RDKB-62985 RDKB-62986: Native build for Coverity #39
Changes from 15 commits
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,36 @@ | ||||||||||
| name: Build Advanced Security Component in Native Environment | ||||||||||
|
|
||||||||||
| on: | ||||||||||
| push: | ||||||||||
| branches: [ main, 'sprint/**', 'release/**', develop ] | ||||||||||
| pull_request: | ||||||||||
| branches: [ main, 'sprint/**', 'release/**', topic/RDK*, develop ] | ||||||||||
|
|
||||||||||
| jobs: | ||||||||||
| build-advanced-security-on-pr: | ||||||||||
| name: Build advanced-security component in github rdkcentral | ||||||||||
| runs-on: ubuntu-latest | ||||||||||
| container: | ||||||||||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | ||||||||||
|
|
||||||||||
| steps: | ||||||||||
| - name: Checkout code | ||||||||||
| uses: actions/checkout@v3 | ||||||||||
|
||||||||||
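
Review bot: In the `pull_request` branch list, `topic/RDK*` is the only unquoted pattern and the only one written with a single `*`. In Actions branch filters a single `*` does not match `/`, so a pull request against a nested base branch (for example a hypothetical `topic/RDKB-1/part2`) would not trigger this build, while `sprint/**` and `release/**` do match nested names. If nested topic branches should build as well, a `**` pattern is needed; either way, quote the entry so it matches the other globs in the list.
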
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 |
Copilot
AI
Feb 11, 2026
actions/checkout@v3 is outdated and misses fixes/features added in newer major versions. Bump to the current supported major version (and consider pinning to a commit SHA for supply-chain hardening).
| uses: actions/checkout@v3 | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
Copilot
AI
Feb 11, 2026
Setting safe.directory to '*' disables git’s ownership safety checks globally for all repos in the container, which is broader than needed. Prefer scoping this to the checked-out workspace only (e.g., add the specific working directory) so other directories remain protected.
| git config --global --add safe.directory '*' | |
| git config --global --add safe.directory "$GITHUB_WORKSPACE" |
Copilot
AI
Feb 9, 2026
Overriding GITHUB_TOKEN with a separate secret increases the risk of accidental token exposure (e.g., script logging) and can also break PR builds from forks where secrets aren’t available. Prefer the built-in GitHub token (${{ github.token }} / ${{ secrets.GITHUB_TOKEN }}) or pass a separate token under a different env var name with the minimum required permissions.
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} | |
| GITHUB_TOKEN: ${{ github.token }} | |
| RDKCM_RDKE_TOKEN: ${{ secrets.RDKCM_RDKE }} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| [submodule "build_tools_workflows"] | ||
| path = build_tools_workflows | ||
| url = https://github.com/rdkcentral/build_tools_workflows | ||
| branch = develop |
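
Review bot: `branch = develop` on the last line only takes effect when the submodule is updated with `git submodule update --remote`; a plain `git submodule update --init` checks out the commit recorded in this repository. If the workflow uses `--remote`, the build scripts that run in CI follow the tip of `develop` in `build_tools_workflows` and can change without any commit here, so either drop the `branch` line or make sure the workflow only ever checks out the recorded commit.
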
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # 🔧 Coverity Native Build System for RDK-B Components | ||
|
|
||
| The documentation and source for the RDK-B native build system has been centralized in [rdkcentral/build_tools_workflows](https://github.com/rdkcentral/build_tools_workflows/blob/develop/cov_docker_script/README.md) |
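
Review bot: The link on the last line targets `blob/develop/...`, which follows the tip of `develop` rather than the submodule commit this pull request records, so the linked documentation can describe a different version of the scripts than the one actually built. Consider pointing at the README inside the `build_tools_workflows` submodule checkout instead, and adding a line on how to initialise the submodule.
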
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,99 @@ | ||||||
| { | ||||||
| "_comment": "Component Build Configuration for Coverity/Native Builds", | ||||||
| "_version": "2.0", | ||||||
| "_description": "Defines dependencies and build settings for the native component", | ||||||
|
|
||||||
| "dependencies": { | ||||||
|
||||||
| "dependencies": { | |
| "dependencies": { |
Copilot
AI
Feb 9, 2026
The same source directory is copied to two different destinations, including the include root (.../rdkb/). This can unintentionally flatten/duplicate headers and change include resolution order. Keep only the canonical destination (likely .../rdkb/linux) or copy only specific headers into the root if that’s required.
| { "source": "source/cosa/include/linux", "destination": "$HOME/usr/include/rdkb/" }, |
|
Contributor
Is this configuration taken from do_compile log?
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,153 @@ | ||||||||||
| # Advanced Security Configure Options | ||||||||||
| # This file contains autotools configure options for the advanced-security component | ||||||||||
|
|
||||||||||
| # ============================================================================ | ||||||||||
| # CPPFLAGS - Preprocessor flags (includes and defines) | ||||||||||
| # ============================================================================ | ||||||||||
| [CPPFLAGS] | ||||||||||
|
|
||||||||||
| # Autotools configuration | ||||||||||
| -DHAVE_CONFIG_H | ||||||||||
|
|
||||||||||
| # Include paths | ||||||||||
| -I$HOME/usr/include/rdkb/ | ||||||||||
| -I/usr/include/dbus-1.0 | ||||||||||
| -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include | ||||||||||
| -I/usr/include/cjson | ||||||||||
|
|
||||||||||
| # ANSC framework defines | ||||||||||
| -D_ANSC_LINUX | ||||||||||
| -D_ANSC_USER | ||||||||||
| -D_ANSC_LITTLE_ENDIAN_ | ||||||||||
| -D_ANSC_USE_OPENSSL_ | ||||||||||
| -D_ANSC_AES_USED_ | ||||||||||
| -D_NO_ANSC_ZLIB_ | ||||||||||
| -U_ANSC_IPV6_COMPATIBLE_ | ||||||||||
|
|
||||||||||
| # Core system / HAL | ||||||||||
| -D_COSA_HAL_ | ||||||||||
| -U_COSA_SIM_ | ||||||||||
| -D_COSA_INTEL_USG_ARM_ | ||||||||||
| -D_COSA_BCM_ARM_ | ||||||||||
| -D_COSA_FOR_COMCAST_ | ||||||||||
|
|
||||||||||
| # CCSP/Component defines | ||||||||||
| -D_CCSP_CWMP_TCP_CONNREQ_HANDLER | ||||||||||
| -D_DSLH_STUN_ | ||||||||||
| -D_NO_PKI_KB5_SUPPORT | ||||||||||
| -D_BBHM_SSE_FILE_IO | ||||||||||
| -DCCSP_SUPPORT_ENABLED | ||||||||||
|
|
||||||||||
| # Security / debugging | ||||||||||
| -DENABLE_SA_KEY | ||||||||||
| -D_NO_EXECINFO_H_ | ||||||||||
| -D_DEBUG | ||||||||||
| -DINCLUDE_BREAKPAD | ||||||||||
|
|
||||||||||
| # System features | ||||||||||
| -DFEATURE_SUPPORT_RDKLOG | ||||||||||
| -DFEATURE_SUPPORT_SYSLOG | ||||||||||
| -DBUILD_WEB | ||||||||||
| -DUSE_NOTIFY_COMPONENT | ||||||||||
| -DNTPD_ENABLE | ||||||||||
| -DUTC_ENABLE | ||||||||||
| -DUTC_ENABLE_ATOM | ||||||||||
| -DXDNS_ENABLE | ||||||||||
|
|
||||||||||
| # Product/Platform defines | ||||||||||
| -D_XB6_PRODUCT_REQ_ | ||||||||||
| -D_XB7_PRODUCT_REQ_ | ||||||||||
| -D_XB8_PRODUCT_REQ_ | ||||||||||
| -DCONFIG_VENDOR_NAME | ||||||||||
|
|
||||||||||
| # MoCA-related | ||||||||||
| -DCONFIG_SYSTEM_MOCA | ||||||||||
| -DMOCA_HOME_ISOLATION | ||||||||||
| -DMOCA_DIAGONISTIC | ||||||||||
|
||||||||||
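
Review bot: The header comment does not say which target build this flag set was taken from, and the groups below it enable several platform and product macros at once (`-D_COSA_INTEL_USG_ARM_` with `-D_COSA_BCM_ARM_`, and `_XB6_`, `_XB7_` and `_XB8_PRODUCT_REQ_` together) along with `-D_DEBUG`. Coverity only analyses the branches these macros select, so please state the source of the list (for example the build log it was copied from) at the top of the file, so reviewers can confirm the analysed configuration corresponds to one that ships.
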
| -DMOCA_DIAGONISTIC | |
| -DMOCA_DIAGNOSTIC |
Copilot
AI
Feb 17, 2026
These linker flags suppress unresolved-symbol failures, which can hide real link problems and reduce the value of CI (and potentially Coverity) by allowing incomplete binaries. Prefer failing the build on unresolved symbols; if suppression is required for specific optional libs, scope it narrowly (e.g., only for affected targets) rather than globally in LDFLAGS.
| -L$HOME/usr/local/lib/ | |
| -Wl,--allow-shlib-undefined | |
| -Wl,--unresolved-symbols=ignore-all | |
| -L$HOME/usr/local/lib/ |
Using the `latest` tag makes CI non-reproducible and can break builds when the image changes. Pin the container image to a specific version tag or immutable digest (e.g., @sha256:...) so Coverity/native builds are stable over time.
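
The four workflow issues raised in the review comments above (an action not pinned to a commit SHA, a container image on a mutable tag, `safe.directory '*'`, and `GITHUB_TOKEN` overridden from another secret) can be checked mechanically. The following is an added example, not part of the pull request or the project's code; the function name, rule names and sample workflow are constructed for illustration.

```python
import re

# Constructed sample: lines modelled on the workflow fragments quoted in the
# review comments above (not the project's complete workflow file).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/rdkcentral/docker-rdk-ci:latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: git config --global --add safe.directory '*'
      - run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
        env:
          GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
IMAGE = re.compile(r"^\s*image:\s*(\S+)")
SAFE_DIR = re.compile(r"safe\.directory\s+(['\"]?)\*\1")
TOKEN = re.compile(r"^\s*GITHUB_TOKEN:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}")

def audit_workflow(text):
    """Return (line_number, rule, detail) for each finding."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if m := USES.match(line):
            ref = m.group(1)
            # Local (./) and docker:// references carry no git ref to pin here.
            if not ref.startswith(("./", "docker://")):
                _, _, rev = ref.partition("@")
                if not re.fullmatch(r"[0-9a-f]{40}", rev):
                    findings.append((no, "unpinned-action", ref))
        if m := IMAGE.match(line):
            if "@sha256:" not in m.group(1):
                findings.append((no, "mutable-image", m.group(1)))
        if SAFE_DIR.search(line):
            findings.append((no, "safe-directory-wildcard", line.strip()))
        if m := TOKEN.match(line):
            if m.group(1) != "GITHUB_TOKEN":
                findings.append((no, "github-token-override", m.group(1)))
    return findings

if __name__ == "__main__":
    for no, rule, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {rule}: {detail}")
```

The check is line-based on purpose so it runs without a YAML library; it does not follow anchors, multi-line scalars or reusable workflows.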