-
Notifications
You must be signed in to change notification settings - Fork 3
ci: consolidate fuzz and coverity workflows #28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
Closed
Changes from 1 commit
Commits
Show all changes
20 commits
Select commit
Hold shift + click to select a range
32afda2
ci: consolidate fuzz and coverity workflows
roshan-ku c58341b
ci: fix zizmor template-injection findings
roshan-ku 69020ee
ci: update workflow configuration
roshan-ku 37b50b1
commented coverity section
roshan-ku 3dc02dc
Merge branch 'main' into workflowUpdates
dmkarthi 3f05c14
ci: inline coverity in shared workflows
roshan-ku 72189f4
fix(coverity): handle scan.coverity.com build-only package
roshan-ku 6dcbe42
fix(coverity): simplify scan.coverity.com flow to match reference
roshan-ku 82edd98
fix(coverity): remove unused env variables, keep only COVERITY_TOKEN
roshan-ku 6de3083
ci: add on-demand Coverity scan workflow
roshan-ku 01deda6
docs: add Coverity Scan badge to README
roshan-ku e4a1510
fix(coverity): use github.sha for checkout ref
roshan-ku 95f2ef7
fix(coverity): use correct scan.coverity.com project slug
roshan-ku 772a9f1
ci: add explanatory comments to security-events permissions
roshan-ku 7806370
fix(coverity): revert API URLs to URL-encoded format
roshan-ku 1b851bf
fix(coverity): update submission email address
roshan-ku 9140dab
fix(coverity): use cov-int as build capture directory name
roshan-ku 41a633c
fix: update MTL default version to v26.01
roshan-ku 31204ce
docs: update Coverity badge with correct project ID
roshan-ku 7433a04
fix: revert MTL version to ffmpeg-plugin-extra-pixel-format
roshan-ku File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| # | ||
| # BSD 3-Clause License | ||
| # Copyright (C) 2026 Intel Corporation | ||
| # SPDX-License-Identifier: BSD-3-Clause | ||
| # | ||
| name: 'AFL Fuzz' | ||
| description: 'Build and run AFL++ fuzzing for config parser harness' | ||
|
|
||
| inputs: | ||
| max-seconds: | ||
| description: 'Maximum AFL fuzzing run time in seconds' | ||
| required: false | ||
| default: '300' | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Install AFL dependencies | ||
| shell: bash | ||
| run: | | ||
| sudo apt-get update -qq | ||
| sudo apt-get install -y -qq afl++ libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config | ||
|
|
||
| - name: Verify AFL environment | ||
| shell: bash | ||
| run: | | ||
| echo "=== AFL++ ===" | ||
| afl-clang-fast --version || { echo "ERROR: afl-clang-fast not found"; exit 1; } | ||
| echo "" | ||
| echo "=== libavutil ===" | ||
| dpkg -l libavutil-dev | grep -q ii || { echo "ERROR: libavutil-dev not installed"; exit 1; } | ||
| echo " Header: $(find /usr/include -name 'avutil.h' | head -1)" | ||
| echo " Library: $(find /usr/lib -name 'libavutil.so*' | head -1)" | ||
| echo "" | ||
| echo "=== Compiler ===" | ||
| gcc --version | head -1 | ||
| echo "" | ||
| echo "Environment OK" | ||
|
|
||
| - name: Build AFL fuzz harness | ||
| shell: bash | ||
| run: | | ||
| cd fuzz | ||
| export CC=afl-clang-fast | ||
| $CC -g -O1 -fno-omit-frame-pointer -I../include -c fuzz_config_reader.c -o fuzz_config_reader.o | ||
| $CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/config_reader.c -o config_reader.o | ||
| $CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/logger.c -o logger.o | ||
| $CC -o fuzz_config_reader fuzz_config_reader.o config_reader.o logger.o -lavutil -lm | ||
| echo "Build successful: $(file fuzz_config_reader)" | ||
|
|
||
| - name: Run AFL fuzzer | ||
| shell: bash | ||
| run: | | ||
| cd fuzz | ||
| mkdir -p findings | ||
| export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 | ||
| export AFL_SKIP_CPUFREQ=1 | ||
| timeout "${{ inputs.max-seconds }}" afl-fuzz -i corpus/ -o findings/ -V "${{ inputs.max-seconds }}" -- ./fuzz_config_reader @@ || true | ||
|
|
||
| - name: Check AFL crashes | ||
| shell: bash | ||
| run: | | ||
| cd fuzz | ||
| CRASH_COUNT=$(find findings/default/crashes -type f ! -name "README.txt" 2>/dev/null | wc -l) | ||
| echo "Crashes found: $CRASH_COUNT" | ||
| if [ "$CRASH_COUNT" -gt 0 ]; then | ||
| echo "::error::AFL found $CRASH_COUNT crash(es)!" | ||
| ls -la findings/default/crashes/ | ||
| exit 1 | ||
| fi | ||
| echo "No crashes found - fuzzing passed." | ||
|
|
||
| - name: Sanitize AFL filenames | ||
| if: always() | ||
| shell: bash | ||
| run: | | ||
| cd fuzz/findings | ||
| find . -name '*:*' | while read -r f; do | ||
| mv "$f" "$(echo "$f" | tr ':' '_')" | ||
| done |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,156 @@ | ||
| # | ||
| # BSD 3-Clause License | ||
| # Copyright (C) 2026 Intel Corporation | ||
| # SPDX-License-Identifier: BSD-3-Clause | ||
| # | ||
| name: 'Coverity Scan' | ||
| description: 'Install Coverity, run static analysis, and emit JSON + SARIF reports' | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Install Coverity | ||
| shell: bash | ||
| env: | ||
| COVERITY_URL: ${{ env.COVERITY_URL }} | ||
| COVERITY_USER: ${{ env.COVERITY_USER }} | ||
| COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }} | ||
| run: | | ||
| echo "===== Coverity Setup =====" | ||
| COVERITY_DIR="$HOME/coverity" | ||
| if [ -x "$COVERITY_DIR/bin/cov-build" ]; then | ||
| echo " [OK] Coverity already installed at $COVERITY_DIR" | ||
| "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true | ||
| exit 0 | ||
| fi | ||
| mkdir -p "$COVERITY_DIR" | ||
| wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \ | ||
| -O /tmp/coverity.tar.gz "$COVERITY_URL" | ||
| tar xzf /tmp/coverity.tar.gz --strip-components=1 -C "$COVERITY_DIR" | ||
| rm -f /tmp/coverity.tar.gz | ||
| "$COVERITY_DIR/bin/cov-build" --ident | head -1 || true | ||
|
|
||
| - name: Run Coverity analysis | ||
| shell: bash | ||
| run: | | ||
| export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-} | ||
| if ! pkg-config --exists mtl 2>/dev/null; then | ||
| MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1) | ||
| if [ -z "$MTL_PC" ]; then | ||
| echo "ERROR: MTL pkg-config file not found." | ||
| exit 1 | ||
| fi | ||
| MTL_PC_DIR=$(dirname "$MTL_PC") | ||
| echo "Found MTL pkgconfig at: $MTL_PC_DIR" | ||
| export PKG_CONFIG_PATH="${MTL_PC_DIR}:${PKG_CONFIG_PATH}" | ||
| fi | ||
|
|
||
| REPORT_DIR="$GITHUB_WORKSPACE/reports" | ||
| mkdir -p "$REPORT_DIR" | ||
|
|
||
| $HOME/coverity/bin/cov-configure --compiler cc --comptype gcc --template | ||
| rm -rf build coverity_output | ||
| meson setup build | ||
| $HOME/coverity/bin/cov-build --dir coverity_output/ ninja -C build | ||
|
|
||
| $HOME/coverity/bin/cov-analyze --dir coverity_output/ \ | ||
| --concurrency --enable-constraint-fpp --enable-fnptr --enable-virtual \ | ||
| --disable ASSERT_SIDE_EFFECT \ | ||
| --disable AUTO_CAUSES_COPY \ | ||
| --disable BAD_CHECK_OF_WAIT_COND \ | ||
| --disable BAD_SHIFT \ | ||
| --disable COPY_INSTEAD_OF_MOVE \ | ||
| --disable CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH \ | ||
| --disable CUDA.CUDEVICE_HANDLES \ | ||
| --disable CUDA.DEVICE_DEPENDENT \ | ||
| --disable CUDA.DEVICE_DEPENDENT_CALLBACKS \ | ||
| --disable CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION \ | ||
| --disable CUDA.ERROR_INTERFACE \ | ||
| --disable CUDA.ERROR_KERNEL_LAUNCH \ | ||
| --disable CUDA.FORK \ | ||
| --disable CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP \ | ||
| --disable CUDA.INITIATION_OBJECT_DEVICE_THREAD_BLOCK \ | ||
| --disable CUDA.INVALID_MEMORY_ACCESS \ | ||
| --disable CUDA.SHARE_FUNCTION \ | ||
| --disable CUDA.SHARE_OBJECT_STREAM_ASSOCIATED \ | ||
| --disable CUDA.SPECIFIERS_INCONSISTENCY \ | ||
| --disable CUDA.SYNCHRONIZE_TERMINATION \ | ||
| --disable INEFFICIENT_RESERVE \ | ||
| --disable MISSING_COMMA \ | ||
| --disable MISSING_MOVE_ASSIGNMENT \ | ||
| --disable OVERLAPPING_COPY \ | ||
| --disable STREAM_FORMAT_STATE \ | ||
| --disable UNINTENDED_INTEGER_DIVISION | ||
|
|
||
| $HOME/coverity/bin/cov-format-errors --dir coverity_output/ \ | ||
| --json-output-v8 "$REPORT_DIR/coverity-report.json" | ||
|
|
||
| - name: Convert Coverity JSON to SARIF | ||
| shell: bash | ||
| run: | | ||
| REPORT_DIR="$GITHUB_WORKSPACE/reports" | ||
| python3 - <<'EOF' | ||
| import json, sys | ||
|
|
||
| sarif = { | ||
| "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", | ||
| "version": "2.1.0", | ||
| "runs": [{ | ||
| "tool": { | ||
| "driver": { | ||
| "name": "Coverity", | ||
| "informationUri": "https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html", | ||
| "rules": [] | ||
| } | ||
| }, | ||
| "results": [] | ||
| }] | ||
| } | ||
|
|
||
| try: | ||
| with open("reports/coverity-report.json") as f: | ||
| cov = json.load(f) | ||
| except (FileNotFoundError, json.JSONDecodeError): | ||
| with open("reports/coverity-results.sarif", "w") as f: | ||
| json.dump(sarif, f, indent=2) | ||
| sys.exit(0) | ||
|
|
||
| rules_map = {} | ||
| results = [] | ||
|
|
||
| for issue in cov.get("issues", []): | ||
| checker = issue.get("checkerName", "unknown") | ||
| if checker not in rules_map: | ||
| rule_idx = len(rules_map) | ||
| rules_map[checker] = rule_idx | ||
| sarif["runs"][0]["tool"]["driver"]["rules"].append({ | ||
| "id": checker, | ||
| "shortDescription": {"text": issue.get("checkerProperties", {}).get("subcategoryShortDescription", checker)}, | ||
| "helpUri": f"https://community.synopsys.com/s/article/{checker}" | ||
| }) | ||
|
|
||
| events = issue.get("events", []) | ||
| main_event = events[0] if events else {} | ||
| file_path = main_event.get("strippedFilePathname", main_event.get("filePathname", "unknown")) | ||
| line = main_event.get("lineNumber", 1) | ||
|
|
||
| results.append({ | ||
| "ruleId": checker, | ||
| "ruleIndex": rules_map[checker], | ||
| "level": "warning", | ||
| "message": {"text": issue.get("checkerProperties", {}).get("subcategoryLongDescription", checker)}, | ||
| "locations": [{ | ||
| "physicalLocation": { | ||
| "artifactLocation": {"uri": file_path, "uriBaseId": "%SRCROOT%"}, | ||
| "region": {"startLine": line} | ||
| } | ||
| }] | ||
| }) | ||
|
|
||
| sarif["runs"][0]["results"] = results | ||
|
|
||
| with open("reports/coverity-results.sarif", "w") as f: | ||
| json.dump(sarif, f, indent=2) | ||
|
|
||
| print(f"Converted {len(results)} Coverity issues to SARIF") | ||
| EOF |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # | ||
| # BSD 3-Clause License | ||
| # Copyright (C) 2026 Intel Corporation | ||
| # SPDX-License-Identifier: BSD-3-Clause | ||
| # | ||
| name: 'libFuzzer' | ||
| description: 'Build and run libFuzzer with ASan and UBSan for config parser harness' | ||
|
|
||
| inputs: | ||
| max-seconds: | ||
| description: 'Maximum libFuzzer run time in seconds per sanitizer mode' | ||
| required: false | ||
| default: '300' | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Install libFuzzer dependencies | ||
| shell: bash | ||
| run: | | ||
| sudo apt-get update -qq | ||
| sudo apt-get install -y -qq clang libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config | ||
|
|
||
| - name: Build and run libFuzzer (ASan) | ||
| shell: bash | ||
| run: | | ||
| cd fuzz | ||
| export CC=clang | ||
| $CC -fsanitize=fuzzer,address -g -O1 -fno-omit-frame-pointer -I../include \ | ||
| fuzz_config_reader_libfuzzer.c \ | ||
| ../src/util/config_reader.c \ | ||
| ../src/util/logger.c \ | ||
| -o fuzz_config_reader_libfuzzer \ | ||
| $(pkg-config --cflags --libs libavutil) -lm | ||
|
|
||
| mkdir -p libfuzzer_corpus | ||
| ./fuzz_config_reader_libfuzzer \ | ||
| libfuzzer_corpus/ corpus/ \ | ||
| -max_total_time=${{ inputs.max-seconds }} \ | ||
| -print_final_stats=1 || FUZZ_EXIT=$? | ||
| if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then | ||
| echo "::error::libFuzzer found a crash (exit code $FUZZ_EXIT)!" | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Build and run libFuzzer (UBSan) | ||
| shell: bash | ||
| run: | | ||
| cd fuzz | ||
| export CC=clang | ||
| $CC -fsanitize=fuzzer,undefined -g -O1 -fno-omit-frame-pointer -I../include \ | ||
| fuzz_config_reader_libfuzzer.c \ | ||
| ../src/util/config_reader.c \ | ||
| ../src/util/logger.c \ | ||
| -o fuzz_config_reader_ubsan \ | ||
| $(pkg-config --cflags --libs libavutil) -lm | ||
|
|
||
| mkdir -p ubsan_corpus | ||
| ./fuzz_config_reader_ubsan \ | ||
| ubsan_corpus/ corpus/ \ | ||
| -max_total_time=${{ inputs.max-seconds }} \ | ||
| -print_final_stats=1 || FUZZ_EXIT=$? | ||
| if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then | ||
| echo "::error::libFuzzer+UBSan found an issue (exit code $FUZZ_EXIT)!" | ||
| exit 1 | ||
| fi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.