From 3e08fd855845e977e30c94547174f79ca14f205a Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Mon, 22 Apr 2024 16:15:46 -0600
Subject: [PATCH] Run Facebook Infer on PRs with GitHub Actions

---
 .github/workflows/infer.yml | 126 ++++++++++++++++++++++++++++++++++++
 .github/workflows/main.yml | 18 ++++++
 .gitignore | 3 +
 scripts/infer.sh | 30 ++++++++-
 4 files changed, 174 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/infer.yml

diff --git a/.github/workflows/infer.yml b/.github/workflows/infer.yml
new file mode 100644
index 0000000..745b7dd
--- /dev/null
+++ b/.github/workflows/infer.yml
@@ -0,0 +1,126 @@
+name: Common Linux test logic
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        required: true
+        type: string
+      jdk_distro:
+        required: true
+        type: string
+      jdk_version:
+        required: true
+        type: string
+      wolfssl_configure:
+        required: true
+        type: string
+
+jobs:
+  build_wolfcryptjni:
+    runs-on: ${{ inputs.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      # Download Facebook Infer
+      - name: Download Infer
+        run: wget https://github.com/facebook/infer/releases/download/v1.1.0/infer-linux64-v1.1.0.tar.xz
+      - name: Extract Infer
+        run: tar -xvf infer-linux64-v1.1.0.tar.xz
+      - name: Symlink Infer
+        run: ln -s "$GITHUB_WORKSPACE/infer-linux64-v1.1.0/bin/infer" /usr/local/bin/infer
+      - name: Test Infer get version
+        run: infer --version
+
+      # Download Junit JARs
+      - name: Download junit-4.13.2.jar
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/junit/junit/4.13.2/junit-4.13.2.jar
+      - name: Download hamcrest-all-1.3.jar
+        run: wget --directory-prefix=$GITHUB_WORKSPACE/junit https://repo1.maven.org/maven2/org/hamcrest/hamcrest-all/1.3/hamcrest-all-1.3.jar
+
+      # Build native wolfSSL
+      - name: Build native wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: wolfSSL/wolfssl
+          ref: master
+          path: wolfssl
+          configure: ${{ inputs.wolfssl_configure }}
+          check: false
+          install: true
+
+      # Setup Java
+      - name: Setup java
+        uses: actions/setup-java@v4
+        with:
+          distribution: ${{ inputs.jdk_distro }}
+          java-version: ${{ inputs.jdk_version }}
+
+      - name: Set JUNIT_HOME
+        run: |
+          echo "JUNIT_HOME=$GITHUB_WORKSPACE/junit" >> "$GITHUB_ENV"
+      - name: Set LD_LIBRARY_PATH
+        run: |
+          echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib" >> "$GITHUB_ENV"
+
+      # Only copy appropriate makefile for platform currently being tested
+      - name: Copy makefile
+        run: |
+          if [ "$RUNNER_OS" == "Linux" ]; then
+            cp makefile.linux makefile
+          elif [ "$RUNNER_OS" == "macOS" ]; then
+            cp makefile.macosx makefile
+          else
+            echo "$RUNNER_OS not supported"
+            exit 1
+          fi
+        shell: bash
+
+      - name: Build JNI library
+        run: PREFIX=$GITHUB_WORKSPACE/build-dir make
+
+      # ant build-jni-debug
+      - name: Build jce-debug JAR (ant build-jni-debug)
+        run: ant build-jni-debug
+      - name: Run Java tests (ant test)
+        run: ant test
+      - name: Clean JAR
+        run: ant clean
+
+      # ant build-jni-release
+      - name: Build jce-debug JAR (ant build-jni-release)
+        run: ant build-jni-release
+      - name: Run Java tests (ant test)
+        run: ant test
+      - name: Clean JAR
+        run: ant clean
+
+      # ant build-jce-debug
+      - name: Build jce-debug JAR (ant build-jce-debug)
+        run: ant build-jce-debug
+      - name: Run Java tests (ant test)
+        run: ant test
+      - name: Clean JAR
+        run: ant clean
+
+      # ant build-jce-release
+      - name: Build jce-debug JAR (ant build-jce-release)
+        run: ant build-jce-release
+      - name: Run Java tests (ant test)
+        run: ant test
+      - name: Clean JAR
+        run: ant clean
+
+      - name: Show logs on failure
+        if: failure() || cancelled()
+        run: |
+          cat build/reports/*.txt
+
+      # Run Facebook Infer
+      - name: Run Facebook Infer
+        run: ./scripts/infer.sh
+
+      - name: Shows Infer report on failure
+        if: failure()
+        run: cat infer-out/report.txt
+
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 18aca8f..7624ccb 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
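Review bot: The Infer tarball fetched in the `Download Infer` step is version-pinned but never integrity-checked, so the analysis toolchain is whatever the release URL serves at run time, and the native wolfSSL build checks out `ref: master` rather than a tag or commit. A verification step between download and extract closes the first gap: `- name: Verify Infer archive` / `run: echo "<INFER_V1_1_0_SHA256 placeholder, record the real digest>  infer-linux64-v1.1.0.tar.xz" | sha256sum -c -`. Separately, all four build steps are labelled `Build jce-debug JAR (...)` although they build the jni-debug, jni-release and jce-release targets, and the workflow `name: Common Linux test logic` reads as a leftover from the workflow it was copied from; `name: Facebook Infer static analysis` and per-target step names would make the checks page legible. The final step name `Shows Infer report on failure` should read `Show Infer report on failure`.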
@@ -100,3 +100,21 @@ jobs:
         jdk_distro: "zulu"
         jdk_version: ${{ matrix.jdk_version }}
         wolfssl_configure: ${{ matrix.wolfssl_configure }}
+
+  # ------------------ Facebook Infer static analysis -------------------
+  # Run Facebook infer over PR code, only running on Linux with one
+  # JDK/version for now.
+  fb-infer:
+    strategy:
+      matrix:
+        os: [ 'ubuntu-latest' ]
+        jdk_version: [ '11' ]
+        wolfssl_configure: [ '--enable-jni --enable-all' ]
+    name: Facebook Infer (${{ matrix.os }} Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure }})
+    uses: ./.github/workflows/infer.yml
+    with:
+      os: ${{ matrix.os }}
+      jdk_distro: "zulu"
+      jdk_version: ${{ matrix.jdk_version }}
+      wolfssl_configure: ${{ matrix.wolfssl_configure }}
+
diff --git a/.gitignore b/.gitignore
index cb6c7b5..51f5360 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,9 @@ IDE/WIN/DLL Debug FIPS
 IDE/WIN/DLL Release
 IDE/WIN/DLL Release FIPS
+# infer RacerD
+infer-out/
+
 # Maven output directory
 target/
diff --git a/scripts/infer.sh b/scripts/infer.sh
index 1f9dbbd..0a0ac36 100755
--- a/scripts/infer.sh
+++ b/scripts/infer.sh
@@ -13,10 +13,25 @@
 # $ cd wolfcryptjni
 # $ ./scripts/infer.sh
 #
-# wolfSSL Inc, May 2023
+# By default the generated output and logs from Infer will be deleted. To keep
+# them, pass 'keep' to the script:
 #
+# $ ./scripts/infer.sh keep
+#
+# wolfSSL Inc, April 2024
-infer run -- javac \
+
+# These variables may be overridden on the command line.
+KEEP="${KEEP:-no}"
+
+while [ "$1" ]; do
+    if [ "$1" = 'keep' ]; then
+        KEEP='yes';
+    fi
+    shift
+done
+
+infer --fail-on-issue run -- javac \
     src/main/java/com/wolfssl/wolfcrypt/Aes.java \
     src/main/java/com/wolfssl/wolfcrypt/AesGcm.java \
     src/main/java/com/wolfssl/wolfcrypt/Asn.java \
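Review bot: The argument loop at `while [ "$1" ]; do` silently discards anything other than `keep`, so a mistyped argument runs with the default and deletes the report the caller wanted to keep; an `else` branch that rejects it would surface the mistake: `else` / `echo "unknown argument: $1" >&2; exit 1`. The comment `These variables may be overridden on the command line.` sits above `KEEP="${KEEP:-no}"`, which is actually overridden from the environment, not the command line, and the trailing `;` in `KEEP='yes';` is stray. The script's shebang and any `set -e` line are above this hunk, so how a non-zero `infer` status propagates cannot be fully judged here.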
@@ -64,9 +79,18 @@ infer run -- javac \
     src/main/java/com/wolfssl/provider/jce/WolfCryptSecretKeyFactory.java \
     src/main/java/com/wolfssl/provider/jce/WolfCryptSignature.java
+RETVAL=$?
+
 # remove compiled class files
 rm -r ./com
 # remove infer out directory (comment this out to inspect logs if needed)
-rm -r ./infer-out
+if [ "$RETVAL" == '0' ] && [ "$KEEP" == 'no' ]; then
+    rm -r ./infer-out
+fi
+
+if [ "$RETVAL" == '2' ]; then
+    # GitHub Actions expects return of 1 to mark step as failure
+    exit 1
+fi
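Review bot: An `infer` exit status other than 0 or 2 (an `infer` crash or a `javac` error during capture, for instance) falls through both `if` blocks, and because an `if` whose condition is false yields status 0, the script ends successfully and the CI step passes even though no analysis completed; the final block should fail on every non-zero status, `if [ "$RETVAL" -ne 0 ]; then` / `exit "$RETVAL"` / `fi`. The comment `GitHub Actions expects return of 1 to mark step as failure` is also inaccurate, since any non-zero status fails the step, so no remapping of 2 to 1 is needed. The `==` in `[ "$RETVAL" == '0' ]` and `[ "$KEEP" == 'no' ]` is a bash extension that a POSIX `[` such as dash rejects; the first hunk already uses the portable `=`, which should be used here too. Whether a `set -e` earlier in the file (outside this hunk) changes the flow is not visible here.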