selinux/scripts/run-scan-build

#!/bin/sh
# Run clang's static analyzer (scan-build) and record its output in output-scan-build/

# Allow overriding binary names, like clang-12
export CC=${CC:-clang}
SCAN_BUILD=${SCAN_BUILD:-scan-build}

# Ensure the current directory is where this script is
cd "$(dirname -- "$0")" || exit $?

OUTPUTDIR="$(pwd)/output-scan-build"

# Display the commands which are run, and make sure they succeed
set -x -e

# Use a temporary directory as an installation directory, if $DESTDIR is not set
if [ -z "$DESTDIR" ] ; then
    DESTDIR="$(mktemp --tmpdir -d scan-build-destdir-XXXXXXXXXX)"
fi

# Make sure to use the newly-installed libraries when running tests
export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib"
export PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH"
export PYTHONPATH="$DESTDIR$(${PYTHON:-python3} -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '/usr', 'base': '/usr'}))")"
export RUBYLIB="$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorarchdir"]')"

if [ -f /etc/debian_version ] && [ -z "${IS_CIRCLE_CI:-}" ] ; then
    export DEB_PYTHON_INSTALL_LAYOUT='deb'
fi

# Build and analyze
make -C .. clean distclean -j"$(nproc)"
$SCAN_BUILD -analyze-headers -o "$OUTPUTDIR" make -C .. \
    DESTDIR="$DESTDIR" \
    CFLAGS="-O2 -Wall -Wextra -D_FORTIFY_SOURCE=3 -D__CHECKER__ -I$DESTDIR/usr/include" \
    -j"$(nproc)" \
    install install-pywrap install-rubywrap all \
    || { echo "++ Build failed!"; exit 1; }

echo "++ Build succeeded"

# Reduce the verbosity in order to keep the message from scan-build saying
# "scan-build: Run 'scan-view /.../output-scan-build/2018-...' to examine bug reports.
set +x

# Remove the destination directory without using "rm -rf"
chmod u+w "$DESTDIR/usr/bin/newrole"
rm -r "$DESTDIR"