Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 86 additions & 0 deletions .github/actions/analysis/afl-fuzz/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'AFL Fuzz'
description: 'Build and run AFL++ fuzzing for config parser harness'

inputs:
max-seconds:
description: 'Maximum AFL fuzzing run time in seconds'
required: false
default: '300'

runs:
using: composite
steps:
- name: Install AFL dependencies
shell: bash
run: |
sudo apt-get update -qq
sudo apt-get install -y -qq afl++ libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config

- name: Verify AFL environment
shell: bash
run: |
echo "=== AFL++ ==="
afl-clang-fast --version || { echo "ERROR: afl-clang-fast not found"; exit 1; }
echo ""
echo "=== libavutil ==="
dpkg -l libavutil-dev | grep -q ii || { echo "ERROR: libavutil-dev not installed"; exit 1; }
echo " Header: $(find /usr/include -name 'avutil.h' | head -1)"
echo " Library: $(find /usr/lib -name 'libavutil.so*' | head -1)"
echo ""
echo "=== Compiler ==="
gcc --version | head -1
echo ""
echo "Environment OK"

- name: Build AFL fuzz harness
shell: bash
run: |
cd fuzz
export CC=afl-clang-fast
$CC -g -O1 -fno-omit-frame-pointer -I../include -c fuzz_config_reader.c -o fuzz_config_reader.o
$CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/config_reader.c -o config_reader.o
$CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/logger.c -o logger.o
$CC -o fuzz_config_reader fuzz_config_reader.o config_reader.o logger.o -lavutil -lm
echo "Build successful: $(file fuzz_config_reader)"

- name: Run AFL fuzzer
shell: bash
env:
MAX_SECONDS: ${{ inputs.max-seconds }}
run: |
cd fuzz
if ! [[ "$MAX_SECONDS" =~ ^[0-9]+$ ]]; then
echo "ERROR: max-seconds must be a positive integer"
exit 1
fi
mkdir -p findings
export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
export AFL_SKIP_CPUFREQ=1
timeout "$MAX_SECONDS" afl-fuzz -i corpus/ -o findings/ -V "$MAX_SECONDS" -- ./fuzz_config_reader @@ || true

- name: Check AFL crashes
shell: bash
run: |
cd fuzz
CRASH_COUNT=$(find findings/default/crashes -type f ! -name "README.txt" 2>/dev/null | wc -l)
echo "Crashes found: $CRASH_COUNT"
if [ "$CRASH_COUNT" -gt 0 ]; then
echo "::error::AFL found $CRASH_COUNT crash(es)!"
ls -la findings/default/crashes/
exit 1
fi
echo "No crashes found - fuzzing passed."

- name: Sanitize AFL filenames
if: always()
shell: bash
run: |
cd fuzz/findings
find . -name '*:*' | while read -r f; do
mv "$f" "$(echo "$f" | tr ':' '_')"
done
250 changes: 250 additions & 0 deletions .github/actions/analysis/coverity/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,250 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'Coverity Scan'
description: 'Install Coverity, run static analysis, and emit JSON + SARIF reports'

runs:
using: composite
steps:
- name: Detect Coverity credentials
id: coverity_secrets
shell: bash
env:
COVERITY_URL: ${{ env.COVERITY_URL }}
COVERITY_USER: ${{ env.COVERITY_USER }}
COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }}
COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }}
COVERITY_SCAN_USER: ${{ env.COVERITY_SCAN_USER }}
COVERITY_SCAN_PASSWORD: ${{ env.COVERITY_SCAN_PASSWORD }}
run: |
set -euo pipefail
if [ -n "${COVERITY_TOKEN:-}" ] || \
{ [ -n "${COVERITY_SCAN_USER:-}" ] && [ -n "${COVERITY_SCAN_PASSWORD:-}" ]; } || \
{ [ -n "${COVERITY_URL:-}" ] && [ -n "${COVERITY_USER:-}" ] && [ -n "${COVERITY_PASSWORD:-}" ]; }; then
echo "available=true" >> "$GITHUB_OUTPUT"
else
echo "available=false" >> "$GITHUB_OUTPUT"
echo "Coverity secrets are not available; skipping Coverity analysis."
fi

- name: Install Coverity
if: steps.coverity_secrets.outputs.available == 'true'
shell: bash
env:
COVERITY_URL: ${{ env.COVERITY_URL }}
COVERITY_USER: ${{ env.COVERITY_USER }}
COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }}
COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }}
COVERITY_PROJECT: ${{ env.COVERITY_PROJECT }}
COVERITY_SCAN_USER: ${{ env.COVERITY_SCAN_USER }}
COVERITY_SCAN_PASSWORD: ${{ env.COVERITY_SCAN_PASSWORD }}
run: |
set -euo pipefail
echo "===== Coverity Setup ====="
COVERITY_DIR="$HOME/coverity"
COVERITY_TARBALL="/tmp/coverity.tar.gz"
if [ -x "$COVERITY_DIR/bin/cov-build" ]; then
echo " [OK] Coverity already installed at $COVERITY_DIR"
"$COVERITY_DIR/bin/cov-build" --ident | head -1 || true
exit 0
fi

rm -f "$COVERITY_TARBALL"
mkdir -p "$COVERITY_DIR"

DOWNLOAD_OK=0

if [ -n "${COVERITY_TOKEN:-}" ]; then
echo " Downloading Coverity from scan.coverity.com (token/project mode)..."
PROJECT_RAW="${COVERITY_PROJECT:-OpenVisualCloud/directview-led-software-toolkit}"
PROJECT_ENCODED="${PROJECT_RAW//\//%2F}"
if wget -q --post-data "token=${COVERITY_TOKEN}&project=${PROJECT_ENCODED}" \
-O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64"; then
DOWNLOAD_OK=1
echo " [OK] Downloaded from scan.coverity.com for project ${PROJECT_RAW}"
else
echo " [WARN] scan.coverity.com token/project download failed, trying fallback source"
rm -f "$COVERITY_TARBALL"
fi
fi

if [ "$DOWNLOAD_OK" -eq 0 ] && [ -n "${COVERITY_SCAN_USER:-}" ] && [ -n "${COVERITY_SCAN_PASSWORD:-}" ]; then
echo " Downloading Coverity from scan.coverity.com (user/password mode)..."
if wget -q --user="$COVERITY_SCAN_USER" --password="$COVERITY_SCAN_PASSWORD" \
-O "$COVERITY_TARBALL" "https://scan.coverity.com/download/cxx/linux64"; then
DOWNLOAD_OK=1
echo " [OK] Downloaded from scan.coverity.com"
else
echo " [WARN] scan.coverity.com user/password download failed, trying fallback source"
rm -f "$COVERITY_TARBALL"
fi
fi

if [ "$DOWNLOAD_OK" -eq 0 ] && [ -n "${COVERITY_URL:-}" ] && [ -n "${COVERITY_USER:-}" ] && [ -n "${COVERITY_PASSWORD:-}" ]; then
echo " Downloading Coverity from configured COVERITY_URL..."
wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \
-O "$COVERITY_TARBALL" "$COVERITY_URL"
DOWNLOAD_OK=1
echo " [OK] Downloaded from COVERITY_URL"
fi

if [ "$DOWNLOAD_OK" -eq 0 ] || [ ! -s "$COVERITY_TARBALL" ]; then
echo "ERROR: Coverity download failed."
echo "Set either COVERITY_TOKEN (and optionally COVERITY_PROJECT),"
echo "or COVERITY_SCAN_USER/COVERITY_SCAN_PASSWORD,"
echo "or COVERITY_URL/COVERITY_USER/COVERITY_PASSWORD."
exit 1
fi

tar xzf "$COVERITY_TARBALL" --strip-components=1 -C "$COVERITY_DIR"
rm -f "$COVERITY_TARBALL"

if [ ! -x "$COVERITY_DIR/bin/cov-build" ] || [ ! -x "$COVERITY_DIR/bin/cov-configure" ]; then
echo "ERROR: Coverity install incomplete (missing cov-build/cov-configure)."
exit 1
fi

"$COVERITY_DIR/bin/cov-build" --ident | head -1 || true

- name: Run Coverity analysis
if: steps.coverity_secrets.outputs.available == 'true'
shell: bash
run: |
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-}
if ! pkg-config --exists mtl 2>/dev/null; then
MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1)
if [ -z "$MTL_PC" ]; then
echo "ERROR: MTL pkg-config file not found."
exit 1
fi
MTL_PC_DIR=$(dirname "$MTL_PC")
echo "Found MTL pkgconfig at: $MTL_PC_DIR"
export PKG_CONFIG_PATH="${MTL_PC_DIR}:${PKG_CONFIG_PATH}"
fi

REPORT_DIR="$GITHUB_WORKSPACE/reports"
mkdir -p "$REPORT_DIR"

$HOME/coverity/bin/cov-configure --compiler cc --comptype gcc --template
rm -rf build coverity_output
meson setup build
$HOME/coverity/bin/cov-build --dir coverity_output/ ninja -C build

$HOME/coverity/bin/cov-analyze --dir coverity_output/ \
--concurrency --enable-constraint-fpp --enable-fnptr --enable-virtual \
--disable ASSERT_SIDE_EFFECT \
--disable AUTO_CAUSES_COPY \
--disable BAD_CHECK_OF_WAIT_COND \
--disable BAD_SHIFT \
--disable COPY_INSTEAD_OF_MOVE \
--disable CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH \
--disable CUDA.CUDEVICE_HANDLES \
--disable CUDA.DEVICE_DEPENDENT \
--disable CUDA.DEVICE_DEPENDENT_CALLBACKS \
--disable CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION \
--disable CUDA.ERROR_INTERFACE \
--disable CUDA.ERROR_KERNEL_LAUNCH \
--disable CUDA.FORK \
--disable CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP \
--disable CUDA.INITIATION_OBJECT_DEVICE_THREAD_BLOCK \
--disable CUDA.INVALID_MEMORY_ACCESS \
--disable CUDA.SHARE_FUNCTION \
--disable CUDA.SHARE_OBJECT_STREAM_ASSOCIATED \
--disable CUDA.SPECIFIERS_INCONSISTENCY \
--disable CUDA.SYNCHRONIZE_TERMINATION \
--disable INEFFICIENT_RESERVE \
--disable MISSING_COMMA \
--disable MISSING_MOVE_ASSIGNMENT \
--disable OVERLAPPING_COPY \
--disable STREAM_FORMAT_STATE \
--disable UNINTENDED_INTEGER_DIVISION

$HOME/coverity/bin/cov-format-errors --dir coverity_output/ \
--json-output-v8 "$REPORT_DIR/coverity-report.json"

- name: Convert Coverity JSON to SARIF
if: steps.coverity_secrets.outputs.available == 'true'
shell: bash
run: |
REPORT_DIR="$GITHUB_WORKSPACE/reports"
python3 - <<'EOF'
import json, sys

sarif = {
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [{
"tool": {
"driver": {
"name": "Coverity",
"informationUri": "https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html",
"rules": []
}
},
"results": []
}]
}

try:
with open("reports/coverity-report.json") as f:
cov = json.load(f)
except (FileNotFoundError, json.JSONDecodeError):
with open("reports/coverity-results.sarif", "w") as f:
json.dump(sarif, f, indent=2)
sys.exit(0)

rules_map = {}
results = []

for issue in cov.get("issues", []):
checker = issue.get("checkerName", "unknown")
if checker not in rules_map:
rule_idx = len(rules_map)
rules_map[checker] = rule_idx
sarif["runs"][0]["tool"]["driver"]["rules"].append({
"id": checker,
"shortDescription": {"text": issue.get("checkerProperties", {}).get("subcategoryShortDescription", checker)},
"helpUri": f"https://community.synopsys.com/s/article/{checker}"
})

events = issue.get("events", [])
main_event = events[0] if events else {}
file_path = main_event.get("strippedFilePathname", main_event.get("filePathname", "unknown"))
line = main_event.get("lineNumber", 1)

results.append({
"ruleId": checker,
"ruleIndex": rules_map[checker],
"level": "warning",
"message": {"text": issue.get("checkerProperties", {}).get("subcategoryLongDescription", checker)},
"locations": [{
"physicalLocation": {
"artifactLocation": {"uri": file_path, "uriBaseId": "%SRCROOT%"},
"region": {"startLine": line}
}
}]
})

sarif["runs"][0]["results"] = results

with open("reports/coverity-results.sarif", "w") as f:
json.dump(sarif, f, indent=2)

print(f"Converted {len(results)} Coverity issues to SARIF")
EOF

- name: Write empty SARIF when Coverity is skipped
if: steps.coverity_secrets.outputs.available != 'true'
shell: bash
run: |
mkdir -p "$GITHUB_WORKSPACE/reports"
cat > "$GITHUB_WORKSPACE/reports/coverity-results.sarif" <<'EOF'
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": []
}
EOF
Loading
Loading