RDKB-63009 RDKB-63010: Native build for Coverity #9
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Build XDNS component in github rdkcentral | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: native build | ||
| run: | | ||
| chmod +x cov_docker_script/run_setup_dependencies.sh | ||
| ./cov_docker_script/run_setup_dependencies.sh | ||
| chmod +x cov_docker_script/run_native_build.sh | ||
| ./cov_docker_script/run_native_build.sh | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} No newline at end of file |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 3 days ago
In general, the fix is to add an explicit permissions block either at the workflow root (affecting all jobs) or at the job level, granting only the minimal required scopes. Since this workflow only checks out code and runs build scripts, contents: read is sufficient in most cases.
For this specific file, the minimal, non‑disruptive change is to add a job-level permissions block to build-xdns-on-pr, just under the job name (or runs-on). This will limit the workflow’s automatically provided GITHUB_TOKEN to read-only repository contents while leaving the rest of the job unchanged. Because the job already uses a secret RDKCM_RDKE for the GITHUB_TOKEN environment variable, adding this block does not interfere with that secret; it only constrains the implicit GITHUB_TOKEN that GitHub injects. No imports or additional methods are needed, only YAML changes in .github/workflows/native-build.yml.
Concretely:
- Edit
.github/workflows/native-build.yml. - Under
build-xdns-on-pr:(around line 11), insert:permissions: contents: read
- Keep indentation aligned with other job keys (
name,runs-on, etc.).
No other functional behavior needs to change.
| @@ -9,6 +9,8 @@ | ||
| jobs: | ||
| build-xdns-on-pr: | ||
| name: Build XDNS component in github rdkcentral | ||
| permissions: | ||
| contents: read | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| image: ghcr.io/rdkcentral/docker-rdk-ci:latest |
There was a problem hiding this comment.
Pull request overview
This PR enables Coverity scanning using a native build approach for the XDNS component. It introduces wrapper scripts that clone and utilize the build_tools_workflows repository to set up dependencies and perform native builds in a containerized CI environment.
Changes:
- Added three wrapper scripts for orchestrating dependency setup, native builds, and external builds
- Created configuration files defining build dependencies, compiler flags, and component settings
- Implemented a GitHub Actions workflow to automate native builds on push and pull request events
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 17 comments.
Show a summary per file
| File | Description |
|---|---|
| cov_docker_script/run_setup_dependencies.sh | Clones build_tools_workflows repository and runs dependency setup script |
| cov_docker_script/run_native_build.sh | Executes native build and cleans up build tools directory |
| cov_docker_script/run_external_build.sh | Handles external dependency builds with separate clone logic |
| cov_docker_script/configure_options.conf | Defines extensive autotools configure flags for MoCA agent compilation |
| cov_docker_script/component_config.json | Specifies dependency repositories and build configurations in JSON format |
| .github/workflows/native-build.yml | GitHub Actions workflow for automated native builds across multiple branches |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| echo "" | ||
| log "Running common_external_build.sh from build_tools_workflows..." | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| "$BUILD_TOOLS_DIR/cov_docker_script/common_external_build.sh" "$SCRIPT_DIR/component_config.json" "$NATIVE_COMPONENT_DIR" |
There was a problem hiding this comment.
There is a trailing space after the second argument on this line. While this won't cause functional issues, it's inconsistent with run_native_build.sh line 41 which doesn't have trailing whitespace in the equivalent command invocation.
| "$BUILD_TOOLS_DIR/cov_docker_script/common_external_build.sh" "$SCRIPT_DIR/component_config.json" "$NATIVE_COMPONENT_DIR" | |
| "$BUILD_TOOLS_DIR/cov_docker_script/common_external_build.sh" "$SCRIPT_DIR/component_config.json" "$NATIVE_COMPONENT_DIR" |
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 |
There was a problem hiding this comment.
The workflow uses 'actions/checkout@v3' which is an older version. GitHub Actions has released newer versions (v4 is available as of 2023). Consider updating to '@v4' for improved performance and features. This is the same pattern used in the L1-tests.yml workflow, so updating both together would maintain consistency.
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 |
| ], | ||
| "build": { | ||
| "type": "script", | ||
| "script": "cov_docker_script/run_external_build.sh" | ||
| } |
There was a problem hiding this comment.
Same issue as with common-library dependency at lines 39-42. The build configuration references "cov_docker_script/run_external_build.sh" which may cause conflicts if run_setup_dependencies.sh has already cloned build_tools_workflows, or create race conditions if dependencies build in parallel.
| ], | |
| "build": { | |
| "type": "script", | |
| "script": "cov_docker_script/run_external_build.sh" | |
| } | |
| ] |
| #!/usr/bin/env bash | ||
| set -e |
There was a problem hiding this comment.
This script is missing a copyright header. Other shell scripts in the repository (e.g., autogen.sh and source/test/run_ut.sh) include Apache 2.0 license headers with RDK Management copyright. For consistency and legal compliance, this script should include the same copyright and license header as used in other scripts in the codebase.
|
|
||
| # Core system defines | ||
| -DSAFEC_DUMMY_API | ||
| -D_COSA_HAL_ |
There was a problem hiding this comment.
Similar to line 31, the flag '-U_COSA_SIM_' explicitly undefines a macro without a prior definition in this configuration. While this might be defensive programming to ensure simulation mode is disabled, consider adding a comment explaining the intent.
| -D_COSA_HAL_ | |
| -D_COSA_HAL_ | |
| # Explicitly undefine simulation mode macro to ensure non-sim build, even if defined elsewhere |
| #!/usr/bin/env bash | ||
| set -e |
There was a problem hiding this comment.
This script is missing a copyright header. Other shell scripts in the repository (e.g., autogen.sh and source/test/run_ut.sh) include Apache 2.0 license headers with RDK Management copyright. For consistency and legal compliance, this script should include the same copyright and license header as used in other scripts in the codebase.
| # Clone build_tools_workflows if it doesn't exist | ||
| if [[ ! -d "$BUILD_TOOLS_DIR" ]]; then | ||
| log "build_tools_workflows not found, cloning repository..." | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| git clone -b develop "$BUILD_TOOLS_REPO_URL" || { err "Clone failed"; exit 1; } | ||
| ok "Repository cloned successfully" | ||
| else | ||
| log "build_tools_workflows already exists" | ||
| fi |
There was a problem hiding this comment.
This script clones the build_tools_workflows repository if it doesn't exist, but unlike run_native_build.sh, it doesn't clean up the directory after completion. This creates an inconsistency in cleanup behavior - run_native_build.sh cleans up build_tools_workflows (lines 46-49), but this script leaves it behind. Consider either: 1) Adding cleanup at the end of this script for consistency, or 2) Documenting why cleanup is handled differently for external builds vs native builds.
| fi | ||
|
|
||
| if [[ ! -f "$BUILD_TOOLS_DIR/cov_docker_script/common_external_build.sh" ]]; then | ||
| err "common_external_build.sh not found in build_tools_workflows. Please run run_setup_dependencies.sh first." |
There was a problem hiding this comment.
The error message states "Please run run_setup_dependencies.sh first", but this script actually clones the repository itself at lines 25-33 if it doesn't exist. This makes the error message misleading - if the directory exists but the script is missing, it suggests running run_setup_dependencies.sh, but that script won't help since the directory already exists and won't be re-cloned. Consider either: 1) Removing the self-cloning logic and truly requiring run_setup_dependencies.sh to be run first, or 2) Changing the error message to reflect that the cloned repository is missing expected files.
| err "common_external_build.sh not found in build_tools_workflows. Please run run_setup_dependencies.sh first." | |
| err "common_external_build.sh not found in build_tools_workflows. The repository may be incomplete or out of date. Please delete '$BUILD_TOOLS_DIR' and rerun this script, or run run_setup_dependencies.sh to re-fetch the build_tools_workflows dependencies." |
| else | ||
| log "Cloning build_tools_workflows (develop)" | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| git clone -b develop "$BUILD_TOOLS_REPO_URL" || { err "Clone failed"; exit 1; } |
There was a problem hiding this comment.
This script clones build_tools_workflows from GitHub using a mutable branch (-b develop) and then runs build scripts from that repo as part of the pipeline. Because the reference is not pinned or integrity-checked, a compromise or force-push of the develop branch could inject arbitrary code into your build environment and execute with CI privileges. To reduce supply-chain risk, fetch from a pinned commit or signed tag (or vendor the scripts locally) and/or add integrity verification before executing tools from this repository.
| if [[ ! -d "$BUILD_TOOLS_DIR" ]]; then | ||
| log "build_tools_workflows not found, cloning repository..." | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| git clone -b develop "$BUILD_TOOLS_REPO_URL" || { err "Clone failed"; exit 1; } |
There was a problem hiding this comment.
This script clones build_tools_workflows from GitHub using the mutable develop branch and then relies on build scripts from that checkout. Without pinning to a specific commit or verifying integrity, an attacker who compromises or force-pushes the develop branch could run arbitrary code in your CI/build environment via common_external_build.sh. Consider pinning this dependency to a known-good commit or signed tag (or vendoring it) and/or adding integrity checks before executing scripts from the cloned repository.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "include_path": "$HOME/usr/include/rdkb/", | ||
| "lib_output_path": "$HOME/usr/local/lib/", |
There was a problem hiding this comment.
All paths throughout the configuration use "$HOME" for constructing include and library paths (e.g., lines 14, 95, 96). While this provides flexibility, it assumes HOME is properly set in the build environment. In containerized builds or CI environments, this might not always point to the expected location. Consider documenting this requirement or adding validation in the build scripts to ensure HOME is set correctly before proceeding with the build.
| if [[ ! -d "$BUILD_TOOLS_DIR" ]]; then | ||
| log "build_tools_workflows not found, cloning repository..." | ||
| cd "$NATIVE_COMPONENT_DIR" | ||
| git clone -b develop "$BUILD_TOOLS_REPO_URL" || { err "Clone failed"; exit 1; } |
There was a problem hiding this comment.
Similar to run_setup_dependencies.sh, this git clone command does not pin to a specific commit SHA or tag, relying instead on the 'develop' branch. This could lead to inconsistent builds or unexpected failures if the upstream repository changes. Consider pinning to a specific version for more reproducible builds.
| } | ||
| ] | ||
| }, | ||
|
|
There was a problem hiding this comment.
There is a trailing comma after the closing brace of the "dependencies" object. While many JSON parsers are lenient and accept trailing commas, this is technically invalid according to the JSON specification and could cause parsing errors in strict JSON parsers. Remove the comma on this line.
|
|
||
| "native_component": { | ||
| "_comment": "Configuration for the main component being built", | ||
| "name": "xdns", |
There was a problem hiding this comment.
The component name in this configuration is "xdns" (line 94) but the PR title mentions "RDKB-63009 RDKB-63010" without mentioning the XDNS component name. Additionally, this appears to be in a repository that should be named consistently with the component. Please verify this is the correct component name for this repository.
| ], | ||
| "build": { | ||
| "type": "script", | ||
| "script": "cov_docker_script/run_external_build.sh" |
There was a problem hiding this comment.
The build configuration for the "Utopia" dependency references "cov_docker_script/run_external_build.sh" as the build script. However, this creates a circular dependency issue: run_external_build.sh is meant to be called from the build_tools_workflows repository to build external dependencies, but here it's being referenced as a script within a dependency being built. This will likely fail as the script path would need to exist within the Utopia repository, not this repository. Consider using the correct script path from build_tools_workflows or using "common_external_build.sh" directly.
| "script": "cov_docker_script/run_external_build.sh" | |
| "script": "cov_docker_script/common_external_build.sh" |
| -DHAVE_CONFIG_H | ||
|
|
||
| # Include paths | ||
| -I$HOME/usr/include/rdkb/ |
There was a problem hiding this comment.
The script uses "$HOME" variable in multiple paths (lines 13-14, 135), but this assumes HOME is set in the build environment. While this is typically true, in containerized or CI environments, HOME might not be set as expected. Consider verifying that HOME is set or using a more explicit path variable that's controlled by the build system.
| -I$HOME/usr/include/rdkb/ | |
| -I${HOME:?HOME environment variable is not set}/usr/include/rdkb/ |
| chmod +x cov_docker_script/run_native_build.sh | ||
| ./cov_docker_script/run_native_build.sh | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} No newline at end of file |
There was a problem hiding this comment.
The GITHUB_TOKEN environment variable is set to use a custom secret 'secrets.RDKCM_RDKE', but it's not clear if this is actually needed for the build process. If the build scripts are cloning public repositories (as seen in run_setup_dependencies.sh where it clones from https://github.com/rdkcentral/build_tools_workflows), the default GITHUB_TOKEN provided by GitHub Actions should be sufficient. If this custom token is required, please add a comment explaining why. If it's not needed, consider removing it to reduce secret dependencies.
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} | |
| GITHUB_TOKEN: ${{ github.token }} |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # MoCA Agent Configure Options | ||
| # This file contains autotools configure options for the moca-agent component |
There was a problem hiding this comment.
The header comment says this file is for the 'moca-agent' component, but this PR configures a native build for the XDNS component. Please update the header/comments to match XDNS to avoid confusion when maintaining these build flags.
| # MoCA Agent Configure Options | |
| # This file contains autotools configure options for the moca-agent component | |
| # XDNS Configure Options | |
| # This file contains autotools configure options for the XDNS component |
| -D_COSA_INTEL_USG_ARM_ | ||
| -D_COSA_FOR_COMCAST_ | ||
| -D_COSA_BCM_ARM_ | ||
| -D_XB6_PRODUCT_REQ_ | ||
| -D_XB7_PRODUCT_REQ_ | ||
| -D_XB8_PRODUCT_REQ_ |
There was a problem hiding this comment.
Multiple product/platform macros that are typically mutually exclusive are defined simultaneously. This makes the native build configuration hard to reason about and can enable unintended compile-time paths. Consider splitting these into per-target option sets (or selecting a single platform/product via a variable in the build scripts) instead of enabling all of them at once.
| -D_COSA_INTEL_USG_ARM_ | |
| -D_COSA_FOR_COMCAST_ | |
| -D_COSA_BCM_ARM_ | |
| -D_XB6_PRODUCT_REQ_ | |
| -D_XB7_PRODUCT_REQ_ | |
| -D_XB8_PRODUCT_REQ_ | |
| # NOTE: | |
| # The following macros represent mutually exclusive platform/product | |
| # combinations. Only enable the ones that match the target you are | |
| # building for. By default, we build for the BCM ARM XB8 profile. | |
| # | |
| # Platform selection (choose exactly one): | |
| # -D_COSA_INTEL_USG_ARM_ # Intel USG ARM platform | |
| # -D_COSA_FOR_COMCAST_ # Generic Comcast platform profile | |
| -D_COSA_BCM_ARM_ # Broadcom ARM platform (default) | |
| # | |
| # Product selection (choose exactly one): | |
| # -D_XB6_PRODUCT_REQ_ # XB6 product requirements | |
| # -D_XB7_PRODUCT_REQ_ # XB7 product requirements | |
| -D_XB8_PRODUCT_REQ_ # XB8 product requirements (default) |
| -D__USE_XOPEN | ||
|
|
There was a problem hiding this comment.
__USE_XOPEN is a libc-internal feature test macro (glibc uses __USE_* internally) and should not be defined by applications. Prefer using standard feature test macros (for example _XOPEN_SOURCE with an explicit value) or remove this define if it isn't required.
| -D__USE_XOPEN |
| [LDFLAGS] | ||
| -L$HOME/usr/local/lib/ | ||
| -Wl,--allow-shlib-undefined | ||
| -Wl,--unresolved-symbols=ignore-all |
There was a problem hiding this comment.
These linker flags suppress unresolved symbol errors, which can mask real integration problems and produce binaries that fail at runtime. If this is only needed for Coverity analysis, consider gating these flags behind a Coverity-specific mode (or removing them from the default native build) so CI still fails on genuine unresolved symbols.
| -Wl,--unresolved-symbols=ignore-all |
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 |
There was a problem hiding this comment.
Consider upgrading to actions/checkout@v4 to stay current with GitHub Actions runtime updates and avoid potential deprecation issues tied to older major versions.
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v4 |
| chmod +x build_tools_workflows/cov_docker_script/build_native.sh | ||
| ./build_tools_workflows/cov_docker_script/build_native.sh ./cov_docker_script/component_config.json "$(pwd)" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} No newline at end of file |
There was a problem hiding this comment.
This overrides the built-in GITHUB_TOKEN with a repository secret, which increases the risk of credential exposure because the subsequent scripts run code from the checked-out repository in a PR context. Prefer using the default ${{ github.token }} for GitHub API operations, and if an elevated token is required, pass it under a different env name and ensure the workflow does not run untrusted PR code with that secret available.
| GITHUB_TOKEN: ${{ secrets.RDKCM_RDKE }} | |
| GITHUB_TOKEN: ${{ github.token }} |
1 participant
Reason for change: Enable coverity scan using native build.
Test Procedure: All the checks should pass in github
Risks: Low
Priority: P1
Signed-off-by: sowmiya_chelliah@comcast.com