36 changes: 36 additions & 0 deletions .github/workflows/native-build.yml
@@ -0,0 +1,36 @@
name: Build XDNS Component in Native Environment

on:
push:
branches: [ main, 'sprint/**', 'release/**', develop ]
pull_request:
branches: [ main, 'sprint/**', 'release/**', topic/RDK*, develop ]

jobs:
build-xdns-on-pr:
name: Build XDNS component in github rdkcentral
runs-on: ubuntu-latest
container:
image: ghcr.io/rdkcentral/docker-rdk-ci:latest

steps:
- name: Checkout code
uses: actions/checkout@v3
Copilot AI Jan 30, 2026

The workflow uses 'actions/checkout@v3' which is an older version. GitHub Actions has released newer versions (v4 is available as of 2023). Consider updating to '@v4' for improved performance and features. This is the same pattern used in the L1-tests.yml workflow, so updating both together would maintain consistency.

Suggested change
uses: actions/checkout@v3
uses: actions/checkout@v4

Copilot AI Feb 9, 2026

Consider upgrading to actions/checkout@v4 to stay current with GitHub Actions runtime updates and avoid potential deprecation issues tied to older major versions.

Suggested change
uses: actions/checkout@v3
uses: actions/checkout@v4


- name: native build
run: |
# Trust the workspace
git config --global --add safe.directory '*'

# Pull the latest changes for the native build system
git submodule update --init --recursive --remote

# Build and install dependencies
chmod +x build_tools_workflows/cov_docker_script/setup_dependencies.sh
./build_tools_workflows/cov_docker_script/setup_dependencies.sh ./cov_docker_script/component_config.json

# Build component
chmod +x build_tools_workflows/cov_docker_script/build_native.sh
./build_tools_workflows/cov_docker_script/build_native.sh ./cov_docker_script/component_config.json "$(pwd)"
env:
GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
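Review bot: `git submodule update --init --recursive --remote` in the `native build` step moves build_tools_workflows to the tip of its tracked branch (`develop` in .gitmodules) instead of the commit this PR records for the submodule (b7c962), so the job marks as executable and runs `setup_dependencies.sh` and `build_native.sh` from whatever that branch holds at run time, with `secrets.RDKCM_RDKE` exported as `GITHUB_TOKEN` for the step. Drop `--remote` so the reviewed submodule commit is what executes, and move the pointer through a PR when the build tooling changes. The same reasoning applies to `image: ghcr.io/rdkcentral/docker-rdk-ci:latest`: a versioned tag or digest keeps the build environment from changing underneath the job.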
Comment on lines 11 to 36

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 8 days ago

In general, the fix is to add an explicit permissions block either at the workflow root (affecting all jobs) or at the job level, granting only the minimal required scopes. Since this workflow only checks out code and runs build scripts, contents: read is sufficient in most cases.

For this specific file, the minimal, non‑disruptive change is to add a job-level permissions block to build-xdns-on-pr, just under the job name (or runs-on). This will limit the workflow’s automatically provided GITHUB_TOKEN to read-only repository contents while leaving the rest of the job unchanged. Because the job already uses a secret RDKCM_RDKE for the GITHUB_TOKEN environment variable, adding this block does not interfere with that secret; it only constrains the implicit GITHUB_TOKEN that GitHub injects. No imports or additional methods are needed, only YAML changes in .github/workflows/native-build.yml.

Concretely:

  • Edit .github/workflows/native-build.yml.
  • Under build-xdns-on-pr: (around line 11), insert:
      permissions:
        contents: read
  • Keep indentation aligned with other job keys (name, runs-on, etc.).
    No other functional behavior needs to change.
Suggested changeset 1
.github/workflows/native-build.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/native-build.yml b/.github/workflows/native-build.yml
--- a/.github/workflows/native-build.yml
+++ b/.github/workflows/native-build.yml
@@ -9,6 +9,8 @@
 jobs:
   build-xdns-on-pr:
     name: Build XDNS component in github rdkcentral
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/rdkcentral/docker-rdk-ci:latest
EOF
@@ -9,6 +9,8 @@
jobs:
build-xdns-on-pr:
name: Build XDNS component in github rdkcentral
permissions:
contents: read
runs-on: ubuntu-latest
container:
image: ghcr.io/rdkcentral/docker-rdk-ci:latest
Copilot AI Feb 5, 2026

The GITHUB_TOKEN environment variable is set to use a custom secret 'secrets.RDKCM_RDKE', but it's not clear if this is actually needed for the build process. If the build scripts are cloning public repositories (as seen in run_setup_dependencies.sh where it clones from https://github.com/rdkcentral/build_tools_workflows), the default GITHUB_TOKEN provided by GitHub Actions should be sufficient. If this custom token is required, please add a comment explaining why. If it's not needed, consider removing it to reduce secret dependencies.

Suggested change
GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
GITHUB_TOKEN: ${{ github.token }}

Copilot AI Feb 9, 2026

This overrides the built-in GITHUB_TOKEN with a repository secret, which increases the risk of credential exposure because the subsequent scripts run code from the checked-out repository in a PR context. Prefer using the default ${{ github.token }} for GitHub API operations, and if an elevated token is required, pass it under a different env name and ensure the workflow does not run untrusted PR code with that secret available.

Suggested change
GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
GITHUB_TOKEN: ${{ github.token }}

4 changes: 4 additions & 0 deletions .gitmodules
@@ -0,0 +1,4 @@
[submodule "build_tools_workflows"]
path = build_tools_workflows
url = https://github.com/rdkcentral/build_tools_workflows
branch = develop
1 change: 1 addition & 0 deletions build_tools_workflows
Submodule build_tools_workflows added at b7c962
3 changes: 3 additions & 0 deletions cov_docker_script/README.md
@@ -0,0 +1,3 @@
# 🔧 Coverity Native Build System for RDK-B Components

The documentation and source for the RDK-B native build system has been centralized in [rdkcentral/build_tools_workflows](https://github.com/rdkcentral/build_tools_workflows/blob/develop/cov_docker_script/README.md)
109 changes: 109 additions & 0 deletions cov_docker_script/component_config.json
@@ -0,0 +1,109 @@
{
"_comment": "Component Build Configuration for Coverity/Native Builds",
"_version": "2.0",
"_description": "Defines dependencies and build settings for the native component",

"dependencies": {
"_comment": "External repositories needed by this component",
"repos": [
{
"name": "rbus",
Copilot AI Jan 30, 2026

The component_config.json specifies rbus version "v2.7.0" as a branch name (line 12), which appears to be a tag rather than a branch. Git clone with '-b' flag accepts both branches and tags, so this will work, but it's semantically misleading to call it a "branch" in the configuration. Consider either: 1) Renaming the field from "branch" to "ref" or "version" to be more accurate, or 2) Adding a comment explaining that this field accepts both branches and tags. This affects consistency with other dependencies that use actual branch names like "develop".

Suggested change
"name": "rbus",
"name": "rbus",
"_comment": "\"branch\" may refer to a branch or a tag; here v2.7.0 is a Git tag.",

"repo": "https://github.com/rdkcentral/rbus.git",
"branch": "v2.7.0",
"header_paths": [
{ "source": "include", "destination": "$HOME/usr/include/rdkb" }
],
"build": {
"type": "cmake",
"build_dir": "build",
"cmake_flags": "-DCMAKE_INSTALL_PREFIX=$HOME/usr -DCMAKE_PREFIX_PATH=/usr -DBUILD_FOR_DESKTOP=ON -DCMAKE_BUILD_TYPE=Debug"
}
},
{
"name": "common-library",
"repo": "https://github.com/rdkcentral/common-library.git",
"branch": "develop",
"header_paths": [
{ "source": "source/cosa/include", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/cosa/include/linux", "destination": "$HOME/usr/include/rdkb/linux" },
{ "source": "source/ccsp/custom", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/ccsp/include", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/debug_api/include", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/util_api/http/include", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/ccsp/components/include", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/util_api/ansc/include", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/cosa/package/slap/include", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/ccsp/components/common/MessageBusHelper/include", "destination": "$HOME/usr/include/rdkb" },
{ "source": "source/dm_pack", "destination": "$HOME/usr/include/rdkb" }
],
"build": {
"type": "script",
"script": "build_tools_workflows/cov_docker_script/common_external_build.sh"
}
Comment on lines 39 to 42
Copilot AI Jan 30, 2026

The build configuration references "cov_docker_script/run_external_build.sh" as the build script for common-library (line 41) and Utopia (line 86). However, run_external_build.sh clones the build_tools_workflows repository if it doesn't exist (lines 25-33), which could lead to race conditions or conflicts if multiple dependencies try to build in parallel. Additionally, this creates a circular dependency where component_config.json references run_external_build.sh, which in turn reads component_config.json. Consider: 1) Documenting that builds must be sequential, not parallel, or 2) Restructuring to avoid the script cloning build_tools_workflows (since run_setup_dependencies.sh should handle this).

},
{
"name": "WebconfigFramework",
"repo": "https://github.com/rdkcentral/WebconfigFramework.git",
"branch": "develop",
"header_paths": [
{ "source": "include", "destination": "$HOME/usr/include/rdkb" }
],
"build": {
"type": "autotools",
"configure_flags": "CPPFLAGS=\"-I$HOME/usr/include/rdkb -I$HOME/usr/include/rdkb/rbus -I$HOME/usr/local/include -I$HOME/usr/include/rdkb/rtmessage\" LDFLAGS=\"-L$HOME/usr/local/lib -L$HOME/usr/lib\" LIBS=\"-lrbus -lrtMessage\""
}
},
{
"name": "libSyscallWrapper",
"repo": "https://github.com/rdkcentral/libSyscallWrapper.git",
"branch": "develop",
"header_paths": [
{ "source": "source", "destination": "$HOME/usr/include/rdkb" }
],
"build": {
"type": "autotools",
"configure_flags": "CPPFLAGS=\"-I$HOME/usr/include/rdkb\" LDFLAGS=\"-L$HOME/usr/local/lib\""
}
},
{
"name": "rdk-libunpriv",
"repo": "https://github.com/rdkcentral/rdk-libunpriv.git",
"branch": "develop",
"header_paths": [
{ "source": "source", "destination": "$HOME/usr/include/rdkb" }
]
},
{
"name": "Utopia",
"repo": "https://github.com/rdkcentral/utopia.git",
"branch": "develop",
"header_paths": [
{ "source": "include", "destination": "$HOME/usr/include/rdkb/utopia" },
{ "source": "source/include/utctx", "destination": "$HOME/usr/include/rdkb/utctx" }
],
"build": {
"type": "script",
"script": "build_tools_workflows/cov_docker_script/common_external_build.sh"
}
Comment on lines 83 to 87
Copilot AI Jan 30, 2026

Same issue as with common-library dependency at lines 39-42. The build configuration references "cov_docker_script/run_external_build.sh" which may cause conflicts if run_setup_dependencies.sh has already cloned build_tools_workflows, or create race conditions if dependencies build in parallel.

Suggested change
],
"build": {
"type": "script",
"script": "cov_docker_script/run_external_build.sh"
}
]

}
]
},

Copilot AI Feb 5, 2026

There is a trailing comma after the closing brace of the "dependencies" object. While many JSON parsers are lenient and accept trailing commas, this is technically invalid according to the JSON specification and could cause parsing errors in strict JSON parsers. Remove the comma on this line.

"native_component": {
"_comment": "Configuration for the main component being built",
"name": "xdns",
Copilot AI Feb 5, 2026

The component name in this configuration is "xdns" (line 94) but the PR title mentions "RDKB-63009 RDKB-63010" without mentioning the XDNS component name. Additionally, this appears to be in a repository that should be named consistently with the component. Please verify this is the correct component name for this repository.

"include_path": "$HOME/usr/include/rdkb/",
"lib_output_path": "$HOME/usr/local/lib/",
Comment on lines +95 to +96
Copilot AI Feb 5, 2026

All paths throughout the configuration use "$HOME" for constructing include and library paths (e.g., lines 14, 95, 96). While this provides flexibility, it assumes HOME is properly set in the build environment. In containerized builds or CI environments, this might not always point to the expected location. Consider documenting this requirement or adding validation in the build scripts to ensure HOME is set correctly before proceeding with the build.

"pre_build_commands": [
{
"description": "Generate dm_pack_datamodel.c from XML",
"command": "python3 $HOME/usr/include/rdkb/dm_pack_code_gen.py config/CcspXdns_dm.xml source/XdnsSsp/dm_pack_datamodel.c"
}
],
"build": {
"type": "autotools",
"configure_options_file": "cov_docker_script/configure_options.conf"
}
}
}
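Review bot: five of the six entries under `repos` (common-library, WebconfigFramework, libSyscallWrapper, rdk-libunpriv, Utopia) set `"branch": "develop"`, so every run clones and builds whatever those branches contain at that moment; only rbus is fixed, at v2.7.0. Point each dependency at a release tag the way rbus does, so a red build can be attributed to this component's change rather than upstream drift and so the code executed in the job is code someone has reviewed. Also, rdk-libunpriv has `header_paths` but no `build` block, unlike the other entries; if it is consumed as headers only, a `_comment` saying so would prevent it being read as an omission.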

163 changes: 163 additions & 0 deletions cov_docker_script/configure_options.conf
@@ -0,0 +1,163 @@
# XDNS Configure Options
# This file contains autotools configure options for the xdns component
# Matches the structure and style used for hotspot, common-library, and advanced-security

# ============================================================================
# CPPFLAGS - Preprocessor flags (includes and defines)
# ============================================================================
[CPPFLAGS]
# Autotools configuration
-DHAVE_CONFIG_H

# Include paths (Option A - installed headers)
-I$HOME/usr/include/rdkb/
Copilot AI Feb 5, 2026

The script uses "$HOME" variable in multiple paths (lines 13-14, 135), but this assumes HOME is set in the build environment. While this is typically true, in containerized or CI environments, HOME might not be set as expected. Consider verifying that HOME is set or using a more explicit path variable that's controlled by the build system.

Suggested change
-I$HOME/usr/include/rdkb/
-I${HOME:?HOME environment variable is not set}/usr/include/rdkb/

-I/usr/include/dbus-1.0
-I/usr/lib/x86_64-linux-gnu/dbus-1.0/include
Comment on lines 13 to 15
Copilot AI Jan 30, 2026

The CPPFLAGS section uses $HOME to reference user home directory paths (e.g., lines 13-14, 135), but this may not work reliably in all build environments, particularly containerized builds. The $HOME variable expansion depends on when and how it's processed. Consider: 1) Documenting the expected $HOME value for the build environment, or 2) Using a more explicit build-time variable that's set by the build system, or 3) Verifying that the build scripts properly expand $HOME before passing these flags to the configure script.

-I/usr/include/cjson

# Standard/system defines
-DSAFEC_DUMMY_API
-DPATH_MAX=1024
-D__686__

# Core system / HAL
-D_COSA_HAL_
Copilot AI Jan 30, 2026

Similar to line 31, the flag '-U_COSA_SIM_' explicitly undefines a macro without a prior definition in this configuration. While this might be defensive programming to ensure simulation mode is disabled, consider adding a comment explaining the intent.

Suggested change
-D_COSA_HAL_
-D_COSA_HAL_
# Explicitly undefine simulation mode macro to ensure non-sim build, even if defined elsewhere

-U_COSA_SIM_
-D_COSA_BCM_ARM_
-D_COSA_INTEL_USG_ARM_
-D_COSA_FOR_COMCAST_

# ANSC framework defines
-D_ANSC_LINUX
-D_ANSC_USER
-D_ANSC_LITTLE_ENDIAN_
-D_ANSC_USE_OPENSSL_
-D_ANSC_AES_USED_
-D_NO_ANSC_ZLIB_
Copilot AI Jan 30, 2026

The flag '-U_ANSC_IPV6_COMPATIBLE_' on line 31 undefines this macro, but there's no corresponding '-D' definition for it in the list. This is intentional to ensure IPv6 compatibility is disabled, but it's unusual to explicitly undefine something that was never defined. Consider adding a comment explaining why this specific macro needs to be explicitly undefined, or verify if this is actually necessary.

Suggested change
-D_NO_ANSC_ZLIB_
-D_NO_ANSC_ZLIB_
# Explicitly undefine ANSC IPv6 compatibility to ensure it is disabled,
# even if defined by global, toolchain, or shared build flags.

-U_ANSC_IPV6_COMPATIBLE_

# CCSP/Component defines
-D_CCSP_CWMP_TCP_CONNREQ_HANDLER
-D_DSLH_STUN_
-D_NO_PKI_KB5_SUPPORT
-D_BBHM_SSE_FILE_IO
-DCCSP_SUPPORT_ENABLED

# Product/Platform defines
-D_XB6_PRODUCT_REQ_
-D_XB7_PRODUCT_REQ_
-D_XB8_PRODUCT_REQ_
-DETH_4_PORTS
-D_2_5G_ETHERNET_SUPPORT_
-D_MACSEC_SUPPORT_

# Security / debugging
-DENABLE_SA_KEY
-D_NO_EXECINFO_H_
-D_DEBUG
-DINCLUDE_BREAKPAD

# System features
-DFEATURE_SUPPORT_RDKLOG
-DFEATURE_SUPPORT_SYSLOG
-DBUILD_WEB
-DUSE_NOTIFY_COMPONENT
-DNTPD_ENABLE
-DUTC_ENABLE
-DUTC_ENABLE_ATOM
-DXDNS_ENABLE

# MoCA-related
-DMOCA_DIAGONISTIC
-DMOCA_HOME_ISOLATION
-DCONFIG_SYSTEM_MOCA

# Network features
-DAUTOWAN_ENABLE
-DENABLE_WANMODECHANGE_NOREBOOT
-DENABLE_ETH_WAN
-DEROUTER_DHCP_OPTION_MTA
-DWAN_FAILOVER_SUPPORTED
-DGATEWAY_FAILOVER_SUPPORTED
-D_BRIDGE_UTILS_BIN_
-D_CM_HIGHSPLIT_SUPPORTED_
-DFEATURE_RDKB_WAN_MANAGER
-DFEATURE_RDKB_CONFIGURABLE_WAN_INTERFACE
-DWAN_MANAGER_UNIFICATION_ENABLED
-DMAPT_UNIFICATION_ENABLED
-DFEATURE_SUPPORT_MAPT_NAT46
-DFEATURE_RDKB_DHCP_MANAGER

# WiFi features
-D_ENABLE_BAND_STEERING_
-D_BEACONRATE_SUPPORT
-D_TRI_BAND_WIFI_
-D_WIFI_AX_SUPPORT_
-D_WIFI_CONSOLIDATED_STANDARDS_
-DWIFI_HAL_VERSION_3
-DFEATURE_SUPPORT_MESH
-DFEATURE_SUPPORT_WEBCONFIG
-DFEATURE_SUPPORT_INTERWORKING
-DFEATURE_SUPPORT_PASSPOINT
-DWIFI_STATS_DISABLE_SPEEDTEST_RUNNING
-DFEATURE_SUPPORT_RADIUSGREYLIST
-DFEATURE_SUPPORT_ACL_SELFHEAL
-DFEATURE_CSI
-DFEATURE_SUPPORT_ONBOARD_LOGGING
-DFEATURE_OFF_CHANNEL_SCAN_5G
-DRDK_ONEWIFI
-DWIFI_MANAGE_SUPPORTED

# Advanced features
-D_PSM_TRANS_RDK_TRIGG_
-DFEATURE_RDKB_INTER_DEVICE_MANAGER
-DSPEED_BOOST_SUPPORTED
-DAMENITIES_NETWORK_ENABLED

# XDNS-specific / networking libs
-DCORE_NET_LIB

# Build system / misc
-DRBUS_BUILD_FLAG_ENABLE

# Test/Development
-DCOLUMBO_HWTEST

# Standard defines
-D_GNU_SOURCE
-D__USE_XOPEN

Comment on lines +128 to +129
Copilot AI Feb 9, 2026

__USE_XOPEN is a libc-internal feature test macro (glibc uses __USE_* internally) and should not be defined by applications. Prefer using standard feature test macros (for example _XOPEN_SOURCE with an explicit value) or remove this define if it isn't required.

Suggested change
-D__USE_XOPEN


# ============================================================================
# CFLAGS - Compiler flags
# ============================================================================
[CFLAGS]
# Optimization / debugging
-Os
-pipe
-g
-feliminate-unused-debug-types

# Compiler runtime behavior
-Wall
-Wextra
-Werror
-fno-exceptions
-ffunction-sections
-fdata-sections
-fomit-frame-pointer
-fno-strict-aliasing
# Some builds require this for older codepaths:
# -fcommon


# ============================================================================
# LDFLAGS - Linker flags
# ============================================================================
[LDFLAGS]
-L$HOME/usr/local/lib/
-Wl,-O1
-Wl,--hash-style=gnu
-Wl,--as-needed
-Wl,--allow-shlib-undefined
-Wl,--unresolved-symbols=ignore-all
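Review bot: in [LDFLAGS], `-Wl,--allow-shlib-undefined` together with `-Wl,--unresolved-symbols=ignore-all` tells the linker not to report undefined references, so this build still succeeds when one of the dependencies listed in component_config.json failed to build or no longer exports a symbol the component uses, and the problem surfaces only at load time. For a job whose purpose is to show that the component builds, drop `--unresolved-symbols=ignore-all`, or keep it with a comment naming the libraries that are intentionally absent from the native environment so the gap is explicit.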