Coverity Plugin


Plugin Information

Plugin ID: coverity
Changes: In Latest Release, Since Latest Release
Latest Release: 1.5.0 (archives)
Latest Release Date: Jan 29, 2015
Required Core: 1.509.4
Dependencies: mailer (version:1.4)
Source Code: GitHub
Issue Tracking: Open Issues
Maintainer(s): Ken Dang (id: kdang)

Usage (installations per month):
  2014-Mar  979
  2014-Apr  982
  2014-May  1012
  2014-Jun  1054
  2014-Jul  1111
  2014-Aug  1079
  2014-Sep  1156
  2014-Oct  1173
  2014-Nov  1177
  2014-Dec  1178
  2015-Jan  1234
  2015-Feb  1219

This plugin integrates Jenkins with the Coverity Integrity Manager and Coverity Static Analysis tools.

Official build located at: https://buildhive.cloudbees.com/job/jenkinsci/job/coverity-plugin/

Compatibility with Coverity Connect

Plugin version      Coverity Integrity Manager/Connect version
1.2.4 and earlier   5.4 to 6.5
1.2.5 to 1.2.6      6.0.3.hotfix and later, excluding some intermediate versions
1.2.7               6.0.0 to 6.5
1.4.1 and later     6.5.0 and later

Goal

The Coverity plugin for Jenkins performs 4 functions:

  • It can transparently invoke the Coverity Static Analysis tools during your build (optionally)
  • It can transparently invoke the Coverity Test Advisor tools during your build (optionally)
  • It can fail the build if defects are found matching certain criteria
  • It reports found defects after the build

Getting started

  • Install the plugin using the Plugin Manager, and restart Jenkins
  • Go to the global configuration page (Manage Jenkins > Configure System)
  • If the Coverity Static Analysis tools are not on the PATH, configure the location (for the master) here.
  • Add connection details for any number of Integrity Manager instances you want to use. Click ‘check’ to validate your settings.
  • For any node where Coverity Static Analysis is not on the PATH (and is in a different location than on the master), configure the location on the node configuration page.

Job Setup

  • Create the job, by creating it from scratch or copying from an existing job
  • Under Post-build actions, check ‘Coverity’
  • Select the Integrity Manager instance, project and stream relevant for this job
  • If you want the plugin to invoke cov-build/cov-analyze/cov-commit-defects for you, check ‘Perform Coverity build, analysis and commit’. You can add additional arguments for each of these tools, and configure the intermediate directory used (all optional).
  • If your build already invokes Coverity, leave the checkbox unchecked.
  • If you want to fail the build when defects are found, check the corresponding checkbox. By default all defects are considered, but you can specify filters. Every filter should match for a defect to be included.
  • If you want the plugin to invoke test and Test Advisor functions for you, check "Perform Coverity Test Advisor and Commit". You can add additional arguments and functionality to the build by inputting your source control configurations (optional).

Now start your build. After the build has completed, a link to Coverity Defects will be available on the build page. On the project page, a graph with historical defect counts will be visible (as soon as more than one build has been performed).
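
How the "every filter should match" rule plays out for a build gate, as an added example (a Python model, not the plugin's code). `Defect`, `matching_defects`, `gate` and the sample data are hypothetical, and only the checker and impact filters mentioned on this page are modelled.

```python
from dataclasses import dataclass

# Constructed sample defects: checker names are taken from the changelog on
# this page; impact values and file names are made up for illustration.
@dataclass(frozen=True)
class Defect:
    checker: str
    impact: str
    file: str

SAMPLE_DEFECTS = [
    Defect("SQLI", "High", "src/LoginDao.java"),
    Defect("XSS", "High", "web/profile.jsp"),
    Defect("HARDCODED_CREDENTIALS", "Medium", "src/Config.java"),
    Defect("UNUSED_VALUE", "Low", "src/Util.java"),
    Defect("SQLI", "Low", "test/FixtureDao.java"),
]

def matching_defects(defects, filters):
    """Return the defects for which every configured filter matches.

    `filters` maps a Defect attribute name to the set of accepted values.
    An attribute without a filter accepts anything, so an empty dict
    reproduces the default of considering all defects.
    """
    return [d for d in defects
            if all(getattr(d, attr) in accepted
                   for attr, accepted in filters.items())]

def gate(defects, filters, on_match="FAILURE"):
    """Hypothetical gate: return (build result, matched count, total count)."""
    matched = matching_defects(defects, filters)
    result = on_match if matched else "SUCCESS"
    return result, len(matched), len(defects)

if __name__ == "__main__":
    cases = (
        {},                                                # default: all defects
        {"impact": {"High"}},                              # one filter
        {"impact": {"High"}, "checker": {"SQLI"}},         # both must match
        {"impact": {"High"}, "checker": {"UNUSED_VALUE"}}, # no defect satisfies both
    )
    for filters in cases:
        print(filters, "->", gate(SAMPLE_DEFECTS, filters, on_match="UNSTABLE"))
```

In the last case each filter matches some defect on its own, but no defect satisfies both, so the gate reports SUCCESS with 0 of 5 defects matched. Reading the matched count next to the total makes an over-narrow filter set visible.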

Troubleshooting

When you encounter problems while using the plugin, please provide the following information:

  • What you were doing when the problem occurred
  • The error message
  • The Jenkins server log file (the location is dependent on the container you use)
  • The content of ‘Manage Jenkins > System Information’ (Jenkins root/systemInfo)
  • The configuration file for the job (Jenkins root/jobs/job name/config.xml)
  • The global configuration file for Jenkins (Jenkins root/config.xml)
  • In case of problems while saving the job configuration, a screenshot before submitting, and the browser you are using

Upgrading

When upgrading, make sure that all jobs using the Coverity plugin are finished and not running during upgrade. For best results, restart your Jenkins after upgrade.

Changelog

Version 1.5.0 (January 30, 2015)

  • User input in configuration now resolves environment variables
  • Added new checkers to the defect list for each language. The list has been updated to include all checkers present up to 7.6.0
  • New C/C++ Checkers
    ASSIGN_NOT_RETURNING_STAR_THIS
    ATOMICITY
    BAD_EQ
    BAD_EQ_TYPES
    BAD_LOCK_OBJECT
    BAD_OVERRIDE
    BAD_SHIFT
    BUFFER_SIZE
    CALL_SUPER
    CHROOT
    COM.ADDROF_LEAK
    COM.BAD_FREE
    COM.BSTR.ALLOC
    COM.BSTR.BAD_COMPARE
    COM.BSTR.CONV
    COM.BSTR.NE_NON_BSTR
    CONFIG.STRUTS2_ENABLED_DEV_MODE
    COPY_PASTE_ERROR
    COPY_WITHOUT_ASSIGN
    CTOR_DTOR_LEAK
    DC.STREAM_BUFFER
    DC.STRING_BUFFER
    DC.WEAK_CRYPTO
    DELETE_ARRAY
    DELETE_VOID
    GUARDED_BY_VIOLATION
    HFA
    IDENTICAL_BRANCHES
    INTEGER_OVERFLOW
    INVALIDATE_ITERATOR
    LOCK
    LOCK_EVASION
    LOCK_INVERSION
    MISMATCHED_ITERATOR
    MISSING_ASSIGN
    MISSING_COMMA
    MISSING_COPY
    MISSING_COPY_OR_ASSIGN
    MISSING_LOCK
    MISSING_RESTORE
    MISSING_THROW
    NON_STATIC_GUARDING_STATIC
    OPEN_ARGS
    ORDER_REVERSAL
    OVERRUN_STATIC
    PARSE_ERROR
    PASS_BY_VALUE
    PW.INCLUDE_RECURSION
    READLINK
    RISKY_CRYPTO
    RW.ROUTINE_NOT_EMITTED
    SECURE_CODING
    SECURE_TEMP
    SELF_ASSIGN
    SLEEP
    SW.INCOMPLETE_TYPE_NOT_ALLOWED
    SWAPPED_ARGUMENTS
    SYMBIAN.CLEANUP_STACK
    SYMBIAN.NAMING
    UNCAUGHT_EXCEPT
    UNINIT
    UNINIT_CTOR
    UNINTENDED_INTEGER_DIVISION
    UNREACHABLE
    UNUSED_VALUE
    USELESS_CALL
    USE_AFTER_FREE
    VARARGS
    VIRTUAL_DTOR
    VOLATILE_ATOMICITY
    WRAPPER_ESCAPE
  • New Java Checkers
    ATOMICITY
    BAD_CHECK_OF_WAIT_COND
    BAD_LOCK_OBJECT
    BAD_SHIFT
    CONFIG.DUPLICATE_SERVLET_DEFINITION
    CONFIG.DWR_DEBUG_MODE
    CONFIG.DYNAMIC_DATA_HTML_COMMENT
    CONFIG.HTTP_VERB_TAMPERING
    CONFIG.JAVAEE_MISSING_HTTPONLY
    CONFIG.MISSING_GLOBAL_EXCEPTION_HANDLER
    CONFIG.MISSING_JSF2_SECURITY_CONSTRAINT
    CONFIG.SPRING_SECURITY_DEBUG_MODE
    CONFIG.SPRING_SECURITY_DISABLE_AUTH_TAGS
    CONFIG.SPRING_SECURITY_HARDCODED_CREDENTIALS
    CONFIG.SPRING_SECURITY_REMEMBER_ME_HARDCODED_KEY
    CONFIG.SPRING_SECURITY_SESSION_FIXATION
    CONFIG.STRUTS2_CONFIG_BROWSER_PLUGIN
    CONFIG.STRUTS2_DYNAMIC_METHOD_INVOCATION
    CONFIG.STRUTS2_ENABLED_DEV_MODE
    CONSTANT_EXPRESSION_RESULT
    COPY_PASTE_ERROR
    CSRF
    DC.CODING_STYLE
    DC.DANGEROUS
    DC.DEADLOCK
    DC.EXPLICIT_DEPRECATION
    DC.GC
    DC.JRE14COMPATIBLE
    DC.JRE15COMPATIBLE
    DC.LOCALIZATION
    DC.PERFORMANCE
    DC.THREADING
    DEADCODE
    DIVIDE_BY_ZERO
    DOUBLE_CHECK_LOCK
    EL_INJECTION
    GUARDED_BY_VIOLATION
    HARDCODED_CREDENTIALS
    HEADER_INJECTION
    HIBERNATE_BAD_HASHCODE
    IDENTICAL_BRANCHES
    INDIRECT_GUARDED_BY_VIOLATION
    INFINITE_LOOP
    JAVA_CODE_INJECTION
    JCR_INJECTION
    JSP_DYNAMIC_INCLUDE
    JSP_SQL_INJECTION
    LDAP_INJECTION
    LOCK_EVASION
    LOCK_INVERSION
    LOCK_ORDERING
    MISSING_BREAK
    MISSING_RESTORE
    MISSING_THROW
    MIXED_ENUMS
    NESTING_INDENT_MISMATCH
    NON_STATIC_GUARDING_STATIC
    NOSQL_QUERY_INJECTION
    OGNL_INJECTION
    ORM_LOAD_NULL_CHECK
    ORM_LOST_UPDATE
    ORM_UNNECESSARY_GET
    OS_CMD_INJECTION
    OVERFLOW_BEFORE_WIDEN
    PATH_MANIPULATION
    REGEX_CONFUSION
    REGEX_INJECTION
    RISKY_CRYPTO
    SCRIPT_CODE_INJECTION
    SENSITIVE_DATA_LEAK
    SERVLET_ATOMICITY
    SESSION_FIXATION
    SINGLETON_RACE
    SQLI
    STRAY_SEMICOLON
    SWAPPED_ARGUMENTS
    TAINT_ASSERT
    UNEXPECTED_SYNC
    UNINTENDED_INTEGER_DIVISION
    UNKNOWN_LANGUAGE_INJECTION
    UNREACHABLE
    UNRESTRICTED_DISPATCH
    UNSAFE_DESERIALIZATION
    UNSAFE_JNI
    UNSAFE_LAZY_INIT
    UNSAFE_REFLECTION
    UNUSED_VALUE
    USELESS_CALL
    WEAK_PASSWORD_HASH
    WRONG_METHOD
    XPATH_INJECTION
    XSS
  • New C# Checkers
    ALLOC_FREE_MISMATCH
    ARRAY_VS_SINGLETON
    ASSERT_SIDE_EFFECT
    ASSIGN_NOT_RETURNING_STAR_THIS
    BAD_ALLOC_ARITHMETIC
    BAD_ALLOC_STRLEN
    BAD_COMPARE
    BAD_FREE
    BAD_LOCK_OBJECT
    BAD_OVERRIDE
    BAD_SHIFT
    BAD_SIZEOF
    BUFFER_SIZE
    CALL_SUPER
    CHAR_IO
    CHECKED_RETURN
    CHROOT
    COM.ADDROF_LEAK
    COM.BAD_FREE
    COM.BSTR.ALLOC
    COM.BSTR.BAD_COMPARE
    COM.BSTR.CONV
    COM.BSTR.NE_NON_BSTR
    CONSTANT_EXPRESSION_RESULT
    COPY_PASTE_ERROR
    COPY_WITHOUT_ASSIGN
    CTOR_DTOR_LEAK
    DC.STREAM_BUFFER
    DC.STRING_BUFFER
    DC.WEAK_CRYPTO
    DEADCODE
    DELETE_ARRAY
    DELETE_VOID
    DIVIDE_BY_ZERO
    ENUM_AS_BOOLEAN
    EVALUATION_ORDER
    FORWARD_CLASSCAST
    FORWARD_NULL
    IDENTICAL_BRANCHES
    INCOMPATIBLE_CAST
    INFINITE_LOOP
    INTEGER_OVERFLOW
    INVALIDATE_ITERATOR
    LOCK
    LOCK_EVASION
    MISMATCHED_ITERATOR
    MISRA_CAST
    MISSING_BREAK
    MISSING_COMMA
    MISSING_COPY_OR_ASSIGN
    MISSING_LOCK
    MISSING_RESTORE
    MISSING_RETURN
    MISSING_THROW
    MIXED_ENUMS
    NEGATIVE_RETURNS
    NESTING_INDENT_MISMATCH
    NO_EFFECT
    NULL_RETURNS
    OPEN_ARGS
    ORDER_REVERSAL
    OVERFLOW_BEFORE_WIDEN
    OVERRUN
    OVERRUN_DYNAMIC
    OVERRUN_STATIC
    PARSE_ERROR
    PASS_BY_VALUE
    READLINK
    RESOURCE_LEAK
    RETURN_LOCAL
    REVERSE_INULL
    REVERSE_NEGATIVE
    RISKY_CRYPTO
    SECURE_CODING
    SECURE_TEMP
    SELF_ASSIGN
    SIGN_EXTENSION
    SIZECHECK
    SIZEOF_MISMATCH
    SLEEP
    STACK_USE
    STRAY_SEMICOLON
    STREAM_FORMAT_STATE
    STRING_NULL
    STRING_OVERFLOW
    STRING_SIZE
    SWAPPED_ARGUMENTS
    SYMBIAN.CLEANUP_STACK
    SYMBIAN.NAMING
    TAINTED_SCALAR
    TAINTED_STRING
    TOCTOU
    UNCAUGHT_EXCEPT
    UNINIT
    UNINIT_CTOR
    UNINTENDED_INTEGER_DIVISION
    UNREACHABLE
    UNUSED_VALUE
    USELESS_CALL
    USER_POINTER
    USE_AFTER_FREE
    VARARGS
    VIRTUAL_DTOR
    VOLATILE_ATOMICITY
    WRAPPER_ESCAPE
  • Fixed SSL issue with cov-manage-history
  • Fixed issue where cov-build was run when "Perform Coverity build, analysis and commit" was not selected
  • Fixed graphs breaking when a build has more than one CIM instance.
  • Added Impact into defect filters. Checkers can now be filtered by impact
    • (Note) After upgrade, the build configuration might need to be reconfigured so that impact filtering can be added. The initial build after upgrade might return zero defects.
  • Builds can now be marked as 'Unstable' if defects are found
  • Fixed issue where defect totals were being printed as total defects instead of matched defects

Version 1.4.1 (July 25, 2014)

  • Fixed issues with receiving ERROR text within Defect Filters
  • Fixed issue where checking configuration in Views gave back an ERROR text
  • Commit to SSL now works properly 
  • Plugin now connects correctly with Coverity Connect 6.5.0

Version 1.4.0 (June 30, 2014)

  • Added Coverity Test Advisor tools to be run during build
  • Added cov-history command and source control functionality to Coverity Test Advisor tools.

Version 1.3.1 (March 31, 2014)

  • Changed method for determining Static Analysis version (BZ 61464)
  • Allowed Coverity Plugin to accept similar versions of Coverity Connect and Analysis, but different patches (BZ 62013)
  • Increased maximum number of defects shown in job page to 3000 (BZ 60322)
  • Allowed older versions of Static Analysis to work with new versions of Coverity Connect (BZ 62196)

Version 1.3.0 (December 19, 2013)

  • Improve documentation
  • Increase maximum number of defects shown in job page to 1000 (BZ 55368)
  • Add support for 'Mixed Domain' (any language) streams (BZ 57461)
  • Add support for Coverity Analysis 7.0.0 (BZ 55618)
  • Don't fail the build if analysis and defect checking are both disabled (BZ 49096)

Version 1.2.7 (August 12, 2013)

  • Improve compatibility with older versions of Connect/CIM. (BZ 54854)

Version 1.2.6 (July 24, 2013)

  • Allow overrides for analysis/commit settings for an individual job (BZ 47499, BZ 45728)
  • Add support for cov-emit-java --webapp-archive
  • Add support for FxCop/MSVSCA results (BZ 50247)
  • Add automatic searching for C# assemblies
  • Fix a bug where builds would hang when JDKs were automatically installed (BZ 50669)
  • Fix a bug that caused linux/solaris executables to be called as if they were on windows (BZ 55117)
  • Improve error message when a configured stream is absent in CIM/Connect (BZ 54068, BZ 51304)

Version 1.2.5 (June 28, 2013)

  • Upgrade Coverity web services code to v5. (BZ 51322)

Version 1.2.4 (May 20, 2013)

  • Redo the previous fix from 1.2.3, as it broke some workflows. (BZ 52107)

Version 1.2.3 (May 10, 2013)

  • Fix a NullPointerException that occurred when the build/analyze/commit checkbox was unchecked. (BZ 52034)

Version 1.2.2 (April 29, 2013)

  • Add an option for specifying the commit port of a CIM instance manually, as a workaround for an issue with committing defects. (BZ 51458)

Version 1.2.1 (April 29, 2013)

  • Fix a NullPointerException during C# builds. (BZ 50321)

Version 1.2.0 (March 25, 2013)

  • Allow configuration of multiple streams and languages for each job. The appropriate analysis and commit steps will be run for each. (BZ 47499)

Version 1.1.5 (February 4, 2013)

  • Fix a bug where normally hidden streams would be available for selection in configuration (BZ 49226)
  • Add a field for blacklisting executables from being wrapped by cov-build (BZ 38025, BZ 47534, BZ 48921, JIRA JENKINS-14834)
  • Add an option to hide the defects chart (BZ 47524)
  • Update checkers list to match 6.5.0 checker documentation (BZ 48917)

Version 1.1.4 (January 14, 2013)

  • Add an option to not fetch defects after commit (BZ 47226)
  • Allow static analysis binaries to be specified on a per-job basis (BZ 47224)
