merge: branch 'jv/add-coverity-ci'

gitlab-ci: add coverity submissions to weekly scheduled CI

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1973

.gitlab-ci.yml

@@ -49,6 +49,7 @@ stages:
   - tier3
   - deploy
   - triage
+  - coverity
 
 variables:
   FDO_UPSTREAM_REPO: NetworkManager/NetworkManager
@@ -59,11 +60,11 @@ variables:
   #
   # This is done by running `ci-fairy generate-template` and possibly bumping
   # ".default_tag".
-  ALPINE_TAG:  'tag-ec99bc32ed7f'
-  CENTOS_TAG:  'tag-a76c3f2e9d0f'
-  DEBIAN_TAG:  'tag-3f6892bcd503'
-  FEDORA_TAG:  'tag-a76c3f2e9d0f'
-  UBUNTU_TAG:  'tag-3f6892bcd503'
+  ALPINE_TAG:  'tag-f0b648c04526'
+  CENTOS_TAG:  'tag-c2d500e0391f'
+  DEBIAN_TAG:  'tag-7687baa06688'
+  FEDORA_TAG:  'tag-c2d500e0391f'
+  UBUNTU_TAG:  'tag-7687baa06688'
 
   ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
   CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@@ -639,6 +640,24 @@ triage:issues:
     - gem install gitlab-triage
     - gitlab-triage --debug --token $API_TOKEN --source-id $CI_PROJECT_ID
 
+coverity:
+  extends:
+    - .fdo.distribution-image@fedora
+  variables:
+    FDO_DISTRIBUTION_VERSION: '40'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+  stage: coverity
+  needs: []
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'schedule'
+  script:
+    - dnf install -y curl
+    - BUILD_TYPE=meson CC=gcc CONFIGURE_ONLY=1 contrib/scripts/nm-ci-run.sh
+    - cd build
+    - ../.gitlab-ci/coverity.sh download
+    - cov-analysis-linux64-*/bin/cov-build --dir cov-int ninja
+    - ../.gitlab-ci/coverity.sh upload
+
 # Clean the generated images periodically to get updated snapshots of the distribution images.
 # Create an scheduled pipeline to run it, passing an AUTHFILE environment variable of type
 # 'File' with an authentication token with API access level.

.gitlab-ci/ci.template

@@ -53,6 +53,7 @@ stages:
   - tier3
   - deploy
   - triage
+  - coverity
 
 variables:
   FDO_UPSTREAM_REPO: NetworkManager/NetworkManager
@@ -248,6 +249,24 @@ triage:issues:
     - gem install gitlab-triage
     - gitlab-triage --debug --token $API_TOKEN --source-id $CI_PROJECT_ID
 
+coverity:
+  extends:
+    - .fdo.distribution-image@fedora
+  variables:
+    FDO_DISTRIBUTION_VERSION: '40'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+  stage: coverity
+  needs: []
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'schedule'
+  script:
+    - dnf install -y curl
+    - BUILD_TYPE=meson CC=gcc CONFIGURE_ONLY=1 contrib/scripts/nm-ci-run.sh
+    - cd build
+    - ../.gitlab-ci/coverity.sh download
+    - cov-analysis-linux64-*/bin/cov-build --dir cov-int ninja
+    - ../.gitlab-ci/coverity.sh upload
+
 # Clean the generated images periodically to get updated snapshots of the distribution images.
 # Create an scheduled pipeline to run it, passing an AUTHFILE environment variable of type
 # 'File' with an authentication token with API access level.

.gitlab-ci/coverity.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+
+[ "$COVERITY_SCAN_PROJECT_NAME" = "" ] && echo "missing COVERITY_SCAN_PROJECT_NAME" >&2 && exit 1
+[ "$COVERITY_SCAN_TOKEN" = "" ] && echo "missing COVERITY_SCAN_PROJECT_NAME" >&2 && exit 1
+
+if [ "$1" = "download" ]; then
+    curl https://scan.coverity.com/download/linux64 \
+         -o /tmp/cov-analysis-linux64.tar.gz        \
+         --form "project=$COVERITY_SCAN_PROJECT_NAME" \
+         --form "token=$COVERITY_SCAN_TOKEN"
+
+    tar xvzf /tmp/cov-analysis-linux64.tar.gz
+elif [ "$1" = "upload" ]; then
+    tar cvzf cov-int.tar.gz cov-int
+    ls -l cov-int.tar.gz
+    curl "https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME" \
+          --form "token=$COVERITY_SCAN_TOKEN" --form "email=$GITLAB_USER_EMAIL" \
+          --form file=@cov-int.tar.gz --form version="`meson introspect --projectinfo | jq -r .version`" \
+          --form description="ci run: $CI_COMMIT_TITLE / `git rev-parse --short HEAD`"
+    rm -rf cov-int*
+else
+    echo "invalid command: $1" >&2
+    exit 1
+fi

src/libnm-platform/nm-linux-platform.c

@@ -337,6 +337,11 @@ struct _ifla_vf_vlan_info {
 #define BRIDGE_VLAN_INFO_RANGE_END   (1 << 4) /* VLAN is end of vlan range */
 #endif
 
+/* Appeared in kernel 4.2 dated August 2015 */
+#ifndef RTM_F_LOOKUP_TABLE
+#define RTM_F_LOOKUP_TABLE 0x1000 /* set rtm_table to FIB lookup result */
+#endif
+
 /*****************************************************************************/
 
 #define PSCHED_TIME_UNITS_PER_SEC 1000000
@@ -7784,17 +7789,42 @@ _nl_msg_new_dump_rtnl(NMPObjectType obj_type, int preferred_addr_family)
             g_return_val_if_reached(NULL);
     } break;
     case NMP_OBJECT_TYPE_LINK:
+    {
+        struct ifinfomsg ifm = {};
+
+        if (nlmsg_append_struct(nlmsg, &ifm) < 0)
+            g_return_val_if_reached(NULL);
+        break;
+    }
     case NMP_OBJECT_TYPE_IP4_ADDRESS:
     case NMP_OBJECT_TYPE_IP6_ADDRESS:
-    case NMP_OBJECT_TYPE_IP4_ROUTE:
-    case NMP_OBJECT_TYPE_IP6_ROUTE:
-    case NMP_OBJECT_TYPE_ROUTING_RULE:
     {
-        const struct rtgenmsg gmsg = {
-            .rtgen_family = preferred_addr_family,
+        struct ifaddrmsg ifm = {
+            .ifa_family = preferred_addr_family,
         };
 
-        if (nlmsg_append_struct(nlmsg, &gmsg) < 0)
+        if (nlmsg_append_struct(nlmsg, &ifm) < 0)
+            g_return_val_if_reached(NULL);
+        break;
+    }
+    case NMP_OBJECT_TYPE_IP4_ROUTE:
+    case NMP_OBJECT_TYPE_IP6_ROUTE:
+    {
+        struct rtmsg rtm = {
+            .rtm_family = preferred_addr_family,
+        };
+
+        if (nlmsg_append_struct(nlmsg, &rtm) < 0)
+            g_return_val_if_reached(NULL);
+        break;
+    }
+    case NMP_OBJECT_TYPE_ROUTING_RULE:
+    {
+        struct fib_rule_hdr frh = {
+            .family = preferred_addr_family,
+        };
+
+        if (nlmsg_append_struct(nlmsg, &frh) < 0)
             g_return_val_if_reached(NULL);
     } break;
     default:
@@ -10307,7 +10337,7 @@ ip_route_get(NMPlatform   *platform,
             .r.rtm_family  = addr_family,
             .r.rtm_tos     = 0,
             .r.rtm_dst_len = IS_IPv4 ? 32 : 128,
-            .r.rtm_flags   = 0x1000 /* RTM_F_LOOKUP_TABLE */,
+            .r.rtm_flags   = IS_IPv4 ? RTM_F_LOOKUP_TABLE : 0,
         };
 
         nm_clear_pointer(&route, nmp_object_unref);

src/libnm-platform/nm-netlink.c

@@ -1152,6 +1152,7 @@ nl_socket_new(struct nl_sock **out_sk,
 
     i_val = 1;
     (void) setsockopt(sk->s_fd, SOL_NETLINK, NETLINK_EXT_ACK, &i_val, sizeof(i_val));
+    (void) setsockopt(sk->s_fd, SOL_NETLINK, NETLINK_GET_STRICT_CHK, &i_val, sizeof(i_val));
 
     if (NM_FLAGS_HAS(flags, NL_SOCKET_FLAGS_PASSCRED)) {
         err = nl_socket_set_passcred(sk, 1);