Diffstat (limited to '.gitlab-ci.yml')
-rw-r--r-- | .gitlab-ci.yml | 67 |
1 files changed, 66 insertions, 1 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3f02a76beb0..2b9c34e48dc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -27,6 +27,7 @@ stages:
 - build
 - test
 - Salsa-CI
+ - sast
 default:
 # Base image for builds and tests unless otherwise defined
@@ -42,7 +43,7 @@ variables:
 CMAKE_FLAGS: "-DWITH_SSL=system -DPLUGIN_COLUMNSTORE=NO -DPLUGIN_ROCKSDB=NO -DPLUGIN_S3=NO -DPLUGIN_MROONGA=NO -DPLUGIN_CONNECT=NO -DPLUGIN_MROONGA=NO -DPLUGIN_TOKUDB=NO -DPLUGIN_PERFSCHEMA=NO -DWITH_WSREP=OFF"
 # Major version dictates which branches share the same ccache. E.g. 10.6-abc
 # and 10.6-xyz will have the same cache.
- MARIADB_MAJOR_VERSION: "10.8"
+ MARIADB_MAJOR_VERSION: "11.0"
 # NOTE! Currently ccache is only used on the Centos8 build. As each job has
 # sufficiently different environments they are unable to benefit from each
 # other's ccaches. As each build generates about 1 GB of ccache, having 
@@ -515,6 +516,70 @@ mini-benchmark:
 metrics:
 - metrics.txt
+cppcheck:
+ stage: sast
+ needs: []
+ variables:
+ GIT_STRATEGY: fetch
+ GIT_SUBMODULE_STRATEGY: normal
+ script:
+ - yum install -y cppcheck diffutils
+ # --template: use a single-line template
+ # --force: check large directories without warning
+ # -i<directory>: ignore this directory when scanning
+ # -j: run multiple cppcheck threads
+ # Use newline to escape colon in yaml
+ - >
+ cppcheck --template="{file}:{line}: {severity}: {message}" --force
+ client dbug extra include libmariadb libmysqld libservices mysql-test mysys mysys_ssl pcre plugin
+ strings tests unittest vio wsrep-lib sql sql-common storage
+ -istorage/mroonga -istorage/tokudb -istorage/spider -istorage/rocksdb -iextra/ -ilibmariadb/ -istorage/columnstore
+ --output-file=cppcheck.txt -j $(nproc)
+ # Parallel jobs may output findings in an nondeterministic order. Sort to match ignorelist.
+ - cat cppcheck.txt | sort > cppcheck_sorted.txt
+ # Remove line numbers for diff
+ - sed 's/:[^:]*:/:/' cppcheck_sorted.txt > cppcheck_sorted_no_line_numbers.txt
+ # Only print new issues not found in ignore list
+ - echo "Problems found in ignore list that were not discovered by cppcheck (may have been fixed)."
+ - diff --changed-group-format='%>' --unchanged-group-format='' cppcheck_sorted_no_line_numbers.txt tests/code_quality/cppcheck_ignorelist.txt || true
+ - echo "Problems found by cppcheck that were not in ignore list."
+ - diff --changed-group-format='%<' --unchanged-group-format='' cppcheck_sorted_no_line_numbers.txt tests/code_quality/cppcheck_ignorelist.txt > lines_not_ignored.txt || true
+ - cat lines_not_ignored.txt && test ! -s lines_not_ignored.txt
+ artifacts:
+ when: always
+ paths:
+ - cppcheck_sorted.txt
+
+flawfinder:
+ stage: sast
+ needs: []
+ variables:
+ GIT_STRATEGY: fetch
+ GIT_SUBMODULE_STRATEGY: normal
+ script:
+ - yum install -y python3 python3-pip jq diffutils git
+ - pip install flawfinder
+ - flawfinder --falsepositive --quiet --html . > flawfinder-all-vulnerabilities.html
+ - cat flawfinder-all-vulnerabilities.html | grep "Hits ="
+ - flawfinder --falsepositive --quiet --minlevel=5 --sarif . > flawfinder-output.json
+ # FlawFinder's --sarif output will display all vulnerabilities despite having --minlevel=5 specified.
+ # Therefore, we postprocess the results with jq and filter out findings where the vulnerability level is less than 5.
+ # Also in the SARIF output format, the vulnerabilities are ranked as 0.2/0.4/0.6/0.8/1.0 which correspond to the --minlevel=1/2/3/4/5 of FlawFinder.
+ # Additionally, we sort the results because individual findings are consistent across different runs, but their ordering may not be.
+ # Vulnerabilities can also be ignored in-line (/* Flawfinder: ignore */), but this option was chosen as to not clutter the codebase.
+ - jq 'del(.runs[] | .tool | .driver | .rules) | del(.runs[] | .results[] | select(.rank < 1)) | del(.runs[] | .results[] | .locations[] | .physicalLocation | .region | .startLine) | .runs[0].results|=sort_by(.fingerprints)' flawfinder-output.json > flawfinder-min-level5.json
+ # Diff against known vulnerabilities, but ignore the line number.
+ - echo "Problems found in ignore list that were not discovered by flawfinder (may have been fixed)."
+ - diff --changed-group-format='%>' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json || true
+ - echo "Problems found by flawfinder that were not in ignore list."
+ - diff --changed-group-format='%<' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json > lines_not_ignored.txt || true
+ - cat lines_not_ignored.txt && test ! -s lines_not_ignored.txt
+ artifacts:
+ when: always
+ paths:
+ - flawfinder-all-vulnerabilities.html
+ - flawfinder-min-level5.json
+
 # Once all RPM builds and tests have passed, also run the DEB builds and tests
 # @NOTE: This is likely to work well only on salsa.debian.org as the Gitlab.com
 # runners are too small for everything this stage does. |
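Review bot: The flawfinder job installs its scanner with an unpinned `pip install flawfinder` from PyPI (and cppcheck likewise comes from whatever `yum install -y cppcheck` resolves on the day), so the gate that fails the job on findings absent from tests/code_quality/*_ignorelist is comparing against a tool version that can change underneath it: a release that adds or renames checks will fail every pipeline until the ignorelist is regenerated, and an unpinned PyPI install is an avoidable supply-chain exposure for a CI job. Pin it, e.g. `pip install 'flawfinder==<version the ignorelist was generated with>'` (ideally with `--require-hashes`), and echo `cppcheck --version` in the log so ignorelist drift can be diagnosed. The `sort` feeding the cppcheck comparison is locale-dependent; use `LC_ALL=C sort` so the ordering matches however the ignorelist was produced, because `diff` between two sorted lists only behaves as a set difference when both sides share one collation. Separately, `extra` and `libmariadb` appear both as scan roots and in the `-i` exclusions on the cppcheck command line; drop them from one of the two places so the intent is unambiguous.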