Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
32afda2
ci: consolidate fuzz and coverity workflows
roshan-ku Jun 3, 2026
c58341b
ci: fix zizmor template-injection findings
roshan-ku Jun 3, 2026
69020ee
ci: update workflow configuration
roshan-ku Jun 3, 2026
37b50b1
commented coverity section
roshan-ku Jun 4, 2026
3dc02dc
Merge branch 'main' into workflowUpdates
dmkarthi Jun 30, 2026
3f05c14
ci: inline coverity in shared workflows
roshan-ku Jun 30, 2026
72189f4
fix(coverity): handle scan.coverity.com build-only package
roshan-ku Jul 1, 2026
6dcbe42
fix(coverity): simplify scan.coverity.com flow to match reference
roshan-ku Jul 1, 2026
82edd98
fix(coverity): remove unused env variables, keep only COVERITY_TOKEN
roshan-ku Jul 1, 2026
6de3083
ci: add on-demand Coverity scan workflow
roshan-ku Jul 1, 2026
01deda6
docs: add Coverity Scan badge to README
roshan-ku Jul 1, 2026
e4a1510
fix(coverity): use github.sha for checkout ref
roshan-ku Jul 1, 2026
95f2ef7
fix(coverity): use correct scan.coverity.com project slug
roshan-ku Jul 1, 2026
772a9f1
ci: add explanatory comments to security-events permissions
roshan-ku Jul 1, 2026
7806370
fix(coverity): revert API URLs to URL-encoded format
roshan-ku Jul 1, 2026
1b851bf
fix(coverity): update submission email address
roshan-ku Jul 1, 2026
9140dab
fix(coverity): use cov-int as build capture directory name
roshan-ku Jul 1, 2026
41a633c
fix: update MTL default version to v26.01
roshan-ku Jul 1, 2026
31204ce
docs: update Coverity badge with correct project ID
roshan-ku Jul 1, 2026
7433a04
fix: revert MTL version to ffmpeg-plugin-extra-pixel-format
roshan-ku Jul 1, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 86 additions & 0 deletions .github/actions/analysis/afl-fuzz/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'AFL Fuzz'
description: 'Build and run AFL++ fuzzing for config parser harness'

inputs:
max-seconds:
description: 'Maximum AFL fuzzing run time in seconds'
required: false
default: '300'

runs:
using: composite
steps:
- name: Install AFL dependencies
shell: bash
run: |
sudo apt-get update -qq
sudo apt-get install -y -qq afl++ libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config

- name: Verify AFL environment
shell: bash
run: |
echo "=== AFL++ ==="
afl-clang-fast --version || { echo "ERROR: afl-clang-fast not found"; exit 1; }
echo ""
echo "=== libavutil ==="
dpkg -l libavutil-dev | grep -q ii || { echo "ERROR: libavutil-dev not installed"; exit 1; }
echo " Header: $(find /usr/include -name 'avutil.h' | head -1)"
echo " Library: $(find /usr/lib -name 'libavutil.so*' | head -1)"
echo ""
echo "=== Compiler ==="
gcc --version | head -1
echo ""
echo "Environment OK"

- name: Build AFL fuzz harness
shell: bash
run: |
cd fuzz
export CC=afl-clang-fast
$CC -g -O1 -fno-omit-frame-pointer -I../include -c fuzz_config_reader.c -o fuzz_config_reader.o
$CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/config_reader.c -o config_reader.o
$CC -g -O1 -fno-omit-frame-pointer -I../include -c ../src/util/logger.c -o logger.o
$CC -o fuzz_config_reader fuzz_config_reader.o config_reader.o logger.o -lavutil -lm
echo "Build successful: $(file fuzz_config_reader)"

- name: Run AFL fuzzer
shell: bash
env:
MAX_SECONDS: ${{ inputs.max-seconds }}
run: |
cd fuzz
if ! [[ "$MAX_SECONDS" =~ ^[0-9]+$ ]]; then
echo "ERROR: max-seconds must be a positive integer"
exit 1
fi
mkdir -p findings
export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
export AFL_SKIP_CPUFREQ=1
timeout "$MAX_SECONDS" afl-fuzz -i corpus/ -o findings/ -V "$MAX_SECONDS" -- ./fuzz_config_reader @@ || true

- name: Check AFL crashes
shell: bash
run: |
cd fuzz
CRASH_COUNT=$(find findings/default/crashes -type f ! -name "README.txt" 2>/dev/null | wc -l)
echo "Crashes found: $CRASH_COUNT"
if [ "$CRASH_COUNT" -gt 0 ]; then
echo "::error::AFL found $CRASH_COUNT crash(es)!"
ls -la findings/default/crashes/
exit 1
fi
echo "No crashes found - fuzzing passed."

- name: Sanitize AFL filenames
if: always()
shell: bash
run: |
cd fuzz/findings
find . -name '*:*' | while read -r f; do
mv "$f" "$(echo "$f" | tr ':' '_')"
done
192 changes: 192 additions & 0 deletions .github/actions/analysis/coverity/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,192 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'Coverity Scan'
description: 'Install Coverity, run static analysis, and emit JSON + SARIF reports'

runs:
using: composite
steps:
- name: Detect Coverity credentials
id: coverity_secrets
shell: bash
env:
COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }}
run: |
set -euo pipefail
if [ -n "${COVERITY_TOKEN:-}" ]; then
echo "available=true" >> "$GITHUB_OUTPUT"
else
echo "available=false" >> "$GITHUB_OUTPUT"
echo "Coverity secrets are not available; skipping Coverity analysis."
fi

- name: Install Coverity
if: steps.coverity_secrets.outputs.available == 'true'
shell: bash
env:
COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }}
run: |
set -euo pipefail
echo "===== Coverity Setup ====="
COVERITY_DIR="$HOME/coverity"
COVERITY_TARBALL="/tmp/coverity.tar.gz"

if [ -x "$COVERITY_DIR/bin/cov-build" ]; then
echo " [OK] Coverity already installed at $COVERITY_DIR"
"$COVERITY_DIR/bin/cov-build" --ident | head -1 || true
exit 0
fi

rm -f "$COVERITY_TARBALL"
mkdir -p "$COVERITY_DIR"

echo " Downloading Coverity from scan.coverity.com..."
wget -q --post-data "token=${COVERITY_TOKEN}&project=OpenVisualCloud%2Fdirectview-led-software-toolkit" \
-O "$COVERITY_TARBALL" "https://scan.coverity.com/download/linux64"

if [ ! -s "$COVERITY_TARBALL" ]; then
echo "ERROR: Coverity download failed."
exit 1
fi

tar xzf "$COVERITY_TARBALL" --strip-components=1 -C "$COVERITY_DIR"
rm -f "$COVERITY_TARBALL"

if [ ! -x "$COVERITY_DIR/bin/cov-build" ]; then
echo "ERROR: Coverity install incomplete (missing cov-build)."
exit 1
fi

echo " [OK] Downloaded from scan.coverity.com"
"$COVERITY_DIR/bin/cov-build" --ident | head -1 || true

- name: Run Coverity analysis
if: steps.coverity_secrets.outputs.available == 'true'
shell: bash
env:
COVERITY_TOKEN: ${{ env.COVERITY_TOKEN }}
run: |
set -euo pipefail
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/local/lib/x86_64-linux-gnu/pkgconfig:${PKG_CONFIG_PATH:-}
if ! pkg-config --exists mtl 2>/dev/null; then
MTL_PC=$(find /usr /home /opt -name "mtl.pc" 2>/dev/null | head -1)
if [ -z "$MTL_PC" ]; then
echo "ERROR: MTL pkg-config file not found."
exit 1
fi
MTL_PC_DIR=$(dirname "$MTL_PC")
echo "Found MTL pkgconfig at: $MTL_PC_DIR"
export PKG_CONFIG_PATH="${MTL_PC_DIR}:${PKG_CONFIG_PATH}"
fi

REPORT_DIR="$GITHUB_WORKSPACE/reports"
mkdir -p "$REPORT_DIR"

$HOME/coverity/bin/cov-configure --compiler cc --comptype gcc --template
rm -rf build cov-int
meson setup build
$HOME/coverity/bin/cov-build --dir cov-int ninja -C build

echo "===== Submitting build to scan.coverity.com ====="
tail cov-int/build-log.txt
tar czf /tmp/cov-int.tar.gz cov-int/
ls -lh /tmp/cov-int.tar.gz

curl --form "token=${COVERITY_TOKEN}" \
--form "email=karthik.d.m@intel.com" \
--form "file=@/tmp/cov-int.tar.gz" \
--form "version=$(git rev-parse --short HEAD 2>/dev/null || echo unknown)" \
--form "description=CI build from branch ${GITHUB_REF_NAME:-unknown}" \
"https://scan.coverity.com/builds?project=OpenVisualCloud%2Fdirectview-led-software-toolkit"

rm -f /tmp/cov-int.tar.gz
echo '{"issues":[]}' > "$REPORT_DIR/coverity-report.json"
echo " Results will be available at: https://scan.coverity.com/projects/openvisualcloud-directview-led-software-toolkit"

- name: Convert Coverity JSON to SARIF
if: steps.coverity_secrets.outputs.available == 'true'
shell: bash
run: |
REPORT_DIR="$GITHUB_WORKSPACE/reports"
python3 - <<'EOF'
import json, sys

sarif = {
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [{
"tool": {
"driver": {
"name": "Coverity",
"informationUri": "https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html",
"rules": []
}
},
"results": []
}]
}

try:
with open("reports/coverity-report.json") as f:
cov = json.load(f)
except (FileNotFoundError, json.JSONDecodeError):
with open("reports/coverity-results.sarif", "w") as f:
json.dump(sarif, f, indent=2)
sys.exit(0)

rules_map = {}
results = []

for issue in cov.get("issues", []):
checker = issue.get("checkerName", "unknown")
if checker not in rules_map:
rule_idx = len(rules_map)
rules_map[checker] = rule_idx
sarif["runs"][0]["tool"]["driver"]["rules"].append({
"id": checker,
"shortDescription": {"text": issue.get("checkerProperties", {}).get("subcategoryShortDescription", checker)},
"helpUri": f"https://community.synopsys.com/s/article/{checker}"
})

events = issue.get("events", [])
main_event = events[0] if events else {}
file_path = main_event.get("strippedFilePathname", main_event.get("filePathname", "unknown"))
line = main_event.get("lineNumber", 1)

results.append({
"ruleId": checker,
"ruleIndex": rules_map[checker],
"level": "warning",
"message": {"text": issue.get("checkerProperties", {}).get("subcategoryLongDescription", checker)},
"locations": [{
"physicalLocation": {
"artifactLocation": {"uri": file_path, "uriBaseId": "%SRCROOT%"},
"region": {"startLine": line}
}
}]
})

sarif["runs"][0]["results"] = results

with open("reports/coverity-results.sarif", "w") as f:
json.dump(sarif, f, indent=2)

print(f"Converted {len(results)} Coverity issues to SARIF")
EOF

- name: Write empty SARIF when Coverity is skipped
if: steps.coverity_secrets.outputs.available != 'true'
shell: bash
run: |
mkdir -p "$GITHUB_WORKSPACE/reports"
cat > "$GITHUB_WORKSPACE/reports/coverity-results.sarif" <<'EOF'
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": []
}
EOF

78 changes: 78 additions & 0 deletions .github/actions/analysis/libfuzzer/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
#
# BSD 3-Clause License
# Copyright (C) 2026 Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
#
name: 'libFuzzer'
description: 'Build and run libFuzzer with ASan and UBSan for config parser harness'

inputs:
max-seconds:
description: 'Maximum libFuzzer run time in seconds per sanitizer mode'
required: false
default: '300'

runs:
using: composite
steps:
- name: Install libFuzzer dependencies
shell: bash
run: |
sudo apt-get update -qq
sudo apt-get install -y -qq clang libavutil-dev libavformat-dev libavcodec-dev libswscale-dev pkg-config

- name: Build and run libFuzzer (ASan)
shell: bash
env:
MAX_SECONDS: ${{ inputs.max-seconds }}
run: |
if ! [[ "$MAX_SECONDS" =~ ^[0-9]+$ ]]; then
echo "ERROR: max-seconds must be a positive integer"
exit 1
fi
cd fuzz
export CC=clang
$CC -fsanitize=fuzzer,address -g -O1 -fno-omit-frame-pointer -I../include \
fuzz_config_reader_libfuzzer.c \
../src/util/config_reader.c \
../src/util/logger.c \
-o fuzz_config_reader_libfuzzer \
$(pkg-config --cflags --libs libavutil) -lm

mkdir -p libfuzzer_corpus
./fuzz_config_reader_libfuzzer \
libfuzzer_corpus/ corpus/ \
-max_total_time="$MAX_SECONDS" \
-print_final_stats=1 || FUZZ_EXIT=$?
if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then
echo "::error::libFuzzer found a crash (exit code $FUZZ_EXIT)!"
exit 1
fi

- name: Build and run libFuzzer (UBSan)
shell: bash
env:
MAX_SECONDS: ${{ inputs.max-seconds }}
run: |
if ! [[ "$MAX_SECONDS" =~ ^[0-9]+$ ]]; then
echo "ERROR: max-seconds must be a positive integer"
exit 1
fi
cd fuzz
export CC=clang
$CC -fsanitize=fuzzer,undefined -g -O1 -fno-omit-frame-pointer -I../include \
fuzz_config_reader_libfuzzer.c \
../src/util/config_reader.c \
../src/util/logger.c \
-o fuzz_config_reader_ubsan \
$(pkg-config --cflags --libs libavutil) -lm

mkdir -p ubsan_corpus
./fuzz_config_reader_ubsan \
ubsan_corpus/ corpus/ \
-max_total_time="$MAX_SECONDS" \
-print_final_stats=1 || FUZZ_EXIT=$?
if [ "${FUZZ_EXIT:-0}" -ne 0 ]; then
echo "::error::libFuzzer+UBSan found an issue (exit code $FUZZ_EXIT)!"
exit 1
fi
2 changes: 1 addition & 1 deletion .github/actions/environment-check/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ inputs:
mtl-version:
description: 'MTL release tag to build'
required: false
default: 'v26.01'
default: 'ffmpeg-plugin-extra-pixel-format'
ffmpeg-version:
description: 'FFmpeg release branch to build'
required: false
Expand Down
Loading
Loading