MDBF-143: Add Infer builder

This preforms static analysis on the MariaDB codebase
by maintaining a git source repository as a shared volume.

Because static analysis takes time, a lot of time, there
is a shared cache volume to store build results from main
branches of the codebase so that as much incremental usage
can occur.

Infer runs in to phases, a capture and an analyze.

Infer output are in a result-dir this contains:
* report.json - what infer tools use
* report.txt - the human readable version of this
* capture.db - the sqlite3 version presentation of captured files and the
               relation to functions definitions.
* results.db - the analyze phase outputs

Of these, the report.json is desirable as the long term record of vulnerabilities.

Author: grooverdan

configuration/builders/sequences/helpers.py

@@ -391,3 +391,26 @@ def mtr_junit_reporter(
             warn_on_fail=True,
         ),
     )
+
+
+def save_infer_logs(
+    logs_path: PurePath = PurePath("infer_results"),
+    step_wrapping_fn=lambda step: step,
+):
+    return step_wrapping_fn(
+        ShellStep(
+            command=SaveCompressedTar(
+                name="Save Infer artifacts/logs",
+                workdir=logs_path,
+                archive_name="logs",
+                destination="/packages/%(prop:tarbuildnum)s/logs/%(prop:buildername)s",
+            ),
+            url=URL(
+                url=f"{os.environ['ARTIFACTS_URL']}/%(prop:tarbuildnum)s/logs/%(prop:buildername)s",
+                url_text="Infer artifacts/logs",
+            ),
+            options=StepOptions(
+                alwaysRun=True,
+            ),
+        ),
+    )

configuration/builders/sequences/sast.py

@@ -0,0 +1,149 @@
+from pathlib import PurePath
+
+from configuration.builders.infra.runtime import (
+    BuildSequence,
+    DockerConfig,
+    InContainer,
+)
+from configuration.builders.sequences.helpers import save_infer_logs
+from configuration.steps.base import StepOptions
+from configuration.steps.command.base import BashCommand
+from configuration.steps.commands.compile import CompileCMakeCommand
+from configuration.steps.commands.configure import ConfigureMariaDBCMake
+from configuration.steps.commands.download import GitFetch, GitInitFromCommit
+from configuration.steps.commands.util import InferScript, PrintEnvironmentDetails
+from configuration.steps.generators.cmake.compilers import ClangCompiler
+from configuration.steps.generators.cmake.generator import CMakeGenerator
+from configuration.steps.generators.cmake.options import (
+    CMAKE,
+    WITH,
+    BuildType,
+    CMakeOption,
+)
+from configuration.steps.remote import ShellStep
+
+
+def infer(
+    config: DockerConfig,
+    jobs: int,
+):
+    sequence = BuildSequence()
+
+    sequence.add_step(ShellStep(command=PrintEnvironmentDetails()))
+    # infer --version
+
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=BashCommand(
+                    cmd="git clean -df", workdir=PurePath("/mnt", "src")
+                ),
+                options=StepOptions(
+                    haltOnFailure=False,
+                    descriptionDone="git cleaned",
+                ),
+            ),
+        )
+    )
+
+    sequence.add_step(
+        InContainer(
+            ShellStep(
+                command=GitInitFromCommit(
+                    repo_url="%(prop:repository)s",
+                    commit="%(prop:revision)s",
+                    jobs=jobs,
+                    depth=0,
+                    workdir=PurePath("/mnt", "src"),
+                )
+            ),
+            docker_environment=config,
+        ),
+    )
+
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=BashCommand(
+                    cmd="git diff --name-only FETCH_HEAD..%(prop:master_branch)s | tee $OLD_PWD/index.txt",
+                    workdir=PurePath("/mnt", "src"),
+                ),
+                options=StepOptions(
+                    haltOnFailure=False,
+                    descriptionDone="names of changed files",
+                ),
+            ),
+        )
+    )
+
+    flags = [
+        # UBSAN is the only prevention of UNINIT_VAR(X) x= x
+        # that generated lots of uninit read/write errors.
+        CMakeOption(WITH.UBSAN, True),
+        CMakeOption(CMAKE.EXPORT_COMPILE_COMMANDS, True),
+    ]
+
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=ConfigureMariaDBCMake(
+                    name="configure",
+                    cmake_generator=CMakeGenerator(
+                        use_ccache=True,
+                        flags=flags,
+                        source_path="/mnt/src",
+                        builddir="bld",
+                        compiler=ClangCompiler(),
+                    ),
+                ),
+                options=StepOptions(descriptionDone="Configure"),
+            ),
+        )
+    )
+
+    # Some server code is generated, so these need to be generated to test
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=CompileCMakeCommand(
+                    builddir="bld",
+                    jobs=jobs,
+                    verbose=True,
+                    targets=[
+                        "GenError",
+                        "GenServerSource",
+                        "GenUnicodeDataSource",
+                        "GenFixPrivs",
+                    ],
+                ),
+                options=StepOptions(descriptionDone="compile"),
+            ),
+        )
+    )
+
+    env_vars = [("JOBS", str(jobs))]
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=InferScript("%(prop:branch)s", "%(prop:master_branch)s"),
+                options=StepOptions(
+                    descriptionDone="infer analysis complete",
+                ),
+                env_vars=env_vars,
+            ),
+        )
+    )
+
+    sequence.add_step(
+        save_infer_logs(
+            step_wrapping_fn=lambda step: InContainer(
+                docker_environment=config, step=step
+            ),
+        )
+    )
+    return sequence

configuration/steps/commands/scripts/infer.sh

@@ -0,0 +1,213 @@
+#!/bin/bash
+
+# Infer script for performing
+# static analysis on the MariaDB codebase
+
+set -x -e
+
+if [ $# -lt 2 ]; then
+	echo insufficient args >&2
+	exit 1
+fi
+
+# Testing this version
+branch=$1
+
+shift
+# Which is against the master_branch
+master_branch=$1
+
+if [ -z "$branch" ] || [ -z "$master_branch" ]; then
+  echo "usage $0 branch master_branch" >&2
+  exit 1
+fi
+
+: "${JOBS:=4}"
+
+base=$PWD
+result_dir=$PWD/infer_results
+
+## Fetch
+
+pushd /mnt/src
+git fetch origin "$branch"
+git checkout -f FETCH_HEAD
+git submodule update --init --recursive
+commit=$(git rev-parse FETCH_HEAD)
+
+if [ -d "/mnt/infer/$commit" ]; then
+  echo "Already scanned $commit"
+  exit 0
+fi
+
+# What can we use as a reference
+
+#if  [ ! -L /mnt/infer/"$master_branch" ] && [ -L /mnt/infer/main ]; then
+#  # Attempting to use main to find/create a base $master_branch
+#  merge_base=$(git merge-base "$master_branch" main)
+#  if [ -n "$merge_base" ]; then
+#    if [ -d /mnt/infer/"$merge_base" ]; then
+#      echo "Creating $master_branch based of $merge_base"
+#      ln -s "$merge_base" /mnt/infer/"$master_branch" 
+#    else
+#      echo "Creating $master_branch based of main"
+#      # could be a bit inaccurate as main as moved on from $master_branch
+#      ln -s "$(readlink /mnt/infer/main)" /mnt/infer/"$master_branch" 
+#    fi
+#  fi
+#fi
+
+populate_differences()
+# input $merge_base
+{
+  # Find something closer - e.g. we've appended to a branch
+  # we've already tested
+  mapfile -t commits < <(git rev-list "${merge_base}..FETCH_HEAD")
+  for common_commit in "${commits[@]}"; do
+    if [ -d /mnt/infer/"$common_commit" ]; then
+      break;
+    fi
+  done
+  if [ ! -d "/mnt/infer/$common_commit" ]; then
+    echo "From $branch to master branch $master_branch last analysis $common_commit or later is missing" >&2
+    exit 1
+  fi
+  merge_base=$common_commit
+  # The file changes we from last results
+  git diff --name-only FETCH_HEAD.."${merge_base}" | tee "$base"/index.txt
+
+  if [ ! -s "$base"/index.txt ]; then
+    echo "Empty changes - nothing necessary"
+    rm "$base"/index.txt
+    exit 0
+  fi
+
+  # use previous results as a base
+  cp -a "/mnt/infer/$merge_base" "$result_dir"
+}
+
+if [ "$branch" = "$master_branch" ]; then
+  # compare against the last record we have for the master_branch
+  # as this is a push on the master branch
+  #last_master_branch_ref=$(readlink /mnt/infer/"$master_branch")
+  #merge_base=$(git merge-base "$branch" "$last_master_branch_ref")
+
+  # Just assume we diverged from main at some point
+  merge_base=$(git merge-base "$branch" origin/main)
+else
+  merge_base=$(git merge-base "$branch" "$master_branch")
+fi
+
+if [ -z "$merge_base" ]; then
+  echo "No common commit ancestor between $branch and $master_branch" >&2
+  # We don't have a master symlink yet
+  # lack of index.txt is the key
+  echo "This is going to take a while for a full scan"
+else
+  populate_differences
+fi
+
+# back from /mnt/src
+popd
+
+# Build
+
+build()
+{
+  cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
+        -DCMAKE_C_COMPILER=clang \
+        -DCMAKE_CXX_COMPILER=clang++ \
+        -S /mnt/src -B bld
+  cmake --build bld \
+        --target GenError GenServerSource GenUnicodeDataSource GenFixPrivs \
+        --parallel "$JOBS"
+}
+
+if [ ! -d bld ]; then
+  mkdir bld
+  build
+fi
+
+#
+capture()
+{
+  infer capture --compilation-database compile_commands.json --project-root /mnt/src --results-dir "${result_dir}" "$@"
+}
+
+analyze()
+{
+  infer analyze --project-root /mnt/src --results-dir "${result_dir}" --max-jobs "${JOBS}" "$@"
+}
+# Capture and analyze the feature of the files changes in index
+#
+cd bld
+
+if [ ! -f ../index.txt ]; then
+  echo "full run, this could take a while"
+  capture
+  analyze
+  mv "$result_dir" /mnt/infer/"$commit"
+  if [ "$branch" = "$master_branch" ];then
+    ln -fs "$commit" /mnt/infer/"$master_branch"
+  fi
+  cd ..
+  rm -rf bld
+  exit
+fi
+
+# We've copied over a result dir, so we're continuing
+# https://fbinfer.com/docs/infer-workflow/#differential-workflow
+# using 'infer capture" instead infer run
+capture --reactive
+
+# some form of incremental
+analyze --changed-files-index ../index.txt
+
+# Preserve result
+cp "${result_dir}"/report.json ../report.json
+
+cp -a "${result_dir}" "${result_dir}_preserved"
+
+pushd /mnt/src
+git checkout "$merge_base"
+popd
+
+# TODO
+# How can we use the previous captured /mnt/infer/$merge_base
+
+# just in case these have changed, including generated files
+cd ..
+build
+cd bld
+
+capture --reactive --mark-unchanged-procs
+analyze --incremental-analysis  --changed-files-index ../index.txt
+
+# TODO useful enough to save as /mnt/infer/$commit
+# it may be merged next, or a commit pushed on top of it.
+infer reportdiff --report-current ../report.json --report-previous "${result_dir}"/report.json  --project-root /mnt/src --results-dir "${result_dir}"
+cd ..
+rm -rf bld index.txt
+# report.json
+
+check()
+{
+ file=$1
+ msg=$2
+ if [ -f "${file}" ]; then
+   filesize=$(stat -c%s "$file")
+   # 2 is the size of an empty json array '[]'
+   if [ "$filesize" -gt 2 ]; then
+     echo "$msg"
+     return 1
+   fi
+ fi
+ return 0
+}
+
+check "${result_dir}"/differential/introduced.json "bad human! Don't introduce bad things"
+check "${result_dir}"/differential/fixed.json "good human! Thanks for fixing the bad things"
+
+
+
+