Skip to content
Closed
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
32afda2
ci: consolidate fuzz and coverity workflows
roshan-ku Jun 3, 2026
c58341b
ci: fix zizmor template-injection findings
roshan-ku Jun 3, 2026
69020ee
ci: update workflow configuration
roshan-ku Jun 3, 2026
37b50b1
commented coverity section
roshan-ku Jun 4, 2026
3dc02dc
Merge branch 'main' into workflowUpdates
dmkarthi Jun 30, 2026
3f05c14
ci: inline coverity in shared workflows
roshan-ku Jun 30, 2026
72189f4
fix(coverity): handle scan.coverity.com build-only package
roshan-ku Jul 1, 2026
6dcbe42
fix(coverity): simplify scan.coverity.com flow to match reference
roshan-ku Jul 1, 2026
82edd98
fix(coverity): remove unused env variables, keep only COVERITY_TOKEN
roshan-ku Jul 1, 2026
6de3083
ci: add on-demand Coverity scan workflow
roshan-ku Jul 1, 2026
01deda6
docs: add Coverity Scan badge to README
roshan-ku Jul 1, 2026
e4a1510
fix(coverity): use github.sha for checkout ref
roshan-ku Jul 1, 2026
95f2ef7
fix(coverity): use correct scan.coverity.com project slug
roshan-ku Jul 1, 2026
772a9f1
ci: add explanatory comments to security-events permissions
roshan-ku Jul 1, 2026
7806370
fix(coverity): revert API URLs to URL-encoded format
roshan-ku Jul 1, 2026
1b851bf
fix(coverity): update submission email address
roshan-ku Jul 1, 2026
9140dab
fix(coverity): use cov-int as build capture directory name
roshan-ku Jul 1, 2026
41a633c
fix: update MTL default version to v26.01
roshan-ku Jul 1, 2026
31204ce
docs: update Coverity badge with correct project ID
roshan-ku Jul 1, 2026
7433a04
fix: revert MTL version to ffmpeg-plugin-extra-pixel-format
roshan-ku Jul 1, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions .github/actions/analysis/afl-fuzz/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'AFL Fuzz'
description: 'Build and run AFL++ fuzzing for config parser harness'

inputs:
max-seconds:
description: 'Maximum AFL fuzzing run time in seconds'
required: false
default: '300'

runs:
using: composite
steps:
- name: Install AFL dependencies
shell: bash
run: |
sudo apt-get update -qq
sudo apt-get install -y -qq afl++ libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config

- name: Verify AFL environment
shell: bash
run: |
echo "=== AFL++ ==="
afl-clang-fast --version || { echo "ERROR: afl-clang-fast not found"; exit 1; }
echo ""
echo "=== libavutil ==="
dpkg -l libavutil-dev | grep -q ii || { echo "ERROR: libavutil-dev not installed"; exit 1; }
echo " Header: $(find /usr/include -name 'avutil.h' | head -1)"
echo " Library: $(find /usr/lib -name 'libavutil.so*' | head -1)"
echo ""
echo "=== Compiler ==="
gcc --version | head -1
echo ""
echo "Environment OK"

- name: Build AFL fuzz harness
shell: bash
run: |
cd fuzz
export CC=afl-clang-fast
$CC -g -O1 -fno-omit-frame-pointer -I../include -c fuzz_config_reader.c -o fuzz_config_reader.o
$CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/config_reader.c -o config_reader.o
$CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/logger.c -o logger.o
$CC -o fuzz_config_reader fuzz_config_reader.o config_reader.o logger.o -lavutil -lm
echo "Build successful: $(file fuzz_config_reader)"

- name: Run AFL fuzzer
shell: bash
run: |
cd fuzz
mkdir -p findings
export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
export AFL_SKIP_CPUFREQ=1
timeout "${{ inputs.max-seconds }}" afl-fuzz -i corpus/ -o findings/ -V "${{ inputs.max-seconds }}" -- ./fuzz_config_reader @@ || true

- name: Check AFL crashes
shell: bash
run: |
cd fuzz
CRASH_COUNT=$(find findings/default/crashes -type f ! -name "README.txt" 2>/dev/null | wc -l)
echo "Crashes found: $CRASH_COUNT"
if [ "$CRASH_COUNT" -gt 0 ]; then
echo "::error::AFL found $CRASH_COUNT crash(es)!"
ls -la findings/default/crashes/
exit 1
fi
echo "No crashes found - fuzzing passed."

- name: Sanitize AFL filenames
if: always()
shell: bash
run: |
cd fuzz/findings
find . -name '*:*' | while read -r f; do
mv "$f" "$(echo "$f" | tr ':' '_')"
done
156 changes: 156 additions & 0 deletions .github/actions/analysis/coverity/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'Coverity Scan'
description: 'Install Coverity, run static analysis, and emit JSON + SARIF reports'

runs:
using: composite
steps:
- name: Install Coverity
shell: bash
env:
COVERITY_URL: ${{ env.COVERITY_URL }}
COVERITY_USER: ${{ env.COVERITY_USER }}
COVERITY_PASSWORD: ${{ env.COVERITY_PASSWORD }}
run: |
echo "===== Coverity Setup ====="
COVERITY_DIR="$HOME/coverity"
if [ -x "$COVERITY_DIR/bin/cov-build" ]; then
echo " [OK] Coverity already installed at $COVERITY_DIR"
"$COVERITY_DIR/bin/cov-build" --ident | head -1 || true
exit 0
fi
mkdir -p "$COVERITY_DIR"
wget --no-proxy -q --user="$COVERITY_USER" --password="$COVERITY_PASSWORD" \
-O /tmp/coverity.tar.gz "$COVERITY_URL"
tar xzf /tmp/coverity.tar.gz --strip-components=1 -C "$COVERITY_DIR"
rm -f /tmp/coverity.tar.gz
"$COVERITY_DIR/bin/cov-build" --ident | head -1 || true

- name: Run Coverity analysis
shell: bash
run: |
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-}
if ! pkg-config --exists mtl 2>/dev/null; then
MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1)
if [ -z "$MTL_PC" ]; then
echo "ERROR: MTL pkg-config file not found."
exit 1
fi
MTL_PC_DIR=$(dirname "$MTL_PC")
echo "Found MTL pkgconfig at: $MTL_PC_DIR"
export PKG_CONFIG_PATH="${MTL_PC_DIR}:${PKG_CONFIG_PATH}"
fi

REPORT_DIR="$GITHUB_WORKSPACE/reports"
mkdir -p "$REPORT_DIR"

$HOME/coverity/bin/cov-configure --compiler cc --comptype gcc --template
rm -rf build coverity_output
meson setup build
$HOME/coverity/bin/cov-build --dir coverity_output/ ninja -C build

$HOME/coverity/bin/cov-analyze --dir coverity_output/ \
--concurrency --enable-constraint-fpp --enable-fnptr --enable-virtual \
--disable ASSERT_SIDE_EFFECT \
--disable AUTO_CAUSES_COPY \
--disable BAD_CHECK_OF_WAIT_COND \
--disable BAD_SHIFT \
--disable COPY_INSTEAD_OF_MOVE \
--disable CUDA.COLLECTIVE_WARP_SHUFFLE_WIDTH \
--disable CUDA.CUDEVICE_HANDLES \
--disable CUDA.DEVICE_DEPENDENT \
--disable CUDA.DEVICE_DEPENDENT_CALLBACKS \
--disable CUDA.DIVERGENCE_AT_COLLECTIVE_OPERATION \
--disable CUDA.ERROR_INTERFACE \
--disable CUDA.ERROR_KERNEL_LAUNCH \
--disable CUDA.FORK \
--disable CUDA.INACTIVE_THREAD_AT_COLLECTIVE_WARP \
--disable CUDA.INITIATION_OBJECT_DEVICE_THREAD_BLOCK \
--disable CUDA.INVALID_MEMORY_ACCESS \
--disable CUDA.SHARE_FUNCTION \
--disable CUDA.SHARE_OBJECT_STREAM_ASSOCIATED \
--disable CUDA.SPECIFIERS_INCONSISTENCY \
--disable CUDA.SYNCHRONIZE_TERMINATION \
--disable INEFFICIENT_RESERVE \
--disable MISSING_COMMA \
--disable MISSING_MOVE_ASSIGNMENT \
--disable OVERLAPPING_COPY \
--disable STREAM_FORMAT_STATE \
--disable UNINTENDED_INTEGER_DIVISION

$HOME/coverity/bin/cov-format-errors --dir coverity_output/ \
--json-output-v8 "$REPORT_DIR/coverity-report.json"

- name: Convert Coverity JSON to SARIF
shell: bash
run: |
REPORT_DIR="$GITHUB_WORKSPACE/reports"
python3 - <<'EOF'
import json, sys

sarif = {
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [{
"tool": {
"driver": {
"name": "Coverity",
"informationUri": "https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html",
"rules": []
}
},
"results": []
}]
}

try:
with open("reports/coverity-report.json") as f:
cov = json.load(f)
except (FileNotFoundError, json.JSONDecodeError):
with open("reports/coverity-results.sarif", "w") as f:
json.dump(sarif, f, indent=2)
sys.exit(0)

rules_map = {}
results = []

for issue in cov.get("issues", []):
checker = issue.get("checkerName", "unknown")
if checker not in rules_map:
rule_idx = len(rules_map)
rules_map[checker] = rule_idx
sarif["runs"][0]["tool"]["driver"]["rules"].append({
"id": checker,
"shortDescription": {"text": issue.get("checkerProperties", {}).get("subcategoryShortDescription", checker)},
"helpUri": f"https://community.synopsys.com/s/article/{checker}"
})

events = issue.get("events", [])
main_event = events[0] if events else {}
file_path = main_event.get("strippedFilePathname", main_event.get("filePathname", "unknown"))
line = main_event.get("lineNumber", 1)

results.append({
"ruleId": checker,
"ruleIndex": rules_map[checker],
"level": "warning",
"message": {"text": issue.get("checkerProperties", {}).get("subcategoryLongDescription", checker)},
"locations": [{
"physicalLocation": {
"artifactLocation": {"uri": file_path, "uriBaseId": "%SRCROOT%"},
"region": {"startLine": line}
}
}]
})

sarif["runs"][0]["results"] = results

with open("reports/coverity-results.sarif", "w") as f:
json.dump(sarif, f, indent=2)

print(f"Converted {len(results)} Coverity issues to SARIF")
EOF
66 changes: 66 additions & 0 deletions .github/actions/analysis/libfuzzer/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'libFuzzer'
description: 'Build and run libFuzzer with ASan and UBSan for config parser harness'

inputs:
max-seconds:
description: 'Maximum libFuzzer run time in seconds per sanitizer mode'
required: false
default: '300'

runs:
using: composite
steps:
- name: Install libFuzzer dependencies
shell: bash
run: |
sudo apt-get update -qq
sudo apt-get install -y -qq clang libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config

- name: Build and run libFuzzer (ASan)
shell: bash
run: |
cd fuzz
export CC=clang
$CC -fsanitize=fuzzer,address -g -O1 -fno-omit-frame-pointer -I../include \
fuzz_config_reader_libfuzzer.c \
../src/util/config_reader.c \
../src/util/logger.c \
-o fuzz_config_reader_libfuzzer \
$(pkg-config --cflags --libs libavutil) -lm

mkdir -p libfuzzer_corpus
./fuzz_config_reader_libfuzzer \
libfuzzer_corpus/ corpus/ \
-max_total_time=${{ inputs.max-seconds }} \
-print_final_stats=1 || FUZZ_EXIT=$?
if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then
echo "::error::libFuzzer found a crash (exit code $FUZZ_EXIT)!"
exit 1
fi

- name: Build and run libFuzzer (UBSan)
shell: bash
run: |
cd fuzz
export CC=clang
$CC -fsanitize=fuzzer,undefined -g -O1 -fno-omit-frame-pointer -I../include \
fuzz_config_reader_libfuzzer.c \
../src/util/config_reader.c \
../src/util/logger.c \
-o fuzz_config_reader_ubsan \
$(pkg-config --cflags --libs libavutil) -lm

mkdir -p ubsan_corpus
./fuzz_config_reader_ubsan \
ubsan_corpus/ corpus/ \
-max_total_time=${{ inputs.max-seconds }} \
-print_final_stats=1 || FUZZ_EXIT=$?
if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then
echo "::error::libFuzzer+UBSan found an issue (exit code $FUZZ_EXIT)!"
exit 1
fi
3 changes: 2 additions & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,9 @@ concurrency:

jobs:
ci:
name: Continuous Integration
name: CI Full Validation
Comment thread
roshan-ku marked this conversation as resolved.
Outdated
runs-on: ubuntu-latest
timeout-minutes: 45
permissions:
contents: read
steps:
Expand Down
Loading
Loading