scripts: update run-scan-build

* Do not build test target

  Building the test target breaks the whole build since the tests for
  libsepol require checkpolicy to be build already:

      make[2]: *** No rule to make target '../../checkpolicy/y.tab.o', needed by 'libsepol-tests'.  Stop.
      make[2]: *** Waiting for unfinished jobs....

  Since issues in the test suites are not critical do not build them.

* Update build status reporting

  Since the script sets the option -e scan-build will immediately exit
  on failure and the informative message "++ Build failed" is not
  printed.

* Bump to fortify level 3

* Fix typo

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2023-11-09 14:51:48 +01:00 committed by James Carter
parent a7a829530e
commit de491fda3d

View File

@ -1,7 +1,7 @@
#!/bin/sh
# Run clang's static analyzer (scan-build) and record its output in output-scan-build/
# Allow overriding binariy names, like clang-12
# Allow overriding binary names, like clang-12
export CC=${CC:-clang}
SCAN_BUILD=${SCAN_BUILD:-scan-build}
@ -32,15 +32,12 @@ fi
make -C .. clean distclean -j"$(nproc)"
$SCAN_BUILD -analyze-headers -o "$OUTPUTDIR" make -C .. \
DESTDIR="$DESTDIR" \
CFLAGS="-O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -D__CHECKER__ -I$DESTDIR/usr/include" \
CFLAGS="-O2 -Wall -Wextra -D_FORTIFY_SOURCE=3 -D__CHECKER__ -I$DESTDIR/usr/include" \
-j"$(nproc)" \
install install-pywrap install-rubywrap all test
install install-pywrap install-rubywrap all \
|| { echo "++ Build failed!"; exit 1; }
if [ $? -eq 0 ]; then
echo "++ Build succeeded"
else
echo "++ Build failed"
fi
echo "++ Build succeeded"
# Reduce the verbosity in order to keep the message from scan-build saying
# "scan-build: Run 'scan-view /.../output-scan-build/2018-...' to examine bug reports.