• Overview
• Compatibility
• Features
• How to Use
  • Getting Started
  • Freestyle Job Setup
  • Build Results
  • Project Configuration Settings
    • Coverity Build Action Settings
    • Coverity Post-build Action Settings
  • Pipeline Setup
    • Using Coverity Static Analysis Tools
    • Publishing Coverity results
    • Example Script
• Troubleshooting
• Known Issues
  • Compatibility with other Jenkins plugins
• Upgrade Notes
• Support
• Changelog

This plugin is no longer maintained and will be deprecated by 11/30/2018. The functionality has been migrated onto the new Synopsys Coverity Jenkins Plugin. Please download the new plugin from GitHub or search for “Synopsys Coverity Jenkins" plugin under “Manage plugins” on your Jenkins system to install it directly. Please contact [email protected] for any issues. Official support for this implementation ends on 06/30/2019.

This plugin integrates Coverity Connect and Analysis with the Jenkins Continuous Integration Server. (Synopsys Static Analysis Tool (Coverity))

See https://wiki.jenkins-ci.org/display/JENKINS/Coverity+Plugin for more Jenkins Plugin specific information.

The following is the plugin version compatability with Coverity Connect server and Coverity Static Analysis Tools.

The Coverity plugin for Jenkins performs four functions:

• It can transparently invoke the Coverity Static Analysis tools during your build (optional)
• It can transparently invoke the Coverity Test Advisor tools during your build (optional)
• It can fail the build if defects are found matching certain criteria
• It reports found defects after the build

1. Install the plugin using the Plugin Manager, and restart Jenkins.
2. Configure Coverity tools (Manage Jenkins > Global Tool Configuration)
   • Add Coverity Static Analysis Tools:
     • Add one or more tools, configuring tools for multiple platforms can be managed here. The tools named 'default' will take priority, otherwise the tools path can be configured (or overwritten) per node and/or job configuration.
     • Note: In Jenkins prior to Jenkins 2, global tools are in Configure System
3. Configure Coverity global settins (Manage Jenkins > Configure System)
   • Add connection details for the Coverity Connect instance
     • Add Credential to store Coverity Connect username and password (managed through Credentials Plugin). Coverity plugin supports only the "Username with Password" credential kind.
     • Click Check to validate your settings and Coverity user account permissions
4. Configure Node specific tools (if necessary)
   • If preferred, the 'default' tools path can be overridden by setting a Tools Location in the Node configuration settings
     • The tools used can also be configured (or overwritten) per job configuration if this works better for your distributed build architecture

1. Create the job, by creating it from scratch or copying from an existing job.
2. Under Build, select Add build step and select Invoke Coverity Capture Build, if needed.
   • If no Invoke Coverity Capture Build is provided, the Coverity Plugin will transparently invoke the build capture for all build steps during your build.
3. Under Post-build Actions, select Add post-build action and select Coverity.
4. Select the Coverity Connect instance, project and stream relevant for this job.
5. If you want the plugin to invoke cov-build/cov-analyze/cov-commit-defects for you, check Perform Coverity build, analysis and commit. You can add additional arguments for each of these tools, and configure the intermediate directory used (all optional).
6. If your build already invokes Coverity, leave the checkbox unchecked.
7. If you want to fail the build when defects are found, check the corresponding checkbox. By default all defects are considered, but you can specify filters. Every filter should match for a defect to be included.
8. If you want the plugin to invoke test and Test Advisor functions for you, check Perform Coverity Test Advisor and Commit. You can add additional arguments and functionality to the build by entering your source control configurations (optional).

After a build has completed, a link to Coverity Defects will be available on the build page.

On the project page, a graph with historical defect counts will be visible (as soon as more than one build has been performed).

To access the Coverity Plugin Configuration dialog, first choose a project in your Jenkins server, and select Configure. Coverity-specific settings are available under the Build and Post-build Actions sections.

The Coverity build action has the following options:

The Coverity post-build action has the following options:

”’”a”’”   - >   [‘a’]
’”’a’”’   - >   [“a”]

If VAR1=ABC and VAR2=123
  $VAR1$VAR2   - >   [ABC123]

${VAR1}DEF -> [ABCDEF]

VAR1=Hello
VAR2=$VAR3
VAR3=$VAR4
VAR4=World
VAR5="$VAR1 $VAR2"
VAR6=$VAR1 $VAR2

VAR5  - > "Hello World"
VAR6  - > Hello World

VAR5  - > [Hello World]
VAR6  - > [Hello, World]

The Coverity plugin has basic support for some pipeline functionality. (https://jenkins.io/doc/pipeline/steps/coverity)

It provides a withCoverityEnv step to wrap tool invocations and a coverityResults step to retrieve issues from a Coverity Connect View. In order to use these steps you will be required to setup Coverity tools in global tool configuration and a Coverity Connect instance in global configuration (see Getting Started for details).

This step will use the specified Coverity Tool Installation and add the bin/ directory to PATH for any steps that are wrapped. This will allow the pipeline script to access Coverity tools (like cov-build, cov-analyze, and cov-commit-defects) directly from a script step (such as a Shell Script or Windows Batch Script). Also, this step provides users to bind the Coverity Connect Instance information, such as Host/Port/Credentials to environment variables.

• Recommended usage:

withCoverityEnv(coverityToolName: 'default', connectInstance: 'Coverity Connect Instance Name') {
  // execute any coverity commands with either `sh` or `bat` script step
  //  (all Coverity Tools in /bin available on PATH)
  // By default, Coverity Connect Instance information will be avaible in following environment variables
  //
  // HOST -> COVERITY_HOST
  // PORT -> COVERITY_PORT
  // USER -> COV_USER
  // PASSWORD -> COVERITY_PASSPHRASE
  //
  // Users can customize all the above default environment variables
}

• This will use the Coverity Static Analysis Tools installation named 'default' and add '/bin' directory to PATH within the scope of this Build Wrapper.
• Hint: Use the Pipeline Syntax Snippet Generator for the withCoverityEnv to ensure you've selected a configured tool installation and configured Coverity Connect Instance

• With a variable in the script to access coverity tools directory, example:

def covHome = tool name: 'default', type: 'coverity'
sh "${covHome}/bin/cov-build --dir idir <build-command>"
// followed by other coverity commands (using "${covHome}/bin")

• Manually update the env.PATH in script

env.COV_HOME = tool name: 'default', type: 'coverity'
env.PATH="${env.COV_HOME }:${env.PATH}" // on windows node use ;
sh "cov-build --dir idir <build-command>"
// followed by other coverity commands (all in /bin available on PATH)

• You may also combine withEnv with the tool step to set a Coverity tools directory to any environment variable
• The tools directory will be resolved for the Node which executes the pipeline (see Getting Started for details on tools installations and locations per node)
• Note that as with any Coverity tools execution the build/analyze/commit steps must share the same intermediate directory value (see the Coverity Analysis User and Administrator Guide for more details)

• The plugin offers a coverityResults step which will retrieve issues from a configured Coverity Connect Instance, Project, and View. By adding this step the pipeline will include any found issue results in the same manner as Build Results for a pipeline.
• Example Usage:

coverityResults connectInstance: 'cov-connect', connectView: 'JenkinsPipelineView', projectId: 'my project'

• Use the Pipeline Syntax Snippet Generator to get help choosing a Coverity Connect Instance and verifying the Project and View values
• Advanced options are available to abort the pipeline, fail the pipeline or mark the pipeline as unstable if any issues were found in the Coverity Connect View (use abortPipeline, failPipeline or unstable, default value for these options is false).
• abortPipeline takes precedence over failPipeline and failPipeline takes precedence over unstable.
• The View can be configured within the Coverity Connect User Interface (use the same user credentials which will connect during the pipeline run). See the Coverity Platform User and Administrator Guide for information on configuring views.
  • The View must be configured as an "Issues: By Snapshot" View Type. This can ensure the most recently committed issues are used, by keeping the default View "Snaphost Scope" of last().
  • The view should include the columns "CID", "Checker", "File", and "Function" in order to properly record issues per pipeline run (otherwise just a count may be shown).
  • The View Filters should be configured for the issues which the pipeline commits. An example would be filtering on "Classification" of "Unclassified"|"Pending"|"Bug" or on "Status" of "New"|"Triaged"
  • The View Group By setting must be set to "None" as retrieving issues with a group by view is not supported.
• Note that this pipeline step differs greatly from the freestyle job post-build step in two major ways:
  1. The results are retrieved per project, not per stream.
     • In cases where multiple pipelines (or jobs) commit to multiple streams in the same project, different Views must be configured to filter by the proper stream.
  2. The filtering is configured entirely on Coverity Connect, not in Jenkins configuration
     • This allows for filtering on columns which were not offered in the post-build step as well as much more dynamic date filtering capabilities.

• The following script uses a Coverity Static Analysis Tools installation named default, a configured "Username with Password" Credential with credentialId of jenkins-cov-user, and a configured Coverity Connect instance named cov-connect. On the Coverity Connect instance there is a project named my project(which contains a stream named 'my stream') and an "Issues: By Snapshot" view named my view.

node {
   stage('Preparation') {
      // checkout the source code
      git `<URL to Git Repository>`
   }
   stage('Run Coverity') {
      // use a variable for the shared intermediate directory
      iDir = 'cov-idir'
      
      withCoverityEnv(coverityToolName: 'default', connectInstance: 'Coverity Connect Instance Name') { 
        // run cov-build capture command
        sh "cov-build --dir ${iDir} <build-command>"
      
        // run cov-analyze command
        sh "cov-analyze --dir ${iDir}"

        // run cov-commit-defects command
        sh "cov-commit-defects --dir ${iDir} --host ${COVERITY_HOST} --port ${COVERITY_PORT} --stream my stream"
      }
      
      // cleanup intermediate directory after commit was made (optional space saving step)
      dir("${iDir}") {
        deleteDir()
      }
   }
   stage('Coverity Results') {
      coverityResults connectInstance: 'cov-connect', connectView: 'my view', projectId: 'my project'
   }
}

• In the example the Coverity execution is kept in a single Run Coverity stage, in order to break out Coverity commands into separate stages a shared Intermediate Directory will be needed. It is recommended to use the External Workspace Manager plugin if this is necessary (the Intermediate Directory is usually to large for the stash/unstash steps).

When you encounter problems while using the plugin, please provide the following information:

• What you were doing when the problem occurred.
• The error message
• The Jenkins server log file (the location is dependent on the container you use)
• The content of ‘Manage Jenkins > System Information’ (Jenkins root/systemInfo)
• The configuration file for the job (Jenkins root/jobs/job name/config.xml)
• The global configuration file for Jenkins (Jenkins root/config.xml)
• In case of problems while saving the job configuration, a screenshot before submitting, and the browser you are using.

To enable the Jenkins Coverity plugin to operate with a Coverity Connect instance that is configured to use SSL, do the following:

1. Set the environmental variable CATALINA_OPTS to this value: " -Djavax.net.ssl.trustStore=$keystore -Djavax.net.ssl.trustStorePassword=changeit";
2. Make sure that the environmental variable $keystore points to the Java truststore that contains the CA root and any intermediate certificate, or the self-signed certificate, that the Coverity Connect serves.
3. Restart the Tomcat server.

1. Flexible Publisher Plugin (Coverity Post-Build Actions fail to run)

• When upgrading, make sure that all jobs using the Coverity plugin are finished and not running during upgrade. For best results, restart your Jenkins after upgrade.

If you have any questions or issues with the Coverity plugin, contact [email protected]

• Added support for Nginx RP and HTTPS redirect (COVJP-624)

• Fixed an issue with SSL configuration for any communications with CIM (COVJP-620)

• Fixed an issue where "CoverityResults" step fetches the wrong number of defects from Coverity Connect (COVJP-580)
• Modified ""connectInstance", "connectView", and "projectId" parameters are not optional for CoverityViewResultsPublisher. (COVJP-610)
• The Jenkins plugin will now use "cov-build" executable for capturing test coverage with custom test command, instead of running "cov-capture" executable. (COVJP-607)

• Fixed "NullPointerException" thrown when the plugin is retrieving the defects from Coverity Connect. (BZ 116484)

• User and Password fields are removed from any global Coverity Connect Server settings. If these properties were configured, then these configurations will be migrated into credentials in the Credential Manager Plugin automatically. (BZ 108097, BZ 109522)
• Fixed an unhandled exceptions if configured user does not have WS access permission. (BZ 109223)
• Fixed an issue where coverityResults step report incorrect number of defects retrieved from Coverity Connect. (BZ 112041)
• New option, called AbortPipeline, has been added to abort the pipeline flow when Coverity issues are found. (BZ 113560)
• CoverityConnect information(host/port/credentails) can be accessed within "withCoverityEnv" builder in the pipeline. The users can override the default environment variable names. (BZ 113563)

• Added support for Jenkins Pipeline by adding the pipeline steps coverityResults and withCoverityEnv. (BZ 97113)
• Coverity plugin supports the usage of Credentials Manager in the global configuration. (BZ 107429)
• Added Coverity Static Analysis Tools as a tool installation, configured through Global Tools Configurations in Jenkins 2 and newer (also improves pipeline support).
• Deprecating the existing Coverity tools location and the location node property, users should instead configure tools using the Global Tool Configuration. These fields will be removed in an upcoming release. (BZ 108096)
• Added feature to override the Coverity Connect username and password for a Job using a Credentials value. (BZ 92651)
• Added feature to override the Coverity Static Analysis Tools for a Job using a global tool installation. (BZ 107178)
• Deprecating the existing Coverity Connect Username and Password fields, users should instead configure a Username with Password Credential (through the Credentials Plugin) to provide Coverity Connect with authentication information. These fields will be removed in an upcoming release. (BZ 108097)
• The minimum supported version of Coverity Connect and Coverity Analysis tools is 8.0.0. (BZ 106531)
• Fixed an issue where a blank Node property for Coverity Static Analysis Location would fail builds with the error "[Node] Jenkins : Could not Find Coverity Analysis Home Directory.". (BZ 101161)
• Added SCM drop-down entries for Team Foundation Server 2015 & 2017, Plastic & Plastic (fully distributed). These SCMs are supported in newer Coverity tool version 2017.07 (with the exception of TFS 2015 which was supported in prior versions) (BZ 105111)
• The Coverity plugin provides UI validation for "Post cov-build command" and "Post cov-analyze command". Also, if commands for either is not supplied, the "Post cov-build" and "Post cov-analyze" steps will be skipped with warnings on the console output. (BZ 107703)
• The "Dataport" field in the global Coverity Connect configuration has been removed. (BZ 108016)
• Some of the "DataBoundConstructor" arguments are moved to "DataBoundSetter" to make the JOB DSL configuration easier with Coverity plugin. (BZ 106600, BZ 84075)

• Added compatibility for 2017.07 Coverity Connect and Analysis tools. (Note: Older Coverity plugin versions will not work with the Coverity Connect 2017.07 and newer releases) (BZ 104760)
• Fixed an issue where special password characters caused an error establishing a connection with Coverity Connect. (BZ 104837)
• Fixed an issue where setting extra CA certificate was using the argument --cert, instead of --certs. (BZ 104659)
• Improved user permission checking which should reduce validation delays introduced in 1.9.1. (BZ 105657)

• Fixed issue where defects were not shown on the chart when the the "Fail the build if matching defects are found" option checked. (BZ 102658)
• Resolved issue where check for "commitToStream" and "viewDefects" permissions fails if they are inherited from groups. (BZ102421)

• Changed Required Core Jenkins version from 1.534 to 1.651.3. (BZ 101526)
• Fixed the error "command line parsing fails" when using the MSbuild, Gradle, or NAnt plugins to build with Coverity on Windows. (BZ 101359, 101799)
• The ability to filter on Checkers is deprecated, and this functionality will be removed in an upcoming release. (BZ 101225)
• Resolved an issue where links to view Coverity defects were broken if any of the instance, project, or streams names had spaces. Updated the graph key display name to "Coverity Defects (stream name)" and the defects page URL to "coverity_defects". (BZ 100794)
• The Coverity Jenkins plugin now provides a new "Invoke Coverity Capture Build" as part of build step for users to specify which build step they wish to capture build from. Other build steps will be performed normally without wrapping around with the Coverity cov-build. (BZ 52497, 88273, 93992, 98963, 100175, 100514)
• The Coverity plugin correctly sets up the intermediate directory when capturing builds of source files that only include scripting languages. (BZ 100126)
• The ability to specify multiple commit streams in a single Jenkins job was removed. Existing configurations with more than one commit stream will continue to use the first commit stream specified. Links to defects for additional streams on old build jobs will now only show the main stream defects. (BZ 99084)
• The custom intermediate directory (or default intermediate directory) is deleted whether the build was successful or a failure, unless the option to preserve the intermediate directory is checked. (BZ 99064)
• Removed support for v6 web services (Coverity Connect version 7.6.x and earlier) and older Coverity Analysis Tools (version 7.6.x and earlier). (BZ 98702)
• The Coverity Defects page displays CID/Checker/Function/File Location of defects. (BZ 97772)
• The Jenkins Coverity plugin does not work properly when it is configured inside the Flexible Publish plugin. This is not a supported way of using the Jenkins Coverity plugin. (BZ 97184)
• Resolved an issue with the Unstable status being incorrectly set. (BZ 82665, 88020, 92293, 96455)
• Resolved an issue with the Dismissed defects status being implicitly filtered (regardless of classification filters). (BZ 82665, 88020, 92293, 96455) Note: This may cause an increase in defects which were previously filtered automatically to be unfiltered (to match filtering de-select classifications "False Positive", "Intentional" "No Test Needed", "Tested Elsewhere"). (BZ 82665, 88020, 92293, 96455)
• Updated the default classification filters selected to match Coverity Connect Outstanding view filters. (BZ 82665, 88020, 92293, 96455)
• Removed "Microsoft Code Analysis results files" option (use "Search for Microsoft Code Analysis results" option instead). (BZ 94805)
• The Coverity plugin no longer provides a drop-down to select the "Language" in the configuration. (BZ 92811)
• Resolved an issue where Coverity publisher could not be configured by the Job DSL plugin. (BZ 91929)
• The configuration checking logic was improved. (BZ 84848)
• The "Check Configuration" button on the configuration page will validate the "Test Advisor" and "SCM" configurations as well as project and stream. (BZ 82064)
• Removed the 3000 defect limit when downloading defects from the Coverity Connect stream. (BZ 73634)
• Modified filtering to use built-in web service capabilities. This should reduce the total number of defects and amount of data retrieved from Coverity Connect. (BZ 73634)
• Updated the "Coverity Defects" page (BuildAction) so it includes all defect information. This will greatly improve the response time when viewing the Coverity Defects page. (BZ 73634)
• By clicking the "Check" button on the global configuration, the Coverity plugin will not only check the connection to the Coverity Connect instance, but will check the user's permission as well. The user is required to have "Commit to Stream", "Access web service", and "View Issues" in order to use the Coverity Jenkins plugin. (BZ 71109)
• The Coverity plugin will not fail the build when there is no snapshot in the stream, before running cov-manage-history and continuing its post-build actions. (BZ 67320)
• Users can now configure multiple strip paths for their Test Advisor configurations. (BZ 65793)
• Show a "loading projects" message when the Coverity Connect instance changes in the job configuration. (BZ 60138)
• The Coverity plugin will display the invalid project and error message to indicate that the select project cannot be found in Coverity Connect. (BZ 55377)
• Resolved a NullPointerException on the CoverityTempDir (idir) (BZ 101589)