Can't get Coverity Scan to work (Java/Kotlin/Gradle 3.3 on Windows and Travis)

UPDATE: See the solution in Caleb's answer

I am trying really hard to make Coverity work for my build, but so far with little success.

First the details:

  • My project is a run-of-the-mill Java library (no web or fancy containers), very few compile-only dependencies, built using Gradle
  • The production code is written in Java and Kotlin
  • The complete project is available on GitHub: https://github.com/ddimtirov/nuggets
  • And on Coverity Scan: https://scan.coverity.com/projects/ddimtirov-nuggets?tab=project_settings
  • My development environment is Windows 10, Java 1.8.0_92, Gradle 3.3, CMD shell (though I also tried Cygwin and Mingw Bash)
  • There is also a Travis build on Linux

I started by downloading a package from: https://scan.coverity.com/download/java/win64

Then I added the bin directory to my path, went to my project root and ran the following commands.

$ set PATH=%PATH%;C:\Users\dimit\sandbox\cov-analysis\bin
$ gradlew clean
$ cov-build --dir cov-int gradlew jar

The first 2 went as expected, the last - not so much:

Coverity Build Capture (32-bit) version 8.7.0 on Windows 10 Professional, 64-bit (build 14393)
Internal version numbers: b452b3f2c8 p-lodi-push-28091.612

The system cannot execute the specified program.
[WARNING] Build command gradlew.bat jar exited with code 1. Please verify that the build completed successfully.
[WARNING] No files were emitted. This may be due to a problem with your configuration
or because no files were actually compiled by your build command.
Please make sure you have configured the compilers actually used in the compilation.
 For more details, please look at:
    C:/Users/dimit/sandbox/nuggets/cov-int/build-log.txt

I have put the build log here: https://gist.github.com/ddimtirov/9daa0e9f1f0954453f01fcec42ae2198

The "Troubleshoot build failure" on the instructions page was pointing to a forum index page, which does not help at all: https://software-community-synopsys.force.com/s/#4838

Moving on, I thought that if I could only generate the data in some other way I could upload it to the scan service and bypass the problem. I found https://github.com/mjdetullio/gradle-coverity-plugin

The Gradle Coverity plugin emitted the data, but when I zipped it and uploaded to the scan service, it barfed the error email.

As a last resort, I tried the TravisCI integration - after a few attempts, I got it to complete without an error, but it didn't seem to upload anything...

https://travis-ci.org/ddimtirov/nuggets/builds/196307253
https://scan.coverity.com/projects/ddimtirov-nuggets?tab=overview

I am close to giving up (BTW, not having docs available online doesn't help)

ddimitrov asked Feb 03 '17 03:02



2 Answers

Issue 1 - "The system cannot execute the specified program."

This issue arose because a Windows 32-bit kit was used to attempt to capture a Windows 64-bit build. The attempt to attach a 32-bit process to a 64-bit one causes failure to execute.

  • The solution here is to match the bitness of Coverity binaries with the bitness of your platform (use a Windows 64-bit kit).

Issue 2 - Failure to capture TravisCI build on Linux

This issue appears to be due to an incompatibility between Coverity's Java Capture and the ErrorProne plugin, as evidenced by messages such as this one in the build log:

WARNING: Failed load class file java/io/FileNotFoundException.class as a resource using the class loader net.ltgt.gradle.errorprone.ErrorProneCompiler$SelfFirstClassLoader@36358417
  • The solution here is to disable that plugin for the Coverity build.

Varia

  • When debugging the issue, the known issue of the Gradle daemon interfering with Coverity was discussed, but was ultimately not relevant to the issue.
  • The noted issues with the "prepend" command are user error; the prepend command is not a separate command to run, it's there for utility purposes.
Caleb answered Oct 06 '22 01:10
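
Added example (not part of the question, the answers, or Coverity's own tooling): a Python triage of cov-build output for the failure signatures quoted on this page, so a CI job can fail instead of uploading an empty capture. The function name, the result codes and the 64-bit banner sample are assumptions made for illustration.

```python
import re
import sys

# Console output quoted in the question (Windows run) and in Caleb's answer (Travis run).
WINDOWS_SAMPLE = """\
Coverity Build Capture (32-bit) version 8.7.0 on Windows 10 Professional, 64-bit (build 14393)
The system cannot execute the specified program.
[WARNING] Build command gradlew.bat jar exited with code 1. Please verify that the build completed successfully.
[WARNING] No files were emitted. This may be due to a problem with your configuration
"""
TRAVIS_SAMPLE = (
    "WARNING: Failed load class file java/io/FileNotFoundException.class as a resource "
    "using the class loader net.ltgt.gradle.errorprone.ErrorProneCompiler$SelfFirstClassLoader@36358417\n"
)
# Constructed sample: a banner whose kit and platform bitness agree, with no warnings.
CLEAN_SAMPLE = "Coverity Build Capture (64-bit) version 8.7.0 on Windows 10 Professional, 64-bit (build 14393)\n"

BANNER = re.compile(r"Coverity Build Capture \((\d+)-bit\) version \S+ on (.+?), (\d+)-bit")
EXIT_CODE = re.compile(r"Build command .* exited with code (\d+)")


def triage_capture(text):
    """Return (code, advice) pairs for each known failure signature found in cov-build output."""
    findings = []
    banner = BANNER.search(text)
    if banner and banner.group(1) != banner.group(3):
        findings.append(("bitness-mismatch",
                         f"{banner.group(1)}-bit kit on {banner.group(3)}-bit {banner.group(2)}: use the matching kit"))
    if "The system cannot execute the specified program." in text:
        findings.append(("exec-failure", "cov-build could not launch the build command"))
    if "ErrorProneCompiler$SelfFirstClassLoader" in text:
        findings.append(("errorprone-conflict", "disable the ErrorProne plugin for the Coverity build"))
    status = EXIT_CODE.search(text)
    if status and status.group(1) != "0":
        findings.append(("build-failed", f"wrapped build exited with code {status.group(1)}"))
    if "No files were emitted" in text:
        findings.append(("empty-capture", "nothing was captured; do not upload this cov-int directory"))
    return findings


if __name__ == "__main__":
    # Usage: python triage_capture.py cov-int/build-log.txt  (exits 1 if any signature matches)
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        results = triage_capture(fh.read())
    for code, advice in results:
        print(f"{code}: {advice}")
    sys.exit(1 if results else 0)
```

Running it on the build log before the upload step turns a silent empty capture, like the Travis run described in the question, into a failed job.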


A few things to note, because reading our documentation is crucial to using our tool successfully:

  1. Kotlin is not supported.
  2. Using the appropriate binaries for your platform is required (so using win32 binaries on a 64-bit platform will generally not work).
SCAN Admin answered Oct 06 '22 00:10