
Introduction

Coverity is used to accelerate development and increase security and quality. It is a fast, accurate, and highly scalable static analysis (SAST) solution that helps development and security teams address security and quality defects early in the software development life cycle (SDLC), track and manage risks across the application portfolio, and ensure compliance with security and coding standards. Coverity finds meaningful and actionable defects and has a low false positive rate. Using the tool encourages the team to write better, cleaner, more robust code.

For more information, please take a look at the following links:

How to

As shown in the picture below, the SAST job based on Coverity is already integrated in the K8S-Enabling pipeline:

PIPELINE

The streams are also already created on the Coverity dashboard:

STREAM2

To integrate this job into your pipeline, you have to:

1- Ask for access to Coverity

To access the Coverity dashboard, ask the support team by opening a Postit ticket. Please provide the support team with the following information:

- Project name: k8s-enabling in this example.
- User list and roles. There are two types of roles, PO and User. The PO is able to view and edit the settings of the project and the streams.

Here is an example of a request:

COVERITYREQUEST

2- Add the SAST job to your pipeline

The SAST job we added is based on the NextGen CICD repository, which contains many reusable steps you can add based on your needs. Here is the SAST job we added in our example:

```yaml
include:
  - project: 'nextgen-cicd/catalog/step/coverity'
    file: 'src/step.yml'

java_analysis:
  stage: scan
  image: debian
  extends: .coverity-analysis
  variables:
    CICD_COVERITY_PROJECT: k8s-enabling
    CICD_COVERITY_STREAM: k8s-enabling-java-scan
    CICD_COVERITY_BUILD_COMMAND: --no-command
    CICD_COVERITY_BUILD_OPTS: --fs-capture-search ./
    CICD_COVERITY_LANG: java
    CICD_COVERITY_REPORT_FORMAT: json
  before_script:
    - |-
      apt-get update
      apt-get install --no-install-recommends -y curl ca-certificates tar
  artifacts:
    name: "Coverity_Results"
    paths:
      - coverity-report.json
    expire_in: 5 days
  allow_failure: true
```

3- Environment variables

To add this job to your own pipeline, you have to configure these environment variables:

CICD_COVERITY_PROJECT: the project name you provided to the support team to get access.

CICD_COVERITY_STREAM: the name of the stream that will be created on the Coverity dashboard.

CICD_COVERITY_ARTIFACTORY_TOKEN: the token used to access Artifactory. You can check this repository to see how to get one.

CICD_COVERITY_COMMIT_TOKEN: the token the pipeline uses to add the streams. Do the following to get a token:

  1. After logging in to Coverity Connect, select User → Authentication Keys... The "Manage My Authentication Keys" page is displayed.
  2. In the New Authentication Key field, enter a name for the key.
  3. Click Create and Download.
  4. Copy the raw content as variable.

COVERITY_URL: the URL of Coverity. In this example: https://coverity.thalesdigital.io.
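The job above sets `allow_failure: true`, so a scan that reports defects never blocks the pipeline; the `coverity-report.json` artifact is only collected. The script below is an added example, not code from the NextGen CICD `coverity` step or from Coverity, showing how a later job can read that artifact and fail the pipeline when High-impact issues are present. The report schema it parses (a top-level `issues` list whose entries carry `checkerName`, `impact` and `mainEventFilePathname`) is an assumption made for illustration, and the embedded sample report is constructed; compare both with the JSON your job actually produces and adjust the field names if they differ.

```python
"""Turn the Coverity JSON report artifact into a pipeline gate.

Added example; this is not code from the NextGen CICD 'coverity' step or from
Coverity itself. The report schema it reads (top-level "issues" list, each
entry carrying "checkerName", "impact" and "mainEventFilePathname") is an
ASSUMPTION for illustration: compare it with the coverity-report.json your
job actually produces and adjust the field names if they differ.
"""
import json
import sys
from collections import Counter

# Constructed sample report in the assumed schema (not real scan output).
SAMPLE_REPORT = {
    "issues": [
        {"checkerName": "SQLI", "impact": "High",
         "mainEventFilePathname": "src/main/java/App.java"},
        {"checkerName": "RESOURCE_LEAK", "impact": "Medium",
         "mainEventFilePathname": "src/main/java/Db.java"},
        {"checkerName": "FORWARD_NULL", "impact": "Low",
         "mainEventFilePathname": "src/main/java/Util.java"},
    ]
}

IMPACT_ORDER = ("High", "Medium", "Low")


def load_report(path=None):
    """Load a report from disk, or fall back to the constructed sample."""
    if path is None:
        return SAMPLE_REPORT
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def count_by_impact(report):
    """Count issues per impact level; a missing impact is kept visible as Unknown."""
    return Counter(issue.get("impact", "Unknown") for issue in report.get("issues", []))


def blocking_issues(report, blocking_impacts=("High",)):
    """Return the issues whose impact level should block the pipeline."""
    return [i for i in report.get("issues", []) if i.get("impact") in blocking_impacts]


def gate(report, blocking_impacts=("High",), max_blocking=0):
    """True when the number of blocking issues is within the allowed budget."""
    return len(blocking_issues(report, blocking_impacts)) <= max_blocking


def summary(report, blocking_impacts=("High",)):
    """Lines for the job log: totals per impact, then each blocking issue."""
    counts = count_by_impact(report)
    lines = ["Coverity issues by impact: " + ", ".join(
        f"{level}={counts.get(level, 0)}" for level in IMPACT_ORDER)]
    for issue in blocking_issues(report, blocking_impacts):
        lines.append(f"  BLOCKING {issue.get('impact')} {issue.get('checkerName')} "
                     f"in {issue.get('mainEventFilePathname', '<unknown file>')}")
    return lines


def main(argv):
    """CLI entry point: exit 1 when the gate fails, so GitLab marks the job failed."""
    path = argv[1] if len(argv) > 1 else None
    report = load_report(path)
    print("\n".join(summary(report)))
    if not gate(report):
        print("Coverity gate FAILED")
        return 1
    print("Coverity gate passed")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the constructed sample and fails the gate (one High issue); in the pipeline, run it from a job in a later stage that depends on the analysis job's artifacts, for example `script: python3 coverity_gate.py coverity-report.json` on an image that provides `python3`. Because the gate job only reads the artifact, it needs none of the Coverity tokens described above, and a team can loosen it by passing a larger `max_blocking` budget or widening `blocking_impacts` to include Medium.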