RDKB-62995 : [GitHub Coverity] Enable Coverity Scan for hotspot using Native Build…#36
Conversation
| name: Build hotspot component in github rdkcentral | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: native build | ||
| run: | | ||
| # Trust the workspace | ||
| git config --global --add safe.directory '*' | ||
| # Pull the latest changes for the native build system | ||
| git submodule update --init --recursive --remote | ||
| # Build and install dependencies | ||
| chmod +x build_tools_workflows/cov_docker_script/setup_dependencies.sh | ||
| ./build_tools_workflows/cov_docker_script/setup_dependencies.sh ./cov_docker_script/component_config.json | ||
| # Build component | ||
| chmod +x build_tools_workflows/cov_docker_script/build_native.sh | ||
| ./build_tools_workflows/cov_docker_script/build_native.sh ./cov_docker_script/component_config.json "$(pwd)" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} |
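Review bot: the `native build` step hands `secrets.RDKCM_RDKE` to `setup_dependencies.sh` and `build_native.sh` as `GITHUB_TOKEN`, and both scripts come out of the `build_tools_workflows` submodule fetched with `--remote`, i.e. the current tip of its branch rather than the commit this PR records; anyone who can push to that branch can run code in this job with that secret. Drop `--remote` so the reviewed submodule SHA is what executes, and confirm the secret is a token scoped to no more than cloning the dependency repositories (and that the job is not reachable from fork PRs via `pull_request_target`).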
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
In general, the fix is to explicitly declare minimal permissions for the workflow/job so that the auto-generated GITHUB_TOKEN is restricted, rather than inheriting possibly broad default permissions from the repository or organization. For a build job that only checks out code and runs local scripts, contents: read is typically sufficient.
For this specific workflow, we should add a permissions block to the build-hotspot-on-pr job (or at the root). Since we only see this single job and it just checks out the repository and runs shell scripts, we can safely restrict the token to read-only repository contents. We will therefore insert:
permissions:
  contents: read
under the build-hotspot-on-pr job (aligned with other job keys like name and runs-on). No other functionality needs to change, and no additional imports or steps are required. The custom secret secrets.RDKCM_RDKE is unaffected by this setting.
| @@ -10,6 +10,8 @@ | ||
| build-hotspot-on-pr: | ||
| name: Build hotspot component in github rdkcentral | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | ||
|
|
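Review bot: `permissions: contents: read` narrows only the auto-generated token; the `native build` step in this same job sets the `GITHUB_TOKEN` environment variable to `secrets.RDKCM_RDKE`, so the build scripts never see the restricted token and run with whatever scopes that secret carries. The block is still worth adding for the rest of the job, but the privilege review that matters here is of that PAT.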
Pull request overview
Enable Coverity scan support for the hotspot component by introducing a native-build configuration, dependency metadata, and a GitHub Actions workflow that builds inside the RDK CI container.
Changes:
- Added native-build dependency configuration (component_config.json) and autotools flags (configure_options.conf) for hotspot.
- Added documentation for the native build/Coverity setup under cov_docker_script/README.md.
- Introduced build_tools_workflows as a git submodule and added a GitHub Actions workflow to run the native build.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| cov_docker_script/configure_options.conf | Defines CPPFLAGS/CFLAGS/LDFLAGS used by the native autotools build for Coverity. |
| cov_docker_script/component_config.json | Declares external dependency repos and the native build steps for hotspot. |
| cov_docker_script/README.md | Documents how to use the native build/Coverity configuration. |
| build_tools_workflows | Adds the build tools repo as a pinned submodule commit. |
| .gitmodules | Registers build_tools_workflows as a submodule tracking develop. |
| .github/workflows/native-build.yml | Adds CI job to set up dependencies and build hotspot natively in a container. |
| - name: native build | ||
| run: | | ||
| # Trust the workspace | ||
| git config --global --add safe.directory '*' |
Setting safe.directory to * disables Git's ownership safety checks for all paths inside the container. Restrict this to the workspace path only (e.g., $GITHUB_WORKSPACE or the repository directory) to avoid trusting unintended directories.
| git config --global --add safe.directory '*' | |
| git config --global --add safe.directory "$GITHUB_WORKSPACE" |
| # Trust the workspace | ||
| git config --global --add safe.directory '*' | ||
| # Pull the latest changes for the native build system | ||
| git submodule update --init --recursive --remote |
Using --remote makes CI pull the latest submodule branch tip instead of the commit pinned in the PR, which can break reproducibility and cause unrelated CI failures. Drop --remote so the workflow uses the submodule SHA committed in this repo (or pin to an explicit ref via checkout settings).
| git submodule update --init --recursive --remote | |
| git submodule update --init --recursive |
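The drift the comment above warns about, shown end to end. This is an added example for the review thread, not code from this PR or from rdkcentral/build_tools_workflows: it builds three throwaway repositories in a temporary directory (the names `tools`, `component` and `ci`, the `develop` branch and the `build_native.sh` file are all made up for the demo), pushes a second commit to the "upstream" tools repo after the component has pinned the first one, and then runs `git submodule update` with and without `--remote` from a fresh clone. The `-c protocol.file.allow=always` override is an assumption about the host git: versions from 2.38.1 refuse local-path submodule clones without it.

```shell
#!/bin/sh
# Added example for this review thread; not code from the PR or from
# rdkcentral/build_tools_workflows. Builds three throwaway repos in a temp
# dir (names "tools", "component", "ci" are made up) and shows that
# `git submodule update --remote` checks out the submodule branch tip at run
# time, while the plain form checks out the SHA the superproject pins.
set -eu

# Local-path submodule clones need this on git >= 2.38.1; harmless on older git.
gitf() { git -c protocol.file.allow=always "$@"; }

commit_all() {                      # commit_all <repo> <message>
  git -C "$1" add -A
  git -C "$1" commit -q -m "$2"
}

demo_submodule_remote() {
  work=$(mktemp -d)
  export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
  export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com
  export GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null   # ignore host git config

  # 1. Upstream build-tools repo with a "develop" branch and one commit.
  tools="$work/tools"
  git init -q "$tools"
  git -C "$tools" symbolic-ref HEAD refs/heads/develop
  echo 'echo "build tools v1"' > "$tools/build_native.sh"
  commit_all "$tools" "build tools v1"

  # 2. Component repo pins the submodule at that commit, as this PR does.
  comp="$work/component"
  git init -q "$comp"
  echo "component" > "$comp/README"
  commit_all "$comp" "initial"
  gitf -C "$comp" submodule --quiet add -b develop "$tools" build_tools_workflows
  commit_all "$comp" "add build_tools_workflows submodule"
  pinned=$(git -C "$comp" rev-parse HEAD:build_tools_workflows)

  # 3. Later, someone pushes to develop in the tools repo. Nothing in the
  #    component repo changes, so no component PR ever reviews this commit.
  echo 'echo "build tools v2 (any later push)"' > "$tools/build_native.sh"
  commit_all "$tools" "build tools v2"
  tip=$(git -C "$tools" rev-parse HEAD)

  # 4. Fresh CI checkout of the component, as actions/checkout would produce.
  ci="$work/ci"
  git clone -q "$comp" "$ci"

  # 5a. Without --remote: the submodule lands on the SHA recorded in the PR.
  gitf -C "$ci" submodule --quiet update --init --recursive
  got_pinned=$(git -C "$ci/build_tools_workflows" rev-parse HEAD)

  # 5b. With --remote: the submodule moves to whatever develop points at now.
  gitf -C "$ci" submodule --quiet update --init --recursive --remote
  got_remote=$(git -C "$ci/build_tools_workflows" rev-parse HEAD)

  echo "pinned by PR        : $pinned"
  echo "update (no --remote): $got_pinned"
  echo "update --remote     : $got_remote"
  echo "tools develop tip   : $tip"
  rm -rf "$work"

  # Last line is DRIFT when the pinned build and the --remote build differ.
  [ "$got_pinned" = "$pinned" ] && [ "$got_remote" = "$tip" ] \
    && [ "$pinned" != "$tip" ] && echo "DRIFT"
}

demo_submodule_remote
```

Run it as `sh demo.sh`: the first two SHAs match (the commit the PR pinned), the third matches the branch tip instead, and the final line is `DRIFT`. The same mechanism is what lets a push to the tools repo's branch change what `build_native.sh` does in this workflow without any change to the hotspot repository.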
| name: Build hotspot component in github rdkcentral | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest |
Using the latest container tag reduces build reproducibility because the environment can change without warning. Prefer pinning to a specific version tag or digest so Coverity/native builds remain consistent over time.
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | |
| image: ghcr.io/rdkcentral/docker-rdk-ci:1.0.0 |
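Review bot: a version tag such as `1.0.0` is still a mutable reference that the image publisher can re-push, so the Coverity environment can change underneath you just as with `latest`. For a build whose results are meant to be comparable over time, reference the image by digest, `image: ghcr.io/rdkcentral/docker-rdk-ci@sha256:<digest>` (digest taken from the registry, not guessed here), and bump it in a reviewed commit.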
| Add the following to your component's `.gitignore` to exclude temporary build artifacts: | ||
|
|
||
| ```gitignore | ||
| # Build tools (downloaded by wrapper scripts) | ||
| build_tools_workflows/ | ||
|
|
The README instructs users to add build_tools_workflows/ to .gitignore, but this PR adds build_tools_workflows as a tracked git submodule. Ignoring it will break submodule checkouts and CI parity; update this section to reflect that build_tools_workflows is a submodule (and should not be ignored).
| Add the following to your component's `.gitignore` to exclude temporary build artifacts: | |
| ```gitignore | |
| # Build tools (downloaded by wrapper scripts) | |
| build_tools_workflows/ | |
| The `build_tools_workflows` directory is provided as a tracked git submodule and **must not** be added to `.gitignore`. Only temporary build artifacts should be ignored. | |
| Add the following to your component's `.gitignore` to exclude temporary build artifacts: | |
| ```gitignore |
| -DPATH_MAX=1024 | ||
| -D__686__ | ||
|
|
Defining PATH_MAX manually can conflict with system headers and lead to inconsistent behavior across environments. Also, __686__ uses a reserved identifier form (double underscore) and is not a standard architecture macro; if this is intended to signal i686, consider using a non-reserved project macro name (or rely on compiler-provided arch macros) rather than defining a reserved token.
| -DPATH_MAX=1024 | |
| -D__686__ | |
| -DI686_ARCH |
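Review bot: beyond the header clash, `-DPATH_MAX=1024` makes the Coverity capture reason about path buffers of a different size from the real build, where glibc's limits.h on Linux gives 4096; overflow findings (or their absence) against `char buf[PATH_MAX]` in this scan will therefore not correspond to the shipped binary. If the define is only there because a header is missing in the container, include the header instead of redefining the constant.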
| -Wl,--allow-shlib-undefined | ||
| -Wl,--unresolved-symbols=ignore-all No newline at end of file |
These linker flags explicitly tolerate unresolved symbols, which can hide real link errors and produce binaries that fail at runtime. If the goal is only to get a Coverity capture/build to complete, consider scoping these flags to Coverity-only builds (or documenting why they're required) rather than applying them unconditionally.
| -Wl,--allow-shlib-undefined | |
| -Wl,--unresolved-symbols=ignore-all | |
| # NOTE: The following linker flags tolerate unresolved symbols and can hide | |
| # real link errors. They should NOT be used for normal builds. If absolutely | |
| # required for a Coverity-only capture/build, uncomment them locally and | |
| # ensure this configuration is not used for production binaries. | |
| # -Wl,--allow-shlib-undefined | |
| # -Wl,--unresolved-symbols=ignore-all |
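Review bot: commenting the two linker flags out, as this suggestion does, will most likely make the Coverity capture fail to link, which is the reason they were added; and the scoping asked for is already in place, since the file summary says configure_options.conf is read only by the native Coverity build. Keep the flags active, add a comment naming the libraries that are absent in the container so the next reader knows why unresolved symbols are expected, and make sure no product build ever sources this file.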
| "_version": "2.0", | ||
| "_description": "Defines dependencies and build settings for the native component", | ||
|
|
||
| "dependencies": { |
JSON formatting/indentation is inconsistent at the top-level (\"dependencies\" is not aligned with the surrounding keys). Consider reformatting the file (e.g., consistent 2-space indentation) to improve readability and reduce diff noise in future changes.
| "dependencies": { | |
| "dependencies": { |
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| # Trust the workspace | ||
| git config --global --add safe.directory '*' | ||
| # Pull the latest changes for the native build system | ||
| git submodule update --init --recursive --remote |
Using safe.directory '*' disables git’s safety checks for all directories, and git submodule update --remote makes the build non-reproducible (and can unintentionally pull unreviewed submodule changes). Prefer setting safe.directory to the current workspace path only, and drop --remote so the workflow builds the submodule commit pinned by the PR.
| # Trust the workspace | |
| git config --global --add safe.directory '*' | |
| # Pull the latest changes for the native build system | |
| git submodule update --init --recursive --remote | |
| # Trust only the current workspace | |
| git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
| # Initialize and update submodules to the commits pinned by the repository | |
| git submodule update --init --recursive |
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 |
Update to actions/checkout@v4 for the latest security and performance fixes (v3 is outdated).
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 |
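Review bot: `@v4` is a moving major tag; for a job that carries an org secret, pin the action to its full commit SHA with the version as a trailing comment, `uses: actions/checkout@<40-hex-sha> # v4` (SHA looked up from the actions/checkout release, not shown here), so that a retagged or compromised release cannot change what runs in this workflow.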
| # Standard/system defines | ||
| #-DSAFEC_DUMMY_API | ||
| -DPATH_MAX=1024 | ||
| -D__686__ |
-D__686__ looks like a typo and is likely not the intended architecture macro (commonly __i686__). Defining an incorrect macro can change conditional compilation unexpectedly; consider correcting it or removing it if not required.
| -D__686__ |
| # 🔧 Coverity Native Build System for RDK-B Components | ||
|
|
||
| The documentation and source for the RDK-B native build system has been centralized in [rdkcentral/build_tools_workflows](https://github.com/rdkcentral/build_tools_workflows/blob/develop/cov_docker_script/README.md) |
The emoji in the header can be noisy for screen readers and can reduce accessibility in some documentation pipelines. Consider removing it or moving it to plain text.
| # 🔧 Coverity Native Build System for RDK-B Components | |
| The documentation and source for the RDK-B native build system has been centralized in [rdkcentral/build_tools_workflows](https://github.com/rdkcentral/build_tools_workflows/blob/develop/cov_docker_script/README.md) | |
| # Coverity Native Build System for RDK-B Components | |
| 🔧 The documentation and source for the RDK-B native build system has been centralized in [rdkcentral/build_tools_workflows](https://github.com/rdkcentral/build_tools_workflows/blob/develop/cov_docker_script/README.md) |
Reason for change: Enable Coverity scan using native build.
Test Procedure: All the checks should pass in GitHub.
Risks: Low
Priority: P1
Signed-off-by: Balajichowday_unnam@comcast.com