mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
34a46bd8f2
... so that each change in master gets scanned (until we reach the scan limit). This will give us more timely results than only scanning the coverity branch whenever someone manually updates it.
166 lines
4.5 KiB
YAML
166 lines
4.5 KiB
YAML
---
|
|
image: ubuntu:latest
|
|
|
|
# XXX - add a deploy stage to publish man pages, docs, and coverage
|
|
# reports
|
|
|
|
stages:
|
|
- build
|
|
- test
|
|
|
|
.ubuntu-before_script:
|
|
before_script:
|
|
- export DEBIAN_FRONTEND=noninteractive
|
|
- apt-get update -qq
|
|
- apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
|
|
- lsb_release -a
|
|
- uname -a
|
|
|
|
.install-c-build-deps: &install-c-build-deps
|
|
- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
|
|
|
|
build-all:
|
|
stage: build
|
|
extends:
|
|
- .ubuntu-before_script
|
|
artifacts:
|
|
name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
|
|
expire_in: 30 days
|
|
untracked: true
|
|
paths:
|
|
- libraries/libapparmor/
|
|
- parser/
|
|
- binutils/
|
|
- utils/
|
|
- changehat/mod_apparmor/
|
|
- changehat/pam_apparmor/
|
|
- profiles/
|
|
script:
|
|
- *install-c-build-deps
|
|
- cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
|
|
- make -C parser
|
|
- make -C binutils
|
|
- make -C utils
|
|
- make -C changehat/mod_apparmor
|
|
- make -C changehat/pam_apparmor
|
|
- make -C profiles
|
|
|
|
test-libapparmor:
|
|
stage: test
|
|
needs: ["build-all"]
|
|
extends:
|
|
- .ubuntu-before_script
|
|
script:
|
|
- *install-c-build-deps
|
|
- make -C libraries/libapparmor check
|
|
|
|
test-parser:
|
|
stage: test
|
|
needs: ["build-all"]
|
|
extends:
|
|
- .ubuntu-before_script
|
|
script:
|
|
- *install-c-build-deps
|
|
- make -C parser check
|
|
|
|
test-binutils:
|
|
stage: test
|
|
needs: ["build-all"]
|
|
extends:
|
|
- .ubuntu-before_script
|
|
script:
|
|
- make -C binutils check
|
|
|
|
test-utils:
|
|
stage: test
|
|
needs: ["build-all"]
|
|
extends:
|
|
- .ubuntu-before_script
|
|
script:
|
|
- apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
|
|
# See apparmor/apparmor#221
|
|
- make -C parser/tst gen_dbus
|
|
- make -C parser/tst gen_xtrans
|
|
- make -C utils check
|
|
- make -C utils/test coverage-regression
|
|
artifacts:
|
|
paths:
|
|
- utils/test/htmlcov/
|
|
when: always
|
|
|
|
test-mod-apparmor:
|
|
stage: test
|
|
needs: ["build-all"]
|
|
extends:
|
|
- .ubuntu-before_script
|
|
script:
|
|
- make -C changehat/mod_apparmor check
|
|
|
|
test-profiles:
|
|
stage: test
|
|
needs: ["build-all"]
|
|
extends:
|
|
- .ubuntu-before_script
|
|
script:
|
|
- make -C profiles check-parser
|
|
- make -C profiles check-abstractions.d
|
|
- make -C profiles check-extras
|
|
|
|
shellcheck:
|
|
stage: test
|
|
needs: []
|
|
extends:
|
|
- .ubuntu-before_script
|
|
script:
|
|
- apt-get install --no-install-recommends -y file shellcheck xmlstarlet
|
|
- shellcheck --version
|
|
- './tests/bin/shellcheck-tree --format=checkstyle
|
|
| xmlstarlet tr tests/checkstyle2junit.xslt
|
|
> shellcheck.xml'
|
|
artifacts:
|
|
when: always
|
|
reports:
|
|
junit: shellcheck.xml
|
|
|
|
# Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
|
|
# - make -C profiles check-profiles
|
|
|
|
# test-pam_apparmor:
|
|
# - stage: test
|
|
# - script:
|
|
# - cd changehat/pam_apparmor && make check
|
|
|
|
include:
|
|
- template: SAST.gitlab-ci.yml
|
|
- template: Secret-Detection.gitlab-ci.yml
|
|
|
|
variables:
|
|
SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
|
|
SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"
|
|
|
|
.send-to-coverity: &send-to-coverity
|
|
- curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
|
|
--form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
|
|
--form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
|
|
--form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
|
|
|
|
coverity:
|
|
stage: .post
|
|
extends:
|
|
- .ubuntu-before_script
|
|
only:
|
|
refs:
|
|
- master
|
|
script:
|
|
- apt-get install --no-install-recommends -y curl git texlive-latex-recommended
|
|
- *install-c-build-deps
|
|
- curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
|
|
--form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
|
|
- tar xfz /tmp/cov-analysis-linux64.tgz
|
|
- COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
|
|
- PATH=$PATH:$(pwd)/$COV_VERSION/bin
|
|
- make coverity
|
|
- *send-to-coverity
|
|
artifacts:
|
|
paths:
|
|
- "apparmor-*.tar.gz"
|