RDKB-63009 RDKB-63010: Native build for Coverity#9
RDKB-63009 RDKB-63010: Native build for Coverity#9sowmiyachelliah wants to merge 4 commits intodevelopfrom
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Build XDNS component in github rdkcentral | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: native build | ||
| run: | | ||
| chmod +x cov_docker_script/run_setup_dependencies.sh | ||
| ./cov_docker_script/run_setup_dependencies.sh | ||
| chmod +x cov_docker_script/run_native_build.sh | ||
| ./cov_docker_script/run_native_build.sh | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 10 days ago
In general, the fix is to explicitly scope the GITHUB_TOKEN permissions for this workflow (or job) to the minimum required, instead of relying on repository defaults. For a build job that only checks out code and runs shell scripts without interacting with Pull Requests, issues, or pushing commits, contents: read is typically sufficient.
The best fix here, without changing existing functionality, is to add a permissions block at the workflow root (top level, alongside on: and jobs:). This will apply to all jobs that do not override permissions; there is only one job in the provided snippet, so that’s enough. Based on the visible steps: actions/checkout@v3 needs read access to repo contents; there’s no indication of any write operations back to GitHub, so we set permissions: contents: read. No other permissions (issues, pull-requests, packages, etc.) are necessary from what is shown. Concretely, in .github/workflows/native-build.yml, add:
permissions:
contents: readright after the workflow name: (line 1–2), before the on: block. No additional imports, methods, or definitions are required because this is a declarative YAML change only.
| @@ -1,5 +1,8 @@ | ||
| name: Build XDNS Component in Native Environment | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ main, 'sprint/**', 'release/**', develop ] |
There was a problem hiding this comment.
Pull request overview
This PR enables Coverity scanning using a native build approach for the XDNS component. It introduces wrapper scripts that clone and utilize the build_tools_workflows repository to set up dependencies and perform native builds in a containerized CI environment.
Changes:
- Added three wrapper scripts for orchestrating dependency setup, native builds, and external builds
- Created configuration files defining build dependencies, compiler flags, and component settings
- Implemented a GitHub Actions workflow to automate native builds on push and pull request events
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 17 comments.
Show a summary per file
| File | Description |
|---|---|
| cov_docker_script/run_setup_dependencies.sh | Clones build_tools_workflows repository and runs dependency setup script |
| cov_docker_script/run_native_build.sh | Executes native build and cleans up build tools directory |
| cov_docker_script/run_external_build.sh | Handles external dependency builds with separate clone logic |
| cov_docker_script/configure_options.conf | Defines extensive autotools configure flags for MoCA agent compilation |
| cov_docker_script/component_config.json | Specifies dependency repositories and build configurations in JSON format |
| .github/workflows/native-build.yml | GitHub Actions workflow for automated native builds across multiple branches |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| echo "" | ||
| log "Running common_external_build.sh from build_tools_workflows..." | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| "$BUILD_TOOLS_DIR/cov_docker_script/common_external_build.sh" "$SCRIPT_DIR/component_config.json" "$NATIVE_COMPONENT_DIR" |
There was a problem hiding this comment.
There is a trailing space after the second argument on this line. While this won't cause functional issues, it's inconsistent with run_native_build.sh line 41 which doesn't have trailing whitespace in the equivalent command invocation.
| "$BUILD_TOOLS_DIR/cov_docker_script/common_external_build.sh" "$SCRIPT_DIR/component_config.json" "$NATIVE_COMPONENT_DIR" | |
| "$BUILD_TOOLS_DIR/cov_docker_script/common_external_build.sh" "$SCRIPT_DIR/component_config.json" "$NATIVE_COMPONENT_DIR" |
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 |
There was a problem hiding this comment.
The workflow uses 'actions/checkout@v3' which is an older version. GitHub Actions has released newer versions (v4 is available as of 2023). Consider updating to '@v4' for improved performance and features. This is the same pattern used in the L1-tests.yml workflow, so updating both together would maintain consistency.
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 |
| ], | ||
| "build": { | ||
| "type": "script", | ||
| "script": "cov_docker_script/run_external_build.sh" | ||
| } |
There was a problem hiding this comment.
Same issue as with common-library dependency at lines 39-42. The build configuration references "cov_docker_script/run_external_build.sh" which may cause conflicts if run_setup_dependencies.sh has already cloned build_tools_workflows, or create race conditions if dependencies build in parallel.
| ], | |
| "build": { | |
| "type": "script", | |
| "script": "cov_docker_script/run_external_build.sh" | |
| } | |
| ] |
| #!/usr/bin/env bash | ||
| set -e |
There was a problem hiding this comment.
This script is missing a copyright header. Other shell scripts in the repository (e.g., autogen.sh and source/test/run_ut.sh) include Apache 2.0 license headers with RDK Management copyright. For consistency and legal compliance, this script should include the same copyright and license header as used in other scripts in the codebase.
|
|
||
| # Core system defines | ||
| -DSAFEC_DUMMY_API | ||
| -D_COSA_HAL_ |
There was a problem hiding this comment.
Similar to line 31, the flag '-U_COSA_SIM_' explicitly undefines a macro without a prior definition in this configuration. While this might be defensive programming to ensure simulation mode is disabled, consider adding a comment explaining the intent.
| -D_COSA_HAL_ | |
| -D_COSA_HAL_ | |
| # Explicitly undefine simulation mode macro to ensure non-sim build, even if defined elsewhere |
| #!/usr/bin/env bash | ||
| set -e |
There was a problem hiding this comment.
This script is missing a copyright header. Other shell scripts in the repository (e.g., autogen.sh and source/test/run_ut.sh) include Apache 2.0 license headers with RDK Management copyright. For consistency and legal compliance, this script should include the same copyright and license header as used in other scripts in the codebase.
| # Clone build_tools_workflows if it doesn't exist | ||
| if [[ ! -d "$BUILD_TOOLS_DIR" ]]; then | ||
| log "build_tools_workflows not found, cloning repository..." | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| git clone -b develop "$BUILD_TOOLS_REPO_URL" || { err "Clone failed"; exit 1; } | ||
| ok "Repository cloned successfully" | ||
| else | ||
| log "build_tools_workflows already exists" | ||
| fi |
There was a problem hiding this comment.
This script clones the build_tools_workflows repository if it doesn't exist, but unlike run_native_build.sh, it doesn't clean up the directory after completion. This creates an inconsistency in cleanup behavior - run_native_build.sh cleans up build_tools_workflows (lines 46-49), but this script leaves it behind. Consider either: 1) Adding cleanup at the end of this script for consistency, or 2) Documenting why cleanup is handled differently for external builds vs native builds.
| fi | ||
|
|
||
| if [[ ! -f "$BUILD_TOOLS_DIR/cov_docker_script/common_external_build.sh" ]]; then | ||
| err "common_external_build.sh not found in build_tools_workflows. Please run run_setup_dependencies.sh first." |
There was a problem hiding this comment.
The error message states "Please run run_setup_dependencies.sh first", but this script actually clones the repository itself at lines 25-33 if it doesn't exist. This makes the error message misleading - if the directory exists but the script is missing, it suggests running run_setup_dependencies.sh, but that script won't help since the directory already exists and won't be re-cloned. Consider either: 1) Removing the self-cloning logic and truly requiring run_setup_dependencies.sh to be run first, or 2) Changing the error message to reflect that the cloned repository is missing expected files.
| err "common_external_build.sh not found in build_tools_workflows. Please run run_setup_dependencies.sh first." | |
| err "common_external_build.sh not found in build_tools_workflows. The repository may be incomplete or out of date. Please delete '$BUILD_TOOLS_DIR' and rerun this script, or run run_setup_dependencies.sh to re-fetch the build_tools_workflows dependencies." |
| else | ||
| log "Cloning build_tools_workflows (develop)" | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| git clone -b develop "$BUILD_TOOLS_REPO_URL" || { err "Clone failed"; exit 1; } |
There was a problem hiding this comment.
This script clones build_tools_workflows from GitHub using a mutable branch (-b develop) and then runs build scripts from that repo as part of the pipeline. Because the reference is not pinned or integrity-checked, a compromise or force-push of the develop branch could inject arbitrary code into your build environment and execute with CI privileges. To reduce supply-chain risk, fetch from a pinned commit or signed tag (or vendor the scripts locally) and/or add integrity verification before executing tools from this repository.
| if [[ ! -d "$BUILD_TOOLS_DIR" ]]; then | ||
| log "build_tools_workflows not found, cloning repository..." | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| git clone -b develop "$BUILD_TOOLS_REPO_URL" || { err "Clone failed"; exit 1; } |
There was a problem hiding this comment.
This script clones build_tools_workflows from GitHub using the mutable develop branch and then relies on build scripts from that checkout. Without pinning to a specific commit or verifying integrity, an attacker who compromises or force-pushes the develop branch could run arbitrary code in your CI/build environment via common_external_build.sh. Consider pinning this dependency to a known-good commit or signed tag (or vendoring it) and/or adding integrity checks before executing scripts from the cloned repository.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "include_path": "$HOME/usr/include/rdkb/", | ||
| "lib_output_path": "$HOME/usr/local/lib/", |
There was a problem hiding this comment.
All paths throughout the configuration use "$HOME" for constructing include and library paths (e.g., lines 14, 95, 96). While this provides flexibility, it assumes HOME is properly set in the build environment. In containerized builds or CI environments, this might not always point to the expected location. Consider documenting this requirement or adding validation in the build scripts to ensure HOME is set correctly before proceeding with the build.
| if [[ ! -d "$BUILD_TOOLS_DIR" ]]; then | ||
| log "build_tools_workflows not found, cloning repository..." | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| git clone -b develop "$BUILD_TOOLS_REPO_URL" || { err "Clone failed"; exit 1; } |
There was a problem hiding this comment.
Similar to run_setup_dependencies.sh, this git clone command does not pin to a specific commit SHA or tag, relying instead on the 'develop' branch. This could lead to inconsistent builds or unexpected failures if the upstream repository changes. Consider pinning to a specific version for more reproducible builds.
| } | ||
| ] | ||
| }, | ||
|
|
There was a problem hiding this comment.
There is a trailing comma after the closing brace of the "dependencies" object. While many JSON parsers are lenient and accept trailing commas, this is technically invalid according to the JSON specification and could cause parsing errors in strict JSON parsers. Remove the comma on this line.
|
|
||
| "native_component": { | ||
| "_comment": "Configuration for the main component being built", | ||
| "name": "xdns", |
There was a problem hiding this comment.
The component name in this configuration is "xdns" (line 94) but the PR title mentions "RDKB-63009 RDKB-63010" without mentioning the XDNS component name. Additionally, this appears to be in a repository that should be named consistently with the component. Please verify this is the correct component name for this repository.
| ], | ||
| "build": { | ||
| "type": "script", | ||
| "script": "cov_docker_script/run_external_build.sh" |
There was a problem hiding this comment.
The build configuration for the "Utopia" dependency references "cov_docker_script/run_external_build.sh" as the build script. However, this creates a circular dependency issue: run_external_build.sh is meant to be called from the build_tools_workflows repository to build external dependencies, but here it's being referenced as a script within a dependency being built. This will likely fail as the script path would need to exist within the Utopia repository, not this repository. Consider using the correct script path from build_tools_workflows or using "common_external_build.sh" directly.
| "script": "cov_docker_script/run_external_build.sh" | |
| "script": "cov_docker_script/common_external_build.sh" |
| -DHAVE_CONFIG_H | ||
|
|
||
| # Include paths | ||
| -I$HOME/usr/include/rdkb/ |
There was a problem hiding this comment.
The script uses "$HOME" variable in multiple paths (lines 13-14, 135), but this assumes HOME is set in the build environment. While this is typically true, in containerized or CI environments, HOME might not be set as expected. Consider verifying that HOME is set or using a more explicit path variable that's controlled by the build system.
| -I$HOME/usr/include/rdkb/ | |
| -I${HOME:?HOME environment variable is not set}/usr/include/rdkb/ |
| chmod +x cov_docker_script/run_native_build.sh | ||
| ./cov_docker_script/run_native_build.sh | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} No newline at end of file |
There was a problem hiding this comment.
The GITHUB_TOKEN environment variable is set to use a custom secret 'secrets.RDKCM_RDKE', but it's not clear if this is actually needed for the build process. If the build scripts are cloning public repositories (as seen in run_setup_dependencies.sh where it clones from https://github.com/rdkcentral/build_tools_workflows), the default GITHUB_TOKEN provided by GitHub Actions should be sufficient. If this custom token is required, please add a comment explaining why. If it's not needed, consider removing it to reduce secret dependencies.
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} | |
| GITHUB_TOKEN: ${{ github.token }} |
1 participant
Reason for change: Enable coverity scan using native build.
Test Procedure: All the checks should pass in github
Risks: Low
Priority: P1
Signed-off-by: sowmiya_chelliah@comcast.com