From 21d364fe9f19331ee77f02355a01e51c5efbb2dc Mon Sep 17 00:00:00 2001 
From: bobra200 Date: Wed, 22 Apr 2026 16:20:36 -0700 Subject: [PATCH 01/19] feat: add Coverity static analysis workflows and local dev tooling [RDKEMW-14544] - build_dependencies.sh: install all build deps from source (mirrors .github/Dockerfile); idempotent, safe to run in any container - cov_build.sh: cmake configure + build for Coverity capture - native_full_build.yml: build verification CI + act local validation target - coverity_full_scan.yml: thin caller for full scan on push to main/develop - coverity_incremental_scan.yml: thin caller for incremental scan on PRs with on-demand workflow_dispatch support - coverity_component_full_scan.yml: self-contained reusable full scan engine (local copy; no dependency on rdk-e/build_tools_workflows) - coverity_component_incremental_scan.yml: self-contained reusable incremental scan engine; posts defect details as PR review comments - coverity_local.sh: offline developer scan via Docker (no server required); outputs raw text + HTML report to coverity_html/ - .actrc: act convenience defaults for local native build validation NOTE: For CI to work, the Code Central team must provisision: - Coverity Central project 'firebolt-cpp-transport' with streams firebolt-cpp-transport_main and firebolt-cpp-transport_develop - Org vars: DOCKER_REGISTRY, ARTIFACTORY_USER, COVERITY_URL, COVERITY_USER - Org secrets: COVERITY_APIKEY, ARTIFACTORY_USER_APIKEY - comcast-ubuntu-latest runner availability in rdkcentral org --- .actrc | 2 + .../coverity_component_full_scan.yml | 83 ++++++++++++++ .../coverity_component_incremental_scan.yml | 108 ++++++++++++++++++ .github/workflows/coverity_full_scan.yml | 21 ++++ .../workflows/coverity_incremental_scan.yml | 30 +++++ .github/workflows/native_full_build.yml | 32 ++++++ build_dependencies.sh | 86 ++++++++++++++ cov_build.sh | 19 +++ coverity_local.sh | 67 +++++++++++ 9 files changed, 448 insertions(+) create mode 100644 .actrc create mode 100644 .github/workflows/coverity_component_full_scan.yml 
create mode 100644 .github/workflows/coverity_component_incremental_scan.yml
create mode 100644 .github/workflows/coverity_full_scan.yml
create mode 100644 .github/workflows/coverity_incremental_scan.yml
create mode 100644 .github/workflows/native_full_build.yml
create mode 100755 build_dependencies.sh
create mode 100755 cov_build.sh
create mode 100755 coverity_local.sh
diff --git a/.actrc b/.actrc
new file mode 100644
index 0000000..f599d5d
--- /dev/null
+++ b/.actrc
@@ -0,0 +1,2 @@
+--container-architecture linux/amd64
+-W .github/workflows/native_full_build.yml
diff --git a/.github/workflows/coverity_component_full_scan.yml b/.github/workflows/coverity_component_full_scan.yml
new file mode 100644
index 0000000..1786b2c
--- /dev/null
+++ b/.github/workflows/coverity_component_full_scan.yml
@@ -0,0 +1,83 @@
+name: Coverity Full Analysis Scan
+
+# Reusable workflow — called by coverity_full_scan.yml.
+# Runs a full cov-build + cov-analyze + cov-commit-defects cycle.
+# Results are committed to the Coverity Connect server stream only;
+# nothing is posted back to any pull request.
+on:
+ workflow_call:
+ inputs:
+ buildCommand:
+ description: 'Build Command'
+ required: true
+ type: string
+ branchName:
+ description: 'Branch Name'
+ required: true
+ type: string
+ customSetup:
+ description: 'Custom setup commands'
+ required: false
+ type: string
+ secrets:
+ COVERITY_APIKEY:
+ required: true
+ ARTIFACTORY_USER_APIKEY:
+ required: true
+ # GITHUB_TOKENCM: cross-org token — required if customSetup clones private repos
+ GITHUB_TOKENCM:
+ required: false
+
+jobs:
+ coverity_full_scan:
+ runs-on: comcast-ubuntu-latest
+ container:
+ # TODO (org admin): provision vars.DOCKER_REGISTRY in rdkcentral org
+ image: ${{ vars.DOCKER_REGISTRY }}/rdk-docker/docker-rdk-coverity:1.0.7
+ credentials:
+ # TODO (org admin): provision vars.ARTIFACTORY_USER in rdkcentral org
+ username: ${{ vars.ARTIFACTORY_USER }}
+ password: ${{ secrets.ARTIFACTORY_USER_APIKEY }}
+
+ env:
+ # TODO (org admin): provision vars.COVERITY_URL and vars.COVERITY_USER in rdkcentral org
+ COVERITY_URL: ${{ vars.COVERITY_URL }}
+ COVERITY_USER: ${{ vars.COVERITY_USER }}
+ COVERITY_APIKEY: ${{ secrets.COVERITY_APIKEY }}
+ COVERITY_PROJECT_NAME: ${{ github.event.repository.name }}
+ COVERITY_STREAM_NAME: ${{ github.event.repository.name }}_${{ inputs.branchName }}
+ BUILD_COMMAND: ${{ inputs.buildCommand }}
+ GITHUB_TOKENCM: ${{ secrets.GITHUB_TOKENCM }}
+ COVERITY_UNSUPPORTED_COMPILER_INVOCATION: 1
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Custom setup
+ if: ${{ inputs.customSetup }}
+ run: eval "${{ inputs.customSetup }}"
+
+ - name: Coverity Full Analysis Scan
+ run: |
+ export PATH=$PATH:/opt/coverity/bin
+ set -x
+ cd $GITHUB_WORKSPACE
+ cov-configure --gcc --config config/coverity_config.xml
+ cov-build --dir coverity_dir --config config/coverity_config.xml $BUILD_COMMAND
+ cov-analyze --dir coverity_dir --one-tu-per-psf false --disable-spotbugs --aggressiveness-level low --enable DC.STRING_BUFFER --all
+
+ max_retries=3
+ retries=0
+ retry_timeout_sec=30
+ success=false
+ while [ $retries -lt $max_retries ]; do
+ echo "Attempt $((retries + 1)) of $max_retries for cov-commit-defects"
+ if cov-commit-defects --dir coverity_dir --stream $COVERITY_STREAM_NAME \
+ --url $COVERITY_URL --user $COVERITY_USER --password $COVERITY_APIKEY; then
+ success=true
+ break
+ fi
+ retries=$((retries + 1))
+ sleep $((retries * retry_timeout_sec))
+ done
+ $success || { echo "cov-commit-defects failed after $max_retries attempts"; exit 1; }
diff --git a/.github/workflows/coverity_component_incremental_scan.yml b/.github/workflows/coverity_component_incremental_scan.yml
new file mode 100644
index 0000000..a6fc01c
--- /dev/null
+++ b/.github/workflows/coverity_component_incremental_scan.yml
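Review bot: `run: eval "${{ inputs.customSetup }}"` in the Custom setup step interpolates a workflow input into the shell script before it runs, so any quote or `$(` in the value rewrites the script rather than being evaluated as data; this is the same expression-interpolation shape that patch 02 in this series fixes for the changed-files list, and it is repeated in coverity_component_incremental_scan.yml, which additionally echoes the value the same way. Pass it through the environment instead: add `env:` with `CUSTOM_SETUP: ${{ inputs.customSetup }}` on the step and use `run: eval "$CUSTOM_SETUP"`, which is also the form the later commit adopts for CHANGED_FILES_RAW. Separately, the scan step runs under `set -x` and passes `--password $COVERITY_APIKEY` on the cov-commit-defects command line; the runner masks registered secrets in the log, but the key is still visible in the container's process list for the duration of the call, so a file-based credential such as `--auth-key-file`, if the installed Coverity release supports it, is preferable.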
@@ -0,0 +1,108 @@
+name: Coverity Incremental Analysis Scan
+
+# Reusable workflow — called by coverity_incremental_scan.yml.
+# Runs cov-run-desktop against changed files only and posts findings
+# as pull request comments via synopsys-sig/coverity-report-output-v7-json.
+on:
+ workflow_call:
+ inputs:
+ pullRequestNumber:
+ description: 'Pull Request Number'
+ required: true
+ type: string
+ buildCommand:
+ description: 'Build Command'
+ required: true
+ type: string
+ branchName:
+ description: 'Branch Name (target/base branch)'
+ required: true
+ type: string
+ customSetup:
+ description: 'Custom setup commands'
+ required: false
+ type: string
+ secrets:
+ COVERITY_APIKEY:
+ required: true
+ ARTIFACTORY_USER_APIKEY:
+ required: true
+ # GITHUB_TOKEN: used to post PR feedback comments
+ GITHUB_TOKEN:
+ required: true
+ # GITHUB_TOKENCM: cross-org token — required if customSetup clones private repos
+ GITHUB_TOKENCM:
+ required: false
+
+jobs:
+ coverity_incremental_scan:
+ runs-on: comcast-ubuntu-latest
+ container:
+ # TODO (org admin): provision vars.DOCKER_REGISTRY in rdkcentral org
+ image: ${{ vars.DOCKER_REGISTRY }}/rdk-docker/docker-rdk-coverity:1.0.7
+ credentials:
+ # TODO (org admin): provision vars.ARTIFACTORY_USER in rdkcentral org
+ username: ${{ vars.ARTIFACTORY_USER }}
+ password: ${{ secrets.ARTIFACTORY_USER_APIKEY }}
+
+ env:
+ # TODO (org admin): provision vars.COVERITY_URL and vars.COVERITY_USER in rdkcentral org
+ COVERITY_URL: ${{ vars.COVERITY_URL }}
+ COVERITY_USER: ${{ vars.COVERITY_USER }}
+ COVERITY_APIKEY: ${{ secrets.COVERITY_APIKEY }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COVERITY_PROJECT_NAME: ${{ github.event.repository.name }}
+ COVERITY_STREAM_NAME: ${{ github.event.repository.name }}_${{ inputs.branchName }}
+ BUILD_COMMAND: ${{ inputs.buildCommand }}
+ COVERITY_UNSUPPORTED_COMPILER_INVOCATION: 1
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Custom setup
+ if: ${{ inputs.customSetup }}
+ run: |
+ echo "customSetup: ${{ inputs.customSetup }}"
+ eval "${{ inputs.customSetup }}"
+
+ - name: Get Pull Request Changeset
+ id: changeset
+ uses: jitterbit/get-changed-files@v1
+ if: ${{ github.event_name == 'pull_request' }}
+
+ - name: Coverity Incremental Analysis Scan
+ if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch') && steps.changeset.outputs.added_modified != '' }}
+ run: |
+ export PATH=$PATH:/opt/coverity/bin
+ set -x
+ cd $GITHUB_WORKSPACE
+ echo "Changed files: ${{ steps.changeset.outputs.added_modified }}"
+ # Phase 1: capture build into the coverity_dir intermediate database
+ cov-run-desktop --dir coverity_dir \
+ --url $COVERITY_URL --user $COVERITY_USER --password $COVERITY_APIKEY \
+ --stream $COVERITY_STREAM_NAME \
+ --build $BUILD_COMMAND
+ # Phase 2: analyze changed files only, compare against stream baseline
+ # --exit1-if-defects true: workflow fails on new defects (maintainers can bypass
+ # via GitHub branch protection "Allow specified actors to bypass required pull requests")
+ cov-run-desktop --dir coverity_dir \
+ --url $COVERITY_URL --user $COVERITY_USER --password $COVERITY_APIKEY \
+ --stream $COVERITY_STREAM_NAME \
+ --present-in-reference false \
+ --ignore-uncapturable-inputs true \
+ --exit1-if-defects true \
+ --json-output-v7 coverity_dir/coverity-results.json \
+ --allow-suffix-match --set-new-defect-owner false \
+ ${{ steps.changeset.outputs.added_modified }}
+
+ # Post findings as PR comments — raw Coverity output, no custom formatting
+ - name: Coverity Pull Request Feedback
+ if: always()
+ uses: synopsys-sig/coverity-report-output-v7-json@v0.1.1
+ with:
+ json-file-path: coverity_dir/coverity-results.json
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ coverity-url: ${{ vars.COVERITY_URL }}
+ coverity-project-name: ${{ github.event.repository.name }}
+ coverity-username: ${{ vars.COVERITY_USER }}
+ coverity-password: ${{ secrets.COVERITY_APIKEY }}
diff --git a/.github/workflows/coverity_full_scan.yml b/.github/workflows/coverity_full_scan.yml
new file mode 100644
index 0000000..dd8b5d6
--- /dev/null
+++ b/.github/workflows/coverity_full_scan.yml
@@ -0,0 +1,21 @@
+name: Coverity Full Scan
+
+# Triggers on merges to primary branches.
+# Results committed to Coverity Connect server (maintainer-only access).
+# Nothing is posted back to any pull request.
+on:
+ push:
+ branches: [ main, develop, '+([0-9])\.+([0-9])\.x-maintenance' ]
+ paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+
+jobs:
+ call-coverity-full-scan:
+ uses: ./.github/workflows/coverity_component_full_scan.yml
+ with:
+ branchName: ${{ github.ref_name }}
+ buildCommand: sh cov_build.sh
+ customSetup: sh build_dependencies.sh
+ secrets:
+ COVERITY_APIKEY: ${{ secrets.COVERITY_APIKEY }}
+ ARTIFACTORY_USER_APIKEY: ${{ secrets.ARTIFACTORY_USER_APIKEY }}
+ GITHUB_TOKENCM: ${{ secrets.RDKCM_RDKE }}
diff --git a/.github/workflows/coverity_incremental_scan.yml b/.github/workflows/coverity_incremental_scan.yml
new file mode 100644
index 0000000..61415b3
--- /dev/null
+++ b/.github/workflows/coverity_incremental_scan.yml
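Review bot: The `paths:` filter limits the full scan to C/C++ source and header edits, so a change to `CMakeLists.txt`, `cov_build.sh` or `build_dependencies.sh` that alters what gets compiled never refreshes the Coverity stream baseline; patch 07 in this series widens the same list for native_full_build.yml but not here or in coverity_incremental_scan.yml. The same additions, `'CMakeLists.txt', 'cmake/**', 'build_dependencies.sh', 'cov_build.sh'`, belong on both caller workflows so the scan and the build-verification job trigger on the same inputs.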
@@ -0,0 +1,30 @@
+name: Coverity Incremental Scan
+
+# Triggers on pull requests targeting primary branches.
+# Scans only changed compilable source files.
+# Findings are posted as pull request comments.
+# Merges are not blocked outright — maintainers can bypass via branch protection.
+on:
+ pull_request:
+ branches: [ main, develop, '+([0-9])\.+([0-9])\.x-maintenance' ]
+ paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+ workflow_dispatch:
+ inputs:
+ pullRequestNumber:
+ description: 'Pull Request Number'
+ required: true
+ type: string
+
+jobs:
+ call-coverity-incremental-scan:
+ uses: ./.github/workflows/coverity_component_incremental_scan.yml
+ with:
+ pullRequestNumber: ${{ github.event.inputs.pullRequestNumber || github.event.pull_request.number }}
+ branchName: ${{ github.event.pull_request.base.ref || github.ref_name }}
+ buildCommand: sh cov_build.sh
+ customSetup: sh build_dependencies.sh
+ secrets:
+ COVERITY_APIKEY: ${{ secrets.COVERITY_APIKEY }}
+ ARTIFACTORY_USER_APIKEY: ${{ secrets.ARTIFACTORY_USER_APIKEY }}
+ GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
+ GITHUB_TOKENCM: ${{ secrets.RDKCM_RDKE }}
diff --git a/.github/workflows/native_full_build.yml b/.github/workflows/native_full_build.yml
new file mode 100644
index 0000000..c8b10f6
--- /dev/null
+++ b/.github/workflows/native_full_build.yml
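Review bot: `GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}` forwards the cross-org PAT as the token the called workflow uses to post PR comments (and, after patch 14, to list PR files), which is far broader than those two calls need; the built-in `${{ secrets.GITHUB_TOKEN }}` together with the `pull-requests: write` permission that patch 13 adds to this file covers both for same-repository pull requests. Keep RDKCM_RDKE for `GITHUB_TOKENCM` only, where the customSetup comment in the called workflow documents the need. Two things the page does not settle and that are worth a dry run: whether GitHub accepts a `workflow_call` secret declared under the reserved `GITHUB_` prefix at all, and whether fork-originated pull requests are in scope, since org secrets are withheld from those runs; a comment on the `pull_request:` trigger stating the supported PR origins would spare the next reader the same question.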
@@ -0,0 +1,32 @@
+name: Build Component in Native Environment
+
+on:
+ push:
+ branches: [ main, '+([0-9])\.+([0-9])\.x-maintenance' ]
+ paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+ pull_request:
+ branches: [ main, '+([0-9])\.+([0-9])\.x-maintenance' ]
+ paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ native-build:
+ name: Build firebolt-cpp-transport in native environment
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/rdkcentral/docker-rdk-ci:latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install build dependencies
+ run: sh -x build_dependencies.sh
+
+ - name: Build
+ run: sh -x cov_build.sh
+ env:
+ GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}
diff --git a/build_dependencies.sh b/build_dependencies.sh
new file mode 100755
index 0000000..57ba48f
--- /dev/null
+++ b/build_dependencies.sh
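Review bot: The `Build` step exports `GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }}`, but `cov_build.sh` as added in this series only runs cmake and reads no token, so the PAT is placed in the environment of a step that executes the CMake configuration of the pushed or merged code without a visible need. Drop the `env:` block, or if a fetch of private dependencies happens inside CMake, record that next to it (`# RDKCM_RDKE: needed by FetchContent of <dependency> — TODO confirm`) so the exposure is deliberate. For fork pull requests the secret is empty anyway, so anything that truly depends on it would fail only on that path, which is another reason to make the dependency explicit.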
@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+# build_dependencies.sh — install all build dependencies for firebolt-cpp-transport
+#
+# Installs to the system prefix (/usr/local) and is intentionally idempotent:
+# running it multiple times is safe. Mirrors the dep set and versions pinned in
+# .github/Dockerfile so that both the native CI image and the Coverity container
+# end up with an identical build environment.
+#
+# Usage: sh build_dependencies.sh
+# (run as root, or with sudo, from any directory)
+set -x
+set -e
+
+DEPS_GOOGLETEST_V="1.15.2"
+DEPS_NLOHMANN_JSON_V="3.11.3"
+DEPS_JSON_SCHEMA_VALIDATOR_V="2.3.0"
+DEPS_WEBSOCKETPP_V="0.8.2"
+
+# ---------------------------------------------------------------------------
+# 1. System packages
+# ---------------------------------------------------------------------------
+apt-get update
+apt-get install -y --no-install-recommends --fix-missing \
+ build-essential ca-certificates \
+ cmake pkg-config clang-format \
+ libboost-all-dev \
+ curl wget git \
+ python3-pip
+
+pip install gcovr || pip3 install gcovr
+
+# ---------------------------------------------------------------------------
+# 2. googletest
+# ---------------------------------------------------------------------------
+WORK_DIR="$(mktemp -d)"
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+dir="googletest-${DEPS_GOOGLETEST_V}"
+curl -sL "https://github.com/google/googletest/releases/download/v${DEPS_GOOGLETEST_V}/${dir}.tar.gz" \
+ | tar xzf - -C "$WORK_DIR"
+cmake -B "$WORK_DIR/build/${dir}" \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_SHARED_LIBS=ON \
+ "$WORK_DIR/${dir}"
+cmake --build "$WORK_DIR/build/${dir}" --target install
+
+# ---------------------------------------------------------------------------
+# 3. nlohmann/json
+# ---------------------------------------------------------------------------
+dir="nlohmann-json-${DEPS_NLOHMANN_JSON_V}"
+git clone --depth 1 --branch "v${DEPS_NLOHMANN_JSON_V}" \
+ "https://github.com/nlohmann/json" "$WORK_DIR/${dir}"
+cmake -B "$WORK_DIR/build/${dir}" \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_SHARED_LIBS=ON \
+ -DJSON_BuildTests=OFF \
+ "$WORK_DIR/${dir}"
+cmake --build "$WORK_DIR/build/${dir}" --target install
+
+# ---------------------------------------------------------------------------
+# 4. json-schema-validator
+# ---------------------------------------------------------------------------
+dir="json-schema-validator-${DEPS_JSON_SCHEMA_VALIDATOR_V}"
+curl -sL "https://github.com/pboettch/json-schema-validator/archive/refs/tags/${DEPS_JSON_SCHEMA_VALIDATOR_V}.tar.gz" \
+ | tar xzf - -C "$WORK_DIR"
+cmake -B "$WORK_DIR/build/${dir}" \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_SHARED_LIBS=ON \
+ -DJSON_VALIDATOR_BUILD_TESTS=OFF \
+ -DJSON_VALIDATOR_BUILD_EXAMPLES=OFF \
+ "$WORK_DIR/${dir}"
+cmake --build "$WORK_DIR/build/${dir}" --target install
+
+# ---------------------------------------------------------------------------
+# 5. websocketpp (header-only, cmake install registers package config)
+# ---------------------------------------------------------------------------
+dir="websocketpp-${DEPS_WEBSOCKETPP_V}"
+curl -sL "https://github.com/zaphoyd/websocketpp/archive/refs/tags/${DEPS_WEBSOCKETPP_V}.tar.gz" \
+ | tar xzf - -C "$WORK_DIR"
+cmake -B "$WORK_DIR/build/${dir}" \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_SHARED_LIBS=ON \
+ -DBUILD_TESTS=OFF \
+ -DBUILD_EXAMPLES=OFF \
+ "$WORK_DIR/${dir}"
+cmake --build "$WORK_DIR/build/${dir}" --target install
diff --git a/cov_build.sh b/cov_build.sh
new file mode 100755
index 0000000..2990e05
--- /dev/null
+++ b/cov_build.sh
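Review bot: The `curl -sL ... | tar xzf -` pipelines rely on `set -e`, which only observes tar's exit status, and `-s` without `-f` turns an HTTP error page into tar input, so a failed or truncated download surfaces as an unpacking error at best; `curl -fsSL` plus `set -o pipefail` attributes the failure correctly (check that the `sh` the workflows use to run this script accepts `pipefail`, since `sh build_dependencies.sh` bypasses the bash shebang). None of the three tarballs, the git clone, or `pip install gcovr` is verified against a pinned digest or version, so the environment the header promises to mirror from .github/Dockerfile is only as reproducible as the upstream tags; recording a sha256 per tarball beside the `DEPS_*_V` pins and checking it with `sha256sum -c` before extraction, and pinning `gcovr==<version>`, closes that gap. The sketch below shows the googletest step; the other downloads follow the same pattern.

```shell
set -x
set -e
set -o pipefail

DEPS_GOOGLETEST_V="1.15.2"
DEPS_GOOGLETEST_SHA256="<sha256 of googletest-1.15.2.tar.gz — fill in from the release page>"
# … unchanged: other DEPS_*_V pins, system packages, WORK_DIR / trap …

dir="googletest-${DEPS_GOOGLETEST_V}"
curl -fsSL -o "$WORK_DIR/${dir}.tar.gz" \
  "https://github.com/google/googletest/releases/download/v${DEPS_GOOGLETEST_V}/${dir}.tar.gz"
echo "${DEPS_GOOGLETEST_SHA256}  $WORK_DIR/${dir}.tar.gz" | sha256sum -c -
tar xzf "$WORK_DIR/${dir}.tar.gz" -C "$WORK_DIR"
# … unchanged: cmake configure / build / install …
```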
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# cov_build.sh — configure and build firebolt-cpp-transport
+#
+# Run from the repo root after build_dependencies.sh has prepared the
+# environment. Produces a Debug build with tests enabled so that
+# Coverity can intercept the full compilation including test code.
+#
+# Usage: sh cov_build.sh
+set -x
+set -e
+
+GITHUB_WORKSPACE="${GITHUB_WORKSPACE:-${PWD}}"
+cd "${GITHUB_WORKSPACE}"
+
+cmake -B build -S . \
+ -DCMAKE_BUILD_TYPE=Debug \
+ -DENABLE_TESTS=ON
+
+cmake --build build --parallel
diff --git a/coverity_local.sh b/coverity_local.sh
new file mode 100755
index 0000000..fdd4f56
--- /dev/null
+++ b/coverity_local.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# coverity_local.sh — run a Coverity static analysis scan on your local machine
+#
+# Runs cov-build + cov-analyze inside the same Docker image used by CI.
+# Results are written to ./coverity_dir/ and an HTML report to ./coverity_html/.
+# No Coverity Connect server connection is made — raw tool output only.
+#
+# Prerequisites:
+# docker login -u -p
+# docker pull /rdk-docker/docker-rdk-coverity:1.0.7
+#
+# Usage:
+# sh coverity_local.sh
+# sh coverity_local.sh --image # override image
+set -e
+
+IMAGE="${COVERITY_IMAGE:-}"
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ --image) IMAGE="$2"; shift 2;;
+ *) echo "Unknown option: $1" >&2; exit 1;;
+ esac
+done
+
+if [[ -z "$IMAGE" ]]; then
+ if [[ -z "${DOCKER_REGISTRY:-}" ]]; then
+ echo "ERROR: set DOCKER_REGISTRY or pass --image " >&2
+ exit 1
+ fi
+ IMAGE="${DOCKER_REGISTRY}/rdk-docker/docker-rdk-coverity:1.0.7"
+fi
+
+docker run --rm \
+ --user "$(id -u):$(id -g)" \
+ -v "$(pwd):/workspace" \
+ -w /workspace \
+ "$IMAGE" \
+ bash -c '
+ set -ex
+ export PATH=$PATH:/opt/coverity/bin
+
+ # Install build dependencies
+ sh build_dependencies.sh
+
+ # Capture build
+ cov-configure --gcc --config config/coverity_config.xml
+ cov-build --dir coverity_dir --config config/coverity_config.xml sh cov_build.sh
+
+ # Analyze — same checker set as CI full scan
+ cov-analyze --dir coverity_dir \
+ --one-tu-per-psf false \
+ --disable-spotbugs \
+ --aggressiveness-level low \
+ --enable DC.STRING_BUFFER \
+ --all
+
+ # Emit raw text summary to stdout
+ cov-format-errors --dir coverity_dir --emacs-style
+
+ # Emit HTML report for browsing
+ mkdir -p coverity_html
+ cov-format-errors --dir coverity_dir --html-output coverity_html
+
+ echo ""
+ echo "HTML report: coverity_html/index.html"
+ echo "Raw database: coverity_dir/"
+ '
From 83f5ef3cfd077c63adc79a8c2912f2761807f423 Mon Sep 17 00:00:00 2001
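Review bot: The container is started with `--user "$(id -u):$(id -g)"` and then runs `sh build_dependencies.sh`, whose first actions are `apt-get update`, `apt-get install` and a system-wide `pip install`; those need root, so unless the image already carries every dependency the scan stops before `cov-build` starts. One workable shape is to run the container as root, pass the host uid/gid in, and hand the outputs back at the end, as sketched below; alternatively split the root-only install from a capture/analyze phase run as the invoking user. The usage comment says `sh coverity_local.sh`, but the script uses bash-only `[[ ... ]]` tests, so under a POSIX `sh` (dash on Debian/Ubuntu) the option loop fails with `[[: not found`; either document `bash coverity_local.sh` / `./coverity_local.sh` or switch to `[ ]`.

```shell
docker run --rm \
  -v "$(pwd):/workspace" \
  -w /workspace \
  -e "HOST_UID=$(id -u)" -e "HOST_GID=$(id -g)" \
  "$IMAGE" \
  bash -c '
    set -ex
    export PATH=$PATH:/opt/coverity/bin

    # Install build dependencies (needs root: apt-get / pip)
    sh build_dependencies.sh
    # … unchanged: cov-configure, cov-build, cov-analyze, cov-format-errors …

    # Hand the outputs back to the invoking user
    chown -R "$HOST_UID:$HOST_GID" coverity_dir coverity_html build
  '
```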
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:30:07 -0700 Subject: [PATCH 02/19] Potential fix for pull request finding 'CodeQL / Code injection' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/coverity_component_incremental_scan.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/coverity_component_incremental_scan.yml b/.github/workflows/coverity_component_incremental_scan.yml
index a6fc01c..aec6b83 100644
--- a/.github/workflows/coverity_component_incremental_scan.yml
+++ b/.github/workflows/coverity_component_incremental_scan.yml
@@ -72,11 +72,14 @@ jobs:
 - name: Coverity Incremental Analysis Scan
 if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch') && steps.changeset.outputs.added_modified != '' }}
+ env:
+ CHANGED_FILES_RAW: ${{ steps.changeset.outputs.added_modified }}
 run: |
 export PATH=$PATH:/opt/coverity/bin
 set -x
 cd $GITHUB_WORKSPACE
- echo "Changed files: ${{ steps.changeset.outputs.added_modified }}"
+ echo "Changed files: $CHANGED_FILES_RAW"
+ mapfile -t changed_files <<< "$CHANGED_FILES_RAW"
 # Phase 1: capture build into the coverity_dir intermediate database
 cov-run-desktop --dir coverity_dir \
 --url $COVERITY_URL --user $COVERITY_USER --password $COVERITY_APIKEY \
@@ -93,7 +96,7 @@ jobs:
 --exit1-if-defects true \
 --json-output-v7 coverity_dir/coverity-results.json \
 --allow-suffix-match --set-new-defect-owner false \
- ${{ steps.changeset.outputs.added_modified }}
+ "${changed_files[@]}"
 # Post findings as PR comments — raw Coverity output, no custom formatting
 - name: Coverity Pull Request Feedback
From 6f400287624df9bd88be87dab919187e8b065453 Mon Sep 17 00:00:00 2001
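Review bot: `mapfile -t changed_files <<< "$CHANGED_FILES_RAW"` splits on newlines, but as far as I recall jitterbit/get-changed-files emits `added_modified` as a single space-delimited line by default, so the array ends up with one element holding every path and the second cov-run-desktop call is handed one non-existent file name; patch 14 in this series replaces the producer with a newline-joined list, which is what makes this line work. Moving the data into `env:` is the right fix for the expression-injection finding; if this commit is ever picked on its own, `read -r -a changed_files <<< "$CHANGED_FILES_RAW"` or the action's newline output format would match the split to the producer. The `run:` script continues outside both hunks.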
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:30:38 -0700 Subject: [PATCH 03/19] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/coverity_component_full_scan.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/coverity_component_full_scan.yml b/.github/workflows/coverity_component_full_scan.yml
index 1786b2c..6a07253 100644
--- a/.github/workflows/coverity_component_full_scan.yml
+++ b/.github/workflows/coverity_component_full_scan.yml
@@ -28,6 +28,9 @@ on:
 GITHUB_TOKENCM:
 required: false
+permissions:
+ contents: read
+
 jobs:
 coverity_full_scan:
 runs-on: comcast-ubuntu-latest
From cfa71cad0bd2a915aae67a355f9760ad5d971826 Mon Sep 17 00:00:00 2001
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:32:56 -0700 Subject: [PATCH 04/19] Update coverity_local.sh Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- coverity_local.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/coverity_local.sh b/coverity_local.sh
index fdd4f56..7493f25 100755
--- a/coverity_local.sh
+++ b/coverity_local.sh
@@ -43,8 +43,8 @@ docker run --rm \
 sh build_dependencies.sh
 # Capture build
- cov-configure --gcc --config config/coverity_config.xml
- cov-build --dir coverity_dir --config config/coverity_config.xml sh cov_build.sh
+ cov-configure --gcc
+ cov-build --dir coverity_dir sh cov_build.sh
 # Analyze — same checker set as CI full scan
 cov-analyze --dir coverity_dir \
From d0afb589669871219efb3815cb6102087950a9d0 Mon Sep 17 00:00:00 2001
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:33:10 -0700 Subject: [PATCH 05/19] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/coverity_component_incremental_scan.yml | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/coverity_component_incremental_scan.yml b/.github/workflows/coverity_component_incremental_scan.yml
index aec6b83..13897eb 100644
--- a/.github/workflows/coverity_component_incremental_scan.yml
+++ b/.github/workflows/coverity_component_incremental_scan.yml
@@ -34,6 +34,10 @@ on:
 GITHUB_TOKENCM:
 required: false
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 coverity_incremental_scan:
 runs-on: comcast-ubuntu-latest
From 1c6ad109c7f0bfd14eff6e6dfe486c0ba97a2a90 Mon Sep 17 00:00:00 2001
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:33:29 -0700 Subject: [PATCH 06/19] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/coverity_full_scan.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/coverity_full_scan.yml b/.github/workflows/coverity_full_scan.yml
index dd8b5d6..8bab735 100644
--- a/.github/workflows/coverity_full_scan.yml
+++ b/.github/workflows/coverity_full_scan.yml
@@ -8,6 +8,9 @@ on:
 branches: [ main, develop, '+([0-9])\.+([0-9])\.x-maintenance' ]
 paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+permissions:
+ contents: read
+
 jobs:
 call-coverity-full-scan:
 uses: ./.github/workflows/coverity_component_full_scan.yml
From 4f9c3459d986f8562c01a01d76fdedfa1142e3e7 Mon Sep 17 00:00:00 2001
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:34:07 -0700 Subject: [PATCH 07/19] Update .github/workflows/native_full_build.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/native_full_build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/native_full_build.yml b/.github/workflows/native_full_build.yml
index c8b10f6..39fe83a 100644
--- a/.github/workflows/native_full_build.yml
+++ b/.github/workflows/native_full_build.yml
@@ -3,10 +3,10 @@ name: Build Component in Native Environment
 on:
 push:
 branches: [ main, '+([0-9])\.+([0-9])\.x-maintenance' ]
- paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+ paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp', 'CMakeLists.txt', 'cmake/**', 'build_dependencies.sh', 'cov_build.sh']
 pull_request:
 branches: [ main, '+([0-9])\.+([0-9])\.x-maintenance' ]
- paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp']
+ paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp', 'CMakeLists.txt', 'cmake/**', 'build_dependencies.sh', 'cov_build.sh']
 defaults:
 run:
From 750934cab1d0636b54f0fd479201c700322e8685 Mon Sep 17 00:00:00 2001
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:34:30 -0700 Subject: [PATCH 08/19] Update .github/workflows/coverity_component_full_scan.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/coverity_component_full_scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/coverity_component_full_scan.yml b/.github/workflows/coverity_component_full_scan.yml
index 6a07253..d86daea 100644
--- a/.github/workflows/coverity_component_full_scan.yml
+++ b/.github/workflows/coverity_component_full_scan.yml
@@ -65,8 +65,8 @@ jobs:
 export PATH=$PATH:/opt/coverity/bin
 set -x
 cd $GITHUB_WORKSPACE
- cov-configure --gcc --config config/coverity_config.xml
- cov-build --dir coverity_dir --config config/coverity_config.xml $BUILD_COMMAND
+ cov-configure --gcc
+ cov-build --dir coverity_dir $BUILD_COMMAND
 cov-analyze --dir coverity_dir --one-tu-per-psf false --disable-spotbugs --aggressiveness-level low --enable DC.STRING_BUFFER --all
 max_retries=3
From 89a339f747f88d69a857f3ab9388837eaaa5d3a1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Apr 2026 23:38:29 +0000 Subject: [PATCH 09/19] Fix incremental workflow PR feedback step gating Agent-Logs-Url: https://github.com/rdkcentral/firebolt-cpp-transport/sessions/2697802e-5137-4307-bcb3-7283898eb5ee Co-authored-by: brendanobra <740575+brendanobra@users.noreply.github.com> --- .github/workflows/coverity_component_incremental_scan.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/coverity_component_incremental_scan.yml b/.github/workflows/coverity_component_incremental_scan.yml
index 13897eb..741b532 100644
--- a/.github/workflows/coverity_component_incremental_scan.yml
+++ b/.github/workflows/coverity_component_incremental_scan.yml
@@ -75,6 +75,7 @@ jobs:
 if: ${{ github.event_name == 'pull_request' }}
 - name: Coverity Incremental Analysis Scan
+ id: incremental_scan
 if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch') && steps.changeset.outputs.added_modified != '' }}
 env:
 CHANGED_FILES_RAW: ${{ steps.changeset.outputs.added_modified }}
@@ -104,7 +105,7 @@ jobs:
 # Post findings as PR comments — raw Coverity output, no custom formatting
 - name: Coverity Pull Request Feedback
- if: always()
+ if: ${{ always() && hashFiles('coverity_dir/coverity-results.json') != '' }}
 uses: synopsys-sig/coverity-report-output-v7-json@v0.1.1
 with:
 json-file-path: coverity_dir/coverity-results.json
From 66f6d4fef379b11a518be4565bfc9f7b050dae51 Mon Sep 17 00:00:00 2001
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:41:58 -0700 Subject: [PATCH 10/19] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/native_full_build.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/native_full_build.yml b/.github/workflows/native_full_build.yml
index 39fe83a..9f4314d 100644
--- a/.github/workflows/native_full_build.yml
+++ b/.github/workflows/native_full_build.yml
@@ -8,6 +8,9 @@ on:
 branches: [ main, '+([0-9])\.+([0-9])\.x-maintenance' ]
 paths: ['**/*.c', '**/*.cpp', '**/*.cc', '**/*.cxx', '**/*.h', '**/*.hpp', 'CMakeLists.txt', 'cmake/**', 'build_dependencies.sh', 'cov_build.sh']
+permissions:
+ contents: read
+
 defaults:
 run:
 shell: bash
From dfe89d18a4f44b32c9b2c9d2c5e2ad9dcc2cf302 Mon Sep 17 00:00:00 2001
From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:42:17 -0700 Subject: [PATCH 11/19] Potential fix for pull request finding 'CodeQL / Workflow does not contain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/coverity_incremental_scan.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/coverity_incremental_scan.yml b/.github/workflows/coverity_incremental_scan.yml
index 61415b3..cdeccd0 100644
--- a/.github/workflows/coverity_incremental_scan.yml
+++ b/.github/workflows/coverity_incremental_scan.yml
@@ -1,5 +1,8 @@
 name: Coverity Incremental Scan
+permissions:
+ contents: read
+
 # Triggers on pull requests targeting primary branches.
 # Scans only changed compilable source files.
 # Findings are posted as pull request comments.
From 4f841811d1e175744087d167370f7cd731b60e62 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Apr 2026 23:44:06 +0000 Subject: [PATCH 12/19] Ensure Coverity full scan has config directory Agent-Logs-Url: https://github.com/rdkcentral/firebolt-cpp-transport/sessions/66d64f41-82f3-4ab9-b6fd-a0fc7ae36096 Co-authored-by: brendanobra <740575+brendanobra@users.noreply.github.com> --- .github/workflows/coverity_component_full_scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/coverity_component_full_scan.yml b/.github/workflows/coverity_component_full_scan.yml index d86daea..05fbd96 100644 --- a/.github/workflows/coverity_component_full_scan.yml +++ b/.github/workflows/coverity_component_full_scan.yml @@ -65,6 +65,7 @@ jobs: export PATH=$PATH:/opt/coverity/bin set -x cd $GITHUB_WORKSPACE + mkdir -p config cov-configure --gcc cov-build --dir coverity_dir $BUILD_COMMAND cov-analyze --dir coverity_dir --one-tu-per-psf false --disable-spotbugs --aggressiveness-level low --enable DC.STRING_BUFFER --all From 5f82519a5c2894d61c3f18e5ce912ce346aa1afd Mon Sep 17 00:00:00 2001 From: Brendan O'Bra Date: Wed, 22 Apr 2026 16:51:17 -0700 Subject: [PATCH 13/19] Update .github/workflows/coverity_incremental_scan.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/coverity_incremental_scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/coverity_incremental_scan.yml b/.github/workflows/coverity_incremental_scan.yml index cdeccd0..ce24c0b 100644 --- a/.github/workflows/coverity_incremental_scan.yml +++ b/.github/workflows/coverity_incremental_scan.yml @@ -2,6 +2,7 @@ name: Coverity Incremental Scan permissions: contents: read + pull-requests: write # Triggers on pull requests targeting primary branches. # Scans only changed compilable source files. From d8e278dcc5741dc1df70aceedb324d23692e6ec5 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Apr 2026 23:55:50 +0000 Subject: [PATCH 14/19] Fix dispatch changeset logic and quote Coverity build command Agent-Logs-Url: https://github.com/rdkcentral/firebolt-cpp-transport/sessions/91b278f7-4671-4949-9fdf-4738e9e74cc2 Co-authored-by: brendanobra <740575+brendanobra@users.noreply.github.com> --- .../coverity_component_incremental_scan.yml | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/.github/workflows/coverity_component_incremental_scan.yml b/.github/workflows/coverity_component_incremental_scan.yml index 741b532..0268949 100644 --- a/.github/workflows/coverity_component_incremental_scan.yml +++ b/.github/workflows/coverity_component_incremental_scan.yml @@ -62,6 +62,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + ref: ${{ format('refs/pull/{0}/merge', inputs.pullRequestNumber) }} - name: Custom setup if: ${{ inputs.customSetup }} 
@@ -71,12 +73,30 @@ jobs: - name: Get Pull Request Changeset id: changeset - uses: jitterbit/get-changed-files@v1 - if: ${{ github.event_name == 'pull_request' }} + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const pull_number = Number('${{ inputs.pullRequestNumber }}'); + if (!Number.isInteger(pull_number) || pull_number <= 0) { + core.setFailed('Invalid pullRequestNumber input.'); + return; + } + const files = await github.paginate(github.rest.pulls.listFiles, { + owner: context.repo.owner, + repo: context.repo.repo, + pull_number, + per_page: 100 + }); + const addedModified = files + .filter((file) => file.status === 'added' || file.status === 'modified') + .map((file) => file.filename) + .join('\n'); + core.setOutput('added_modified', addedModified); - name: Coverity Incremental Analysis Scan id: incremental_scan - if: ${{ (github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch') && steps.changeset.outputs.added_modified != '' }} + if: ${{ steps.changeset.outputs.added_modified != '' }} env: CHANGED_FILES_RAW: ${{ steps.changeset.outputs.added_modified }} run: |
@@ -89,7 +109,7 @@ jobs: cov-run-desktop --dir coverity_dir \ --url $COVERITY_URL --user $COVERITY_USER --password $COVERITY_APIKEY \ --stream $COVERITY_STREAM_NAME \ - --build $BUILD_COMMAND + --build "$BUILD_COMMAND" # Phase 2: analyze changed files only, compare against stream baseline # --exit1-if-defects true: workflow fails on new defects (maintainers can bypass # via GitHub branch protection "Allow specified actors to bypass required pull requests")
From 696bd314d60677ab359bf7b0465f18d39adfac0a Mon Sep 17 00:00:00 2001
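Review bot: `core.setOutput('added_modified', ...)` now joins the filenames with `\n`, whereas the replaced `jitterbit/get-changed-files` output was space-delimited, and the `run:` body that splits `CHANGED_FILES_RAW` lies outside this hunk; confirm it reads the value line-wise (`while IFS= read -r f; do …; done <<< "$CHANGED_FILES_RAW"`) and quotes each name, since PR filenames are chosen by the PR author and may contain spaces or glob characters. The list also still holds every changed path, not only compilable sources as the caller's header comment promises, so either filter by extension here or make sure the consumer does. In the `--build "$BUILD_COMMAND"` hunk below, passing the command as a single argument is right, but where `BUILD_COMMAND` originates is not visible; if it is a workflow input it should name a fixed script such as `./cov_build.sh` rather than accept free text.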
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 22 Apr 2026 23:56:45 +0000
Subject: [PATCH 15/19] Harden incremental changeset input parsing
Agent-Logs-Url: https://github.com/rdkcentral/firebolt-cpp-transport/sessions/91b278f7-4671-4949-9fdf-4738e9e74cc2
Co-authored-by: brendanobra <740575+brendanobra@users.noreply.github.com>
---
 .github/workflows/coverity_component_incremental_scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/coverity_component_incremental_scan.yml b/.github/workflows/coverity_component_incremental_scan.yml
index 0268949..2026d44 100644
--- a/.github/workflows/coverity_component_incremental_scan.yml
+++ b/.github/workflows/coverity_component_incremental_scan.yml
@@ -77,7 +77,7 @@ jobs: with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | - const pull_number = Number('${{ inputs.pullRequestNumber }}'); + const pull_number = Number(${{ toJSON(inputs.pullRequestNumber) }}); if (!Number.isInteger(pull_number) || pull_number <= 0) { core.setFailed('Invalid pullRequestNumber input.'); return;
@@ -89,7 +89,7 @@ jobs: per_page: 100 }); const addedModified = files - .filter((file) => file.status === 'added' || file.status === 'modified') + .filter((file) => file.status === 'added' || file.status === 'modified' || file.status === 'renamed') .map((file) => file.filename) .join('\n'); core.setOutput('added_modified', addedModified);
From fb6082bb8e5d1c46115b916c595e79fccc9c5cca Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 22 Apr 2026 23:57:34 +0000
Subject: [PATCH 16/19] Simplify incremental file-status filter
Agent-Logs-Url: https://github.com/rdkcentral/firebolt-cpp-transport/sessions/91b278f7-4671-4949-9fdf-4738e9e74cc2
Co-authored-by: brendanobra <740575+brendanobra@users.noreply.github.com>
---
 .github/workflows/coverity_component_incremental_scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/coverity_component_incremental_scan.yml b/.github/workflows/coverity_component_incremental_scan.yml
index 2026d44..ed68749 100644
--- a/.github/workflows/coverity_component_incremental_scan.yml
+++ b/.github/workflows/coverity_component_incremental_scan.yml
@@ -89,7 +89,7 @@ jobs: per_page: 100 }); const addedModified = files - .filter((file) => file.status === 'added' || file.status === 'modified' || file.status === 'renamed') + .filter((file) => ['added', 'modified', 'renamed'].includes(file.status)) .map((file) => file.filename) .join('\n'); core.setOutput('added_modified', addedModified);
From f637faaafe9576a6f18361df8c1f1c8bfec5b51d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 13:34:32 +0000
Subject: [PATCH 17/19] Fix coverity_local usage examples for bash script
Agent-Logs-Url: https://github.com/rdkcentral/firebolt-cpp-transport/sessions/2aa35c5a-9a49-4ab4-9ee0-1583470ba8d8
Co-authored-by: brendanobra <740575+brendanobra@users.noreply.github.com>
---
 coverity_local.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/coverity_local.sh b/coverity_local.sh
index 7493f25..0715f41 100755
--- a/coverity_local.sh
+++ b/coverity_local.sh
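Review bot: The status list `['added', 'modified', 'renamed']` leaves out `copied`, which the Pulls list-files API also returns when git detects a file as a copy; such a file is new content in the PR and should be scanned the same way an added one is. Change the line to `.filter((file) => ['added', 'modified', 'renamed', 'copied'].includes(file.status))`. The rest of the changeset script is outside this hunk.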
@@ -10,8 +10,8 @@ # docker pull /rdk-docker/docker-rdk-coverity:1.0.7 # # Usage: -# sh coverity_local.sh -# sh coverity_local.sh --image # override image +# bash coverity_local.sh +# ./coverity_local.sh --image # override image set -e IMAGE="${COVERITY_IMAGE:-}"
From 5f5170668bfb9563c5e64a9bcf3eae64196104c2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 13:43:54 +0000
Subject: [PATCH 18/19] Address remaining feedback from review thread 4158491490
Agent-Logs-Url: https://github.com/rdkcentral/firebolt-cpp-transport/sessions/321e0d03-3bd5-4f4a-bf02-6571fb05b9d0
Co-authored-by: brendanobra <740575+brendanobra@users.noreply.github.com>
---
 build_dependencies.sh | 2 +-
 cov_build.sh | 4 ++--
 coverity_local.sh | 6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/build_dependencies.sh b/build_dependencies.sh
index 57ba48f..32a5298 100755
--- a/build_dependencies.sh
+++ b/build_dependencies.sh
@@ -27,7 +27,7 @@ apt-get install -y --no-install-recommends --fix-missing \ curl wget git \ python3-pip -pip install gcovr || pip3 install gcovr +python3 -m pip install --break-system-packages gcovr # --------------------------------------------------------------------------- # 2. googletest
diff --git a/cov_build.sh b/cov_build.sh
index 2990e05..7b18782 100755
--- a/cov_build.sh
+++ b/cov_build.sh
@@ -12,8 +12,8 @@ set -e GITHUB_WORKSPACE="${GITHUB_WORKSPACE:-${PWD}}" cd "${GITHUB_WORKSPACE}" -cmake -B build -S . \ +cmake -B build-dev -S . \ -DCMAKE_BUILD_TYPE=Debug \ -DENABLE_TESTS=ON -cmake --build build --parallel +cmake --build build-dev --parallel
diff --git a/coverity_local.sh b/coverity_local.sh
index 0715f41..3c727cb 100755
--- a/coverity_local.sh
+++ b/coverity_local.sh
@@ -31,7 +31,8 @@ if [[ -z "$IMAGE" ]]; then fi docker run --rm \ - --user "$(id -u):$(id -g)" \ + -e HOST_UID="$(id -u)" \ + -e HOST_GID="$(id -g)" \ -v "$(pwd):/workspace" \ -w /workspace \ "$IMAGE" \
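Review bot: Dropping `--user "$(id -u):$(id -g)"` makes the container run as the image's default user (presumably root) on the bind-mounted workspace, and the `chown` added in the next hunk only covers `coverity_dir` and `coverity_html`; anything else the build writes under `/workspace` — the `build-dev/` tree from `cov_build.sh`, if that is what the container runs, plus any other generated files — stays root-owned on the host. That `chown` also only runs when every earlier command in the container script succeeds, so a failed `cov-build` or `cov-analyze` leaves a root-owned `coverity_dir` behind, and `|| true` hides the failure when it does run. If `--user` was removed only because the tools needed a writable home, keeping `--user` and adding `-e HOME=/tmp` is the smaller change; otherwise register the ownership fix early in the container script with `trap 'chown -R "${HOST_UID}:${HOST_GID}" /workspace' EXIT` so it covers the whole workspace on every exit path. The container script between the two hunks is not visible.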
@@ -61,6 +62,9 @@ docker run --rm \ mkdir -p coverity_html cov-format-errors --dir coverity_dir --html-output coverity_html + # Keep generated outputs writable by the invoking host user + chown -R "${HOST_UID}:${HOST_GID}" coverity_dir coverity_html || true + echo "" echo "HTML report: coverity_html/index.html" echo "Raw database: coverity_dir/"
From c05cf8b99cfccd70213189731908f8ebee0f339c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 14:12:38 +0000
Subject: [PATCH 19/19] Fix gcovr install compatibility across pip versions
Agent-Logs-Url: https://github.com/rdkcentral/firebolt-cpp-transport/sessions/4d0f0359-fc8c-4d67-a557-a40e7aba4f8d
Co-authored-by: brendanobra <740575+brendanobra@users.noreply.github.com>
---
 build_dependencies.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/build_dependencies.sh b/build_dependencies.sh
index 32a5298..d050731 100755
--- a/build_dependencies.sh
+++ b/build_dependencies.sh
@@ -27,7 +27,11 @@ apt-get install -y --no-install-recommends --fix-missing \ curl wget git \ python3-pip -python3 -m pip install --break-system-packages gcovr +if python3 -m pip help install | grep -q -- '--break-system-packages'; then + python3 -m pip install --break-system-packages gcovr +else + python3 -m pip install gcovr +fi # --------------------------------------------------------------------------- # 2. googletest
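Review bot: Both branches of the new `if` install an unpinned `gcovr`, so this dependency script — which the series description says mirrors the CI Dockerfile — pulls whatever PyPI serves on the day, and a new or tampered release lands in the Coverity build environment without anyone noticing. Pin the version (and, better, install from a requirements file with `--require-hashes`) so CI and local scans install the same artifact; hoisting the flag out of the `if` also removes the duplicated install line, as below. The `apt-get` packages just above the hunk are unpinned too, though those are at least bounded by the distribution archive.
```shell
PIP_EXTRA=""
if python3 -m pip help install | grep -q -- '--break-system-packages'; then
  PIP_EXTRA="--break-system-packages"
fi
# Pinned so CI and local Coverity builds install the same gcovr release.
# $PIP_EXTRA is deliberately unquoted so an empty value adds no argument.
python3 -m pip install $PIP_EXTRA "gcovr==<PINNED_GCOVR_VERSION>"
```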