apparmor/.gitlab-ci.yml

---
image: ubuntu:latest

# XXX - add a deploy stage to publish man pages, docs, and coverage
# reports

stages:
  - build
  - test

.ubuntu-before_script:
  before_script:
    - export DEBIAN_FRONTEND=noninteractive
    - apt-get update -qq
    - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
    - lsb_release -a
    - uname -a

.install-c-build-deps: &install-c-build-deps
  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev

build-all:
  stage: build
  extends:
    - .ubuntu-before_script
  artifacts:
    name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
    expire_in: 30 days
    untracked: true
    paths:
      - libraries/libapparmor/
      - parser/
      - binutils/
      - utils/
      - changehat/mod_apparmor/
      - changehat/pam_apparmor/
      - profiles/
  script:
    - *install-c-build-deps
    - cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
    - make -C parser
    - make -C binutils
    - make -C utils
    - make -C changehat/mod_apparmor
    - make -C changehat/pam_apparmor
    - make -C profiles

test-libapparmor:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - *install-c-build-deps
    - make -C libraries/libapparmor check

test-parser:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - *install-c-build-deps
    - make -C parser check

test-binutils:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - make -C binutils check

test-utils:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
    # See apparmor/apparmor#221
    - make -C parser/tst gen_dbus
    - make -C parser/tst gen_xtrans
    - make -C utils check
    - make -C utils/test coverage-regression
  artifacts:
    paths:
      - utils/test/htmlcov/
    when: always

test-mod-apparmor:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - make -C changehat/mod_apparmor check

test-profiles:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - make -C profiles check-parser
    - make -C profiles check-abstractions.d
    - make -C profiles check-extras

shellcheck:
  stage: test
  needs: []
  extends:
    - .ubuntu-before_script
  script:
  - apt-get install --no-install-recommends -y file shellcheck xmlstarlet
  - shellcheck --version
  - './tests/bin/shellcheck-tree --format=checkstyle
       | xmlstarlet tr tests/checkstyle2junit.xslt
       > shellcheck.xml'
  artifacts:
    when: always
    reports:
      junit: shellcheck.xml

# Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
#   - make -C profiles check-profiles

# test-pam_apparmor:
#  - stage: test
#  - script:
#    - cd changehat/pam_apparmor && make check

include:
  - template: SAST.gitlab-ci.yml
  - template: Secret-Detection.gitlab-ci.yml

variables:
  SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
  SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"

.send-to-coverity: &send-to-coverity
  - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
    --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
    --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
    --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"

coverity:
  stage: .post
  extends:
    - .ubuntu-before_script
  only:
    refs:
      - master
  script:
      - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
      - *install-c-build-deps
      - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
        --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
      - tar xfz /tmp/cov-analysis-linux64.tgz
      - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
      - PATH=$PATH:$(pwd)/$COV_VERSION/bin
      - make coverity
      - *send-to-coverity
  artifacts:
    paths:
      - "apparmor-*.tar.gz"
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00			`---`
			`image: ubuntu:latest`

			`# XXX - add a deploy stage to publish man pages, docs, and coverage`
			`# reports`

			`stages:`
			`- build`
			`- test`

CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`.ubuntu-before_script:`
			`before_script:`
			`- export DEBIAN_FRONTEND=noninteractive`
			`- apt-get update -qq`
			`- apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make`
			`- lsb_release -a`
			`- uname -a`

CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00			`.install-c-build-deps: &install-c-build-deps`
makefiles: test for support of flto-partition flag Test for compiler support of "-flto-partition=none" flag before passing it. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/310 2024-02-24 15:08:36 +00:00			`- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00			`build-all:`
			`stage: build`
CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`extends:`
			`- .ubuntu-before_script`
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00			`artifacts:`
			`name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}`
			`expire_in: 30 days`
			`untracked: true`
			`paths:`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`- libraries/libapparmor/`
			`- parser/`
			`- binutils/`
			`- utils/`
			`- changehat/mod_apparmor/`
			`- changehat/pam_apparmor/`
			`- profiles/`
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00			`script:`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`- *install-c-build-deps`
			`- cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. \|\| { cat config.log ; exit 1 ; }`
			`- make -C parser`
			`- make -C binutils`
			`- make -C utils`
			`- make -C changehat/mod_apparmor`
			`- make -C changehat/pam_apparmor`
			`- make -C profiles`
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00			`test-libapparmor:`
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00			`stage: test`
CI: add shellcheck job, with minimum severity set to error We have way too many warnings to enable lower severity levels, but let's at least we don't introduce new errors. 2022-02-13 07:49:52 +00:00			`needs: ["build-all"]`
CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`extends:`
			`- .ubuntu-before_script`
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00			`script:`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`- *install-c-build-deps`
			`- make -C libraries/libapparmor check`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00
			`test-parser:`
			`stage: test`
			`needs: ["build-all"]`
CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`extends:`
			`- .ubuntu-before_script`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00			`script:`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`- *install-c-build-deps`
			`- make -C parser check`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00
			`test-binutils:`
			`stage: test`
			`needs: ["build-all"]`
CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`extends:`
			`- .ubuntu-before_script`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00			`script:`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`- make -C binutils check`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00
			`test-utils:`
			`stage: test`
			`needs: ["build-all"]`
CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`extends:`
			`- .ubuntu-before_script`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00			`script:`
add setuptools to test-utils CI job 2022-07-16 20:42:07 +02:00			`- apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools`
CI: ensure test-utils runs all intended tests 2022-02-13 15:39:11 +00:00			`# See apparmor/apparmor#221`
			`- make -C parser/tst gen_dbus`
			`- make -C parser/tst gen_xtrans`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`- make -C utils check`
			`- make -C utils/test coverage-regression`
Generate and keep html in utils coverage-regression We sometimes have random coverage changes that are not reproducible and therefore hard to debug. Generate html coverage as part of make coverage-regression, and keep the resulting utils/test/htmlcov/ as artifact to make debugging easier. coverage-html needs JS files from various libjs-* packages, install them in before_script 2021-07-13 12:21:52 +02:00			`artifacts:`
			`paths:`
			`- utils/test/htmlcov/`
CI: always collect test artifacts The default is to collect them on success, but that's not helpful to debug failure cases. 2021-08-15 16:28:35 +02:00			`when: always`
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00			`test-mod-apparmor:`
			`stage: test`
			`needs: ["build-all"]`
CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`extends:`
			`- .ubuntu-before_script`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00			`script:`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`- make -C changehat/mod_apparmor check`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00
			`test-profiles:`
			`stage: test`
			`needs: ["build-all"]`
CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`extends:`
			`- .ubuntu-before_script`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00			`script:`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`- make -C profiles check-parser`
			`- make -C profiles check-abstractions.d`
CI: check extra profiles for local/ includes 2023-04-18 22:43:00 +02:00			`- make -C profiles check-extras`
CI: parallelize across multiple jobs, only install necessary dependencies 2022-02-13 09:02:58 +00:00
CI: add shellcheck job, with minimum severity set to error We have way too many warnings to enable lower severity levels, but let's at least we don't introduce new errors. 2022-02-13 07:49:52 +00:00			`shellcheck:`
			`stage: test`
			`needs: []`
CI: only run Debian'ish commands on jobs run on Debian'ish systems 2022-02-13 12:26:19 +00:00			`extends:`
			`- .ubuntu-before_script`
CI: add shellcheck job, with minimum severity set to error We have way too many warnings to enable lower severity levels, but let's at least we don't introduce new errors. 2022-02-13 07:49:52 +00:00			`script:`
			`- apt-get install --no-install-recommends -y file shellcheck xmlstarlet`
			`- shellcheck --version`
CI: enable all shellcheck severity levels The few previous commits make this pass, let's profit. 2022-02-13 08:47:30 +00:00			`- './tests/bin/shellcheck-tree --format=checkstyle`
CI: add shellcheck job, with minimum severity set to error We have way too many warnings to enable lower severity levels, but let's at least we don't introduce new errors. 2022-02-13 07:49:52 +00:00			`\| xmlstarlet tr tests/checkstyle2junit.xslt`
			`> shellcheck.xml'`
			`artifacts:`
			`when: always`
			`reports:`
			`junit: shellcheck.xml`

misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00			`# Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing`
CI: normalize indentation 2022-02-13 11:14:20 +00:00			`# - make -C profiles check-profiles`
misc: add initial gitlab-ci.yml for running build/tests This commit adds an initial gitlab-ci.yml file to perform test builds and run tests on each commit. v2: add liblocale-gettext-perl dependency for parser simple test v3: - set noninteractive prompt to avoid debconf queries when installing packages - disable profiles test against aa-logprof; even if library and python path issues are resolved, aa-logprof early aborts due to being unable to find /sbin/apparmor_parser Signed-off-by: Steve Beattie <steve.beattie@canonical.com> Acked-by: Tyler Hicks <tyler.hicks@canonical.com> PR: https://gitlab.com/apparmor/apparmor/merge_requests/101 2018-04-18 22:04:23 -07:00
			`# test-pam_apparmor:`
			`# - stage: test`
			`# - script:`
			`# - cd changehat/pam_apparmor && make check`
CI: enable SAST, Secret-Detection, and Dependency Scanning 2020-07-21 16:39:53 +00:00
			`include:`
			`- template: SAST.gitlab-ci.yml`
Revert "gitlab: testing: temporarily disable secret-detect" This reverts commit 8b4344c17bc180fda3b140167f861c4c4f5ed1e5. 2022-02-21 11:31:44 -08:00			`- template: Secret-Detection.gitlab-ci.yml`
CI: disable spotbugs SAST analyzer It requires building our Ant projects, which have not been touched in years. 2022-02-13 12:49:21 +00:00
			`variables:`
CI: disable SemGrep SAST analyzer It runs the flawfinder checks, so let's disable this one for the same reason we disabled flawfinder. 2022-02-13 13:20:07 +00:00			`SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"`
CI: don't run the Bandit SAST analyzer on our test suites Let's focus for now on code that runs on our users' systems. 2022-02-13 13:28:38 +00:00			`SAST_BANDIT_EXCLUDED_PATHS: "/tst/, /test/"`
.gitlab-ci.yml: add support to run coverity Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2023-03-27 10:05:40 -03:00
			`.send-to-coverity: &send-to-coverity`
			`- curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME`
			`--form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL`
			`--form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"`
			`--form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"`

			`coverity:`
			`stage: .post`
			`extends:`
			`- .ubuntu-before_script`
			`only:`
			`refs:`
Enable coverity scans for master ... so that each change in master gets scanned (until we reach the scan limit). This will give us more timely results than only scanning the coverity branch whenever someone manually updates it. 2023-06-13 20:35:07 +02:00			`- master`
.gitlab-ci.yml: add support to run coverity Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> 2023-03-27 10:05:40 -03:00			`script:`
			`- apt-get install --no-install-recommends -y curl git texlive-latex-recommended`
			`- *install-c-build-deps`
			`- curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64`
			`--form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN`
			`- tar xfz /tmp/cov-analysis-linux64.tgz`
			`- COV_VERSION=$(ls -dt cov-analysis-linux64-* \| head -1)`
			`- PATH=$PATH:$(pwd)/$COV_VERSION/bin`
			`- make coverity`
			`- *send-to-coverity`
			`artifacts:`
			`paths:`
			`- "apparmor-*.tar.gz"`