2021-05-30 06:58:51 +02:00
|
|
|
---
|
|
|
|
|
# This Gitlab-CI pipeline offers basic validation that a commit did not
|
|
|
|
|
# introduce easily detectable regressions. Builds run primairly on a new Fedora,
|
|
|
|
|
# which has all the latest upstream build dependencies and thus is the primary
|
|
|
|
|
# testing target, as eventually everything in Fedora becomes the next CentOS and
|
|
|
|
|
# Red Hat releases.
|
|
|
|
|
#
|
|
|
|
|
# In addition test building on CentOS 7 and 8 to ensure that the code base
|
|
|
|
|
# remains reasonably backwards compatible.
|
|
|
|
|
#
|
|
|
|
|
# This is now intentionally simple, to keep it fast and accurate with minimal
|
|
|
|
|
# false positive failures. If one wants to extend it, see debian/salsa-ci.yml
|
|
|
|
|
# for inspiration on more integration tests to run.
|
|
|
|
|
#
|
|
|
|
|
# Also make sure the pipeline stays within the bounds of what CI workers on
|
|
|
|
|
# Gitlab-CI are capable of executing, thus ensuring that any potential
|
|
|
|
|
# contributor can at any point in time fork to their own Gitlab account and
|
|
|
|
|
# start working towards meaningful contributions!
|
|
|
|
|
#
|
|
|
|
|
# NOTE TO MERGERS: Most of the contents in the Gitlab-CI configuration has been
|
|
|
|
|
# tailored for a specific release or MariaDB. As a general rule, do not merge
|
|
|
|
|
# changes in this file across MariaDB branches to avoid breaking the CI. Updates
|
|
|
|
|
# the Gitlab-CI pipeline are most of the time better done manually per major
|
|
|
|
|
# release branch.
|
|
|
|
|
|
|
|
|
|
stages:
|
|
|
|
|
- build
|
|
|
|
|
- test
|
|
|
|
|
- Salsa-CI
|
2023-03-18 02:03:14 +01:00
|
|
|
- sast
|
2021-05-30 06:58:51 +02:00
|
|
|
|
2022-11-11 23:21:56 +01:00
|
|
|
default:
|
|
|
|
|
# Base image for builds and tests unless otherwise defined
|
|
|
|
|
image: fedora:latest
|
|
|
|
|
# Extend build jobs to have longer timeout as the default GitLab
|
|
|
|
|
# timeout (1h) is often not enough
|
|
|
|
|
timeout: 3h
|
2021-05-30 06:58:51 +02:00
|
|
|
|
|
|
|
|
# Define common CMAKE_FLAGS for all builds. Skim down build by omitting all
|
|
|
|
|
# submodules (a commit in this repo does not affect their builds anyway) and
|
|
|
|
|
# many components that are otherwise slow to build.
|
|
|
|
|
variables:
|
2023-04-04 02:21:28 +02:00
|
|
|
CMAKE_FLAGS: "-DWITH_SSL=system -DPLUGIN_COLUMNSTORE=NO -DPLUGIN_ROCKSDB=NO -DPLUGIN_S3=NO -DPLUGIN_MROONGA=NO -DPLUGIN_CONNECT=NO -DPLUGIN_TOKUDB=NO -DWITH_WSREP=OFF"
|
2021-08-05 06:13:04 +02:00
|
|
|
# Major version dictates which branches share the same ccache. E.g. 10.6-abc
|
|
|
|
|
# and 10.6-xyz will have the same cache.
|
2023-06-08 13:09:21 +02:00
|
|
|
MARIADB_MAJOR_VERSION: "11.1"
|
2024-06-03 21:43:21 +02:00
|
|
|
# NOTE! Currently ccache is only used on the Centos 9 build. As each job has
|
2021-08-05 06:13:04 +02:00
|
|
|
# sufficiently different environments they are unable to benefit from each
|
|
|
|
|
# other's ccaches. As each build generates about 1 GB of ccache, having
|
|
|
|
|
# multiple caches would quickly consume all free storage on Gitlab-CI and
|
|
|
|
|
# grind all builds to a halt. Also the network overhead of download/upload
|
|
|
|
|
# decreases the benefit of ccache in Gitlab-CI, and current cache:when and
|
|
|
|
|
# cache:policy are not flexible enough to have a system where the cache is
|
|
|
|
|
# uploaded only once a week and not on every build. Having ccache on at least
|
|
|
|
|
# one build still helps ensure that ccache compatibility is at least tested
|
2024-06-03 21:43:21 +02:00
|
|
|
# and if the Centos 9 build is always significantly faster than all other
|
2021-08-05 06:13:04 +02:00
|
|
|
# builds (e.g. on self-hosted Gitlab instances) then users would at least be
|
|
|
|
|
# able to discover it.
|
|
|
|
|
#
|
2021-05-30 06:58:51 +02:00
|
|
|
# Most steps don't need the source code, only artifacts
|
|
|
|
|
GIT_STRATEGY: none
|
|
|
|
|
# Hack to satisfy directory name length requirement by CPackRPM in CMake 3.x
|
|
|
|
|
# https://cmake.org/cmake/help/v3.7/module/CPackRPM.html#variable:CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX
|
|
|
|
|
GIT_CLONE_PATH: $CI_BUILDS_DIR/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT
|
|
|
|
|
|
|
|
|
|
# Define once, use many times
|
|
|
|
|
.rpm_listfiles: &rpm_listfiles
|
|
|
|
|
- |
|
|
|
|
|
echo "Generating rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log ..."
|
|
|
|
|
for package in *.rpm
|
|
|
|
|
do
|
|
|
|
|
echo "$package"
|
|
|
|
|
rpm -qlpv "$package" | awk '{print $1 " " $3 "/" $4 " ." $9 " " $10 " " $11}' | sort -k 3
|
|
|
|
|
echo "------------------------------------------------"
|
2022-12-09 01:26:20 +01:00
|
|
|
done >> "../rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log"
|
2021-05-30 06:58:51 +02:00
|
|
|
# CPackRPM lists contents in build log, so no need to show the output of this,
|
|
|
|
|
# just store it as a build artifact that can be downloaded and diffed against
|
|
|
|
|
# other builds to detect which files where added/removed/moved
|
|
|
|
|
|
|
|
|
|
fedora:
|
|
|
|
|
stage: build
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
2021-08-05 06:13:04 +02:00
|
|
|
- yum install -y yum-utils rpm-build openssl-devel graphviz
|
2021-05-30 06:58:51 +02:00
|
|
|
# Accelerate builds with unsafe disk access, as we can afford to loose the entire build anyway
|
|
|
|
|
- yum install -y https://github.com/stewartsmith/libeatmydata/releases/download/v129/libeatmydata-129-1.fc33.x86_64.rpm
|
|
|
|
|
# This repository does not have any .spec files, so install dependencies based on Fedora spec file
|
|
|
|
|
- yum-builddep -y mariadb-server
|
|
|
|
|
- mkdir builddir; cd builddir
|
|
|
|
|
- cmake -DRPM=$CI_JOB_NAME $CMAKE_FLAGS .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
2021-08-05 06:13:04 +02:00
|
|
|
- cmake --graphviz=../dependencies.dot .. && dot -Tpng -o ../dependencies.png ../dependencies.dot
|
|
|
|
|
- eatmydata make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
# @TODO: Don't use -j without the limit of 2 on Gitlab.com as builds just
|
|
|
|
|
# get stuck when running multi-proc and out of memory, see https://jira.mariadb.org/browse/MDEV-25968
|
|
|
|
|
- make test
|
|
|
|
|
# - make test-force # mysql-test-runner takes too long, run MTR in a separate job instead
|
2021-05-30 06:58:51 +02:00
|
|
|
- *rpm_listfiles
|
|
|
|
|
- mkdir ../rpm; mv *.rpm ../rpm
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Must be able to see logs
|
|
|
|
|
paths:
|
|
|
|
|
- build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpm
|
|
|
|
|
- builddir/_CPack_Packages/Linux/RPM/SPECS/
|
2021-08-05 06:13:04 +02:00
|
|
|
- dependencies.dot
|
|
|
|
|
- dependencies.png
|
|
|
|
|
|
|
|
|
|
fedora-ninja:
|
|
|
|
|
stage: build
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
|
|
|
|
- yum install -y yum-utils rpm-build openssl-devel graphviz ninja-build
|
|
|
|
|
# Accelerate builds with unsafe disk access, as we can afford to loose the entire build anyway
|
|
|
|
|
- yum install -y https://github.com/stewartsmith/libeatmydata/releases/download/v129/libeatmydata-129-1.fc33.x86_64.rpm
|
|
|
|
|
# This repository does not have any .spec files, so install dependencies based on Fedora spec file
|
|
|
|
|
- yum-builddep -y mariadb-server
|
|
|
|
|
- mkdir builddir; cd builddir
|
|
|
|
|
- cmake -DRPM=generic $CMAKE_FLAGS -DCMAKE_BUILD_WITH_INSTALL_RPATH=ON -G Ninja .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- ninja -t graph > ../dependencies.dot && dot -Tpng -o ../dependencies.png ../dependencies.dot
|
Fix Ninja builds on Gitlab-CI by limiting parallelism
In previous versions it was stated that MDEV-25968 was causing other
jobs in the pipeline to fail if not run with "-j 2" but this bug was not
affecting fedora-ninja. This is still true for the public gitlab runners.
However, running the fedora-ninja job on custom runners with more processors
without the "-j 2" flag will cause the compiler to crash.
When running the build with 2,4,8,16,32 threads, build times were
consistent indicating that the typical bottleneck is I/O and not CPU
cores. Therefore, "-j 2" is not a big drawback and it was chosen in
order to remain consistent with the other builds affected by MDEV-25968.
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
2022-05-27 20:30:24 +02:00
|
|
|
- eatmydata ninja package -j 2 --verbose 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
# @TODO: Unlike other builds, the Ninja builds using Gitlab.com runners don't get stuck, but they do get
|
|
|
|
|
# stuck on runners with more processors, see https://jira.mariadb.org/browse/MDEV-25968.
|
|
|
|
|
# Thus, use the same limitation on Ninja builds as well to ensure it never gets stuck due to this bug.
|
2021-08-05 06:13:04 +02:00
|
|
|
- ninja test
|
|
|
|
|
- *rpm_listfiles
|
|
|
|
|
- mkdir ../rpm; mv *.rpm ../rpm
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Must be able to see logs
|
2021-05-30 06:58:51 +02:00
|
|
|
paths:
|
2021-08-05 06:13:04 +02:00
|
|
|
- build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpm
|
|
|
|
|
- builddir/_CPack_Packages/Linux/RPM/SPECS/
|
|
|
|
|
- dependencies.dot
|
|
|
|
|
- dependencies.png
|
|
|
|
|
|
|
|
|
|
fedora-clang:
|
|
|
|
|
stage: build
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
|
|
|
|
- yum install -y yum-utils rpm-build openssl-devel graphviz clang
|
|
|
|
|
# Accelerate builds with unsafe disk access, as we can afford to loose the entire build anyway
|
|
|
|
|
- yum install -y https://github.com/stewartsmith/libeatmydata/releases/download/v129/libeatmydata-129-1.fc33.x86_64.rpm
|
|
|
|
|
# This repository does not have any .spec files, so install dependencies based on Fedora spec file
|
|
|
|
|
- yum-builddep -y mariadb-server
|
|
|
|
|
- mkdir builddir; cd builddir
|
|
|
|
|
- export CXX=${CXX:-clang++}
|
|
|
|
|
- export CC=${CC:-clang}
|
|
|
|
|
- export CXX_FOR_BUILD=${CXX_FOR_BUILD:-clang++}
|
|
|
|
|
- export CC_FOR_BUILD=${CC_FOR_BUILD:-clang}
|
|
|
|
|
- export CFLAGS='-Wno-unused-command-line-argument'
|
|
|
|
|
- export CXXFLAGS='-Wno-unused-command-line-argument'
|
|
|
|
|
- cmake -DRPM=generic $CMAKE_FLAGS .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- cmake --graphviz=../dependencies.dot .. && dot -Tpng -o ../dependencies.png ../dependencies.dot
|
|
|
|
|
- eatmydata make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
# @TODO: Don't use -j without the limit of 2 on Gitlab.com as builds just
|
|
|
|
|
# get stuck when running multi-proc and out of memory, see https://jira.mariadb.org/browse/MDEV-25968
|
|
|
|
|
- make test
|
|
|
|
|
# - make test-force # mysql-test-runner takes too long, run MTr in a separate job instead
|
|
|
|
|
- *rpm_listfiles
|
|
|
|
|
- mkdir ../rpm; mv *.rpm ../rpm
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Must be able to see logs
|
|
|
|
|
paths:
|
|
|
|
|
- build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpm
|
|
|
|
|
- builddir/_CPack_Packages/Linux/RPM/SPECS/
|
|
|
|
|
- dependencies.dot
|
|
|
|
|
- dependencies.png
|
2021-05-30 06:58:51 +02:00
|
|
|
|
2022-11-29 14:08:14 +01:00
|
|
|
fedora-sanitizer:
|
|
|
|
|
stage: build
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
|
|
|
|
- yum install -y yum-utils rpm-build openssl-devel clang
|
2022-12-09 01:26:20 +01:00
|
|
|
- yum install -y libasan libtsan libubsan
|
2022-11-29 14:08:14 +01:00
|
|
|
# This repository does not have any .spec files, so install dependencies based on Fedora spec file
|
|
|
|
|
- yum-builddep -y mariadb-server
|
|
|
|
|
- mkdir builddir; cd builddir
|
|
|
|
|
- export CXX=${CXX:-clang++}
|
|
|
|
|
- export CC=${CC:-clang}
|
|
|
|
|
- export CXX_FOR_BUILD=${CXX_FOR_BUILD:-clang++}
|
|
|
|
|
- export CC_FOR_BUILD=${CC_FOR_BUILD:-clang}
|
|
|
|
|
- export CFLAGS='-Wno-unused-command-line-argument'
|
|
|
|
|
- export CXXFLAGS='-Wno-unused-command-line-argument'
|
|
|
|
|
- cmake -DRPM=$CI_JOB_NAME $CMAKE_FLAGS $SANITIZER .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
# @TODO: the build will fail consistently at 24% when trying to make using eatmydata
|
|
|
|
|
- make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- *rpm_listfiles
|
|
|
|
|
- mkdir ../rpm; mv *.rpm ../rpm
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Must be able to see logs
|
|
|
|
|
paths:
|
|
|
|
|
- build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpm
|
|
|
|
|
- builddir/_CPack_Packages/Linux/RPM/SPECS/
|
|
|
|
|
parallel:
|
|
|
|
|
matrix:
|
2023-03-18 01:19:08 +01:00
|
|
|
- SANITIZER: [-DWITH_ASAN=YES, -DWITH_TSAN=YES, -DWITH_UBSAN=YES]
|
2022-11-29 14:08:14 +01:00
|
|
|
|
2024-06-03 21:43:21 +02:00
|
|
|
centos9:
|
2021-05-30 06:58:51 +02:00
|
|
|
stage: build
|
2024-06-03 21:43:21 +02:00
|
|
|
image: quay.io/centos/centos:stream9 # CentOS 9 is deprecated, use this Stream9 instead
|
2021-05-30 06:58:51 +02:00
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
2024-06-03 21:43:21 +02:00
|
|
|
- yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
|
|
|
|
|
- yum install -y yum-utils rpm-build openssl-devel libeatmydata ccache
|
|
|
|
|
# Install missing dependencies
|
|
|
|
|
- yum install -y https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/Judy-devel-1.0.5-28.el9.x86_64.rpm
|
|
|
|
|
- yum install -y https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/bison-devel-3.7.4-5.el9.x86_64.rpm
|
|
|
|
|
- yum install -y https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/multilib-rpm-config-1-19.el9.noarch.rpm
|
|
|
|
|
# Configure ccache
|
2021-05-30 06:58:51 +02:00
|
|
|
- source /etc/profile.d/ccache.sh
|
2021-08-05 06:13:04 +02:00
|
|
|
- export CCACHE_DIR="$(pwd)/.ccache"; ccache --zero-stats
|
2021-05-30 06:58:51 +02:00
|
|
|
# This repository does not have any .spec files, so install dependencies based on CentOS spec file
|
|
|
|
|
- yum-builddep -y mariadb-server
|
|
|
|
|
- mkdir builddir; cd builddir
|
|
|
|
|
- cmake -DRPM=$CI_JOB_NAME $CMAKE_FLAGS .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
2021-08-05 06:13:04 +02:00
|
|
|
- eatmydata make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
# @TODO: Don't use -j without the limit of 2 on Gitlab.com as builds just
|
|
|
|
|
# get stuck when running multi-proc and out of memory, see https://jira.mariadb.org/browse/MDEV-25968
|
|
|
|
|
- make test
|
|
|
|
|
# - make test-force # mysql-test-runner takes too long, run it MTR a separate job instead
|
2021-05-30 06:58:51 +02:00
|
|
|
- *rpm_listfiles
|
|
|
|
|
- mkdir ../rpm; mv *.rpm ../rpm
|
|
|
|
|
- ccache -s
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Must be able to see logs
|
|
|
|
|
paths:
|
|
|
|
|
- build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpm
|
|
|
|
|
- builddir/_CPack_Packages/Linux/RPM/SPECS/
|
|
|
|
|
cache:
|
2021-08-05 06:13:04 +02:00
|
|
|
key: $MARIADB_MAJOR_VERSION
|
2021-05-30 06:58:51 +02:00
|
|
|
paths:
|
|
|
|
|
- .ccache
|
|
|
|
|
|
|
|
|
|
centos7:
|
|
|
|
|
stage: build
|
|
|
|
|
image: centos:7
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
|
|
|
|
# This repository does not have any .spec files, so install dependencies based on Fedora spec file
|
|
|
|
|
- yum-builddep -y mariadb-server
|
|
|
|
|
# ..with a few extra ones, as CentOS 7 is very old and these are added in newer MariaDB releases
|
2022-03-03 04:46:07 +01:00
|
|
|
- yum install -y yum-utils rpm-build gcc gcc-c++ bison libxml2-devel libevent-devel openssl-devel pcre2-devel
|
2021-05-30 06:58:51 +02:00
|
|
|
- mkdir builddir; cd builddir
|
|
|
|
|
- cmake -DRPM=$CI_JOB_NAME $CMAKE_FLAGS .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
2021-08-05 06:13:04 +02:00
|
|
|
- make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
# @TODO: Don't use -j without the limit of 2 on Gitlab.com as builds just
|
|
|
|
|
# get stuck when running multi-proc and out of memory, see https://jira.mariadb.org/browse/MDEV-25968
|
|
|
|
|
- make test
|
|
|
|
|
# - make test-force # mysql-test-runner takes too long, run it in a separate job instead
|
2021-05-30 06:58:51 +02:00
|
|
|
- *rpm_listfiles
|
|
|
|
|
- mkdir ../rpm; mv *.rpm ../rpm
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Must be able to see logs
|
|
|
|
|
paths:
|
|
|
|
|
- build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
- rpm
|
|
|
|
|
- builddir/_CPack_Packages/Linux/RPM/SPECS/
|
|
|
|
|
|
2024-04-25 19:46:33 +02:00
|
|
|
.mysql-test-run: &mysql-test-run-def |
|
2021-05-30 06:58:51 +02:00
|
|
|
# Install packages so tests and the dependencies install
|
2021-08-05 06:13:04 +02:00
|
|
|
# @TODO: RPM missing 'patch' and 'diff' as dependency, so installing it manually for now
|
2024-04-25 19:46:33 +02:00
|
|
|
yum install -y rpm/*.rpm patch diffutils
|
2021-05-30 06:58:51 +02:00
|
|
|
# mtr expects to be launched in-place and with write access to it's own directories
|
2024-04-25 19:46:33 +02:00
|
|
|
cd /usr/share/mariadb-test
|
2021-08-05 06:13:04 +02:00
|
|
|
# Skip failing tests
|
2024-04-25 19:46:33 +02:00
|
|
|
echo "
|
2021-08-05 06:13:04 +02:00
|
|
|
main.mysqldump : Field separator argument is not what is expected; check the manual when executing 'SELECT INTO OUTFILE'
|
|
|
|
|
main.flush_logs_not_windows : query 'flush logs' succeeded - should have failed with error ER_CANT_CREATE_FILE (1004)
|
|
|
|
|
main.mysql_upgrade_noengine : upgrade output order does not match the expected
|
2023-03-18 01:19:08 +01:00
|
|
|
main.func_math : MDEV-20966 - Wrong error code
|
2024-04-25 19:46:33 +02:00
|
|
|
" > skiplist
|
|
|
|
|
$SIMULATE_TIME ./mtr --suite=main --force --parallel=auto --xml-report=$CI_PROJECT_DIR/junit.xml --skip-test-list=skiplist $MTR_FLAGS
|
2022-11-29 14:08:14 +01:00
|
|
|
|
|
|
|
|
mysql-test-run:
|
|
|
|
|
stage: test
|
|
|
|
|
dependencies:
|
|
|
|
|
- fedora
|
2022-12-09 01:26:20 +01:00
|
|
|
needs:
|
|
|
|
|
- fedora
|
2024-04-25 19:46:33 +02:00
|
|
|
script:
|
|
|
|
|
- *mysql-test-run-def
|
2022-11-29 14:08:14 +01:00
|
|
|
artifacts:
|
|
|
|
|
when: always # Also show results when tests fail
|
|
|
|
|
reports:
|
|
|
|
|
junit:
|
|
|
|
|
- junit.xml
|
|
|
|
|
|
|
|
|
|
# Duplicate of the above jobs, except we use sanitizer build jobs as a dependency. This is so we can keep
|
|
|
|
|
# sanitizer errors separate from functional test failures. Currently, there is no way to run the same
|
|
|
|
|
# job for different dependencies.
|
|
|
|
|
#
|
|
|
|
|
# Additionally, for each sanitizer MTR job, we enable --force-restart so that
|
|
|
|
|
# sanitizer errors can be traced to individual tests. The difference in test
|
|
|
|
|
# suite runtime as a result of this flag is negligable (~30s for the entire test suite).
|
|
|
|
|
# (see https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_MYSQL_TEST_RUN_PL.html)
|
|
|
|
|
mysql-test-run-asan:
|
|
|
|
|
stage: test
|
|
|
|
|
variables:
|
2024-04-25 19:46:33 +02:00
|
|
|
MTR_FLAGS: "--force-restart"
|
2022-11-29 14:08:14 +01:00
|
|
|
dependencies:
|
|
|
|
|
- "fedora-sanitizer: [-DWITH_ASAN=YES]"
|
2022-12-09 01:26:20 +01:00
|
|
|
needs:
|
|
|
|
|
- "fedora-sanitizer: [-DWITH_ASAN=YES]"
|
2024-04-25 19:46:33 +02:00
|
|
|
script:
|
|
|
|
|
- *mysql-test-run-def
|
2023-02-08 20:49:47 +01:00
|
|
|
allow_failure: true
|
2022-11-29 14:08:14 +01:00
|
|
|
artifacts:
|
|
|
|
|
when: always # Also show results when tests fail
|
|
|
|
|
reports:
|
|
|
|
|
junit:
|
|
|
|
|
- junit.xml
|
|
|
|
|
|
|
|
|
|
mysql-test-run-tsan:
|
|
|
|
|
stage: test
|
|
|
|
|
variables:
|
2024-04-25 19:46:33 +02:00
|
|
|
MTR_FLAGS: "--force-restart"
|
2022-11-29 14:08:14 +01:00
|
|
|
dependencies:
|
|
|
|
|
- "fedora-sanitizer: [-DWITH_TSAN=YES]"
|
2022-12-09 01:26:20 +01:00
|
|
|
needs:
|
|
|
|
|
- "fedora-sanitizer: [-DWITH_TSAN=YES]"
|
2024-04-25 19:46:33 +02:00
|
|
|
script:
|
|
|
|
|
- *mysql-test-run-def
|
2022-11-29 14:08:14 +01:00
|
|
|
allow_failure: true
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Also show results when tests fail
|
|
|
|
|
reports:
|
|
|
|
|
junit:
|
|
|
|
|
- junit.xml
|
|
|
|
|
|
|
|
|
|
mysql-test-run-ubsan:
|
|
|
|
|
stage: test
|
|
|
|
|
variables:
|
2024-04-25 19:46:33 +02:00
|
|
|
MTR_FLAGS: "--force-restart"
|
2022-11-29 14:08:14 +01:00
|
|
|
dependencies:
|
|
|
|
|
- "fedora-sanitizer: [-DWITH_UBSAN=YES]"
|
2022-12-09 01:26:20 +01:00
|
|
|
needs:
|
|
|
|
|
- "fedora-sanitizer: [-DWITH_UBSAN=YES]"
|
2024-04-25 19:46:33 +02:00
|
|
|
script:
|
|
|
|
|
- *mysql-test-run-def
|
2022-11-29 14:08:14 +01:00
|
|
|
allow_failure: true
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Also show results when tests fail
|
|
|
|
|
reports:
|
|
|
|
|
junit:
|
|
|
|
|
- junit.xml
|
|
|
|
|
|
2024-04-25 19:46:33 +02:00
|
|
|
mysql-test-run-future:
|
|
|
|
|
stage: test
|
|
|
|
|
variables:
|
|
|
|
|
MTR_FLAGS: "--max-test-fail=0"
|
|
|
|
|
dependencies:
|
|
|
|
|
- fedora
|
|
|
|
|
needs:
|
|
|
|
|
- fedora
|
|
|
|
|
script:
|
|
|
|
|
- yum install -y faketime
|
|
|
|
|
- *mysql-test-run-def
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Also show results when tests fail
|
|
|
|
|
reports:
|
|
|
|
|
junit:
|
|
|
|
|
- junit.xml
|
|
|
|
|
parallel:
|
|
|
|
|
matrix:
|
|
|
|
|
# The reason we test in two different future times is for the ability to separate between
|
|
|
|
|
# failures pertaining to general time expiry issues and failures specific to the 32-bit time/Y2038 problem
|
|
|
|
|
- SIMULATE_TIME: ["faketime 2038-01-20", "faketime 2038-01-18"]
|
|
|
|
|
|
2021-05-30 06:58:51 +02:00
|
|
|
rpmlint:
|
|
|
|
|
stage: test
|
|
|
|
|
dependencies:
|
|
|
|
|
- fedora
|
2022-12-09 01:26:20 +01:00
|
|
|
needs:
|
|
|
|
|
- fedora
|
2021-05-30 06:58:51 +02:00
|
|
|
script:
|
|
|
|
|
- yum install -y rpmlint
|
|
|
|
|
- rm -f rpm/*debuginfo* # Not relevant in this test
|
|
|
|
|
# Limit output to 1000 lines as Gitlab-CI max output is 4194304 bytes
|
|
|
|
|
# Save everything in a log file so it can be viewed in full via artifacts
|
|
|
|
|
- rpmlint --info rpm/*.rpm | tee -a rpmlint-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always # Also show results when tests fail
|
|
|
|
|
paths:
|
|
|
|
|
- rpmlint-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log
|
|
|
|
|
allow_failure: true
|
|
|
|
|
# @TODO: The package is not rpmlint clean, must allow failure for now
|
|
|
|
|
|
|
|
|
|
fedora install:
|
|
|
|
|
stage: test
|
|
|
|
|
dependencies:
|
|
|
|
|
- fedora
|
2022-12-09 01:26:20 +01:00
|
|
|
needs:
|
|
|
|
|
- fedora
|
2021-05-30 06:58:51 +02:00
|
|
|
script:
|
|
|
|
|
- rm -f rpm/*debuginfo* # Not relevant in this test
|
|
|
|
|
# Nothing provides galera-4 on Fedora, so this step fails if built with wsrep
|
|
|
|
|
- yum install -y rpm/*.rpm
|
|
|
|
|
# Fedora does not support running services in Docker (like Debian packages do) so start it manually
|
|
|
|
|
- /usr/bin/mariadb-install-db -u mysql
|
|
|
|
|
- sudo -u mysql /usr/sbin/mariadbd & sleep 10
|
2021-08-05 06:13:04 +02:00
|
|
|
# Dump database contents as is before upgrade
|
|
|
|
|
- mariadb-dump --all-databases --all-tablespaces --triggers --routines --events --skip-extended-insert > installed-database.sql
|
|
|
|
|
# Since we did a manual start, we also need to run upgrade manually
|
|
|
|
|
- /usr/bin/mariadb-upgrade -u root
|
|
|
|
|
# Dump database contents as is after upgrade
|
|
|
|
|
- mariadb-dump --all-databases --all-tablespaces --triggers --routines --events --skip-extended-insert > upgraded-database.sql
|
2021-05-30 06:58:51 +02:00
|
|
|
- |
|
2021-08-05 06:13:04 +02:00
|
|
|
mariadb --skip-column-names -e "SELECT @@version, @@version_comment" | tee /tmp/version
|
|
|
|
|
grep $MARIADB_MAJOR_VERSION /tmp/version || echo "MariaDB didn't install properly"
|
|
|
|
|
- mariadb --table -e "SELECT * FROM mysql.global_priv; SHOW CREATE USER root@localhost; SHOW CREATE USER 'mariadb.sys'@localhost"
|
|
|
|
|
- mariadb --table -e "SELECT * FROM mysql.plugin; SHOW PLUGINS"
|
|
|
|
|
- mariadb -e "SHUTDOWN;"
|
|
|
|
|
- rm -rf /var/lib/mysql/* # Clear datadir before next run
|
|
|
|
|
# Start database without install-db step
|
|
|
|
|
- sudo -u mysql /usr/sbin/mariadbd --skip-network --skip-grant & sleep 10
|
|
|
|
|
# Dump database contents in initial state
|
|
|
|
|
- mariadb-dump --all-databases --all-tablespaces --triggers --routines --events --skip-extended-insert > empty-database.sql
|
|
|
|
|
artifacts:
|
|
|
|
|
paths:
|
|
|
|
|
- installed-database.sql
|
|
|
|
|
- upgraded-database.sql
|
2021-05-30 06:58:51 +02:00
|
|
|
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
cppcheck:
|
|
|
|
|
allow_failure: true
|
2023-03-18 01:19:08 +01:00
|
|
|
stage: sast
|
|
|
|
|
needs: []
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
2021-05-30 06:58:51 +02:00
|
|
|
script:
|
2023-03-18 01:19:08 +01:00
|
|
|
- yum install -y cppcheck diffutils
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
# --template: output format
|
2023-03-18 01:19:08 +01:00
|
|
|
# --force: check large directories without warning
|
|
|
|
|
# -i<directory>: ignore this directory when scanning
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
# -I<directory>: include path, reduces false positives
|
|
|
|
|
# related to inability to resolve symbols
|
2023-03-18 01:19:08 +01:00
|
|
|
# -j: run multiple cppcheck threads
|
|
|
|
|
# Use newline to escape colon in yaml
|
|
|
|
|
- >
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
cppcheck --template="{file}:{line}\n{code}\n{severity}: {message}" --force --check-level=exhaustive
|
2023-03-18 01:19:08 +01:00
|
|
|
client dbug extra include libmariadb libmysqld libservices mysql-test mysys mysys_ssl pcre plugin
|
|
|
|
|
strings tests unittest vio wsrep-lib sql sql-common storage
|
|
|
|
|
-istorage/mroonga -istorage/tokudb -istorage/spider -istorage/rocksdb -iextra/ -ilibmariadb/ -istorage/columnstore
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
-Iinclude -Istorage/innobase/include
|
|
|
|
|
--output-file=initial-cppcheck_output.txt -j $(nproc)
|
|
|
|
|
# when including {code} in the cppcheck template, some more pre-processing needs to be done
|
|
|
|
|
#
|
|
|
|
|
# sample cppcheck finding: <file>:<line>
|
|
|
|
|
# foo.bar()
|
|
|
|
|
# ^
|
|
|
|
|
# <severity>: <message>
|
|
|
|
|
#
|
|
|
|
|
# 1. remove all lines with "^"
|
|
|
|
|
# 2. merge every 3 lines into 1 so it can be sorted (example: <file> foo.bar() <severity>: <message>)
|
|
|
|
|
# 3. sort to match ignorelist since parallel jobs may output findings in an nondeterministic order
|
|
|
|
|
# 4. remove findings likely to be false positives (i.e, "unknown macros")
|
|
|
|
|
# 5. remove line numbers for diffing against ignorelist
|
|
|
|
|
- |
|
|
|
|
|
cat initial-cppcheck_output.txt | grep -v '\^$' > preprocessed-cppcheck_circumflex_removed.txt
|
|
|
|
|
cat preprocessed-cppcheck_circumflex_removed.txt | awk 'NR%3==1 {printf "%s", (NR==1) ? "" : "\n"; printf "%s", $0} NR%3!=1 {printf " %s", $0}' > preprocessed-cppcheck_oneline.txt
|
|
|
|
|
cat preprocessed-cppcheck_oneline.txt | sort > preprocessed-cppcheck_sorted.txt
|
|
|
|
|
cat preprocessed-cppcheck_sorted.txt | grep -v "There is an unknown macro here somewhere" > results-cppcheck_all_findings.txt
|
|
|
|
|
sed 's/:[0-9]\+//' results-cppcheck_all_findings.txt > preprocessed_final-cppcheck_no_line_nums.txt
|
2023-03-18 01:19:08 +01:00
|
|
|
# Only print new issues not found in ignore list
|
|
|
|
|
- echo "Problems found in ignore list that were not discovered by cppcheck (may have been fixed)."
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
- diff --changed-group-format='%>' --unchanged-group-format='' preprocessed_final-cppcheck_no_line_nums.txt tests/code_quality/cppcheck_ignorelist.txt || true
|
2023-03-18 01:19:08 +01:00
|
|
|
- echo "Problems found by cppcheck that were not in ignore list."
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
- diff --changed-group-format='%<' --unchanged-group-format='' preprocessed_final-cppcheck_no_line_nums.txt tests/code_quality/cppcheck_ignorelist.txt > results-cppcheck_new_findings.txt || true
|
|
|
|
|
- cat results-cppcheck_new_findings.txt && test ! -s results-cppcheck_new_findings.txt
|
2021-08-05 06:13:04 +02:00
|
|
|
artifacts:
|
2023-03-18 01:19:08 +01:00
|
|
|
when: always
|
2021-08-05 06:13:04 +02:00
|
|
|
paths:
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
# save all steps of pre-processing in-case it ever breaks
|
|
|
|
|
- initial-cppcheck_output.txt
|
|
|
|
|
- preprocessed-cppcheck_circumflex_removed.txt
|
|
|
|
|
- preprocessed-cppcheck_sorted.txt
|
|
|
|
|
- preprocessed_final-cppcheck_no_line_nums.txt
|
|
|
|
|
- results-cppcheck_all_findings.txt
|
|
|
|
|
- results-cppcheck_new_findings.txt
|
2021-05-30 06:58:51 +02:00
|
|
|
|
2023-03-18 01:19:08 +01:00
|
|
|
flawfinder:
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
allow_failure: true
|
2023-03-18 01:19:08 +01:00
|
|
|
stage: sast
|
|
|
|
|
needs: []
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
|
|
|
|
- yum install -y python3 python3-pip jq diffutils git
|
|
|
|
|
- pip install flawfinder
|
|
|
|
|
- flawfinder --falsepositive --quiet --html . > flawfinder-all-vulnerabilities.html
|
|
|
|
|
- cat flawfinder-all-vulnerabilities.html | grep "Hits ="
|
|
|
|
|
- flawfinder --falsepositive --quiet --minlevel=5 --sarif . > flawfinder-output.json
|
|
|
|
|
# FlawFinder's --sarif output will display all vulnerabilities despite having --minlevel=5 specified.
|
|
|
|
|
# Therefore, we postprocess the results with jq and filter out findings where the vulnerability level is less than 5.
|
|
|
|
|
# Also in the SARIF output format, the vulnerabilities are ranked as 0.2/0.4/0.6/0.8/1.0 which correspond to the --minlevel=1/2/3/4/5 of FlawFinder.
|
|
|
|
|
# Additionally, we sort the results because individual findings are consistent across different runs, but their ordering may not be.
|
|
|
|
|
# Vulnerabilities can also be ignored in-line (/* Flawfinder: ignore */), but this option was chosen as to not clutter the codebase.
|
|
|
|
|
- jq 'del(.runs[] | .tool | .driver | .rules) | del(.runs[] | .results[] | select(.rank < 1)) | del(.runs[] | .results[] | .locations[] | .physicalLocation | .region | .startLine) | .runs[0].results|=sort_by(.fingerprints)' flawfinder-output.json > flawfinder-min-level5.json
|
|
|
|
|
# Diff against known vulnerabilities, but ignore the line number.
|
|
|
|
|
- echo "Problems found in ignore list that were not discovered by flawfinder (may have been fixed)."
|
|
|
|
|
- diff --changed-group-format='%>' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json || true
|
|
|
|
|
- echo "Problems found by flawfinder that were not in ignore list."
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
- diff --changed-group-format='%<' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json > flawfinder_new_findings.txt || true
|
|
|
|
|
- cat flawfinder_new_findings.txt && test ! -s flawfinder_new_findings.txt
|
2023-03-18 01:19:08 +01:00
|
|
|
artifacts:
|
|
|
|
|
when: always
|
|
|
|
|
paths:
|
Refactor GitLab cppcheck and update SAST ignorelists
Line numbers had to be removed from the ignorelists in order to be
diffed against since locations of the same findings can differ
across runs. Therefore preprocessing has to be done on the CI findings
so that it can be compared to the ignorelist and new findings can be
outputted. However, since line numbers have to be removed, a situation
occurs where it is difficult to reference the location of findings
in code given the output of the CI job.
To lessen this pain, change the cppcheck template to include
code snippets which make it easier to reference where in the code
the finding is referring to, even in the absence of line numbers.
Ignorelisting works as before since locations of the finding may
change but not the code it is referring to.
Furthermore, due to the innate difficulty in maintaining ignorelists
across branches and triaging new findings, allow failure as to not
have constantly failing pipelines as a result of a new findings that
have not been addressed yet.
Lastly, update SAST ignorelists to match the newly refactored cppcheck
job and the current state of the codebase.
All new code of the whole pull request, including one or several
files that are either new files or modified ones, are contributed
under the BSD-new license. I am contributing on behalf of my
employer Amazon Web Services, Inc.
2024-05-11 02:37:05 +02:00
|
|
|
- flawfinder_new_findings.txt
|
2023-03-18 01:19:08 +01:00
|
|
|
- flawfinder-all-vulnerabilities.html
|
|
|
|
|
- flawfinder-min-level5.json
|
|
|
|
|
|
2021-10-11 21:53:11 +02:00
|
|
|
mini-benchmark:
|
|
|
|
|
stage: test
|
|
|
|
|
dependencies:
|
|
|
|
|
- fedora
|
2023-02-08 20:49:47 +01:00
|
|
|
needs:
|
|
|
|
|
- fedora
|
2021-10-11 21:53:11 +02:00
|
|
|
script:
|
|
|
|
|
- ls -la rpm; rm -vf rpm/*.el?.* # Delete artifacts from Centos builds
|
|
|
|
|
# Don't use cracklib, otherwise the Sysbench user password will be rejected
|
|
|
|
|
- rm -vf rpm/*cracklib*.rpm
|
|
|
|
|
# Nothing provides galera-4 on Fedora, so this step fails if built with wsrep
|
|
|
|
|
- yum install -y rpm/*.rpm
|
|
|
|
|
# Fedora does not support running services in Docker (like Debian packages do) so start it manually
|
|
|
|
|
- /usr/bin/mariadb-install-db -u mysql
|
|
|
|
|
- sudo -u mysql /usr/sbin/mariadbd & sleep 10
|
|
|
|
|
# Since we did a manual start, we also need to run upgrade manually
|
|
|
|
|
- /usr/bin/mariadb-upgrade -u root
|
|
|
|
|
- |
|
|
|
|
|
mariadb --skip-column-names -e "SELECT @@version, @@version_comment" | tee /tmp/version
|
|
|
|
|
grep $MARIADB_MAJOR_VERSION /tmp/version || echo "MariaDB didn't install properly"
|
2024-03-22 23:45:55 +01:00
|
|
|
- yum install -y sysbench procps-ng perf flamegraph flamegraph-stackcollapse-perf util-linux dnf-utils
|
2022-12-12 04:20:08 +01:00
|
|
|
- /usr/share/mariadb/mini-benchmark
|
2024-03-22 23:45:55 +01:00
|
|
|
- cp -av */sysbench-run-*.log */metrics.txt . # Move files one level down so they can be saved as artifacts
|
2021-10-11 21:53:11 +02:00
|
|
|
artifacts:
|
|
|
|
|
when: always
|
|
|
|
|
paths:
|
|
|
|
|
- sysbench-run-*.log
|
|
|
|
|
reports:
|
|
|
|
|
metrics:
|
|
|
|
|
- metrics.txt
|
|
|
|
|
|
2023-03-18 02:03:14 +01:00
|
|
|
cppcheck:
|
|
|
|
|
stage: sast
|
|
|
|
|
needs: []
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
|
|
|
|
- yum install -y cppcheck diffutils
|
|
|
|
|
# --template: use a single-line template
|
|
|
|
|
# --force: check large directories without warning
|
|
|
|
|
# -i<directory>: ignore this directory when scanning
|
|
|
|
|
# -j: run multiple cppcheck threads
|
|
|
|
|
# Use newline to escape colon in yaml
|
|
|
|
|
- >
|
|
|
|
|
cppcheck --template="{file}:{line}: {severity}: {message}" --force
|
|
|
|
|
client dbug extra include libmariadb libmysqld libservices mysql-test mysys mysys_ssl pcre plugin
|
|
|
|
|
strings tests unittest vio wsrep-lib sql sql-common storage
|
|
|
|
|
-istorage/mroonga -istorage/tokudb -istorage/spider -istorage/rocksdb -iextra/ -ilibmariadb/ -istorage/columnstore
|
|
|
|
|
--output-file=cppcheck.txt -j $(nproc)
|
|
|
|
|
# Parallel jobs may output findings in an nondeterministic order. Sort to match ignorelist.
|
|
|
|
|
- cat cppcheck.txt | sort > cppcheck_sorted.txt
|
|
|
|
|
# Remove line numbers for diff
|
|
|
|
|
- sed 's/:[^:]*:/:/' cppcheck_sorted.txt > cppcheck_sorted_no_line_numbers.txt
|
|
|
|
|
# Only print new issues not found in ignore list
|
|
|
|
|
- echo "Problems found in ignore list that were not discovered by cppcheck (may have been fixed)."
|
|
|
|
|
- diff --changed-group-format='%>' --unchanged-group-format='' cppcheck_sorted_no_line_numbers.txt tests/code_quality/cppcheck_ignorelist.txt || true
|
|
|
|
|
- echo "Problems found by cppcheck that were not in ignore list."
|
|
|
|
|
- diff --changed-group-format='%<' --unchanged-group-format='' cppcheck_sorted_no_line_numbers.txt tests/code_quality/cppcheck_ignorelist.txt > lines_not_ignored.txt || true
|
|
|
|
|
- cat lines_not_ignored.txt && test ! -s lines_not_ignored.txt
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always
|
|
|
|
|
paths:
|
|
|
|
|
- cppcheck_sorted.txt
|
|
|
|
|
|
|
|
|
|
flawfinder:
|
|
|
|
|
stage: sast
|
|
|
|
|
needs: []
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: fetch
|
|
|
|
|
GIT_SUBMODULE_STRATEGY: normal
|
|
|
|
|
script:
|
|
|
|
|
- yum install -y python3 python3-pip jq diffutils git
|
|
|
|
|
- pip install flawfinder
|
|
|
|
|
- flawfinder --falsepositive --quiet --html . > flawfinder-all-vulnerabilities.html
|
|
|
|
|
- cat flawfinder-all-vulnerabilities.html | grep "Hits ="
|
|
|
|
|
- flawfinder --falsepositive --quiet --minlevel=5 --sarif . > flawfinder-output.json
|
|
|
|
|
# FlawFinder's --sarif output will display all vulnerabilities despite having --minlevel=5 specified.
|
|
|
|
|
# Therefore, we postprocess the results with jq and filter out findings where the vulnerability level is less than 5.
|
|
|
|
|
# Also in the SARIF output format, the vulnerabilities are ranked as 0.2/0.4/0.6/0.8/1.0 which correspond to the --minlevel=1/2/3/4/5 of FlawFinder.
|
|
|
|
|
# Additionally, we sort the results because individual findings are consistent across different runs, but their ordering may not be.
|
|
|
|
|
# Vulnerabilities can also be ignored in-line (/* Flawfinder: ignore */), but this option was chosen as to not clutter the codebase.
|
|
|
|
|
- jq 'del(.runs[] | .tool | .driver | .rules) | del(.runs[] | .results[] | select(.rank < 1)) | del(.runs[] | .results[] | .locations[] | .physicalLocation | .region | .startLine) | .runs[0].results|=sort_by(.fingerprints)' flawfinder-output.json > flawfinder-min-level5.json
|
|
|
|
|
# Diff against known vulnerabilities, but ignore the line number.
|
|
|
|
|
- echo "Problems found in ignore list that were not discovered by flawfinder (may have been fixed)."
|
|
|
|
|
- diff --changed-group-format='%>' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json || true
|
|
|
|
|
- echo "Problems found by flawfinder that were not in ignore list."
|
|
|
|
|
- diff --changed-group-format='%<' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json > lines_not_ignored.txt || true
|
|
|
|
|
- cat lines_not_ignored.txt && test ! -s lines_not_ignored.txt
|
|
|
|
|
artifacts:
|
|
|
|
|
when: always
|
|
|
|
|
paths:
|
|
|
|
|
- flawfinder-all-vulnerabilities.html
|
|
|
|
|
- flawfinder-min-level5.json
|
|
|
|
|
|
2023-04-04 02:21:28 +02:00
|
|
|
fedora upgrade-from:
|
|
|
|
|
stage: test
|
|
|
|
|
image: fedora:latest
|
|
|
|
|
variables:
|
|
|
|
|
GIT_STRATEGY: pull
|
|
|
|
|
dependencies:
|
|
|
|
|
- fedora
|
|
|
|
|
needs:
|
|
|
|
|
- fedora
|
|
|
|
|
parallel:
|
|
|
|
|
matrix:
|
|
|
|
|
# Get latest versions of all major versions
|
|
|
|
|
- UPGRADE_PATH:
|
|
|
|
|
- "10.6>11.0"
|
|
|
|
|
- "10.3"
|
|
|
|
|
- "10.4"
|
|
|
|
|
- "10.4.8" # Test unexpected table rebuilds as in https://jira.mariadb.org/browse/MDEV-28727
|
|
|
|
|
- "10.5"
|
|
|
|
|
- "10.6"
|
|
|
|
|
- "10.11"
|
|
|
|
|
- "11.0"
|
|
|
|
|
script:
|
|
|
|
|
- |
|
|
|
|
|
if [[ $UPGRADE_PATH == *">"* ]]; then
|
|
|
|
|
SOURCE=$(echo "$UPGRADE_PATH" | cut -d'>' -f1)
|
|
|
|
|
TARGET=$(echo "$UPGRADE_PATH" | cut -d'>' -f2)
|
|
|
|
|
else
|
|
|
|
|
SOURCE=$(echo "$UPGRADE_PATH")
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Test upgrade from earlier minor version
|
|
|
|
|
- ./tests/upgrade_from/test_upgrade.sh $SOURCE $TARGET
|
|
|
|
|
artifacts:
|
|
|
|
|
paths:
|
|
|
|
|
- "*.sql"
|
|
|
|
|
- "test_upgrade*.log"
|
|
|
|
|
|
2021-05-30 06:58:51 +02:00
|
|
|
# Once all RPM builds and tests have passed, also run the DEB builds and tests
|
|
|
|
|
# @NOTE: This is likely to work well only on salsa.debian.org as the Gitlab.com
|
|
|
|
|
# runners are too small for everything this stage does.
|
|
|
|
|
# build_deb:
|
|
|
|
|
# stage: Salsa-CI
|
|
|
|
|
# trigger:
|
|
|
|
|
# include: debian/salsa-ci.yml
|