steps: diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml deleted file mode 100644 index f853158..0000000 --- a/.github/workflows/coverity.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -# -# BSD 3-Clause License -# Copyright (C) 2026 Intel Corporation -# SPDX-License-Identifier: BSD-3-Clause -# -name: Coverity Scan - -on: - push: - branches: - - main - schedule: - # Weekly on Tuesday at 05:00 UTC - - cron: '0 5 * * 2' - workflow_dispatch: - -permissions: {} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - coverity: - name: Coverity Static Analysis - runs-on: ubuntu-latest - permissions: - contents: read # checkout repository - security-events: write # upload SARIF results - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Environment check - uses: ./.github/actions/environment-check - - - name: Install Coverity - env: - COVERITY_URL: ${{ secrets.COVERITY_URL }} - COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} - COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} - run: | - echo "===== Coverity Setup =====" - COVERITY_DIR="$HOME/coverity" - if [ -x "$COVERITY_DIR/bin/cov-build" ]; then - echo " [OK] Coverity already installed at $COVERITY_DIR" - "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true - exit 0 - fi - echo " Downloading Coverity..." - mkdir -p "$COVERITY_DIR" - wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \ - -O /tmp/coverity.tar.gz "$COVERITY_URL" - echo " Extracting Coverity..." - tar xzf /tmp/coverity.tar.gz --strip-components=1 -C "$COVERITY_DIR" - rm -f /tmp/coverity.tar.gz - echo " Coverity installed:" - "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true - - - name: Run Coverity Analysis - run: | - # Resolve MTL pkg-config path - export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-} - if ! 
pkg-config --exists mtl 2>/dev/null; then - MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1) - if [ -z "$MTL_PC" ]; then - echo "ERROR: MTL pkg-config file not found." - exit 1 - fi - MTL_PC_DIR=$(dirname "$MTL_PC") - echo "Found MTL pkgconfig at: $MTL_PC_DIR" - export PKG_CONFIG_PATH="${MTL_PC_DIR}:${PKG_CONFIG_PATH}" - fi - - REPORT_DIR="$GITHUB_WORKSPACE/reports" - mkdir -p "$REPORT_DIR" - - # Configure Coverity for cc (meson uses cc which is gcc) - $HOME/coverity/bin/cov-configure --compiler cc --comptype gcc --template - - # Clean and setup meson build directory - rm -rf build coverity_output - meson setup build - - # Run cov-build wrapping the ninja compilation - $HOME/coverity/bin/cov-build --dir coverity_output/ ninja -C build - - # Analyze captured build - $HOME/coverity/bin/cov-analyze --dir coverity_output/ \ - --concurrency --enable-constraint-fpp --enable-fnptr --enable-virtual \ - --disable ASSERT_SIDE_EFFECT \ - --disable AUTO_CAUSES_COPY \ - --disable BAD_CHECK_OF_WAIT_COND \ - --disable BAD_SHIFT \ - --disable COPY_INSTEAD_OF_MOVE \ - --disable CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH \ - --disable CUDA.CUDEVICE_HANDLES \ - --disable CUDA.DEVICE_DEPENDENT \ - --disable CUDA.DEVICE_DEPENDENT_CALLBACKS \ - --disable CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION \ - --disable CUDA.ERROR_INTERFACE \ - --disable CUDA.ERROR_KERNEL_LAUNCH \ - --disable CUDA.FORK \ - --disable CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP \ - --disable CUDA.INITIATION_OBJECT_DEVICE_THREAD_BLOCK \ - --disable CUDA.INVALID_MEMORY_ACCESS \ - --disable CUDA.SHARE_FUNCTION \ - --disable CUDA.SHARE_OBJECT_STREAM_ASSOCIATED \ - --disable CUDA.SPECIFIERS_INCONSISTENCY \ - --disable CUDA.SYNCHRONIZE_TERMINATION \ - --disable INEFFICIENT_RESERVE \ - --disable MISSING_COMMA \ - --disable MISSING_MOVE_ASSIGNMENT \ - --disable OVERLAPPING_COPY \ - --disable STREAM_FORMAT_STATE \ - --disable UNINTENDED_INTEGER_DIVISION - - # Generate JSON report - $HOME/coverity/bin/cov-format-errors 
--dir coverity_output/ \ - --json-output-v8 "$REPORT_DIR/coverity-report.json" - - - name: Convert Coverity JSON to SARIF - run: | - REPORT_DIR="$GITHUB_WORKSPACE/reports" - python3 - <<'EOF' - import json, sys - - sarif = { - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", - "version": "2.1.0", - "runs": [{ - "tool": { - "driver": { - "name": "Coverity", - "informationUri": "https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html", - "rules": [] - } - }, - "results": [] - }] - } - - try: - with open("reports/coverity-report.json") as f: - cov = json.load(f) - except (FileNotFoundError, json.JSONDecodeError): - with open("reports/coverity-results.sarif", "w") as f: - json.dump(sarif, f, indent=2) - sys.exit(0) - - rules_map = {} - results = [] - - for issue in cov.get("issues", []): - checker = issue.get("checkerName", "unknown") - if checker not in rules_map: - rule_idx = len(rules_map) - rules_map[checker] = rule_idx - sarif["runs"][0]["tool"]["driver"]["rules"].append({ - "id": checker, - "shortDescription": {"text": issue.get("checkerProperties", {}).get("subcategoryShortDescription", checker)}, - "helpUri": f"https://community.synopsys.com/s/article/{checker}" - }) - - events = issue.get("events", []) - main_event = events[0] if events else {} - file_path = main_event.get("strippedFilePathname", main_event.get("filePathname", "unknown")) - line = main_event.get("lineNumber", 1) - - results.append({ - "ruleId": checker, - "ruleIndex": rules_map[checker], - "level": "warning", - "message": {"text": issue.get("checkerProperties", {}).get("subcategoryLongDescription", checker)}, - "locations": [{ - "physicalLocation": { - "artifactLocation": {"uri": file_path, "uriBaseId": "%SRCROOT%"}, - "region": {"startLine": line} - } - }] - }) - - sarif["runs"][0]["results"] = results - - with open("reports/coverity-results.sarif", "w") as f: - json.dump(sarif, f, indent=2) - - 
print(f"Converted {len(results)} Coverity issues to SARIF") - EOF - - - name: Upload SARIF to Security tab - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 - if: always() - with: - sarif_file: reports/coverity-results.sarif - category: coverity - - - name: Upload reports - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - if: always() - with: - name: coverity-report-${{ github.run_id }} - path: reports/ - retention-days: 30 diff --git a/.github/workflows/daily_build.yml b/.github/workflows/daily_build.yml index 682d748..32f46f0 100644 --- a/.github/workflows/daily_build.yml +++ b/.github/workflows/daily_build.yml @@ -9,10 +9,6 @@ on: schedule: # Run at 10:00 PM UTC, Monday through Friday - cron: '0 22 * * 1-5' - - push: - branches: - - main workflow_dispatch: permissions: {} @@ -25,6 +21,7 @@ jobs: build: name: Daily Build runs-on: ubuntu-latest + timeout-minutes: 60 permissions: contents: read @@ -67,6 +64,9 @@ jobs: - name: Trivy Scan uses: ./.github/actions/analysis/trivy + - name: checksec Analysis + uses: ./.github/actions/analysis/checksec + - name: Upload daily build reports uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() 
@@ -74,3 +74,103 @@ jobs: name: DVLED-SW-TK-DailyBuild-${{ github.run_id }} path: ${{ github.workspace }}/reports/ retention-days: 30 + + afl-fuzz: + name: Daily AFL Fuzz + runs-on: ubuntu-latest + timeout-minutes: 25 + permissions: + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.sha }} + fetch-depth: 0 + persist-credentials: false + + - name: AFL Fuzz + uses: ./.github/actions/analysis/afl-fuzz + with: + max-seconds: '300' + + - name: Upload AFL fuzzing results + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + if: always() + with: + name: afl-fuzz-results-${{ github.run_id }} + path: fuzz/findings/ + retention-days: 14 + + libfuzzer: + name: Daily libFuzzer + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.sha }} + fetch-depth: 0 + persist-credentials: false + + - name: libFuzzer + uses: ./.github/actions/analysis/libfuzzer + with: + max-seconds: '300' + + - name: Upload libFuzzer corpora + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + if: always() + with: + name: libfuzzer-results-${{ github.run_id }} + path: | + fuzz/libfuzzer_corpus/ + fuzz/ubsan_corpus/ + retention-days: 14 + + coverity: + name: Daily Coverity Static Analysis + runs-on: ubuntu-latest + timeout-minutes: 90 + permissions: + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.sha }} + fetch-depth: 0 + persist-credentials: false + + - name: Environment check + uses: ./.github/actions/environment-check + + - name: Coverity Scan + uses: ./.github/actions/analysis/coverity + env: + COVERITY_URL: ${{ secrets.COVERITY_URL }} + 
COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} + COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} + + - name: Upload SARIF to Security tab + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + if: always() + with: + sarif_file: reports/coverity-results.sarif + category: coverity + + - name: Upload Coverity reports + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + if: always() + with: + name: coverity-report-${{ github.run_id }} + path: reports/ + retention-days: 30 + diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml deleted file mode 100644 index 93c6b30..0000000 --- a/.github/workflows/fuzz.yml +++ /dev/null 
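Review bot: The Upload libFuzzer corpora step uploads only `fuzz/libfuzzer_corpus/` and `fuzz/ubsan_corpus/`, but when libFuzzer stops on a finding it writes the reproducer as `crash-<hash>` (or `leak-`/`timeout-`/`oom-`) into the working directory, which is `fuzz/`, not into a corpus directory. On the one run where the job actually fails, the input a developer needs to reproduce it is therefore not captured. Either add `fuzz/crash-*`, `fuzz/leak-*`, `fuzz/timeout-*` and `fuzz/oom-*` to `path:`, or pass `-artifact_prefix=libfuzzer_corpus/artifacts/` (and `ubsan_corpus/artifacts/` for the UBSan run) in the libfuzzer action so reproducers land inside the directories already uploaded. The AFL job does not have this problem because it uploads the whole `fuzz/findings/` tree.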
@@ -1,107 +0,0 @@ -# -# BSD 3-Clause License -# Copyright (C) 2026 Intel Corporation -# SPDX-License-Identifier: BSD-3-Clause -# -name: Fuzz Testing (AFL) - -on: - push: - branches: - - main - pull_request: - branches: - - main - schedule: - # Weekly on Wednesday at 04:00 UTC - - cron: '0 4 * * 3' - workflow_dispatch: - -permissions: {} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - fuzz: - name: AFL Fuzz - Config Parser - runs-on: ubuntu-latest - permissions: - contents: read - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Install dependencies - run: | - sudo apt-get update - sudo apt-get install -y afl++ libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config - - - name: Verify environment - run: | - echo "=== AFL++ ===" - afl-clang-fast --version || { echo "ERROR: afl-clang-fast not found"; exit 1; } - echo "" - echo "=== libavutil ===" - dpkg -l libavutil-dev | grep -q ii || { echo "ERROR: libavutil-dev not installed"; exit 1; } - echo " Header: $(find /usr/include -name 'avutil.h' | head -1)" - echo " Library: $(find /usr/lib -name 'libavutil.so*' | head -1)" - echo "" - echo "=== Compiler ===" - gcc --version | head -1 - echo "" - echo "Environment OK" - - - name: Build fuzz harness - run: | - cd fuzz - export CC=afl-clang-fast - # Compile each file separately with minimal flags to avoid AFL MAX_PARAMS_NUM - $CC -g -O1 -fno-omit-frame-pointer -I../include -c fuzz_config_reader.c -o fuzz_config_reader.o - $CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/config_reader.c -o config_reader.o - $CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/logger.c -o logger.o - # Link with afl-clang-fast (needs AFL runtime), pass only linker libs directly - $CC -o fuzz_config_reader fuzz_config_reader.o config_reader.o logger.o -lavutil -lm - echo "Build 
successful: $(file fuzz_config_reader)" - - - name: Run AFL fuzzer (timed) - run: | - cd fuzz - mkdir -p findings - export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 - export AFL_SKIP_CPUFREQ=1 - # Run AFL for 5 minutes (CI time-boxed) - timeout 300 afl-fuzz -i corpus/ -o findings/ -V 300 -- ./fuzz_config_reader @@ || true - - - name: Check for crashes - run: | - cd fuzz - CRASH_COUNT=$(find findings/default/crashes -type f ! -name "README.txt" 2>/dev/null | wc -l) - echo "Crashes found: $CRASH_COUNT" - if [ "$CRASH_COUNT" -gt 0 ]; then - echo "::error::AFL found $CRASH_COUNT crash(es)!" - ls -la findings/default/crashes/ - exit 1 - fi - echo "No crashes found — fuzzing passed." - - - name: Sanitize AFL filenames for upload - if: always() - run: | - cd fuzz/findings - # Rename files with colons (AFL naming) to use underscores - find . -name '*:*' | while read f; do - mv "$f" "$(echo "$f" | tr ':' '_')" - done - - - name: Upload fuzzing results - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 - if: always() - with: - name: afl-fuzz-results-${{ github.run_id }} - path: fuzz/findings/ - retention-days: 14 diff --git a/.github/workflows/libfuzzer.yml b/.github/workflows/libfuzzer.yml deleted file mode 100644 index aaea7ec..0000000 --- a/.github/workflows/libfuzzer.yml +++ /dev/null 
@@ -1,94 +0,0 @@ -# -# BSD 3-Clause License -# Copyright (C) 2026 Intel Corporation -# SPDX-License-Identifier: BSD-3-Clause -# -name: Fuzz Testing (libFuzzer) - -on: - push: - branches: - - main - pull_request: - branches: - - main - schedule: - # Weekly on Thursday at 03:00 UTC - - cron: '0 3 * * 4' - workflow_dispatch: - -permissions: {} - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - libfuzzer: - name: libFuzzer - Config Parser - runs-on: ubuntu-latest - permissions: - contents: read # checkout repository - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - - - name: Install dependencies - run: | - sudo apt-get update - sudo apt-get install -y clang libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config - - - name: Build fuzz harness (AddressSanitizer + libFuzzer) - run: | - cd fuzz - export CC=clang - $CC -fsanitize=fuzzer,address -g -O1 -fno-omit-frame-pointer -I../include \ - fuzz_config_reader_libfuzzer.c \ - ../src/util/config_reader.c \ - ../src/util/logger.c \ - -o fuzz_config_reader_libfuzzer \ - $(pkg-config --cflags --libs libavutil) -lm - echo "Build successful: $(file fuzz_config_reader_libfuzzer)" - - - name: Run libFuzzer (timed) - run: | - cd fuzz - mkdir -p libfuzzer_corpus - # Seed from existing corpus, run for 5 minutes - ./fuzz_config_reader_libfuzzer \ - libfuzzer_corpus/ corpus/ \ - -max_total_time=300 \ - -print_final_stats=1 || FUZZ_EXIT=$? - if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then - echo "::error::libFuzzer found a crash (exit code $FUZZ_EXIT)!" - exit 1 - fi - echo "No crashes found — libFuzzer passed." 
- - - name: Build fuzz harness (UndefinedBehaviorSanitizer + libFuzzer) - run: | - cd fuzz - export CC=clang - $CC -fsanitize=fuzzer,undefined -g -O1 -fno-omit-frame-pointer -I../include \ - fuzz_config_reader_libfuzzer.c \ - ../src/util/config_reader.c \ - ../src/util/logger.c \ - -o fuzz_config_reader_ubsan \ - $(pkg-config --cflags --libs libavutil) -lm - - - name: Run libFuzzer with UBSan (timed) - run: | - cd fuzz - mkdir -p ubsan_corpus - ./fuzz_config_reader_ubsan \ - ubsan_corpus/ corpus/ \ - -max_total_time=300 \ - -print_final_stats=1 || FUZZ_EXIT=$? - if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then - echo "::error::libFuzzer+UBSan found an issue (exit code $FUZZ_EXIT)!" - exit 1 - fi - echo "No issues found — UBSan fuzzing passed." diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 56da48c..426435a 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -7,14 +7,10 @@ name: Pull Request on: pull_request: - types: [assigned, opened, synchronize, reopened] + types: [opened, synchronize, reopened, ready_for_review] branches: - main - push: - branches-ignore: - - main - workflow_dispatch: permissions: {} @@ -27,6 +23,7 @@ jobs: pull-request: name: Pull Request runs-on: ubuntu-latest + timeout-minutes: 25 permissions: contents: read @@ -65,12 +62,6 @@ jobs: - name: cppcheck uses: ./.github/actions/analysis/cppcheck - - name: Trivy Scan - uses: ./.github/actions/analysis/trivy - - - name: checksec Analysis - uses: ./.github/actions/analysis/checksec - - name: Upload PR reports uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() From c58341b3a70d499aa6c15753fa0ab4a72a9b7d01 Mon Sep 17 00:00:00 2001 
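Review bot: The last hunk drops Trivy and checksec from the pull-request workflow, and the daily_build.yml hunk in this same commit removes the `push: branches: main` trigger there, so after this commit neither scan runs on a PR nor on the merge to main; the first look at a newly introduced vulnerable dependency or hardening regression is the weekday 22:00 UTC cron, which for a Friday-evening merge is the following Monday. If the goal is PR runtime, keeping Trivy in the PR job (that is where known-vulnerable dependencies would surface before merge) and moving only checksec to daily preserves the pre-merge gate; otherwise keeping the `push` trigger on main in daily_build.yml gives at least a same-day post-merge signal. Dropping `assigned` from `types` and adding `ready_for_review` looks fine. The enclosing `steps:` list continues outside the hunk.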
From: roshan-ku Date: Wed, 3 Jun 2026 14:55:25 +0530 Subject: [PATCH 02/19] ci: fix zizmor template-injection findings --- .github/actions/analysis/afl-fuzz/action.yml | 8 +++++++- .github/actions/analysis/libfuzzer/action.yml | 16 ++++++++++++++-- .github/workflows/daily_build.yml | 2 +- 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/.github/actions/analysis/afl-fuzz/action.yml b/.github/actions/analysis/afl-fuzz/action.yml index e16e38d..e36c34e 100644 --- a/.github/actions/analysis/afl-fuzz/action.yml +++ b/.github/actions/analysis/afl-fuzz/action.yml @@ -50,12 +50,18 @@ runs: - name: Run AFL fuzzer shell: bash + env: + MAX_SECONDS: ${{ inputs.max-seconds }} run: | cd fuzz + if ! [[ "$MAX_SECONDS" =~ ^[0-9]+$ ]]; then + echo "ERROR: max-seconds must be a positive integer" + exit 1 + fi mkdir -p findings export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 export AFL_SKIP_CPUFREQ=1 - timeout "${{ inputs.max-seconds }}" afl-fuzz -i corpus/ -o findings/ -V "${{ inputs.max-seconds }}" -- ./fuzz_config_reader @@ || true + timeout "$MAX_SECONDS" afl-fuzz -i corpus/ -o findings/ -V "$MAX_SECONDS" -- ./fuzz_config_reader @@ || true - name: Check AFL crashes shell: bash diff --git a/.github/actions/analysis/libfuzzer/action.yml b/.github/actions/analysis/libfuzzer/action.yml index b400b05..7f27c06 100644 --- a/.github/actions/analysis/libfuzzer/action.yml +++ b/.github/actions/analysis/libfuzzer/action.yml @@ -23,7 +23,13 @@ runs: - name: Build and run libFuzzer (ASan) shell: bash + env: + MAX_SECONDS: ${{ inputs.max-seconds }} run: | + if ! [[ "$MAX_SECONDS" =~ ^[0-9]+$ ]]; then + echo "ERROR: max-seconds must be a positive integer" + exit 1 + fi cd fuzz export CC=clang $CC -fsanitize=fuzzer,address -g -O1 -fno-omit-frame-pointer -I../include \ 
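Review bot: The new validation `^[0-9]+$` accepts `0` (and leading zeros) even though the message says "positive integer", and `0` is exactly the value that defeats the time box: GNU `timeout 0` disables the timeout, and in the libfuzzer action (same regex in its hunks on the same file) `-max_total_time=0` means no limit, so a `max-seconds: '0'` input runs until `timeout-minutes` kills the job. `if ! [[ "$MAX_SECONDS" =~ ^[1-9][0-9]*$ ]]; then` matches the message; apply it in all three places. Moving `${{ inputs.max-seconds }}` into `env:` before it reaches the shell is the right fix for the zizmor finding and the validation is a good addition on top of it. The enclosing `steps:` list continues outside the hunk.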
@@ -36,7 +42,7 @@ runs: mkdir -p libfuzzer_corpus ./fuzz_config_reader_libfuzzer \ libfuzzer_corpus/ corpus/ \ - -max_total_time=${{ inputs.max-seconds }} \ + -max_total_time="$MAX_SECONDS" \ -print_final_stats=1 || FUZZ_EXIT=$? if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then echo "::error::libFuzzer found a crash (exit code $FUZZ_EXIT)!" @@ -45,7 +51,13 @@ runs: - name: Build and run libFuzzer (UBSan) shell: bash + env: + MAX_SECONDS: ${{ inputs.max-seconds }} run: | + if ! [[ "$MAX_SECONDS" =~ ^[0-9]+$ ]]; then + echo "ERROR: max-seconds must be a positive integer" + exit 1 + fi cd fuzz export CC=clang $CC -fsanitize=fuzzer,undefined -g -O1 -fno-omit-frame-pointer -I../include \ @@ -58,7 +70,7 @@ runs: mkdir -p ubsan_corpus ./fuzz_config_reader_ubsan \ ubsan_corpus/ corpus/ \ - -max_total_time=${{ inputs.max-seconds }} \ + -max_total_time="$MAX_SECONDS" \ -print_final_stats=1 || FUZZ_EXIT=$? if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then echo "::error::libFuzzer+UBSan found an issue (exit code $FUZZ_EXIT)!" diff --git a/.github/workflows/daily_build.yml b/.github/workflows/daily_build.yml index 32f46f0..c30ad47 100644 --- a/.github/workflows/daily_build.yml +++ b/.github/workflows/daily_build.yml @@ -139,7 +139,7 @@ jobs: timeout-minutes: 90 permissions: contents: read - security-events: write + security-events: write # Needed to upload Coverity SARIF to the Security tab. steps: - name: Checkout repository From 69020ee6b2202e6136bceafca7a256ccaa25f1f7 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 3 Jun 2026 14:58:11 +0530 Subject: [PATCH 03/19] ci: update workflow configuration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2f54d67..f22c9e5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,7 @@ concurrency: jobs: ci: - name: CI Full Validation + name: Continuous Integration runs-on: ubuntu-latest timeout-minutes: 45 permissions: 
From 37b50b1d6ad6f62052702541ff181894832299a3 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Thu, 4 Jun 2026 14:10:25 +0530 Subject: [PATCH 04/19] commented coverity section --- .github/actions/environment-check/action.yml | 2 +- .github/workflows/daily_build.yml | 80 ++++++++++---------- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/.github/actions/environment-check/action.yml b/.github/actions/environment-check/action.yml index a05d2f5..4b10977 100644 --- a/.github/actions/environment-check/action.yml +++ b/.github/actions/environment-check/action.yml @@ -14,7 +14,7 @@ inputs: mtl-version: description: 'MTL release tag to build' required: false - default: 'v26.01' + default: 'ffmpeg-plugin-extra-pixel-format' ffmpeg-version: description: 'FFmpeg release branch to build' required: false diff --git a/.github/workflows/daily_build.yml b/.github/workflows/daily_build.yml index c30ad47..f08a2da 100644 --- a/.github/workflows/daily_build.yml +++ b/.github/workflows/daily_build.yml 
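Review bot: The new default for `mtl-version`, `ffmpeg-plugin-extra-pixel-format`, reads as a branch name while the input is still described as an "MTL release tag to build", so every caller that does not override it now builds whatever that branch's head happens to be rather than a pinned release; the build stops being reproducible and the dependency is no longer tied to a reviewed revision. If the branch is needed for now, pin it to a specific commit and say so, e.g. `default: '<MTL-COMMIT-SHA>'  # temporary: extra-pixel-format branch, see <ticket>`, and update `description` to match; otherwise keep the tag default and let the jobs that need the branch pass it explicitly. The commit message ("commented coverity section") does not mention this change at all, which makes it easy to miss in review.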
@@ -133,44 +133,44 @@ jobs: fuzz/ubsan_corpus/ retention-days: 14 - coverity: - name: Daily Coverity Static Analysis - runs-on: ubuntu-latest - timeout-minutes: 90 - permissions: - contents: read - security-events: write # Needed to upload Coverity SARIF to the Security tab. - - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - ref: ${{ github.sha }} - fetch-depth: 0 - persist-credentials: false - - - name: Environment check - uses: ./.github/actions/environment-check - - - name: Coverity Scan - uses: ./.github/actions/analysis/coverity - env: - COVERITY_URL: ${{ secrets.COVERITY_URL }} - COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} - COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} - - - name: Upload SARIF to Security tab - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 - if: always() - with: - sarif_file: reports/coverity-results.sarif - category: coverity - - - name: Upload Coverity reports - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 - if: always() - with: - name: coverity-report-${{ github.run_id }} - path: reports/ - retention-days: 30 + # coverity: + # name: Daily Coverity Static Analysis + # runs-on: ubuntu-latest + # timeout-minutes: 90 + # permissions: + # contents: read + # security-events: write # Needed to upload Coverity SARIF to the Security tab. 
+ # + # steps: + # - name: Checkout repository + # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + # with: + # ref: ${{ github.sha }} + # fetch-depth: 0 + # persist-credentials: false + # + # - name: Environment check + # uses: ./.github/actions/environment-check + # + # - name: Coverity Scan + # uses: ./.github/actions/analysis/coverity + # env: + # COVERITY_URL: ${{ secrets.COVERITY_URL }} + # COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} + # COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} + # + # - name: Upload SARIF to Security tab + # uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + # if: always() + # with: + # sarif_file: reports/coverity-results.sarif + # category: coverity + # + # - name: Upload Coverity reports + # uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + # if: always() + # with: + # name: coverity-report-${{ github.run_id }} + # path: reports/ + # retention-days: 30 From 3f05c1434e881c8f58b4a1b70a349d852b67c4d2 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Tue, 30 Jun 2026 14:52:24 +0530 Subject: [PATCH 05/19] ci: inline coverity in shared workflows --- .github/actions/analysis/coverity/action.yml | 102 ++++++++++++++++++- .github/workflows/ci.yml | 19 ++++ .github/workflows/daily_build.yml | 59 ++++------- .github/workflows/pull_request.yml | 19 ++++ .github/workflows/scan_on_demand.yml | 19 ++++ 5 files changed, 174 insertions(+), 44 deletions(-) diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml index 0ca35c3..3593c97 100644 --- a/.github/actions/analysis/coverity/action.yml +++ b/.github/actions/analysis/coverity/action.yml 
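Review bot: The whole `coverity` job is kept as commented-out YAML rather than removed, and neither the hunk nor the commit message says why it is disabled or what would re-enable it; commented-out workflow code is not linted, its pinned action SHAs will presumably not be picked up by dependency-update tooling, and it drifts from the live configuration. Deleting the job (git history keeps it) or disabling it in place with `if: false  # TODO(<ticket>): re-enable once Coverity credentials are available` plus a one-line reason would leave the file self-explanatory. Patch 05 in this series replaces this job anyway, so a plain deletion here would also shrink that later diff.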
@@ -9,28 +9,108 @@ description: 'Install Coverity, run static analysis, and emit JSON + SARIF repor runs: using: composite steps: + - name: Detect Coverity credentials + id: coverity_secrets + shell: bash + env: + COVERITY_URL: ${{ env.COVERITY_URL }} + COVERITY_USER: ${{ env.COVERITY_USER }} + COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }} + COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }} + COVERITY_SCAN_USER: ${{ env.COVERITY_SCAN_USER }} + COVERITY_SCAN_PASSWORD: ${{ env.COVERITY_SCAN_PASSWORD }} + run: | + set -euo pipefail + if [ -n "${COVERITY_TOKEN:-}" ] || \ + { [ -n "${COVERITY_SCAN_USER:-}" ] && [ -n "${COVERITY_SCAN_PASSWORD:-}" ]; } || \ + { [ -n "${COVERITY_URL:-}" ] && [ -n "${COVERITY_USER:-}" ] && [ -n "${COVERITY_PASSWORD:-}" ]; }; then + echo "available=true" >> "$GITHUB_OUTPUT" + else + echo "available=false" >> "$GITHUB_OUTPUT" + echo "Coverity secrets are not available; skipping Coverity analysis." + fi + - name: Install Coverity + if: steps.coverity_secrets.outputs.available == 'true' shell: bash env: COVERITY_URL: ${{ env.COVERITY_URL }} COVERITY_USER: ${{ env.COVERITY_USER }} COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }} + COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }} + COVERITY_PROJECT: ${{ env.COVERITY_PROJECT }} + COVERITY_SCAN_USER: ${{ env.COVERITY_SCAN_USER }} + COVERITY_SCAN_PASSWORD: ${{ env.COVERITY_SCAN_PASSWORD }} run: | + set -euo pipefail echo "===== Coverity Setup =====" COVERITY_DIR="$HOME/coverity" + COVERITY_TARBALL="/tmp/coverity.tar.gz" if [ -x "$COVERITY_DIR/bin/cov-build" ]; then echo " [OK] Coverity already installed at $COVERITY_DIR" "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true exit 0 fi + + rm -f "$COVERITY_TARBALL" mkdir -p "$COVERITY_DIR" - wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \ - -O /tmp/coverity.tar.gz "$COVERITY_URL" - tar xzf /tmp/coverity.tar.gz --strip-components=1 -C "$COVERITY_DIR" - rm -f /tmp/coverity.tar.gz + + DOWNLOAD_OK=0 + + if [ -n "${COVERITY_TOKEN:-}" ]; 
then + echo " Downloading Coverity from scan.coverity.com (token/project mode)..." + PROJECT_RAW="${COVERITY_PROJECT:-OpenVisualCloud/directview-led-software-toolkit}" + PROJECT_ENCODED="${PROJECT_RAW//\//%2F}" + if wget -q --post-data "token=${COVERITY_TOKEN}&project=${PROJECT_ENCODED}" \ + -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64"; then + DOWNLOAD_OK=1 + echo " [OK] Downloaded from scan.coverity.com for project ${PROJECT_RAW}" + else + echo " [WARN] scan.coverity.com token/project download failed, trying fallback source" + rm -f "$COVERITY_TARBALL" + fi + fi + + if [ "$DOWNLOAD_OK" -eq 0 ] && [ -n "${COVERITY_SCAN_USER:-}" ] && [ -n "${COVERITY_SCAN_PASSWORD:-}" ]; then + echo " Downloading Coverity from scan.coverity.com (user/password mode)..." + if wget -q --user="$COVERITY_SCAN_USER" --password="$COVERITY_SCAN_PASSWORD" \ + -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/cxx/linux64"; then + DOWNLOAD_OK=1 + echo " [OK] Downloaded from scan.coverity.com" + else + echo " [WARN] scan.coverity.com user/password download failed, trying fallback source" + rm -f "$COVERITY_TARBALL" + fi + fi + + if [ "$DOWNLOAD_OK" -eq 0 ] && [ -n "${COVERITY_URL:-}" ] && [ -n "${COVERITY_USER:-}" ] && [ -n "${COVERITY_PASSWORD:-}" ]; then + echo " Downloading Coverity from configured COVERITY_URL..." + wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \ + -O "$COVERITY_TARBALL" "$COVERITY_URL" + DOWNLOAD_OK=1 + echo " [OK] Downloaded from COVERITY_URL" + fi + + if [ "$DOWNLOAD_OK" -eq 0 ] || [ ! -s "$COVERITY_TARBALL" ]; then + echo "ERROR: Coverity download failed." + echo "Set either COVERITY_TOKEN (and optionally COVERITY_PROJECT)," + echo "or COVERITY_SCAN_USER/COVERITY_SCAN_PASSWORD," + echo "or COVERITY_URL/COVERITY_USER/COVERITY_PASSWORD." + exit 1 + fi + + tar xzf "$COVERITY_TARBALL" --strip-components=1 -C "$COVERITY_DIR" + rm -f "$COVERITY_TARBALL" + + if [ ! -x "$COVERITY_DIR/bin/cov-build" ] || [ ! 
-x "$COVERITY_DIR/bin/cov-configure" ]; then + echo "ERROR: Coverity install incomplete (missing cov-build/cov-configure)." + exit 1 + fi + "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true - name: Run Coverity analysis + if: steps.coverity_secrets.outputs.available == 'true' shell: bash run: | export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-} @@ -86,6 +166,7 @@ runs: --json-output-v8 "$REPORT_DIR/coverity-report.json" - name: Convert Coverity JSON to SARIF + if: steps.coverity_secrets.outputs.available == 'true' shell: bash run: | REPORT_DIR="$GITHUB_WORKSPACE/reports" @@ -154,3 +235,16 @@ runs: print(f"Converted {len(results)} Coverity issues to SARIF") EOF + + - name: Write empty SARIF when Coverity is skipped + if: steps.coverity_secrets.outputs.available != 'true' + shell: bash + run: | + mkdir -p "$GITHUB_WORKSPACE/reports" + cat > "$GITHUB_WORKSPACE/reports/coverity-results.sarif" <<'EOF' + { + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [] + } + EOF diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f22c9e5..48a1f4d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,6 +26,7 @@ jobs: timeout-minutes: 45 permissions: contents: read + security-events: write steps: - name: Clean up previous run env: 
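Review bot: The installer extracts and then executes whatever `wget` fetched from `https://scan.coverity.com/download/linux64` or from `$COVERITY_URL` with no integrity check — the only test before `tar xzf "$COVERITY_TARBALL"` is `[ ! -s "$COVERITY_TARBALL" ]`, which rejects an empty file but not a truncated or substituted archive, and the resulting `cov-build` binary is run against the whole source tree. The scan.coverity.com endpoint publishes a digest for the tarball (the classic Coverity CI script requests it with the `md5=1` form field, if that still works), so fetching it and comparing with `md5sum -c` before extraction would catch corruption and a swapped archive; the `COVERITY_URL` path could carry a separate digest secret to compare against, which is the stronger control. A smaller inconsistency in the same step: the `COVERITY_URL` branch runs `wget` bare under the newly added `set -euo pipefail`, so a failed download aborts the step before the "Coverity download failed" diagnostic, while the two scan.coverity.com branches wrap theirs in `if wget ...; then`. Wrapping it the same way keeps the error path uniform.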
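Review bot: The placeholder SARIF in "Write empty SARIF when Coverity is skipped" is written only when `available != 'true'`, so when secrets are present but Install or Run fails, no `reports/coverity-results.sarif` exists and the callers' `Upload SARIF to Security tab` step (`if: always()`) fails on a missing file, hiding the real error. Running this step with `if: always()` and guarding on the file instead of the secrets, `[ -s "$GITHUB_WORKSPACE/reports/coverity-results.sarif" ] || cat > "$GITHUB_WORKSPACE/reports/coverity-results.sarif" <<'EOF'`, covers both the skipped and the failed case. Worth a comment on the step that an empty `"runs": []` upload under the `coverity` category may read as "no findings" for that ref, so a failed analysis should still fail the job rather than publish a clean result.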
@@ -68,6 +69,24 @@ jobs: - name: checksec Analysis uses: ./.github/actions/analysis/checksec + - name: Coverity Scan + uses: ./.github/actions/analysis/coverity + env: + COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} + COVERITY_PROJECT: OpenVisualCloud/directview-led-software-toolkit + COVERITY_SCAN_USER: ${{ secrets.COVERITY_SCAN_USER }} + COVERITY_SCAN_PASSWORD: ${{ secrets.COVERITY_SCAN_PASSWORD }} + COVERITY_URL: ${{ secrets.COVERITY_URL }} + COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} + COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} + + - name: Upload SARIF to Security tab + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + if: always() + with: + sarif_file: reports/coverity-results.sarif + category: coverity + - name: Upload all reports uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() diff --git a/.github/workflows/daily_build.yml b/.github/workflows/daily_build.yml index f08a2da..2f21e04 100644 --- a/.github/workflows/daily_build.yml +++ b/.github/workflows/daily_build.yml @@ -24,6 +24,7 @@ jobs: timeout-minutes: 60 permissions: contents: read + security-events: write steps: - name: Clean up previous run 
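Review bot: The `Coverity Scan` + `Upload SARIF to Security tab` pair, including the seven `COVERITY_*` secret mappings, is pasted verbatim into this file and again into daily_build.yml, pull_request.yml and scan_on_demand.yml in the same patch, so a credential rename or a change to the upload step has to be made in four places. Since a composite action cannot read `secrets` itself, the usual way to keep one copy is a job-level `env:` block or a reusable workflow that the CI, daily and on-demand jobs call. `COVERITY_PROJECT` is the only non-secret value here and would sit more naturally as an `inputs:` entry with a default on the action than as a per-caller env mapping.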
@@ -67,6 +68,24 @@ jobs: - name: checksec Analysis uses: ./.github/actions/analysis/checksec + - name: Coverity Scan + uses: ./.github/actions/analysis/coverity + env: + COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} + COVERITY_PROJECT: OpenVisualCloud/directview-led-software-toolkit + COVERITY_SCAN_USER: ${{ secrets.COVERITY_SCAN_USER }} + COVERITY_SCAN_PASSWORD: ${{ secrets.COVERITY_SCAN_PASSWORD }} + COVERITY_URL: ${{ secrets.COVERITY_URL }} + COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} + COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} + + - name: Upload SARIF to Security tab + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + if: always() + with: + sarif_file: reports/coverity-results.sarif + category: coverity + - name: Upload daily build reports uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() 
@@ -133,44 +152,4 @@ jobs: fuzz/ubsan_corpus/ retention-days: 14 - # coverity: - # name: Daily Coverity Static Analysis - # runs-on: ubuntu-latest - # timeout-minutes: 90 - # permissions: - # contents: read - # security-events: write # Needed to upload Coverity SARIF to the Security tab. - # - # steps: - # - name: Checkout repository - # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - # with: - # ref: ${{ github.sha }} - # fetch-depth: 0 - # persist-credentials: false - # - # - name: Environment check - # uses: ./.github/actions/environment-check - # - # - name: Coverity Scan - # uses: ./.github/actions/analysis/coverity - # env: - # COVERITY_URL: ${{ secrets.COVERITY_URL }} - # COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} - # COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} - # - # - name: Upload SARIF to Security tab - # uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 - # if: always() - # with: - # sarif_file: reports/coverity-results.sarif - # category: coverity - # - # - name: Upload Coverity reports - # uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 - # if: always() - # with: - # name: coverity-report-${{ github.run_id }} - # path: reports/ - # retention-days: 30 diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 426435a..a02d4bd 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -26,6 +26,7 @@ jobs: timeout-minutes: 25 permissions: contents: read + security-events: write steps: - name: Clean up previous run 
@@ -62,6 +63,24 @@ jobs: - name: cppcheck uses: ./.github/actions/analysis/cppcheck + - name: Coverity Scan + uses: ./.github/actions/analysis/coverity + env: + COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} + COVERITY_PROJECT: OpenVisualCloud/directview-led-software-toolkit + COVERITY_SCAN_USER: ${{ secrets.COVERITY_SCAN_USER }} + COVERITY_SCAN_PASSWORD: ${{ secrets.COVERITY_SCAN_PASSWORD }} + COVERITY_URL: ${{ secrets.COVERITY_URL }} + COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} + COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} + + - name: Upload SARIF to Security tab + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + if: always() + with: + sarif_file: reports/coverity-results.sarif + category: coverity + - name: Upload PR reports uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() diff --git a/.github/workflows/scan_on_demand.yml b/.github/workflows/scan_on_demand.yml index 6263f82..7958985 100644 --- a/.github/workflows/scan_on_demand.yml +++ b/.github/workflows/scan_on_demand.yml @@ -25,6 +25,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + security-events: write steps: - name: Clean up previous run 
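Review bot: On a `pull_request` run from a fork the repository secrets are empty, so the action takes its skipped path and writes the empty SARIF, but the fork's `GITHUB_TOKEN` stays read-only regardless of the `security-events: write` added in the preceding hunk, and `Upload SARIF to Security tab` runs with `if: always()` and no `continue-on-error` — if this repository accepts external PRs, that upload fails and fails the whole check for those contributors. Gating the upload on the head repository, `if: always() && github.event.pull_request.head.repo.full_name == github.repository`, keeps fork PRs green while still uploading for same-repo branches. For same-repo PRs, uploading a `"runs": []` SARIF under the `coverity` category on every PR is also worth checking against the code-scanning semantics for that category, since an empty upload may be read as "no findings" for that ref.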
@@ -120,6 +121,24 @@ jobs: - name: Trivy Scan uses: ./.github/actions/analysis/trivy + - name: Coverity Scan + uses: ./.github/actions/analysis/coverity + env: + COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} + COVERITY_PROJECT: OpenVisualCloud/directview-led-software-toolkit + COVERITY_SCAN_USER: ${{ secrets.COVERITY_SCAN_USER }} + COVERITY_SCAN_PASSWORD: ${{ secrets.COVERITY_SCAN_PASSWORD }} + COVERITY_URL: ${{ secrets.COVERITY_URL }} + COVERITY_USER: ${{ secrets.COVERITY_ARTIFACTORY_USER }} + COVERITY_PASSWORD: ${{ secrets.COVERITY_ARTIFACTORY_PASSWORD }} + + - name: Upload SARIF to Security tab + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + if: always() + with: + sarif_file: reports/coverity-results.sarif + category: coverity + - name: Upload scan reports uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() From 72189f446ab89d74ca77406329b666195d24510c Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 11:23:18 +0530 Subject: [PATCH 06/19] fix(coverity): handle scan.coverity.com build-only package The scan.coverity.com download (token/project mode) only includes cov-build/cov-configure but not cov-analyze/cov-format-errors. Detect the coverity mode after installation and branch accordingly: - local mode (full install): run cov-analyze locally - scan mode (scan.coverity.com): submit build capture for server-side analysis via the scan.coverity.com builds API --- .github/actions/analysis/coverity/action.yml | 109 +++++++++++++------ 1 file changed, 78 insertions(+), 31 deletions(-) diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml index 3593c97..802d9e1 100644 --- a/.github/actions/analysis/coverity/action.yml +++ b/.github/actions/analysis/coverity/action.yml @@ -31,6 +31,7 @@ runs: fi - name: Install Coverity + id: install_coverity if: steps.coverity_secrets.outputs.available == 'true' shell: bash env: 
@@ -49,6 +50,11 @@ runs: if [ -x "$COVERITY_DIR/bin/cov-build" ]; then echo " [OK] Coverity already installed at $COVERITY_DIR" "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true + if [ -x "$COVERITY_DIR/bin/cov-analyze" ]; then + echo "coverity_mode=local" >> "$GITHUB_OUTPUT" + else + echo "coverity_mode=scan" >> "$GITHUB_OUTPUT" + fi exit 0 fi @@ -109,9 +115,21 @@ runs: "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true + # Detect whether full Coverity (with cov-analyze) is available + if [ -x "$COVERITY_DIR/bin/cov-analyze" ]; then + echo "coverity_mode=local" >> "$GITHUB_OUTPUT" + else + echo " [INFO] cov-analyze not found; scan.coverity.com build-only package detected." + echo " Build results will be submitted to scan.coverity.com for server-side analysis." + echo "coverity_mode=scan" >> "$GITHUB_OUTPUT" + fi + - name: Run Coverity analysis if: steps.coverity_secrets.outputs.available == 'true' shell: bash + env: + COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }} + COVERITY_PROJECT: ${{ env.COVERITY_PROJECT }} run: | export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-} if ! pkg-config --exists mtl 2>/dev/null; then 
@@ -133,37 +151,65 @@ runs: meson setup build $HOME/coverity/bin/cov-build --dir coverity_output/ ninja -C build - $HOME/coverity/bin/cov-analyze --dir coverity_output/ \ - --concurrency --enable-constraint-fpp --enable-fnptr --enable-virtual \ - --disable ASSERT_SIDE_EFFECT \ - --disable AUTO_CAUSES_COPY \ - --disable BAD_CHECK_OF_WAIT_COND \ - --disable BAD_SHIFT \ - --disable COPY_INSTEAD_OF_MOVE \ - --disable CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH \ - --disable CUDA.CUDEVICE_HANDLES \ - --disable CUDA.DEVICE_DEPENDENT \ - --disable CUDA.DEVICE_DEPENDENT_CALLBACKS \ - --disable CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION \ - --disable CUDA.ERROR_INTERFACE \ - --disable CUDA.ERROR_KERNEL_LAUNCH \ - --disable CUDA.FORK \ - --disable CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP \ - --disable CUDA.INITIATION_OBJECT_DEVICE_THREAD_BLOCK \ - --disable CUDA.INVALID_MEMORY_ACCESS \ - --disable CUDA.SHARE_FUNCTION \ - --disable CUDA.SHARE_OBJECT_STREAM_ASSOCIATED \ - --disable CUDA.SPECIFIERS_INCONSISTENCY \ - --disable CUDA.SYNCHRONIZE_TERMINATION \ - --disable INEFFICIENT_RESERVE \ - --disable MISSING_COMMA \ - --disable MISSING_MOVE_ASSIGNMENT \ - --disable OVERLAPPING_COPY \ - --disable STREAM_FORMAT_STATE \ - --disable UNINTENDED_INTEGER_DIVISION - - $HOME/coverity/bin/cov-format-errors --dir coverity_output/ \ - --json-output-v8 "$REPORT_DIR/coverity-report.json" + COVERITY_MODE="${{ steps.install_coverity.outputs.coverity_mode }}" + + if [ "$COVERITY_MODE" = "local" ]; then + echo "===== Running local Coverity analysis =====" + $HOME/coverity/bin/cov-analyze --dir coverity_output/ \ + --concurrency --enable-constraint-fpp --enable-fnptr --enable-virtual \ + --disable ASSERT_SIDE_EFFECT \ + --disable AUTO_CAUSES_COPY \ + --disable BAD_CHECK_OF_WAIT_COND \ + --disable BAD_SHIFT \ + --disable COPY_INSTEAD_OF_MOVE \ + --disable CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH \ + --disable CUDA.CUDEVICE_HANDLES \ + --disable CUDA.DEVICE_DEPENDENT \ + --disable CUDA.DEVICE_DEPENDENT_CALLBACKS \ + 
--disable CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION \ + --disable CUDA.ERROR_INTERFACE \ + --disable CUDA.ERROR_KERNEL_LAUNCH \ + --disable CUDA.FORK \ + --disable CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP \ + --disable CUDA.INITIATION_OBJECT_DEVICE_THREAD_BLOCK \ + --disable CUDA.INVALID_MEMORY_ACCESS \ + --disable CUDA.SHARE_FUNCTION \ + --disable CUDA.SHARE_OBJECT_STREAM_ASSOCIATED \ + --disable CUDA.SPECIFIERS_INCONSISTENCY \ + --disable CUDA.SYNCHRONIZE_TERMINATION \ + --disable INEFFICIENT_RESERVE \ + --disable MISSING_COMMA \ + --disable MISSING_MOVE_ASSIGNMENT \ + --disable OVERLAPPING_COPY \ + --disable STREAM_FORMAT_STATE \ + --disable UNINTENDED_INTEGER_DIVISION + + $HOME/coverity/bin/cov-format-errors --dir coverity_output/ \ + --json-output-v8 "$REPORT_DIR/coverity-report.json" + else + echo "===== Submitting build to scan.coverity.com for server-side analysis =====" + PROJECT_RAW="${COVERITY_PROJECT:-OpenVisualCloud/directview-led-software-toolkit}" + PROJECT_ENCODED="${PROJECT_RAW//\//%2F}" + TARBALL="/tmp/coverity-results.tar.gz" + tar czf "$TARBALL" coverity_output/ + RESPONSE=$(curl -s -w "\n%{http_code}" \ + --form "token=${COVERITY_TOKEN}" \ + --form "email=coverity@openvisualcloud.org" \ + --form "file=@${TARBALL}" \ + --form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \ + --form "description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \ + "https://scan.coverity.com/builds?project=${PROJECT_ENCODED}") + HTTP_CODE=$(echo "$RESPONSE" | tail -1) + BODY=$(echo "$RESPONSE" | sed '$d') + rm -f "$TARBALL" + if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then + echo " [OK] Build submitted to scan.coverity.com (HTTP $HTTP_CODE)" + else + echo " [WARN] Submission returned HTTP $HTTP_CODE: $BODY" + fi + echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json" + echo " Results will be available at: https://scan.coverity.com/projects/${PROJECT_ENCODED}" + fi - name: Convert Coverity JSON to SARIF if: 
steps.coverity_secrets.outputs.available == 'true' @@ -248,3 +294,4 @@ runs: "runs": [] } EOF + From 6dcbe427b5d531efa1bd0a14ceb3afeaa77a1666 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 11:42:51 +0530 Subject: [PATCH 07/19] fix(coverity): simplify scan.coverity.com flow to match reference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Determine mode by credentials type, not binary probing - scan mode: cov-build → tar → curl upload (matches open-source pattern) - local mode: cov-build → cov-analyze → cov-format-errors (full install) - Remove COVERITY_PROJECT env; hardcode project name directly - Only pass COVERITY_TOKEN to analysis step --- .github/actions/analysis/coverity/action.yml | 63 ++++++++------------ 1 file changed, 24 insertions(+), 39 deletions(-) diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml index 802d9e1..6ea9bf1 100644 --- a/.github/actions/analysis/coverity/action.yml +++ b/.github/actions/analysis/coverity/action.yml @@ -39,7 +39,6 @@ runs: COVERITY_USER: ${{ env.COVERITY_USER }} COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }} COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }} - COVERITY_PROJECT: ${{ env.COVERITY_PROJECT }} COVERITY_SCAN_USER: ${{ env.COVERITY_SCAN_USER }} COVERITY_SCAN_PASSWORD: ${{ env.COVERITY_SCAN_PASSWORD }} run: | 
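Review bot: `COVERITY_MODE="${{ steps.install_coverity.outputs.coverity_mode }}"` interpolates a step output straight into the `run:` script, the same pattern patch 02 of this series removed to satisfy zizmor; the value is produced by this action and can only be `local` or `scan`, so the risk is low, but it is inconsistent with the rest of the file and will be flagged again — mapping it through `env:` (`COVERITY_MODE: ${{ steps.install_coverity.outputs.coverity_mode }}`) and reading `$COVERITY_MODE` keeps the lint clean. In the `scan` branch, if `curl` itself fails (no network, TLS error) `RESPONSE` is empty, `HTTP_CODE` becomes `""`, and `[ "$HTTP_CODE" -ge 200 ]` prints an "integer expression expected" error instead of a clear message; `HTTP_CODE=${HTTP_CODE:-000}` after the `tail -1` avoids that. The `echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json"` line deserves a comment that in scan mode the SARIF published to the Security tab is always empty because analysis happens server-side. The "Run Coverity analysis" step begins outside this hunk.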
@@ -47,14 +46,17 @@ runs: echo "===== Coverity Setup =====" COVERITY_DIR="$HOME/coverity" COVERITY_TARBALL="/tmp/coverity.tar.gz" + + # Determine mode based on credentials provided + if [ -n "${COVERITY_URL:-}" ] && [ -n "${COVERITY_USER:-}" ] && [ -n "${COVERITY_PASSWORD:-}" ]; then + echo "coverity_mode=local" >> "$GITHUB_OUTPUT" + else + echo "coverity_mode=scan" >> "$GITHUB_OUTPUT" + fi + if [ -x "$COVERITY_DIR/bin/cov-build" ]; then echo " [OK] Coverity already installed at $COVERITY_DIR" "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true - if [ -x "$COVERITY_DIR/bin/cov-analyze" ]; then - echo "coverity_mode=local" >> "$GITHUB_OUTPUT" - else - echo "coverity_mode=scan" >> "$GITHUB_OUTPUT" - fi exit 0 fi @@ -65,12 +67,11 @@ runs: if [ -n "${COVERITY_TOKEN:-}" ]; then echo " Downloading Coverity from scan.coverity.com (token/project mode)..." - PROJECT_RAW="${COVERITY_PROJECT:-OpenVisualCloud/directview-led-software-toolkit}" - PROJECT_ENCODED="${PROJECT_RAW//\//%2F}" + PROJECT_ENCODED="OpenVisualCloud%2Fdirectview-led-software-toolkit" if wget -q --post-data "token=${COVERITY_TOKEN}&project=${PROJECT_ENCODED}" \ -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64"; then DOWNLOAD_OK=1 - echo " [OK] Downloaded from scan.coverity.com for project ${PROJECT_RAW}" + echo " [OK] Downloaded from scan.coverity.com" else echo " [WARN] scan.coverity.com token/project download failed, trying fallback source" rm -f "$COVERITY_TARBALL" @@ -99,7 +100,7 @@ runs: if [ "$DOWNLOAD_OK" -eq 0 ] || [ ! -s "$COVERITY_TARBALL" ]; then echo "ERROR: Coverity download failed." - echo "Set either COVERITY_TOKEN (and optionally COVERITY_PROJECT)," + echo "Set either COVERITY_TOKEN," echo "or COVERITY_SCAN_USER/COVERITY_SCAN_PASSWORD," echo "or COVERITY_URL/COVERITY_USER/COVERITY_PASSWORD." exit 1 
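Review bot: The mode is now chosen from the credentials (`coverity_mode=local` whenever `COVERITY_URL`/`COVERITY_USER`/`COVERITY_PASSWORD` are set) but the download order a few lines below still tries `COVERITY_TOKEN` first, so a caller that passes all three credential sets — which every workflow wired up in patch 05 does — gets `local` mode together with the scan.coverity.com build-only package, and the later `cov-analyze` call fails on a missing binary. Either derive the mode from the same precedence as the download (token present → `scan`, otherwise `local`) or make the token download conditional on the mode not being `local`. Patch 08 in this series deletes the local path altogether, which makes this moot at the end of the series, but this commit on its own is broken for the configured callers.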
@@ -108,29 +109,20 @@ runs: tar xzf "$COVERITY_TARBALL" --strip-components=1 -C "$COVERITY_DIR" rm -f "$COVERITY_TARBALL" - if [ ! -x "$COVERITY_DIR/bin/cov-build" ] || [ ! -x "$COVERITY_DIR/bin/cov-configure" ]; then - echo "ERROR: Coverity install incomplete (missing cov-build/cov-configure)." + if [ ! -x "$COVERITY_DIR/bin/cov-build" ]; then + echo "ERROR: Coverity install incomplete (missing cov-build)." exit 1 fi "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true - # Detect whether full Coverity (with cov-analyze) is available - if [ -x "$COVERITY_DIR/bin/cov-analyze" ]; then - echo "coverity_mode=local" >> "$GITHUB_OUTPUT" - else - echo " [INFO] cov-analyze not found; scan.coverity.com build-only package detected." - echo " Build results will be submitted to scan.coverity.com for server-side analysis." - echo "coverity_mode=scan" >> "$GITHUB_OUTPUT" - fi - - name: Run Coverity analysis if: steps.coverity_secrets.outputs.available == 'true' shell: bash env: COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }} - COVERITY_PROJECT: ${{ env.COVERITY_PROJECT }} run: | + set -euo pipefail export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-} if ! pkg-config --exists mtl 2>/dev/null; then MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1) 
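Review bot: Adding `set -euo pipefail` to the analysis step changes the meaning of the existing `MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1)` context line: with `pipefail`, a `find` that exits nonzero (an unreadable directory, or SIGPIPE once `head` closes the pipe after the first of several matches) now makes the assignment fail and `-e` aborts the step before any build capture runs. Appending `|| true` to that pipeline, or using `find ... -print -quit`, keeps the lookup best-effort as it was. The rest of the step, including the `pkg-config` fallback this feeds, lies outside the hunk, so its other pipelines deserve the same look.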
@@ -188,27 +180,20 @@ runs: --json-output-v8 "$REPORT_DIR/coverity-report.json" else echo "===== Submitting build to scan.coverity.com for server-side analysis =====" - PROJECT_RAW="${COVERITY_PROJECT:-OpenVisualCloud/directview-led-software-toolkit}" - PROJECT_ENCODED="${PROJECT_RAW//\//%2F}" - TARBALL="/tmp/coverity-results.tar.gz" - tar czf "$TARBALL" coverity_output/ - RESPONSE=$(curl -s -w "\n%{http_code}" \ - --form "token=${COVERITY_TOKEN}" \ + tail coverity_output/build-log.txt + tar czf /tmp/coverity-results.tar.gz coverity_output/ + ls -lh /tmp/coverity-results.tar.gz + + curl --form "token=${COVERITY_TOKEN}" \ --form "email=coverity@openvisualcloud.org" \ - --form "file=@${TARBALL}" \ + --form "file=@/tmp/coverity-results.tar.gz" \ --form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \ --form "description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \ - "https://scan.coverity.com/builds?project=${PROJECT_ENCODED}") - HTTP_CODE=$(echo "$RESPONSE" | tail -1) - BODY=$(echo "$RESPONSE" | sed '$d') - rm -f "$TARBALL" - if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then - echo " [OK] Build submitted to scan.coverity.com (HTTP $HTTP_CODE)" - else - echo " [WARN] Submission returned HTTP $HTTP_CODE: $BODY" - fi + "https://scan.coverity.com/builds?project=OpenVisualCloud%2Fdirectview-led-software-toolkit" + + rm -f /tmp/coverity-results.tar.gz echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json" - echo " Results will be available at: https://scan.coverity.com/projects/${PROJECT_ENCODED}" + echo " Results will be available at: https://scan.coverity.com/projects/OpenVisualCloud%2Fdirectview-led-software-toolkit" fi - name: Convert Coverity JSON to SARIF From 82edd98bd97fd612d9bb2ab057ebfe9e425efcbe Mon Sep 17 00:00:00 2001 
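Review bot: The rewritten upload drops the HTTP-status handling and calls `curl` without `--fail`, and `curl` exits 0 on an HTTP 4xx/5xx response, so a rejected submission (invalid token, or scan.coverity.com's build-frequency limit) now passes silently and the step still writes `{"issues":[]}` as the report — the Security tab then shows a clean scan that never happened. `curl --fail-with-body -sS --form ...` (or `--fail` on curl older than 7.76) makes the rejection an error, and with the `set -euo pipefail` added in the previous hunk the step stops there instead of publishing the empty report. `-s` was removed at the same time, so restoring `-sS` also keeps the progress meter out of the log while still printing errors.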
From: roshan-ku Date: Wed, 1 Jul 2026 11:44:36 +0530 Subject: [PATCH 08/19] fix(coverity): remove unused env variables, keep only COVERITY_TOKEN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Strip all COVERITY_URL/USER/PASSWORD/SCAN_USER/SCAN_PASSWORD paths and local cov-analyze mode. Only scan.coverity.com token flow remains: download cov-build → capture build → tar → curl upload. --- .github/actions/analysis/coverity/action.yml | 133 +++---------------- 1 file changed, 22 insertions(+), 111 deletions(-) diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml index 6ea9bf1..1124006 100644 --- a/.github/actions/analysis/coverity/action.yml +++ b/.github/actions/analysis/coverity/action.yml @@ -13,17 +13,10 @@ runs: id: coverity_secrets shell: bash env: - COVERITY_URL: ${{ env.COVERITY_URL }} - COVERITY_USER: ${{ env.COVERITY_USER }} - COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }} COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }} - COVERITY_SCAN_USER: ${{ env.COVERITY_SCAN_USER }} - COVERITY_SCAN_PASSWORD: ${{ env.COVERITY_SCAN_PASSWORD }} run: | set -euo pipefail - if [ -n "${COVERITY_TOKEN:-}" ] || \ - { [ -n "${COVERITY_SCAN_USER:-}" ] && [ -n "${COVERITY_SCAN_PASSWORD:-}" ]; } || \ - { [ -n "${COVERITY_URL:-}" ] && [ -n "${COVERITY_USER:-}" ] && [ -n "${COVERITY_PASSWORD:-}" ]; }; then + if [ -n "${COVERITY_TOKEN:-}" ]; then echo "available=true" >> "$GITHUB_OUTPUT" else echo "available=false" >> "$GITHUB_OUTPUT" 
@@ -31,29 +24,16 @@ runs: fi - name: Install Coverity - id: install_coverity if: steps.coverity_secrets.outputs.available == 'true' shell: bash env: - COVERITY_URL: ${{ env.COVERITY_URL }} - COVERITY_USER: ${{ env.COVERITY_USER }} - COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }} COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }} - COVERITY_SCAN_USER: ${{ env.COVERITY_SCAN_USER }} - COVERITY_SCAN_PASSWORD: ${{ env.COVERITY_SCAN_PASSWORD }} run: | set -euo pipefail echo "===== Coverity Setup =====" COVERITY_DIR="$HOME/coverity" COVERITY_TARBALL="/tmp/coverity.tar.gz" - # Determine mode based on credentials provided - if [ -n "${COVERITY_URL:-}" ] && [ -n "${COVERITY_USER:-}" ] && [ -n "${COVERITY_PASSWORD:-}" ]; then - echo "coverity_mode=local" >> "$GITHUB_OUTPUT" - else - echo "coverity_mode=scan" >> "$GITHUB_OUTPUT" - fi - if [ -x "$COVERITY_DIR/bin/cov-build" ]; then echo " [OK] Coverity already installed at $COVERITY_DIR" "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true 
@@ -63,46 +43,13 @@ runs: rm -f "$COVERITY_TARBALL" mkdir -p "$COVERITY_DIR" - DOWNLOAD_OK=0 - - if [ -n "${COVERITY_TOKEN:-}" ]; then - echo " Downloading Coverity from scan.coverity.com (token/project mode)..." - PROJECT_ENCODED="OpenVisualCloud%2Fdirectview-led-software-toolkit" - if wget -q --post-data "token=${COVERITY_TOKEN}&project=${PROJECT_ENCODED}" \ - -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64"; then - DOWNLOAD_OK=1 - echo " [OK] Downloaded from scan.coverity.com" - else - echo " [WARN] scan.coverity.com token/project download failed, trying fallback source" - rm -f "$COVERITY_TARBALL" - fi - fi + echo " Downloading Coverity from scan.coverity.com..." + PROJECT_ENCODED="OpenVisualCloud%2Fdirectview-led-software-toolkit" + wget -q --post-data "token=${COVERITY_TOKEN}&project=${PROJECT_ENCODED}" \ + -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64" - if [ "$DOWNLOAD_OK" -eq 0 ] && [ -n "${COVERITY_SCAN_USER:-}" ] && [ -n "${COVERITY_SCAN_PASSWORD:-}" ]; then - echo " Downloading Coverity from scan.coverity.com (user/password mode)..." - if wget -q --user="$COVERITY_SCAN_USER" --password="$COVERITY_SCAN_PASSWORD" \ - -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/cxx/linux64"; then - DOWNLOAD_OK=1 - echo " [OK] Downloaded from scan.coverity.com" - else - echo " [WARN] scan.coverity.com user/password download failed, trying fallback source" - rm -f "$COVERITY_TARBALL" - fi - fi - - if [ "$DOWNLOAD_OK" -eq 0 ] && [ -n "${COVERITY_URL:-}" ] && [ -n "${COVERITY_USER:-}" ] && [ -n "${COVERITY_PASSWORD:-}" ]; then - echo " Downloading Coverity from configured COVERITY_URL..." - wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \ - -O "$COVERITY_TARBALL" "$COVERITY_URL" - DOWNLOAD_OK=1 - echo " [OK] Downloaded from COVERITY_URL" - fi - - if [ "$DOWNLOAD_OK" -eq 0 ] || [ ! -s "$COVERITY_TARBALL" ]; then + if [ ! -s "$COVERITY_TARBALL" ]; then echo "ERROR: Coverity download failed." 
- echo "Set either COVERITY_TOKEN," - echo "or COVERITY_SCAN_USER/COVERITY_SCAN_PASSWORD," - echo "or COVERITY_URL/COVERITY_USER/COVERITY_PASSWORD." exit 1 fi @@ -114,6 +61,7 @@ runs: exit 1 fi + echo " [OK] Downloaded from scan.coverity.com" "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true - name: Run Coverity analysis 
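Review bot: With `set -euo pipefail` in effect, the unconditional `wget -q --post-data ...` that replaces the token branch aborts the step on any transport or HTTP failure before the kept `if [ ! -s "$COVERITY_TARBALL" ]` check runs, so the `ERROR: Coverity download failed.` diagnostic is only reachable when the server answers with an empty body; the removed code wrapped the same call in `if wget ...; then`, which this rewrite drops. Either append `|| true` to the wget line so the size test decides, or replace the check with `wget -q --post-data "token=${COVERITY_TOKEN}&project=${PROJECT_ENCODED}" -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64" || { echo "ERROR: Coverity download failed."; exit 1; }`. The token also travels in wget's argv, where it is visible in the runner's process list; `--post-file` reading from a temp file created with mode 0600 keeps it out of `ps`. The same shape survives the later commit that inlines the project identifier into `--post-data`. The Install Coverity step begins before this hunk.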
@@ -143,58 +91,21 @@ runs: meson setup build $HOME/coverity/bin/cov-build --dir coverity_output/ ninja -C build - COVERITY_MODE="${{ steps.install_coverity.outputs.coverity_mode }}" - - if [ "$COVERITY_MODE" = "local" ]; then - echo "===== Running local Coverity analysis =====" - $HOME/coverity/bin/cov-analyze --dir coverity_output/ \ - --concurrency --enable-constraint-fpp --enable-fnptr --enable-virtual \ - --disable ASSERT_SIDE_EFFECT \ - --disable AUTO_CAUSES_COPY \ - --disable BAD_CHECK_OF_WAIT_COND \ - --disable BAD_SHIFT \ - --disable COPY_INSTEAD_OF_MOVE \ - --disable CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH \ - --disable CUDA.CUDEVICE_HANDLES \ - --disable CUDA.DEVICE_DEPENDENT \ - --disable CUDA.DEVICE_DEPENDENT_CALLBACKS \ - --disable CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION \ - --disable CUDA.ERROR_INTERFACE \ - --disable CUDA.ERROR_KERNEL_LAUNCH \ - --disable CUDA.FORK \ - --disable CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP \ - --disable CUDA.INITIATION_OBJECT_DEVICE_THREAD_BLOCK \ - --disable CUDA.INVALID_MEMORY_ACCESS \ - --disable CUDA.SHARE_FUNCTION \ - --disable CUDA.SHARE_OBJECT_STREAM_ASSOCIATED \ - --disable CUDA.SPECIFIERS_INCONSISTENCY \ - --disable CUDA.SYNCHRONIZE_TERMINATION \ - --disable INEFFICIENT_RESERVE \ - --disable MISSING_COMMA \ - --disable MISSING_MOVE_ASSIGNMENT \ - --disable OVERLAPPING_COPY \ - --disable STREAM_FORMAT_STATE \ - --disable UNINTENDED_INTEGER_DIVISION - - $HOME/coverity/bin/cov-format-errors --dir coverity_output/ \ - --json-output-v8 "$REPORT_DIR/coverity-report.json" - else - echo "===== Submitting build to scan.coverity.com for server-side analysis =====" - tail coverity_output/build-log.txt - tar czf /tmp/coverity-results.tar.gz coverity_output/ - ls -lh /tmp/coverity-results.tar.gz - - curl --form "token=${COVERITY_TOKEN}" \ - --form "email=coverity@openvisualcloud.org" \ - --form "file=@/tmp/coverity-results.tar.gz" \ - --form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \ - --form 
"description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \ - "https://scan.coverity.com/builds?project=OpenVisualCloud%2Fdirectview-led-software-toolkit" - - rm -f /tmp/coverity-results.tar.gz - echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json" - echo " Results will be available at: https://scan.coverity.com/projects/OpenVisualCloud%2Fdirectview-led-software-toolkit" - fi + echo "===== Submitting build to scan.coverity.com =====" + tail coverity_output/build-log.txt + tar czf /tmp/coverity-results.tar.gz coverity_output/ + ls -lh /tmp/coverity-results.tar.gz + + curl --form "token=${COVERITY_TOKEN}" \ + --form "email=coverity@openvisualcloud.org" \ + --form "file=@/tmp/coverity-results.tar.gz" \ + --form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \ + --form "description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \ + "https://scan.coverity.com/builds?project=OpenVisualCloud%2Fdirectview-led-software-toolkit" + + rm -f /tmp/coverity-results.tar.gz + echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json" + echo " Results will be available at: https://scan.coverity.com/projects/OpenVisualCloud%2Fdirectview-led-software-toolkit" - name: Convert Coverity JSON to SARIF if: steps.coverity_secrets.outputs.available == 'true' From 6de30837cde276b3bb82d782422ff90ae2271872 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 11:50:43 +0530 Subject: [PATCH 09/19] ci: add on-demand Coverity scan workflow --- .github/workflows/coverity.yml | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/coverity.yml diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml new file mode 100644 index 0000000..6057760 --- /dev/null +++ b/.github/workflows/coverity.yml 
@@ -0,0 +1,58 @@ +# +# BSD 3-Clause License +# Copyright (C) 2026 Intel Corporation +# SPDX-License-Identifier: BSD-3-Clause +# +name: Coverity Scan + +on: + workflow_dispatch: + inputs: + branch: + description: 'Branch to scan' + required: true + default: 'main' + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ inputs.branch || github.ref }} + cancel-in-progress: true + +jobs: + coverity: + name: Coverity Scan + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + security-events: write + + steps: + - name: Clean up previous run + env: + WORKSPACE: ${{ github.workspace }} + run: | + find "$WORKSPACE" -mindepth 1 -maxdepth 1 -exec rm -rf {} + + + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ inputs.branch || github.ref }} + fetch-depth: 0 + persist-credentials: false + + - name: Environment check + uses: ./.github/actions/environment-check + + - name: Coverity Scan + uses: ./.github/actions/analysis/coverity + env: + COVERITY_TOKEN: ${{ secrets.COVERITY_TOKEN }} + + - name: Upload SARIF to Security tab + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + if: always() + with: + sarif_file: reports/coverity-results.sarif + category: coverity From 01deda6ae62a4595442cf2553743fc7c32caa71b Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 11:52:16 +0530 Subject: [PATCH 10/19] docs: add Coverity Scan badge to README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9178494..4f3d1ff 100644 --- a/README.md +++ b/README.md 
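Review bot: The `Upload SARIF to Security tab` step is gated on `if: always()`, but the composite action skips its conversion step when `COVERITY_TOKEN` is unset (its `steps.coverity_secrets.outputs.available == 'true'` condition), and presumably produces nothing when the build or upload fails, so in those cases `reports/coverity-results.sarif` is absent and this step fails the run with an unrelated error. Gate on the artifact instead: `if: ${{ !cancelled() && hashFiles('reports/coverity-results.sarif') != '' }}`. The `branch` input is used only inside expressions (`ref:` and the concurrency group), which is safe, but `fetch-depth: 0` pulls the full history for a job that only needs the tip (`git rev-parse --short HEAD` works at depth 1), so the checkout default would suffice.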
@@ -2,6 +2,7 @@ [![License](https://img.shields.io/badge/license-BSD--3--Clause-blue.svg)](LICENSE) [![CI](https://github.com/OpenVisualCloud/directview-led-software-toolkit/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/OpenVisualCloud/directview-led-software-toolkit/actions/workflows/ci.yml) +[![Coverity Scan](https://scan.coverity.com/projects/OpenVisualCloud-directview-led-software-toolkit/badge.svg)](https://scan.coverity.com/projects/OpenVisualCloud-directview-led-software-toolkit) [![Ubuntu](https://img.shields.io/badge/Ubuntu-22.04%20|%2024.04-orange.svg)](https://releases.ubuntu.com/jammy/) [![MTL](https://img.shields.io/badge/MTL-v26.01+-green.svg)](https://github.com/OpenVisualCloud/Media-Transport-Library) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/OpenVisualCloud/directview-led-software-toolkit/badge)](https://securityscorecards.dev/viewer/?uri=github.com/OpenVisualCloud/directview-led-software-toolkit) From e4a15108d0524ed40590d02e5f13683e782e103a Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 11:57:43 +0530 Subject: [PATCH 11/19] fix(coverity): use github.sha for checkout ref workflow_dispatch UI already provides branch selection; no need for a separate inputs.branch. Using github.sha ensures the checked-out code matches the branch the workflow is running from. --- .github/workflows/coverity.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 6057760..aaf452a 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -7,16 +7,11 @@ name: Coverity Scan on: workflow_dispatch: - inputs: - branch: - description: 'Branch to scan' - required: true - default: 'main' permissions: {} concurrency: - group: ${{ github.workflow }}-${{ inputs.branch || github.ref }} + group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: 
@@ -38,7 +33,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
- ref: ${{ inputs.branch || github.ref }}
+ ref: ${{ github.sha }}
 fetch-depth: 0
 persist-credentials: false
 
From 95f2ef75a489e9a6fde61291009a203d004b9ad9 Mon Sep 17 00:00:00 2001
From: roshan-ku
Date: Wed, 1 Jul 2026 13:37:21 +0530
Subject: [PATCH 12/19] fix(coverity): use correct scan.coverity.com project slug
Project identifier is 'openvisualcloud-directview-led-software-toolkit' (slug format), not the URL-encoded GitHub path.
---
 .github/actions/analysis/coverity/action.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml
index 1124006..55bd5fb 100644
--- a/.github/actions/analysis/coverity/action.yml
+++ b/.github/actions/analysis/coverity/action.yml
@@ -44,7 +44,7 @@ runs:
 mkdir -p "$COVERITY_DIR"
 echo " Downloading Coverity from scan.coverity.com..."
- PROJECT_ENCODED="OpenVisualCloud%2Fdirectview-led-software-toolkit"
+ PROJECT_ENCODED="openvisualcloud-directview-led-software-toolkit"
 wget -q --post-data "token=${COVERITY_TOKEN}&project=${PROJECT_ENCODED}" \
 -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64"
@@ -101,11 +101,11 @@ runs: --form "file=@/tmp/coverity-results.tar.gz" \ --form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \ --form "description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \ - "https://scan.coverity.com/builds?project=OpenVisualCloud%2Fdirectview-led-software-toolkit" + "https://scan.coverity.com/builds?project=openvisualcloud-directview-led-software-toolkit" rm -f /tmp/coverity-results.tar.gz echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json" - echo " Results will be available at: https://scan.coverity.com/projects/OpenVisualCloud%2Fdirectview-led-software-toolkit" + echo " Results will be available at: https://scan.coverity.com/projects/openvisualcloud-directview-led-software-toolkit" - name: Convert Coverity JSON to SARIF if: steps.coverity_secrets.outputs.available == 'true' From 772a9f1991c0b9614ae0acb1641039cad4e00895 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 13:39:30 +0530 Subject: [PATCH 13/19] ci: add explanatory comments to security-events permissions Fixes zizmor undocumented-permissions audit findings across all workflow files. --- .github/workflows/ci.yml | 2 +- .github/workflows/coverity.yml | 2 +- .github/workflows/daily_build.yml | 2 +- .github/workflows/pull_request.yml | 2 +- .github/workflows/scan_on_demand.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 48a1f4d..c558225 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,7 +26,7 @@ jobs: timeout-minutes: 45 permissions: contents: read - security-events: write + security-events: write # Required to upload SARIF results to GitHub Security tab steps: - name: Clean up previous run env: diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index aaf452a..e1b5cc6 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml 
@@ -21,7 +21,7 @@ jobs: timeout-minutes: 30 permissions: contents: read - security-events: write + security-events: write # Required to upload SARIF results to GitHub Security tab steps: - name: Clean up previous run diff --git a/.github/workflows/daily_build.yml b/.github/workflows/daily_build.yml index 2f21e04..fcfc8bf 100644 --- a/.github/workflows/daily_build.yml +++ b/.github/workflows/daily_build.yml @@ -24,7 +24,7 @@ jobs: timeout-minutes: 60 permissions: contents: read - security-events: write + security-events: write # Required to upload SARIF results to GitHub Security tab steps: - name: Clean up previous run diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index a02d4bd..818c216 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -26,7 +26,7 @@ jobs: timeout-minutes: 25 permissions: contents: read - security-events: write + security-events: write # Required to upload SARIF results to GitHub Security tab steps: - name: Clean up previous run diff --git a/.github/workflows/scan_on_demand.yml b/.github/workflows/scan_on_demand.yml index 7958985..4e092f0 100644 --- a/.github/workflows/scan_on_demand.yml +++ b/.github/workflows/scan_on_demand.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - security-events: write + security-events: write # Required to upload SARIF results to GitHub Security tab steps: - name: Clean up previous run From 7806370f1718add684a1c11d78f45f46583f17b5 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 14:05:19 +0530 Subject: [PATCH 14/19] fix(coverity): revert API URLs to URL-encoded format scan.coverity.com API requires 'OpenVisualCloud%2Fdirectview-led-software-toolkit' (URL-encoded path). The slug format is only for the web UI. --- .github/actions/analysis/coverity/action.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml index 55bd5fb..b036959 100644 --- a/.github/actions/analysis/coverity/action.yml +++ b/.github/actions/analysis/coverity/action.yml @@ -44,8 +44,7 @@ runs: mkdir -p "$COVERITY_DIR" echo " Downloading Coverity from scan.coverity.com..." - PROJECT_ENCODED="openvisualcloud-directview-led-software-toolkit" - wget -q --post-data "token=${COVERITY_TOKEN}&project=${PROJECT_ENCODED}" \ + wget -q --post-data "token=${COVERITY_TOKEN}&project=OpenVisualCloud%2Fdirectview-led-software-toolkit" \ -O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64" if [ ! -s "$COVERITY_TARBALL" ]; then @@ -101,7 +100,7 @@ runs: --form "file=@/tmp/coverity-results.tar.gz" \ --form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \ --form "description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \ - "https://scan.coverity.com/builds?project=openvisualcloud-directview-led-software-toolkit" + "https://scan.coverity.com/builds?project=OpenVisualCloud%2Fdirectview-led-software-toolkit" rm -f /tmp/coverity-results.tar.gz echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json" From 1b851bff10c4d80b2a930bf0b8ce44fcb666a15d Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 14:11:24 +0530 Subject: [PATCH 15/19] fix(coverity): update submission email address --- .github/actions/analysis/coverity/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml index b036959..2285eb5 100644 --- a/.github/actions/analysis/coverity/action.yml +++ b/.github/actions/analysis/coverity/action.yml 
@@ -96,7 +96,7 @@ runs:
 ls -lh /tmp/coverity-results.tar.gz
 
 curl --form "token=${COVERITY_TOKEN}" \
- --form "email=coverity@openvisualcloud.org" \
+ --form "email=karthik.d.m@intel.com" \
 --form "file=@/tmp/coverity-results.tar.gz" \
 --form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \
 --form "description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \
From 9140dab16dc81924ec927e563aff1e34ff2553d5 Mon Sep 17 00:00:00 2001
From: roshan-ku
Date: Wed, 1 Jul 2026 14:43:49 +0530
Subject: [PATCH 16/19] fix(coverity): use cov-int as build capture directory name
scan.coverity.com requires the archive to contain cov-int/build-log.txt. Rename from coverity_output to cov-int to match the expected format.
---
 .github/actions/analysis/coverity/action.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/actions/analysis/coverity/action.yml b/.github/actions/analysis/coverity/action.yml
index 2285eb5..fd09e40 100644
--- a/.github/actions/analysis/coverity/action.yml
+++ b/.github/actions/analysis/coverity/action.yml
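Review bot: `--form "email=karthik.d.m@intel.com"` hard-codes an individual's address into a public workflow; this field is the address Coverity Scan notifies when the build completes, so the scan's contact is now bound to one person and the address is exposed in the repository source. Move it out of the action, e.g. `--form "email=${COVERITY_EMAIL}"` with a `COVERITY_EMAIL` entry (name illustrative) in the step's `env:` sourced from a repository variable or secret, the same way the composite already receives `COVERITY_TOKEN`, or use a role mailbox. The curl invocation continues past the end of this hunk.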
@@ -86,23 +86,23 @@ runs: mkdir -p "$REPORT_DIR" $HOME/coverity/bin/cov-configure --compiler cc --comptype gcc --template - rm -rf build coverity_output + rm -rf build cov-int meson setup build - $HOME/coverity/bin/cov-build --dir coverity_output/ ninja -C build + $HOME/coverity/bin/cov-build --dir cov-int ninja -C build echo "===== Submitting build to scan.coverity.com =====" - tail coverity_output/build-log.txt - tar czf /tmp/coverity-results.tar.gz coverity_output/ - ls -lh /tmp/coverity-results.tar.gz + tail cov-int/build-log.txt + tar czf /tmp/cov-int.tar.gz cov-int/ + ls -lh /tmp/cov-int.tar.gz curl --form "token=${COVERITY_TOKEN}" \ --form "email=karthik.d.m@intel.com" \ - --form "file=@/tmp/coverity-results.tar.gz" \ + --form "file=@/tmp/cov-int.tar.gz" \ --form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \ --form "description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \ "https://scan.coverity.com/builds?project=OpenVisualCloud%2Fdirectview-led-software-toolkit" - rm -f /tmp/coverity-results.tar.gz + rm -f /tmp/cov-int.tar.gz echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json" echo " Results will be available at: https://scan.coverity.com/projects/openvisualcloud-directview-led-software-toolkit" From 41a633c749fd2cce9b05ffd5839f358210ef3999 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 14:44:32 +0530 Subject: [PATCH 17/19] fix: update MTL default version to v26.01 --- .github/actions/environment-check/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/environment-check/action.yml b/.github/actions/environment-check/action.yml index 4b10977..a05d2f5 100644 --- a/.github/actions/environment-check/action.yml +++ b/.github/actions/environment-check/action.yml 
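Review bot: Nothing in the renamed block confirms that `$HOME/coverity/bin/cov-build --dir cov-int ninja -C build` actually captured compilation units before the archive is uploaded; `tail cov-int/build-log.txt` only prints the log, so a capture that emitted zero units (for instance when the `cov-configure --compiler cc` template does not match what meson invokes) still produces a successful-looking submission. After the tail, add `grep -q 'compilation units' cov-int/build-log.txt || { echo 'ERROR: cov-build captured no compilation units'; exit 1; }`, confirming the exact summary wording against a real build-log.txt first. The `cov-int` rename itself matches the commit message. The enclosing Run Coverity analysis step begins before this hunk.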
@@ -14,7 +14,7 @@ inputs: mtl-version: description: 'MTL release tag to build' required: false - default: 'ffmpeg-plugin-extra-pixel-format' + default: 'v26.01' ffmpeg-version: description: 'FFmpeg release branch to build' required: false From 31204cefe25e55b2084b44875103c1b793e544d2 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 14:59:34 +0530 Subject: [PATCH 18/19] docs: update Coverity badge with correct project ID --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4f3d1ff..ff5ddf7 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![License](https://img.shields.io/badge/license-BSD--3--Clause-blue.svg)](LICENSE) [![CI](https://github.com/OpenVisualCloud/directview-led-software-toolkit/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/OpenVisualCloud/directview-led-software-toolkit/actions/workflows/ci.yml) -[![Coverity Scan](https://scan.coverity.com/projects/OpenVisualCloud-directview-led-software-toolkit/badge.svg)](https://scan.coverity.com/projects/OpenVisualCloud-directview-led-software-toolkit) +Coverity Scan Build Status [![Ubuntu](https://img.shields.io/badge/Ubuntu-22.04%20|%2024.04-orange.svg)](https://releases.ubuntu.com/jammy/) [![MTL](https://img.shields.io/badge/MTL-v26.01+-green.svg)](https://github.com/OpenVisualCloud/Media-Transport-Library) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/OpenVisualCloud/directview-led-software-toolkit/badge)](https://securityscorecards.dev/viewer/?uri=github.com/OpenVisualCloud/directview-led-software-toolkit) From 7433a0440fdc017d0a4a7094df176bef4ba3bc25 Mon Sep 17 00:00:00 2001 From: roshan-ku Date: Wed, 1 Jul 2026 15:00:12 +0530 Subject: [PATCH 19/19] fix: revert MTL version to ffmpeg-plugin-extra-pixel-format --- .github/actions/environment-check/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/actions/environment-check/action.yml b/.github/actions/environment-check/action.yml
index a05d2f5..4b10977 100644
--- a/.github/actions/environment-check/action.yml
+++ b/.github/actions/environment-check/action.yml
@@ -14,7 +14,7 @@ inputs:
 mtl-version:
 description: 'MTL release tag to build'
 required: false
- default: 'v26.01'
+ default: 'ffmpeg-plugin-extra-pixel-format'
 ffmpeg-version:
 description: 'FFmpeg release branch to build'
 required: false