Tuesday, December 8, 2015

Configure Coverity using Jenkins on MAC

I recently took on the task of configuring Coverity on a Mac so that it runs from a Jenkins server.

Getting started

  • Install the Coverity software on the Mac mini where Jenkins is installed.
  • Install the plugin using the Plugin Manager, and restart Jenkins.
  • Go to the global configuration page (Manage Jenkins > Configure System).
  • If the Coverity Static Analysis tools are not on the PATH, configure the location for the master.
  • Add connection details for any number of Coverity Connect instances you want to use. Click ‘check’ to validate your settings.
Since our Coverity Connect implementation was using a self-signed certificate, the certificate had to be added to the JRE cert store. As we are using El Capitan, the server did not allow any changes to the /System directory tree due to the "System Integrity Protection" (SIP) feature. To disable it temporarily we had to reboot the box in recovery mode, disable it, reboot again without SIP, add the cert and then reboot in recovery mode again to re-enable SIP and then reboot once more.
There were multiple JVMs on the system, so it took trial and error to add the certificate to the correct cacerts store:
  1. /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts
  2. /Users/Shared/Jenkins/Home/tools/hudson.model.JDK/Oracle_Account/jre/lib/security/cacerts
  3. /Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/itms/java/lib/security/cacerts
  4. /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts
  5. /Library/Java/JavaVirtualMachines/jdk1.8.0_40.jdk/Contents/Home/jre/lib/security/cacerts  <- Adding the cert to this cacerts file fixed the issue
Mac-mini:security root# keytool -list -v -keystore ./cacerts | grep coverity
Enter keystore password:  changeit
Mac-mini:security root# keytool -import -trustcacerts -alias CACoverity -file ./signature.crt -keystore ./cacerts
Enter keystore password:

Trust this certificate? [no]:  yes
Certificate was added to keystore
Mac-mini:security root# keytool -list -v -keystore ./cacerts | grep coverity
Enter keystore password:  changeit
Alias name: cacoverity
  • For any node where Coverity Static Analysis is not on the PATH (and is on a different location than on the master), configure the location on the node configuration page.
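
Instead of trial and error across the stores listed above, the presence check from the keytool session can be scripted over every cacerts file. This is an added example, not part of the original post; the function names and the KEYTOOL and STOREPASS variables are assumptions of the example, and it only reads the stores.

```shell
#!/bin/sh
# Added example: report which JVM trust stores hold a given alias.
KEYTOOL="${KEYTOOL:-keytool}"       # override to use a specific JDK's keytool
STOREPASS="${STOREPASS:-changeit}"  # store password used in the session above

# find_cacerts ROOT...: print every file named "cacerts" under the roots.
find_cacerts() {
    for root in "$@"; do
        if [ -d "$root" ]; then
            find "$root" -type f -name cacerts 2>/dev/null || true
        fi
    done
}

# store_has_alias STORE ALIAS: succeeds when the alias exists in the store.
# keytool exits non-zero when the alias is absent or the store is unreadable.
store_has_alias() {
    "$KEYTOOL" -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
        </dev/null >/dev/null 2>&1
}

# audit_alias ALIAS ROOT...: one "PRESENT <path>" or "MISSING <path>" per store.
# Reading line by line keeps paths with spaces ("Application Loader.app") intact.
audit_alias() {
    alias_name=$1
    shift
    find_cacerts "$@" | sort | while IFS= read -r store; do
        if store_has_alias "$store" "$alias_name"; then
            printf 'PRESENT %s\n' "$store"
        else
            printf 'MISSING %s\n' "$store"
        fi
    done
}

# java_home_of JAVA_BIN: print java.home for one java binary (Java 7 or later),
# so the store under that home can be matched against the audit output.
java_home_of() {
    "$1" -XshowSettings:properties -version 2>&1 |
        sed -n 's/^ *java\.home = //p'
}

# Example run (roots taken from the paths listed in the post):
#   audit_alias CACoverity /Library/Java /Users/Shared/Jenkins /Applications/Xcode.app
```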

Job Setup
  • Create the job, by creating it from scratch or copying from an existing job
  • Under Post-build actions, check ‘Coverity’
  • Select the Coverity Connect instance, project and stream relevant for this job

OS Not Supported Error
If you run cov-configure on Mac OS X 10.6 you will get an error:

Platform info:
Sysname = Darwin
Release = 10.4.0
Machine = i386
[ERROR] This platform is not supported by Coverity.

There is potential for confusion, as the release number 10.4.0 refers to Darwin (the kernel version) and not to Mac OS X (the OS version). The supported Mac OS 10.5 uses Darwin 9.x, and Mac OS X 10.2 actually used Darwin version 6! Darwin 10.2, 10.3 and 10.4 are all versions of Snow Leopard, which Coverity SA does not yet support.
Exporting the variable COVERITY_UNSUPPORTED with a value of 1 before running cov-configure helped trick the executable into treating the latest OS as supported.
