--- # This Gitlab-CI pipeline offers basic validation that a commit did not # introduce easily detectable regressions. Builds run primairly on a new Fedora, # which has all the latest upstream build dependencies and thus is the primary # testing target, as eventually everything in Fedora becomes the next CentOS and # Red Hat releases. # # In addition test building on CentOS 7 and 8 to ensure that the code base # remains reasonably backwards compatible. # # This is now intentionally simple, to keep it fast and accurate with minimal # false positive failures. If one wants to extend it, see debian/salsa-ci.yml # for inspiration on more integration tests to run. # # Also make sure the pipeline stays within the bounds of what CI workers on # Gitlab-CI are capable of executing, thus ensuring that any potential # contributor can at any point in time fork to their own Gitlab account and # start working towards meaningful contributions! # # NOTE TO MERGERS: Most of the contents in the Gitlab-CI configuration has been # tailored for a specific release or MariaDB. As a general rule, do not merge # changes in this file across MariaDB branches to avoid breaking the CI. Updates # the Gitlab-CI pipeline are most of the time better done manually per major # release branch. stages: - build - test - Salsa-CI - sast default: # Base image for builds and tests unless otherwise defined image: fedora:latest # Extend build jobs to have longer timeout as the default GitLab # timeout (1h) is often not enough timeout: 3h # Define common CMAKE_FLAGS for all builds. Skim down build by omitting all # submodules (a commit in this repo does not affect their builds anyway) and # many components that are otherwise slow to build. variables: CMAKE_FLAGS: "-DWITH_SSL=system -DPLUGIN_COLUMNSTORE=NO -DPLUGIN_ROCKSDB=NO -DPLUGIN_S3=NO -DPLUGIN_MROONGA=NO -DPLUGIN_CONNECT=NO -DPLUGIN_TOKUDB=NO -DWITH_WSREP=OFF" # Major version dictates which branches share the same ccache. E.g. 10.6-abc # and 10.6-xyz will have the same cache. MARIADB_MAJOR_VERSION: "11.1" # NOTE! Currently ccache is only used on the Centos 9 build. As each job has # sufficiently different environments they are unable to benefit from each # other's ccaches. As each build generates about 1 GB of ccache, having # multiple caches would quickly consume all free storage on Gitlab-CI and # grind all builds to a halt. Also the network overhead of download/upload # decreases the benefit of ccache in Gitlab-CI, and current cache:when and # cache:policy are not flexible enough to have a system where the cache is # uploaded only once a week and not on every build. Having ccache on at least # one build still helps ensure that ccache compatibility is at least tested # and if the Centos 9 build is always significantly faster than all other # builds (e.g. on self-hosted Gitlab instances) then users would at least be # able to discover it. # # Most steps don't need the source code, only artifacts GIT_STRATEGY: none # Hack to satisfy directory name length requirement by CPackRPM in CMake 3.x # https://cmake.org/cmake/help/v3.7/module/CPackRPM.html#variable:CPACK_RPM_BUILD_SOURCE_DIRS_PREFIX GIT_CLONE_PATH: $CI_BUILDS_DIR/CPACK_BUILD_SOURCE_DIRS_LONG_NAME_REQUIREMENT # Define once, use many times .rpm_listfiles: &rpm_listfiles - | echo "Generating rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log ..." for package in *.rpm do echo "$package" rpm -qlpv "$package" | awk '{print $1 " " $3 "/" $4 " ." $9 " " $10 " " $11}' | sort -k 3 echo "------------------------------------------------" done >> "../rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log" # CPackRPM lists contents in build log, so no need to show the output of this, # just store it as a build artifact that can be downloaded and diffed against # other builds to detect which files where added/removed/moved fedora: stage: build variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y yum-utils rpm-build openssl-devel graphviz # Accelerate builds with unsafe disk access, as we can afford to loose the entire build anyway - yum install -y https://github.com/stewartsmith/libeatmydata/releases/download/v129/libeatmydata-129-1.fc33.x86_64.rpm # This repository does not have any .spec files, so install dependencies based on Fedora spec file - yum-builddep -y mariadb-server - mkdir builddir; cd builddir - cmake -DRPM=$CI_JOB_NAME $CMAKE_FLAGS .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - cmake --graphviz=../dependencies.dot .. && dot -Tpng -o ../dependencies.png ../dependencies.dot - eatmydata make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log # @TODO: Don't use -j without the limit of 2 on Gitlab.com as builds just # get stuck when running multi-proc and out of memory, see https://jira.mariadb.org/browse/MDEV-25968 - make test # - make test-force # mysql-test-runner takes too long, run MTR in a separate job instead - *rpm_listfiles - mkdir ../rpm; mv *.rpm ../rpm artifacts: when: always # Must be able to see logs paths: - build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpm - builddir/_CPack_Packages/Linux/RPM/SPECS/ - dependencies.dot - dependencies.png fedora-ninja: stage: build variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y yum-utils rpm-build openssl-devel graphviz ninja-build # Accelerate builds with unsafe disk access, as we can afford to loose the entire build anyway - yum install -y https://github.com/stewartsmith/libeatmydata/releases/download/v129/libeatmydata-129-1.fc33.x86_64.rpm # This repository does not have any .spec files, so install dependencies based on Fedora spec file - yum-builddep -y mariadb-server - mkdir builddir; cd builddir - cmake -DRPM=generic $CMAKE_FLAGS -DCMAKE_BUILD_WITH_INSTALL_RPATH=ON -G Ninja .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - ninja -t graph > ../dependencies.dot && dot -Tpng -o ../dependencies.png ../dependencies.dot - eatmydata ninja package -j 2 --verbose 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log # @TODO: Unlike other builds, the Ninja builds using Gitlab.com runners don't get stuck, but they do get # stuck on runners with more processors, see https://jira.mariadb.org/browse/MDEV-25968. # Thus, use the same limitation on Ninja builds as well to ensure it never gets stuck due to this bug. - ninja test - *rpm_listfiles - mkdir ../rpm; mv *.rpm ../rpm artifacts: when: always # Must be able to see logs paths: - build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpm - builddir/_CPack_Packages/Linux/RPM/SPECS/ - dependencies.dot - dependencies.png fedora-clang: stage: build variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y yum-utils rpm-build openssl-devel graphviz clang # Accelerate builds with unsafe disk access, as we can afford to loose the entire build anyway - yum install -y https://github.com/stewartsmith/libeatmydata/releases/download/v129/libeatmydata-129-1.fc33.x86_64.rpm # This repository does not have any .spec files, so install dependencies based on Fedora spec file - yum-builddep -y mariadb-server - mkdir builddir; cd builddir - export CXX=${CXX:-clang++} - export CC=${CC:-clang} - export CXX_FOR_BUILD=${CXX_FOR_BUILD:-clang++} - export CC_FOR_BUILD=${CC_FOR_BUILD:-clang} - export CFLAGS='-Wno-unused-command-line-argument' - export CXXFLAGS='-Wno-unused-command-line-argument' - cmake -DRPM=generic $CMAKE_FLAGS .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - cmake --graphviz=../dependencies.dot .. && dot -Tpng -o ../dependencies.png ../dependencies.dot - eatmydata make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log # @TODO: Don't use -j without the limit of 2 on Gitlab.com as builds just # get stuck when running multi-proc and out of memory, see https://jira.mariadb.org/browse/MDEV-25968 - make test # - make test-force # mysql-test-runner takes too long, run MTr in a separate job instead - *rpm_listfiles - mkdir ../rpm; mv *.rpm ../rpm artifacts: when: always # Must be able to see logs paths: - build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpm - builddir/_CPack_Packages/Linux/RPM/SPECS/ - dependencies.dot - dependencies.png fedora-sanitizer: stage: build variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y yum-utils rpm-build openssl-devel clang - yum install -y libasan libtsan libubsan # This repository does not have any .spec files, so install dependencies based on Fedora spec file - yum-builddep -y mariadb-server - mkdir builddir; cd builddir - export CXX=${CXX:-clang++} - export CC=${CC:-clang} - export CXX_FOR_BUILD=${CXX_FOR_BUILD:-clang++} - export CC_FOR_BUILD=${CC_FOR_BUILD:-clang} - export CFLAGS='-Wno-unused-command-line-argument' - export CXXFLAGS='-Wno-unused-command-line-argument' - cmake -DRPM=$CI_JOB_NAME $CMAKE_FLAGS $SANITIZER .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log # @TODO: the build will fail consistently at 24% when trying to make using eatmydata - make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - *rpm_listfiles - mkdir ../rpm; mv *.rpm ../rpm artifacts: when: always # Must be able to see logs paths: - build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpm - builddir/_CPack_Packages/Linux/RPM/SPECS/ parallel: matrix: - SANITIZER: [-DWITH_ASAN=YES, -DWITH_TSAN=YES, -DWITH_UBSAN=YES] centos9: stage: build image: quay.io/centos/centos:stream9 # CentOS 9 is deprecated, use this Stream9 instead variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm - yum install -y yum-utils rpm-build openssl-devel libeatmydata ccache # Install missing dependencies - yum install -y https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/Judy-devel-1.0.5-28.el9.x86_64.rpm - yum install -y https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/bison-devel-3.7.4-5.el9.x86_64.rpm - yum install -y https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/multilib-rpm-config-1-19.el9.noarch.rpm # Configure ccache - source /etc/profile.d/ccache.sh - export CCACHE_DIR="$(pwd)/.ccache"; ccache --zero-stats # This repository does not have any .spec files, so install dependencies based on CentOS spec file - yum-builddep -y mariadb-server - mkdir builddir; cd builddir - cmake -DRPM=$CI_JOB_NAME $CMAKE_FLAGS .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - eatmydata make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log # @TODO: Don't use -j without the limit of 2 on Gitlab.com as builds just # get stuck when running multi-proc and out of memory, see https://jira.mariadb.org/browse/MDEV-25968 - make test # - make test-force # mysql-test-runner takes too long, run it MTR a separate job instead - *rpm_listfiles - mkdir ../rpm; mv *.rpm ../rpm - ccache -s artifacts: when: always # Must be able to see logs paths: - build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpm - builddir/_CPack_Packages/Linux/RPM/SPECS/ cache: key: $MARIADB_MAJOR_VERSION paths: - .ccache centos7: stage: build image: centos:7 variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: # This repository does not have any .spec files, so install dependencies based on Fedora spec file - yum-builddep -y mariadb-server # ..with a few extra ones, as CentOS 7 is very old and these are added in newer MariaDB releases - yum install -y yum-utils rpm-build gcc gcc-c++ bison libxml2-devel libevent-devel openssl-devel pcre2-devel - mkdir builddir; cd builddir - cmake -DRPM=$CI_JOB_NAME $CMAKE_FLAGS .. 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - make package -j 2 2>&1 | tee -a ../build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log # @TODO: Don't use -j without the limit of 2 on Gitlab.com as builds just # get stuck when running multi-proc and out of memory, see https://jira.mariadb.org/browse/MDEV-25968 - make test # - make test-force # mysql-test-runner takes too long, run it in a separate job instead - *rpm_listfiles - mkdir ../rpm; mv *.rpm ../rpm artifacts: when: always # Must be able to see logs paths: - build-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpmlist-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log - rpm - builddir/_CPack_Packages/Linux/RPM/SPECS/ .mysql-test-run: &mysql-test-run-def | # Install packages so tests and the dependencies install # @TODO: RPM missing 'patch' and 'diff' as dependency, so installing it manually for now yum install -y rpm/*.rpm patch diffutils # mtr expects to be launched in-place and with write access to it's own directories cd /usr/share/mariadb-test # Skip failing tests echo " main.mysqldump : Field separator argument is not what is expected; check the manual when executing 'SELECT INTO OUTFILE' main.flush_logs_not_windows : query 'flush logs' succeeded - should have failed with error ER_CANT_CREATE_FILE (1004) main.mysql_upgrade_noengine : upgrade output order does not match the expected main.func_math : MDEV-20966 - Wrong error code " > skiplist $SIMULATE_TIME ./mtr --suite=main --force --parallel=auto --xml-report=$CI_PROJECT_DIR/junit.xml --skip-test-list=skiplist $MTR_FLAGS mysql-test-run: stage: test dependencies: - fedora needs: - fedora script: - *mysql-test-run-def artifacts: when: always # Also show results when tests fail reports: junit: - junit.xml # Duplicate of the above jobs, except we use sanitizer build jobs as a dependency. This is so we can keep # sanitizer errors separate from functional test failures. Currently, there is no way to run the same # job for different dependencies. # # Additionally, for each sanitizer MTR job, we enable --force-restart so that # sanitizer errors can be traced to individual tests. The difference in test # suite runtime as a result of this flag is negligable (~30s for the entire test suite). # (see https://dev.mysql.com/doc/dev/mysql-server/latest/PAGE_MYSQL_TEST_RUN_PL.html) mysql-test-run-asan: stage: test variables: MTR_FLAGS: "--force-restart" dependencies: - "fedora-sanitizer: [-DWITH_ASAN=YES]" needs: - "fedora-sanitizer: [-DWITH_ASAN=YES]" script: - *mysql-test-run-def allow_failure: true artifacts: when: always # Also show results when tests fail reports: junit: - junit.xml mysql-test-run-tsan: stage: test variables: MTR_FLAGS: "--force-restart" dependencies: - "fedora-sanitizer: [-DWITH_TSAN=YES]" needs: - "fedora-sanitizer: [-DWITH_TSAN=YES]" script: - *mysql-test-run-def allow_failure: true artifacts: when: always # Also show results when tests fail reports: junit: - junit.xml mysql-test-run-ubsan: stage: test variables: MTR_FLAGS: "--force-restart" dependencies: - "fedora-sanitizer: [-DWITH_UBSAN=YES]" needs: - "fedora-sanitizer: [-DWITH_UBSAN=YES]" script: - *mysql-test-run-def allow_failure: true artifacts: when: always # Also show results when tests fail reports: junit: - junit.xml mysql-test-run-future: stage: test variables: MTR_FLAGS: "--max-test-fail=0" dependencies: - fedora needs: - fedora script: - yum install -y faketime - *mysql-test-run-def artifacts: when: always # Also show results when tests fail reports: junit: - junit.xml parallel: matrix: # The reason we test in two different future times is for the ability to separate between # failures pertaining to general time expiry issues and failures specific to the 32-bit time/Y2038 problem - SIMULATE_TIME: ["faketime 2038-01-20", "faketime 2038-01-18"] rpmlint: stage: test dependencies: - fedora needs: - fedora script: - yum install -y rpmlint - rm -f rpm/*debuginfo* # Not relevant in this test # Limit output to 1000 lines as Gitlab-CI max output is 4194304 bytes # Save everything in a log file so it can be viewed in full via artifacts - rpmlint --info rpm/*.rpm | tee -a rpmlint-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log artifacts: when: always # Also show results when tests fail paths: - rpmlint-$CI_JOB_NAME-$CI_COMMIT_REF_SLUG.log allow_failure: true # @TODO: The package is not rpmlint clean, must allow failure for now fedora install: stage: test dependencies: - fedora needs: - fedora script: - rm -f rpm/*debuginfo* # Not relevant in this test # Nothing provides galera-4 on Fedora, so this step fails if built with wsrep - yum install -y rpm/*.rpm # Fedora does not support running services in Docker (like Debian packages do) so start it manually - /usr/bin/mariadb-install-db -u mysql - sudo -u mysql /usr/sbin/mariadbd & sleep 10 # Dump database contents as is before upgrade - mariadb-dump --all-databases --all-tablespaces --triggers --routines --events --skip-extended-insert > installed-database.sql # Since we did a manual start, we also need to run upgrade manually - /usr/bin/mariadb-upgrade -u root # Dump database contents as is after upgrade - mariadb-dump --all-databases --all-tablespaces --triggers --routines --events --skip-extended-insert > upgraded-database.sql - | mariadb --skip-column-names -e "SELECT @@version, @@version_comment" | tee /tmp/version grep $MARIADB_MAJOR_VERSION /tmp/version || echo "MariaDB didn't install properly" - mariadb --table -e "SELECT * FROM mysql.global_priv; SHOW CREATE USER root@localhost; SHOW CREATE USER 'mariadb.sys'@localhost" - mariadb --table -e "SELECT * FROM mysql.plugin; SHOW PLUGINS" - mariadb -e "SHUTDOWN;" - rm -rf /var/lib/mysql/* # Clear datadir before next run # Start database without install-db step - sudo -u mysql /usr/sbin/mariadbd --skip-network --skip-grant & sleep 10 # Dump database contents in initial state - mariadb-dump --all-databases --all-tablespaces --triggers --routines --events --skip-extended-insert > empty-database.sql artifacts: paths: - installed-database.sql - upgraded-database.sql cppcheck: allow_failure: true stage: sast needs: [] variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y cppcheck diffutils # --template: output format # --force: check large directories without warning # -i: ignore this directory when scanning # -I: include path, reduces false positives # related to inability to resolve symbols # -j: run multiple cppcheck threads # Use newline to escape colon in yaml - > cppcheck --template="{file}:{line}\n{code}\n{severity}: {message}" --force --check-level=exhaustive client dbug extra include libmariadb libmysqld libservices mysql-test mysys mysys_ssl pcre plugin strings tests unittest vio wsrep-lib sql sql-common storage -istorage/mroonga -istorage/tokudb -istorage/spider -istorage/rocksdb -iextra/ -ilibmariadb/ -istorage/columnstore -Iinclude -Istorage/innobase/include --output-file=initial-cppcheck_output.txt -j $(nproc) # when including {code} in the cppcheck template, some more pre-processing needs to be done # # sample cppcheck finding: : # foo.bar() # ^ # : # # 1. remove all lines with "^" # 2. merge every 3 lines into 1 so it can be sorted (example: foo.bar() : ) # 3. sort to match ignorelist since parallel jobs may output findings in an nondeterministic order # 4. remove findings likely to be false positives (i.e, "unknown macros") # 5. remove line numbers for diffing against ignorelist - | cat initial-cppcheck_output.txt | grep -v '\^$' > preprocessed-cppcheck_circumflex_removed.txt cat preprocessed-cppcheck_circumflex_removed.txt | awk 'NR%3==1 {printf "%s", (NR==1) ? "" : "\n"; printf "%s", $0} NR%3!=1 {printf " %s", $0}' > preprocessed-cppcheck_oneline.txt cat preprocessed-cppcheck_oneline.txt | sort > preprocessed-cppcheck_sorted.txt cat preprocessed-cppcheck_sorted.txt | grep -v "There is an unknown macro here somewhere" > results-cppcheck_all_findings.txt sed 's/:[0-9]\+//' results-cppcheck_all_findings.txt > preprocessed_final-cppcheck_no_line_nums.txt # Only print new issues not found in ignore list - echo "Problems found in ignore list that were not discovered by cppcheck (may have been fixed)." - diff --changed-group-format='%>' --unchanged-group-format='' preprocessed_final-cppcheck_no_line_nums.txt tests/code_quality/cppcheck_ignorelist.txt || true - echo "Problems found by cppcheck that were not in ignore list." - diff --changed-group-format='%<' --unchanged-group-format='' preprocessed_final-cppcheck_no_line_nums.txt tests/code_quality/cppcheck_ignorelist.txt > results-cppcheck_new_findings.txt || true - cat results-cppcheck_new_findings.txt && test ! -s results-cppcheck_new_findings.txt artifacts: when: always paths: # save all steps of pre-processing in-case it ever breaks - initial-cppcheck_output.txt - preprocessed-cppcheck_circumflex_removed.txt - preprocessed-cppcheck_sorted.txt - preprocessed_final-cppcheck_no_line_nums.txt - results-cppcheck_all_findings.txt - results-cppcheck_new_findings.txt flawfinder: allow_failure: true stage: sast needs: [] variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y python3 python3-pip jq diffutils git - pip install flawfinder - flawfinder --falsepositive --quiet --html . > flawfinder-all-vulnerabilities.html - cat flawfinder-all-vulnerabilities.html | grep "Hits =" - flawfinder --falsepositive --quiet --minlevel=5 --sarif . > flawfinder-output.json # FlawFinder's --sarif output will display all vulnerabilities despite having --minlevel=5 specified. # Therefore, we postprocess the results with jq and filter out findings where the vulnerability level is less than 5. # Also in the SARIF output format, the vulnerabilities are ranked as 0.2/0.4/0.6/0.8/1.0 which correspond to the --minlevel=1/2/3/4/5 of FlawFinder. # Additionally, we sort the results because individual findings are consistent across different runs, but their ordering may not be. # Vulnerabilities can also be ignored in-line (/* Flawfinder: ignore */), but this option was chosen as to not clutter the codebase. - jq 'del(.runs[] | .tool | .driver | .rules) | del(.runs[] | .results[] | select(.rank < 1)) | del(.runs[] | .results[] | .locations[] | .physicalLocation | .region | .startLine) | .runs[0].results|=sort_by(.fingerprints)' flawfinder-output.json > flawfinder-min-level5.json # Diff against known vulnerabilities, but ignore the line number. - echo "Problems found in ignore list that were not discovered by flawfinder (may have been fixed)." - diff --changed-group-format='%>' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json || true - echo "Problems found by flawfinder that were not in ignore list." - diff --changed-group-format='%<' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json > flawfinder_new_findings.txt || true - cat flawfinder_new_findings.txt && test ! -s flawfinder_new_findings.txt artifacts: when: always paths: - flawfinder_new_findings.txt - flawfinder-all-vulnerabilities.html - flawfinder-min-level5.json mini-benchmark: stage: test dependencies: - fedora needs: - fedora script: - ls -la rpm; rm -vf rpm/*.el?.* # Delete artifacts from Centos builds # Don't use cracklib, otherwise the Sysbench user password will be rejected - rm -vf rpm/*cracklib*.rpm # Nothing provides galera-4 on Fedora, so this step fails if built with wsrep - yum install -y rpm/*.rpm # Fedora does not support running services in Docker (like Debian packages do) so start it manually - /usr/bin/mariadb-install-db -u mysql - sudo -u mysql /usr/sbin/mariadbd & sleep 10 # Since we did a manual start, we also need to run upgrade manually - /usr/bin/mariadb-upgrade -u root - | mariadb --skip-column-names -e "SELECT @@version, @@version_comment" | tee /tmp/version grep $MARIADB_MAJOR_VERSION /tmp/version || echo "MariaDB didn't install properly" - yum install -y sysbench procps-ng perf flamegraph flamegraph-stackcollapse-perf util-linux dnf-utils - /usr/share/mariadb/mini-benchmark - cp -av */sysbench-run-*.log */metrics.txt . # Move files one level down so they can be saved as artifacts artifacts: when: always paths: - sysbench-run-*.log reports: metrics: - metrics.txt cppcheck: stage: sast needs: [] variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y cppcheck diffutils # --template: use a single-line template # --force: check large directories without warning # -i: ignore this directory when scanning # -j: run multiple cppcheck threads # Use newline to escape colon in yaml - > cppcheck --template="{file}:{line}: {severity}: {message}" --force client dbug extra include libmariadb libmysqld libservices mysql-test mysys mysys_ssl pcre plugin strings tests unittest vio wsrep-lib sql sql-common storage -istorage/mroonga -istorage/tokudb -istorage/spider -istorage/rocksdb -iextra/ -ilibmariadb/ -istorage/columnstore --output-file=cppcheck.txt -j $(nproc) # Parallel jobs may output findings in an nondeterministic order. Sort to match ignorelist. - cat cppcheck.txt | sort > cppcheck_sorted.txt # Remove line numbers for diff - sed 's/:[^:]*:/:/' cppcheck_sorted.txt > cppcheck_sorted_no_line_numbers.txt # Only print new issues not found in ignore list - echo "Problems found in ignore list that were not discovered by cppcheck (may have been fixed)." - diff --changed-group-format='%>' --unchanged-group-format='' cppcheck_sorted_no_line_numbers.txt tests/code_quality/cppcheck_ignorelist.txt || true - echo "Problems found by cppcheck that were not in ignore list." - diff --changed-group-format='%<' --unchanged-group-format='' cppcheck_sorted_no_line_numbers.txt tests/code_quality/cppcheck_ignorelist.txt > lines_not_ignored.txt || true - cat lines_not_ignored.txt && test ! -s lines_not_ignored.txt artifacts: when: always paths: - cppcheck_sorted.txt flawfinder: stage: sast needs: [] variables: GIT_STRATEGY: fetch GIT_SUBMODULE_STRATEGY: normal script: - yum install -y python3 python3-pip jq diffutils git - pip install flawfinder - flawfinder --falsepositive --quiet --html . > flawfinder-all-vulnerabilities.html - cat flawfinder-all-vulnerabilities.html | grep "Hits =" - flawfinder --falsepositive --quiet --minlevel=5 --sarif . > flawfinder-output.json # FlawFinder's --sarif output will display all vulnerabilities despite having --minlevel=5 specified. # Therefore, we postprocess the results with jq and filter out findings where the vulnerability level is less than 5. # Also in the SARIF output format, the vulnerabilities are ranked as 0.2/0.4/0.6/0.8/1.0 which correspond to the --minlevel=1/2/3/4/5 of FlawFinder. # Additionally, we sort the results because individual findings are consistent across different runs, but their ordering may not be. # Vulnerabilities can also be ignored in-line (/* Flawfinder: ignore */), but this option was chosen as to not clutter the codebase. - jq 'del(.runs[] | .tool | .driver | .rules) | del(.runs[] | .results[] | select(.rank < 1)) | del(.runs[] | .results[] | .locations[] | .physicalLocation | .region | .startLine) | .runs[0].results|=sort_by(.fingerprints)' flawfinder-output.json > flawfinder-min-level5.json # Diff against known vulnerabilities, but ignore the line number. - echo "Problems found in ignore list that were not discovered by flawfinder (may have been fixed)." - diff --changed-group-format='%>' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json || true - echo "Problems found by flawfinder that were not in ignore list." - diff --changed-group-format='%<' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json > lines_not_ignored.txt || true - cat lines_not_ignored.txt && test ! -s lines_not_ignored.txt artifacts: when: always paths: - flawfinder-all-vulnerabilities.html - flawfinder-min-level5.json fedora upgrade-from: stage: test image: fedora:latest variables: GIT_STRATEGY: pull dependencies: - fedora needs: - fedora parallel: matrix: # Get latest versions of all major versions - UPGRADE_PATH: - "10.6>11.0" - "10.3" - "10.4" - "10.4.8" # Test unexpected table rebuilds as in https://jira.mariadb.org/browse/MDEV-28727 - "10.5" - "10.6" - "10.11" - "11.0" script: - | if [[ $UPGRADE_PATH == *">"* ]]; then SOURCE=$(echo "$UPGRADE_PATH" | cut -d'>' -f1) TARGET=$(echo "$UPGRADE_PATH" | cut -d'>' -f2) else SOURCE=$(echo "$UPGRADE_PATH") fi # Test upgrade from earlier minor version - ./tests/upgrade_from/test_upgrade.sh $SOURCE $TARGET artifacts: paths: - "*.sql" - "test_upgrade*.log" # Once all RPM builds and tests have passed, also run the DEB builds and tests # @NOTE: This is likely to work well only on salsa.debian.org as the Gitlab.com # runners are too small for everything this stage does. # build_deb: # stage: Salsa-CI # trigger: # include: debian/salsa-ci.yml