Merge pull request #13 from bradleysmith23/main

Add CHANGELOG.md, SECURITY.md, and README.md for coverity

Author: bradleysmith23

.github/workflows/ci.yml

@@ -111,6 +111,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         uses: FreeRTOS/CI-CD-Github-Actions/link-verifier@main
+        with:
+          exclude-urls: https://github.com/aws/aws-iot-core-mqtt-file-streams-embedded-c/blob/main/tools/coverity/misra.config
 
   verify-manifest:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -0,0 +1,139 @@
+name: Release automation
+
+on:
+  workflow_dispatch:
+    inputs:
+      commit_id:
+        description: 'Commit ID to tag and create a release for'
+        required: true
+      version_number:
+        description: 'Release Version Number (Eg, v1.0.0)'
+        required: true
+
+jobs:
+  tag-commit:
+    name: Tag commit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.inputs.commit_id }}
+      - name: Configure git identity
+        run: |
+          git config --global user.name ${{ github.actor }}
+          git config --global user.email ${{ github.actor }}@users.noreply.github.com
+      - name: create a new branch that references commit id
+        run: git checkout -b ${{ github.event.inputs.version_number }} ${{ github.event.inputs.commit_id }}
+      - name: Generate SBOM
+        uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
+        with:
+          repo_path: ./
+          source_path: ./source
+      - name: commit SBOM file
+        run: |
+          git add .
+          git commit -m 'Update SBOM'
+          git push -u origin ${{ github.event.inputs.version_number }}
+      - name: Tag Commit and Push to remote
+        run: |
+          git tag ${{ github.event.inputs.version_number }} -a -m "AWS IoT Core MQTT File Streams ${{ github.event.inputs.version_number }}"
+          git push origin --tags
+      - name: Verify tag on remote
+        run: |
+          git tag -d ${{ github.event.inputs.version_number }}
+          git remote update
+          git checkout tags/${{ github.event.inputs.version_number }}
+          git diff ${{ github.event.inputs.commit_id }} tags/${{ github.event.inputs.version_number }}
+  create-zip:
+    needs: tag-commit
+    name: Create ZIP and verify package for release asset.
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install ZIP tools
+        run: sudo apt-get install zip unzip
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.inputs.commit_id }}
+          path: aws-iot-core-mqtt-file-streams-embedded-c
+          submodules: recursive
+      - name: Checkout disabled submodules
+        run: |
+          cd aws-iot-core-mqtt-file-streams-embedded-c
+          git submodule update --init --checkout --recursive
+      - name: Create ZIP
+        run: |
+          zip -r aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}.zip aws-iot-core-mqtt-file-streams-embedded-c -x "*.git*"
+          ls ./
+      - name: Validate created ZIP
+        run: |
+          mkdir zip-check
+          mv aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}.zip zip-check
+          cd zip-check
+          unzip aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}.zip -d aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}
+          ls aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}
+          diff -r -x "*.git*" aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}/aws-iot-core-mqtt-file-streams-embedded-c/ ../aws-iot-core-mqtt-file-streams-embedded-c/
+          cd ../
+      - name: Build
+        run: |
+          cd zip-check/aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}/aws-iot-core-mqtt-file-streams-embedded-c
+          sudo apt-get install -y lcov
+          cmake -S test -B build/ \
+          -G "Unix Makefiles" \
+          -DCMAKE_BUILD_TYPE=Debug \
+          -DBUILD_CLONE_SUBMODULES=ON \
+          -DCMAKE_C_FLAGS='--coverage -Wall -Wextra -Werror'
+          make -C build/ all
+      - name: Test
+        run: |
+          cd zip-check/aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}/aws-iot-core-mqtt-file-streams-embedded-c/build/
+          ctest -E system --output-on-failure
+          cd ..
+      - name: Create artifact of ZIP
+        uses: actions/upload-artifact@v2
+        with:
+          name: aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}.zip
+          path: zip-check/aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}.zip
+  deploy-doxygen:
+    needs: tag-commit
+    name: Deploy doxygen documentation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Doxygen generation
+        uses: FreeRTOS/CI-CD-Github-Actions/doxygen-generation@main
+        with:
+          ref: ${{ github.event.inputs.version_number }}
+          add_release: "true"
+  create-release:
+    needs:
+      - create-zip
+      - deploy-doxygen
+    name: Create Release and Upload Release Asset
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.event.inputs.version_number }}
+          release_name: ${{ github.event.inputs.version_number }}
+          body: Release ${{ github.event.inputs.version_number }} of AWS IoT Core MQTT File Streams Embedded C.
+          draft: false
+          prerelease: false
+      - name: Download ZIP artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}.zip
+      - name: Upload Release Asset
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}.zip
+          asset_name: aws-iot-core-mqtt-file-streams-embedded-c-${{ github.event.inputs.version_number }}.zip
+          asset_content_type: application/zip

CHANGELOG.md

@@ -0,0 +1,4 @@
+## v1.0.0 (November 2023)
+
+This is the first release of the AWS IoT MQTT File Streaming Embedded C Library in this
+repository.

SECURITY.md

@@ -0,0 +1,5 @@
+## Reporting a Vulnerability
+
+If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security
+via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [email protected].
+Please do **not** create a public github issue.

tools/coverity/README.md

@@ -0,0 +1,75 @@
+# Static code analysis for AWS-IoT-Core-MQTT-File-Streams-Embedded-C library
+This directory is made for the purpose of statically testing the MISRA C:2012 compliance of AWS-IoT-Core-MQTT-File-Streams-Embedded-C library using
+[Synopsys Coverity](https://www.synopsys.com/software-integrity/security-testing/static-analysis-sast.html) static analysis tool.
+To that end, this directory provides a [configuration file](https://github.com/aws/aws-iot-core-mqtt-file-streams-embedded-c/blob/main/tools/coverity/misra.config) to use when
+building a binary for the tool to analyze.
+
+> **Note**
+For generating the report as outlined below, we have used Coverity version 2018.09.
+
+## Getting Started
+### Prerequisites
+You can run this on a platform supported by Coverity. The list and other details can be found [here](https://sig-docs.synopsys.com/polaris/topics/c_coverity-compatible-platforms.html).
+To compile and run the Coverity target successfully, you must have the following:
+
+1. CMake version >= 3.16.0 (You can check whether you have this by typing `cmake --version`)
+2. GCC compiler
+    - You can see the downloading and installation instructions [here](https://gcc.gnu.org/install/).
+3. Download the repo using the following commands.
+    - `git clone [email protected]:aws/aws-iot-core-mqtt-file-streams-embedded-c.git ./aws-iot-core-mqtt-file-streams-embedded-c`
+    - `cd ./aws-iot-core-mqtt-file-streams-embedded-c`
+
+### To build and run coverity:
+Go to the root directory of the library and run the following commands in terminal:
+1. Update the compiler configuration in Coverity
+  ~~~
+  cov-configure --force --compiler cc --comptype gcc
+  ~~~
+2. Create the build files using CMake in a `build` directory
+  ~~~
+  cmake -B build -S test
+  ~~~
+3. Go to the build directory and copy the coverity configuration file
+  ~~~
+  cd build/
+  ~~~
+4. Build the static analysis target
+  ~~~
+  cov-build --emit-complementary-info --dir cov-out make coverity_analysis
+  ~~~
+5. Go to the Coverity output directory (`cov-out`) and begin Coverity static analysis
+  ~~~
+  cd cov-out/
+  cov-analyze --dir . --coding-standard-config ../../tools/coverity/misra.config --tu-pattern "file('.*/source/.*')"
+  ~~~
+6. Format the errors in HTML format so that it is more readable while removing the test and build directory from the report
+  ~~~
+  cov-format-errors --dir . --file "source" --exclude-files '(/build/|/test/)' --html-output html-out;
+  ~~~
+7. Format the errors in JSON format to perform a jq query to get a simplified list of any exceptions.
+  NOTE: A blank output means there are no defects that aren't being suppressed by the config or inline comments.
+  ~~~
+  cov-format-errors --dir . --file "source" --exclude-files '(/build/|/test/)' --json-output-v2 defects.json;
+  echo -e "\n-------------------------Non-Suppresed Deviations, if any, Listed Below-------------------------\n";
+  jq '.issues[] | .events[] | .eventTag ' defects.json | sort | uniq -c | sort -nr;
+   echo -e "\n-------------------------Non-Suppresed Deviations, if any, Listed Above-------------------------\n";
+  ~~~
+
+For your convenience the commands above are below to be copy/pasted into a UNIX command friendly terminal.
+ ~~~
+ cov-configure --force --compiler cc --comptype gcc;
+ cmake -B build -S test;
+ cd build/;
+ cov-build --emit-complementary-info --dir cov-out make coverity_analysis;
+ cd cov-out/
+ cov-analyze --dir . --coding-standard-config ../../tools/coverity/misra.config;
+ cov-format-errors --dir . --file "source" --exclude-files '(/build/|/test/)' --html-output html-out;
+ cov-format-errors --dir . --file "source" --exclude-files '(/build/|/test/)' --json-output-v2 defects.json;
+ echo -e "\n-------------------------Non-Suppresed Deviations, if any, Listed Below-------------------------\n";
+ jq '.issues[] | .events[] | .eventTag ' defects.json | sort | uniq -c | sort -nr;
+ echo -e "\n-------------------------Non-Suppresed Deviations, if any, Listed Above-------------------------\n";
+ cd ../../;
+ ~~~
+
+You should now have the HTML formatted violations list in a directory named `build/cov-out/html-output`.
+With the current configuration and the provided project, you should not see any deviations.