MDBF-143: Add Infer builder

This preforms static analysis on the MariaDB codebase
by maintaining a git source repository as a shared volume.

Because static analysis takes time, a lot of time, there
is a shared cache volume to store build results from main
branches of the codebase so that as much incremental usage
can occur.

Infer runs in to phases, a capture and an analyze.

Infer output are in a result-dir this contains:
* report.json - what infer tools use
* report.txt - the human readable version of this
* capture.db - the sqlite3 version presentation of captured files and the
               relation to functions definitions.
* results.db - the analyze phase outputs

Of these, the report.json is desirable as the long term record of vulnerabilities.

Author: grooverdan

configuration/builders/sequences/helpers.py

@@ -5,6 +5,7 @@
 from configuration.steps.base import StepOptions
 from configuration.steps.commands.base import URL
 from configuration.steps.commands.mtr import MTRReporter, MTRTest
+from configuration.steps.commands.packages import SavePackages
 from configuration.steps.commands.util import (
     CreateS3Bucket,
     DeleteS3Bucket,
@@ -391,3 +392,23 @@ def mtr_junit_reporter(
             warn_on_fail=True,
         ),
     )
+
+
+def save_infer_logs(
+    step_wrapping_fn=lambda step: step,
+):
+    return step_wrapping_fn(
+        ShellStep(
+            command=SavePackages(
+                packages=["infer_results"],
+                destination="/packages/%(prop:tarbuildnum)s/logs/%(prop:buildername)s",
+            ),
+            url=URL(
+                url=f"{os.environ['ARTIFACTS_URL']}/%(prop:tarbuildnum)s/logs/%(prop:buildername)s",
+                url_text="Infer artifacts/logs",
+            ),
+            options=StepOptions(
+                alwaysRun=True,
+            ),
+        ),
+    )

configuration/builders/sequences/sast.py

@@ -0,0 +1,70 @@
+from pathlib import PurePath
+
+from configuration.builders.infra.runtime import (
+    BuildSequence,
+    DockerConfig,
+    InContainer,
+)
+from configuration.builders.sequences.helpers import save_infer_logs
+from configuration.steps.base import StepOptions
+from configuration.steps.commands.base import BashCommand
+from configuration.steps.commands.compile import CompileCMakeCommand
+from configuration.steps.commands.configure import ConfigureMariaDBCMake
+from configuration.steps.commands.util import InferScript, PrintEnvironmentDetails
+from configuration.steps.generators.cmake.compilers import ClangCompiler
+from configuration.steps.generators.cmake.generator import CMakeGenerator
+from configuration.steps.generators.cmake.options import (
+    CMAKE,
+    WITH,
+    BuildType,
+    CMakeOption,
+)
+from configuration.steps.remote import ShellStep
+
+
+def infer(
+    config: DockerConfig,
+    jobs: int,
+):
+    sequence = BuildSequence()
+
+    sequence.add_step(ShellStep(command=PrintEnvironmentDetails()))
+    # infer --version
+
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=BashCommand(
+                    cmd="git clean -df", workdir=PurePath("/mnt", "src")
+                ),
+                options=StepOptions(
+                    haltOnFailure=False,
+                    descriptionDone="git cleaned",
+                ),
+            ),
+        )
+    )
+
+    env_vars = [("JOBS", str(jobs))]
+    sequence.add_step(
+        InContainer(
+            docker_environment=config,
+            step=ShellStep(
+                command=InferScript("%(prop:branch)s"),
+                options=StepOptions(
+                    descriptionDone="infer analysis complete",
+                ),
+                env_vars=env_vars,
+            ),
+        )
+    )
+
+    sequence.add_step(
+        save_infer_logs(
+            step_wrapping_fn=lambda step: InContainer(
+                docker_environment=config, step=step
+            ),
+        )
+    )
+    return sequence

configuration/steps/commands/base.py

@@ -62,8 +62,14 @@ def as_cmd_arg(self) -> list[str]:
 
 
 class BashCommand(Command):
-    def __init__(self, cmd: str, name: str = "Run command", user: str = "buildbot"):
-        super().__init__(name=name, workdir=PurePath("."), user=user)
+    def __init__(
+        self,
+        cmd: str,
+        name: str = "Run command",
+        user: str = "buildbot",
+        workdir: PurePath = PurePath("."),
+    ):
+        super().__init__(name=name, workdir=workdir, user=user)
         self.cmd = cmd
 
     def as_cmd_arg(self) -> list[str]:

configuration/steps/commands/scripts/infer.sh

@@ -0,0 +1,227 @@
+#!/bin/bash
+
+# Infer script for performing
+# static analysis on the MariaDB codebase
+
+set -x -e
+
+if [ $# -lt 1 ]; then
+	echo insufficient args >&2
+	exit 1
+fi
+
+# Testing this version
+branch=$1
+
+if [ -z "$branch" ]; then
+  echo "usage $0 {branch/commit}" >&2
+  exit 1
+fi
+
+: "${JOBS:=4}"
+
+base=$PWD
+result_dir=$PWD/infer_results
+
+rm -rf "${result_dir}" index.txt report.json
+
+## Fetch
+
+pushd /mnt/src
+git fetch origin "$branch"
+git checkout -f FETCH_HEAD
+git submodule update --init --recursive
+git clean -df
+commit=$(git rev-parse FETCH_HEAD)
+
+if [ -d "/mnt/infer/$commit" ]; then
+  echo "Already scanned $commit"
+  exit 0
+fi
+
+# What can we use as a reference
+
+populate_differences()
+# input $merge_base
+{
+  # Find something closer - e.g. we've appended to a branch
+  # we've already tested
+  mapfile -t commits < <(git rev-list "${merge_base}..FETCH_HEAD")
+  for common_commit in "${commits[@]}"; do
+    if [ -d /mnt/infer/"$common_commit" ]; then
+      break;
+    fi
+  done
+  if [ ! -d "/mnt/infer/$common_commit" ]; then
+    return 1
+  fi
+  merge_base=$common_commit
+  # The file changes we from last results
+  git diff --name-only FETCH_HEAD.."${merge_base}" | tee "$base"/index.txt
+
+  if [ ! -s "$base"/index.txt ]; then
+    echo "Empty changes - nothing necessary"
+    rm "$base"/index.txt
+    exit 0
+  fi
+
+  limit=50
+  if [ "$(wc -l < "${base}"/index.txt)" -gt $limit ]; then
+    echo "More than $limit changes, just do a full generation"
+    rm "$base/index.txt"
+    return 1
+  fi
+
+  # use previous results as a base
+  cp -a "/mnt/infer/$merge_base" "$result_dir"
+
+  # Using as a recently used maker
+  touch "/mnt/infer/$merge_base"
+  return 0
+}
+
+# Just assume we diverged from main at some point
+# Using $commit because merge-base didn't process
+# pull request references.
+merge_base=$(git merge-base "$commit" origin/main)
+
+if populate_differences; then
+  echo "No common commit ancestor with analysis" >&2
+
+  echo "This is going to take a while for a full scan"
+fi
+
+# back from /mnt/src
+popd
+
+# Build
+
+build()
+{
+  cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
+        -DCMAKE_C_COMPILER=clang \
+        -DCMAKE_CXX_COMPILER=clang++ \
+        -S /mnt/src -B bld
+  cmake --build bld \
+        --target GenError GenServerSource GenUnicodeDataSource GenFixPrivs \
+        --parallel "$JOBS"
+}
+
+if [ ! -d bld ]; then
+  mkdir bld
+  build
+fi
+
+#
+capture()
+{
+  infer capture --compilation-database compile_commands.json --project-root /mnt/src --results-dir "${result_dir}" "$@"
+}
+
+analyze()
+{
+  infer analyze --project-root /mnt/src --results-dir "${result_dir}" --max-jobs "${JOBS}" "$@"
+}
+# Capture and analyze the feature of the files changes in index
+#
+cd bld
+
+if [ ! -f ../index.txt ]; then
+  echo "full run, this could take a while"
+  capture
+  analyze
+  mv "$result_dir" /mnt/infer/"$commit"
+  cd ..
+  rm -rf bld
+  exit
+fi
+
+# We've copied over a result dir, so we're continuing
+# https://fbinfer.com/docs/infer-workflow/#differential-workflow
+# using 'infer capture" instead infer run
+capture --reactive
+
+# some form of incremental
+analyze --changed-files-index ../index.txt
+
+# Preserve result
+cp "${result_dir}"/report.json ../report.json
+
+cp -a "${result_dir}" "${result_dir}_preserved"
+
+pushd /mnt/src
+#?git checkout "$merge_base"
+popd
+
+# just in case these have changed, including generated files
+cd ..
+#?build
+cd bld
+
+# TODO Can we use the previous captured /mnt/infer/$merge_base
+capture --merge-capture "/mnt/infer/$merge_base" --reactive --mark-unchanged-procs
+
+analyze --incremental-analysis  --changed-files-index ../index.txt
+
+# It may be merged next, or a commit pushed on top of it.
+infer reportdiff --report-current ../report.json --report-previous "${result_dir}"/report.json  --project-root /mnt/src --results-dir "${result_dir}"
+cd ..
+rm -rf bld index.txt
+# report.json
+
+## At this point we have infer_results/differential/{fixed,introduced}.json
+pushd "${result_dir}"
+
+# To have a useful reference we apply these differences
+#TODO jq: error: function compiled to 176940 bytes which is too long
+#jq --slurpfile excl differential/fixed.json -f /mnt/infer/"${merge_base}"/report.json > report.json <<'EOF'
+#  map(select(
+#    ($excl | any(
+#      .key == .key and .node_key == .node_key and .hash == .hash
+#    )) | not
+#  ))
+#EOF
+
+jq -s 'add' report.json differential/introduced.json > report1.json
+mv report1.json report.json
+
+infer report -o "${result_dir}" --report-json report.json --report-text report.txt
+
+# Useful enough to save as /mnt/infer/
+# Its unknown if this is on main branch or now, but just save.
+# If its merged next, then a commit exists, if a user appends
+# a commit, we've got a smaller delta.
+mv "${result_dir}" /mnt/infer/"${commit}"
+
+
+# TODO, we should walkfrom the main branch 11.x
+# and take the main branch report.json
+# remove fixed, add introduced, and then walk
+# though other commits, if they exist, and apply the
+# same again up until, and including the last commit
+# merge_base=$(git merge-base --reverse "$MAIN" "$commit")
+
+result_dir=/mnt/infer/"${commit}"
+
+check()
+{
+  file=$1
+  msg=$2
+  if [ -f "${file}" ]; then
+    filesize=$(stat -c%s "$file")
+    # 2 is the size of an empty json array '[]'
+    if [ "$filesize" -gt 2 ]; then
+      echo "$msg"
+      echo
+      jq . "${file}"
+      return 1
+    fi
+  fi
+  return 0
+}
+
+check "${result_dir}"/differential/fixed.json "Good human! Thanks for fixing the bad things"
+
+if check "${result_dir}"/differential/introduced.json "Bad human! Don't introduce bad things" >&2; then
+  exit 1
+fi

configuration/steps/commands/util.py

@@ -173,3 +173,12 @@ def __init__(
     ):
         args = [f"{binary}:{','.join(libs)}" for binary, libs in binary_checks.items()]
         super().__init__(script_name="ldd_check.sh", args=args)
+
+
+class InferScript(BashScriptCommand):
+    """
+    A command to run the Infer analysis on the MariaDB codebase.
+    """
+
+    def __init__(self, branch: str):
+        super().__init__(script_name="infer.sh", args=[branch])