.gitlab-ci.yml

@@ -17,6 +17,8 @@
 stages:
   - compliance
   - build
+  - build-gcc
+  - build-clang
   - update
   - test
   - report
@@ -108,7 +110,7 @@ bundle-qemu-x86:
   extends: .build-rauc-bundle
   stage: update
   # Depend on the build job to prevent repeating build failures.
-  needs: [linux-qemu-x86]
+  needs: [linux-qemu-x86-gcc]
   variables:
     MACHINE: qemux86
     CI_ONIRO_BUILD_FLAVOUR: linux
@@ -119,7 +121,7 @@ bundle-qemu-x86_64:
   extends: .build-rauc-bundle
   stage: update
   # Depend on the build job to prevent repeating build failures.
-  needs: [linux-qemu-x86_64]
+  needs: [linux-qemu-x86_64-gcc]
   variables:
     MACHINE: qemux86-64
     CI_ONIRO_BUILD_FLAVOUR: linux
@@ -130,7 +132,7 @@ bundle-raspberrypi4-64:
   extends: .build-rauc-bundle
   stage: update
   # Depend on the build job to prevent repeating build failures.
-  needs: [linux-raspberrypi4-64]
+  needs: [linux-raspberrypi4-64-gcc]
   variables:
     MACHINE: raspberrypi4-64
     CI_ONIRO_BUILD_FLAVOUR: linux
@@ -141,7 +143,7 @@ bundle-seco-intel-b68:
   extends: .build-rauc-bundle
   stage: update
   # Depend on the build job to prevent repeating build failures.
-  needs: [linux-seco-intel-b68]
+  needs: [linux-seco-intel-b68-gcc]
   variables:
     MACHINE: seco-intel-b68
     CI_ONIRO_BUILD_FLAVOUR: linux
@@ -196,258 +198,235 @@ publish-seco-intel-b68:
     # Run the build for scheduled pipelines.
     - if: '$CI_PIPELINE_SOURCE == "schedule"'
 
-# Mimic the updated rules for lava-test from the bitbake-workspace.
-.lava-test:
-  rules:
-    - if: '$CI_LAVA_TOKEN == null'
-      when: never
-    - if: '$CI_PIPELINE_SOURCE == "schedule"'
-
-# Mimic the updated rules for lava-report from the bitbake-workspace.
-.lava-report:
+.lava-test-scheduled:
+  extends: .lava-test
+  variables:
+    CI_SQUAD_PROJECT_NAME: "oniro"
   rules:
-    - if: '$CI_LAVA_TOKEN == null'
+    - if: '$CI_SQUAD_TOKEN == null'
       when: never
     - if: '$CI_PIPELINE_SOURCE == "schedule"'
-      when: manual
 
 ##
 ## Submit jobs to LAVA
 ##
 lava-qemu-x86:
-  needs: [linux-qemu-x86]
+  needs: [linux-qemu-x86-gcc]
   stage: test
   extends: .lava-test
   variables:
     MACHINE: qemux86
-    CI_BUILD_JOB_NAME: linux-qemu-x86
+    CI_BUILD_JOB_NAME: linux-qemu-x86-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-x86.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-qemu-x86_64:
-  needs: [linux-qemu-x86_64]
+  needs: [linux-qemu-x86_64-gcc]
   stage: test
   extends: .lava-test
   variables:
     MACHINE: qemux86-64
-    CI_BUILD_JOB_NAME: linux-qemu-x86_64
+    CI_BUILD_JOB_NAME: linux-qemu-x86_64-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-x86_64.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-raspberrypi4-64:
-  needs: [linux-raspberrypi4-64]
+  needs: [linux-raspberrypi4-64-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: raspberrypi4-64
-    CI_BUILD_JOB_NAME: linux-raspberrypi4-64
+    CI_BUILD_JOB_NAME: linux-raspberrypi4-64-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/raspberrypi4-64.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-seco-intel-b68:
-  needs: [linux-seco-intel-b68]
+  needs: [linux-seco-intel-b68-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: seco-intel-b68
-    CI_BUILD_JOB_NAME: linux-seco-intel-b68
+    CI_BUILD_JOB_NAME: linux-seco-intel-b68-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/seco-intel-b68.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-seco-c61:
-  needs: [linux-seco-imx8mm-c61-4gb]
+  needs: [linux-seco-imx8mm-c61-4gb-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: seco-imx8mm-c61-4gb
-    CI_BUILD_JOB_NAME: linux-seco-imx8mm-c61-4gb
+    CI_BUILD_JOB_NAME: linux-seco-imx8mm-c61-4gb-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/seco-c61.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-qemu-x86-ltp:
-  needs: [linux-qemu-x86]
+  needs: [linux-qemu-x86-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: qemux86
-    CI_BUILD_JOB_NAME: linux-qemu-x86
+    CI_BUILD_JOB_NAME: linux-qemu-x86-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-x86-ltp.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-qemu-x86_64-ltp:
-  needs: [linux-qemu-x86_64]
+  needs: [linux-qemu-x86_64-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: qemux86-64
-    CI_BUILD_JOB_NAME: linux-qemu-x86_64
+    CI_BUILD_JOB_NAME: linux-qemu-x86_64-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-x86_64-ltp.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-raspberrypi4-64-ltp:
-  needs: [linux-raspberrypi4-64]
+  needs: [linux-raspberrypi4-64-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: raspberrypi4-64
-    CI_BUILD_JOB_NAME: linux-raspberrypi4-64
+    CI_BUILD_JOB_NAME: linux-raspberrypi4-64-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/raspberrypi4-64-ltp.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-seco-intel-b68-ltp:
-  needs: [linux-seco-intel-b68]
+  needs: [linux-seco-intel-b68-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: seco-intel-b68
-    CI_BUILD_JOB_NAME: linux-seco-intel-b68
+    CI_BUILD_JOB_NAME: linux-seco-intel-b68-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/seco-intel-b68-ltp.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-seco-c61-ltp:
-  needs: [linux-seco-imx8mm-c61-4gb]
+  needs: [linux-seco-imx8mm-c61-4gb-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: seco-imx8mm-c61-4gb
-    CI_BUILD_JOB_NAME: linux-seco-imx8mm-c61-4gb
+    CI_BUILD_JOB_NAME: linux-seco-imx8mm-c61-4gb-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/seco-c61-ltp.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-qemu-x86_64-kselftest:
-  needs: [linux-qemu-x86_64]
+  needs: [linux-qemu-x86_64-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: qemux86-64
-    CI_BUILD_JOB_NAME: linux-qemu-x86_64
+    CI_BUILD_JOB_NAME: linux-qemu-x86_64-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-x86_64-kselftest.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-raspberrypi4-64-kselftest:
-  needs: [linux-raspberrypi4-64]
+  needs: [linux-raspberrypi4-64-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: raspberrypi4-64
-    CI_BUILD_JOB_NAME: linux-raspberrypi4-64
+    CI_BUILD_JOB_NAME: linux-raspberrypi4-64-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/raspberrypi4-64-kselftest.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-seco-c61-kselftest:
-  needs: [linux-seco-imx8mm-c61-4gb]
+  needs: [linux-seco-imx8mm-c61-4gb-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: seco-imx8mm-c61-4gb
-    CI_BUILD_JOB_NAME: linux-seco-imx8mm-c61-4gb
+    CI_BUILD_JOB_NAME: linux-seco-imx8mm-c61-4gb-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/seco-c61-kselftest.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-zephyr-96b-nitrogen-twister:
-  needs: [zephyr-96b-nitrogen-twister]
+  needs: [zephyr-96b-nitrogen-twister-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: 96b-nitrogen
-    CI_BUILD_JOB_NAME: zephyr-96b-nitrogen-twister
+    CI_BUILD_JOB_NAME: zephyr-96b-nitrogen-twister-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/nitrogen-twister.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-qemu-x86-perf:
-  needs: [linux-qemu-x86]
+  needs: [linux-qemu-x86-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: qemux86
-    CI_BUILD_JOB_NAME: linux-qemu-x86
+    CI_BUILD_JOB_NAME: linux-qemu-x86-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-x86-perf.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-qemu-x86_64-perf:
-  needs: [linux-qemu-x86_64]
+  needs: [linux-qemu-x86_64-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: qemux86-64
-    CI_BUILD_JOB_NAME: linux-qemu-x86_64
+    CI_BUILD_JOB_NAME: linux-qemu-x86_64-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-x86_64-perf.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-raspberrypi4-64-perf:
-  needs: [linux-raspberrypi4-64]
+  needs: [linux-raspberrypi4-64-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: raspberrypi4-64
-    CI_BUILD_JOB_NAME: linux-raspberrypi4-64
+    CI_BUILD_JOB_NAME: linux-raspberrypi4-64-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/raspberrypi4-64-perf.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-seco-intel-b68-perf:
-  needs: [linux-seco-intel-b68]
+  needs: [linux-seco-intel-b68-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: seco-intel-b68
-    CI_BUILD_JOB_NAME: linux-seco-intel-b68
+    CI_BUILD_JOB_NAME: linux-seco-intel-b68-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/seco-intel-b68-perf.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-seco-c61-perf:
-  needs: [linux-seco-imx8mm-c61-4gb]
+  needs: [linux-seco-imx8mm-c61-4gb-gcc]
   stage: test
-  extends: .lava-test
+  extends: .lava-test-scheduled
   variables:
     MACHINE: seco-imx8mm-c61-4gb
-    CI_BUILD_JOB_NAME: linux-seco-imx8mm-c61-4gb
+    CI_BUILD_JOB_NAME: linux-seco-imx8mm-c61-4gb-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/seco-c61-perf.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-zephyr-qemu-cortex-m3:
-  needs: [zephyr-qemu-cortex-m3]
+  needs: [zephyr-qemu-cortex-m3-gcc]
   stage: test
   extends: .lava-test
   variables:
     MACHINE: qemu-cortex-m3
-    CI_BUILD_JOB_NAME: zephyr-qemu-cortex-m3
+    CI_BUILD_JOB_NAME: zephyr-qemu-cortex-m3-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-zephyr-cortex-m3.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-zephyr-qemu-x86:
-  needs: [zephyr-qemu-x86]
+  needs: [zephyr-qemu-x86-gcc]
   stage: test
   extends: .lava-test
   variables:
     MACHINE: qemu-x86
-    CI_BUILD_JOB_NAME: zephyr-qemu-x86
+    CI_BUILD_JOB_NAME: zephyr-qemu-x86-gcc
     CI_LAVA_JOB_DEFINITION: "https://git.ostc-eu.org/OSTC/infrastructure/lava/lava-config/-/raw/master/lava.ostc-eu.org/job-definitions/ci/qemu-zephyr-x86.yaml"
     CI_REPORT_JOB_NAME: lava-report
 
 lava-report:
+  extends: .lava-report
   needs:
     - lava-qemu-x86
     - lava-qemu-x86_64
-    - lava-raspberrypi4-64
-    - lava-seco-intel-b68
-    - lava-seco-c61
-    - lava-qemu-x86-ltp
-    - lava-qemu-x86_64-ltp
-    - lava-raspberrypi4-64-ltp
-    - lava-seco-intel-b68-ltp
-    - lava-seco-c61-ltp
-    - lava-qemu-x86-perf
-    - lava-qemu-x86_64-perf
-    - lava-raspberrypi4-64-perf
-    - lava-seco-intel-b68-perf
-    - lava-seco-c61-perf
-    - lava-zephyr-96b-nitrogen-twister
     - lava-zephyr-qemu-cortex-m3
     - lava-zephyr-qemu-x86
-    - lava-qemu-x86_64-kselftest
-    - lava-raspberrypi4-64-kselftest
-    - lava-seco-c61-kselftest
-  extends: .lava-report
 
 lava-badge:
   needs: [lava-report]

.oniro-ci/machines-and-flavours.yaml

@@ -6,7 +6,32 @@
 
 # The following jobs are documented in docs/ci/machines-and-flavours.rst
 
-linux-qemu-x86:
+.toolchain-gcc:
+  stage: build-gcc
+  dependencies: []
+  needs: []
+  variables:
+    CI_ONIRO_BB_LOCAL_CONF_TOOLCHAIN: "gcc"
+    CI_ONIRO_BB_LOCAL_CONF_RUNTIME: "gnu"
+
+.toolchain-clang:
+  stage: build-clang
+  dependencies: []
+  needs: []
+  variables:
+    CI_ONIRO_BB_LOCAL_CONF_TOOLCHAIN: "clang"
+    CI_ONIRO_BB_LOCAL_CONF_RUNTIME: "llvm"
+
+.broken:
+  rules:
+    # Some builds fail, so allow them to fail until the situation improves
+    # dramatically so that the policy can be re-visited.  Clang builds are also
+    # expensive, so only present the user with an option to start the build,
+    # but do not commence the build automatically.
+    - when: manual
+      allow_failure: true
+
+.linux-qemu-x86:
   extends: .build-wic-image
   variables:
     MACHINE: qemux86
@@ -20,8 +45,12 @@ linux-qemu-x86:
     # tainted build intermediate files, downloads or published artifacts.
     CI_ONIRO_BB_LOCAL_CONF_BB_GENERATE_MIRROR_TARBALLS: 1
     CI_ONIRO_JOB_ARTIFACTS: "*.wic.* *.bmap ovmf.qcow2"
+linux-qemu-x86-gcc:
+ extends: [.linux-qemu-x86, .toolchain-gcc]
+linux-qemu-x86-clang:
+ extends: [.linux-qemu-x86, .toolchain-clang]
 
-linux-qemu-x86_64:
+.linux-qemu-x86_64:
   extends: .build-wic-image
   variables:
     MACHINE: qemux86-64
@@ -31,30 +60,46 @@ linux-qemu-x86_64:
     CI_ONIRO_BUILD_CACHE: "pub"
     CI_ONIRO_BB_LOCAL_CONF_BB_GENERATE_MIRROR_TARBALLS: 1
     CI_ONIRO_JOB_ARTIFACTS: "*.wic.* *.bmap ovmf.qcow2"
+linux-qemu-x86_64-gcc:
+  extends: [.linux-qemu-x86_64, .toolchain-gcc]
+linux-qemu-x86_64-clang:
+  extends: [.linux-qemu-x86_64, .toolchain-clang]
 
-linux-seco-intel-b68:
+.linux-seco-intel-b68:
   extends: .build-wic-image
   variables:
     CI_ONIRO_BUILD_FLAVOUR: linux
     CI_ONIRO_RECIPE_NAME: oniro-image-base-tests
     MACHINE: seco-intel-b68
+linux-seco-intel-b68-gcc:
+  extends: [.linux-seco-intel-b68, .toolchain-gcc]
+linux-seco-intel-b68-clang:
+  extends: [.linux-seco-intel-b68, .toolchain-clang]
 
-linux-seco-intel-b68-extra:
+.linux-seco-intel-b68-extra:
   extends: .build-linux
   variables:
     CI_ONIRO_BUILD_FLAVOUR: linux
     CI_ONIRO_BITBAKE_TARGETS: oniro-image-extra-tests
     MACHINE: seco-intel-b68
+linux-seco-intel-b68-extra-gcc:
+  extends: [.linux-seco-intel-b68-extra, .toolchain-gcc]
+linux-seco-intel-b68-extra-clang:
+  extends: [.linux-seco-intel-b68-extra, .toolchain-clang]
 
-linux-seco-imx8mm-c61-2gb:
+.linux-seco-imx8mm-c61-2gb:
   extends: .build-linux-matrix
   variables:
     MACHINE: seco-imx8mm-c61-2gb
     # This platform requires proprietary resources to boot.
     # See build-generic.yaml for explanation of CI_ONIRO_BB_LOCAL_CONF_ variables.
     CI_ONIRO_BB_LOCAL_CONF_ACCEPT_FSL_EULA: 1
+linux-seco-imx8mm-c61-2gb-gcc:
+  extends: [.linux-seco-imx8mm-c61-2gb, .toolchain-gcc]
+linux-seco-imx8mm-c61-2gb-clang:
+  extends: [.linux-seco-imx8mm-c61-2gb, .toolchain-clang, .broken]
 
-linux-seco-imx8mm-c61-4gb:
+.linux-seco-imx8mm-c61-4gb:
   extends: .build-wic-image
   variables:
     CI_ONIRO_BUILD_FLAVOUR: linux
@@ -64,8 +109,12 @@ linux-seco-imx8mm-c61-4gb:
     # See build-generic.yaml for explanation of CI_ONIRO_BB_LOCAL_CONF_ variables.
     CI_ONIRO_BB_LOCAL_CONF_ACCEPT_FSL_EULA: 1
     CI_ONIRO_JOB_ARTIFACTS: "*.wic.* *.bmap flash.bin-seco-imx8mm-c61*"
+linux-seco-imx8mm-c61-4gb-gcc:
+  extends: [.linux-seco-imx8mm-c61-4gb, .toolchain-gcc]
+linux-seco-imx8mm-c61-4gb-clang:
+  extends: [.linux-seco-imx8mm-c61-4gb, .toolchain-clang, .broken]
 
-linux-seco-imx8mm-c61-4gb-extra:
+.linux-seco-imx8mm-c61-4gb-extra:
   extends: .build-linux
   variables:
     CI_ONIRO_BUILD_FLAVOUR: linux
@@ -74,15 +123,23 @@ linux-seco-imx8mm-c61-4gb-extra:
     # This platform requires proprietary resources to boot.
     # See build-generic.yaml for explanation of CI_ONIRO_BB_LOCAL_CONF_ variables.
     CI_ONIRO_BB_LOCAL_CONF_ACCEPT_FSL_EULA: 1
+linux-seco-imx8mm-c61-4gb-extra-gcc:
+  extends: [.linux-seco-imx8mm-c61-4gb-extra, .toolchain-gcc]
+linux-seco-imx8mm-c61-4gb-extra-clang:
+  extends: [.linux-seco-imx8mm-c61-4gb-extra, .toolchain-clang, .broken]
 
-linux-raspberrypi4-64:
+.linux-raspberrypi4-64:
   extends: .build-wic-image
   variables:
     MACHINE: raspberrypi4-64
     CI_ONIRO_BUILD_FLAVOUR: linux
     CI_ONIRO_RECIPE_NAME: oniro-image-base-tests
+linux-raspberrypi4-64-gcc:
+  extends: [.linux-raspberrypi4-64, .toolchain-gcc]
+linux-raspberrypi4-64-clang:
+  extends: [.linux-raspberrypi4-64, .toolchain-clang]
 
-zephyr-qemu-x86:
+.zephyr-qemu-x86:
   extends: .build-zephyr-image
   variables:
     MACHINE: qemu-x86
@@ -92,8 +149,12 @@ zephyr-qemu-x86:
     CI_ONIRO_RECIPE_NAME: zephyr-philosophers
     CI_ONIRO_BUILD_FLAVOUR: zephyr
     CI_ONIRO_INSTANCE_SIZE: s3.large.2
+zephyr-qemu-x86-gcc:
+  extends: [.zephyr-qemu-x86, .toolchain-gcc]
+zephyr-qemu-x86-clang:
+  extends: [.zephyr-qemu-x86, .toolchain-clang, .broken]
 
-zephyr-qemu-cortex-m3:
+.zephyr-qemu-cortex-m3:
   extends: .build-zephyr-image
   variables:
     MACHINE: qemu-cortex-m3
@@ -103,24 +164,36 @@ zephyr-qemu-cortex-m3:
     CI_ONIRO_RECIPE_NAME: zephyr-philosophers
     CI_ONIRO_BUILD_FLAVOUR: zephyr
     CI_ONIRO_INSTANCE_SIZE: s3.large.2
+zephyr-qemu-cortex-m3-gcc:
+  extends: [.zephyr-qemu-cortex-m3, .toolchain-gcc]
+zephyr-qemu-cortex-m3-clang:
+  extends: [.zephyr-qemu-cortex-m3, .toolchain-clang, .broken]
 
-zephyr-96b-nitrogen:
+.zephyr-96b-nitrogen:
   extends: .build-zephyr-image
   variables:
     MACHINE: 96b-nitrogen
     CI_ONIRO_RECIPE_NAME: zephyr-philosophers
     CI_ONIRO_BUILD_FLAVOUR: zephyr
     CI_ONIRO_INSTANCE_SIZE: s3.large.2
+zephyr-96b-nitrogen-gcc:
+  extends: [.zephyr-96b-nitrogen, .toolchain-gcc]
+zephyr-96b-nitrogen-clang:
+  extends: [.zephyr-96b-nitrogen, .toolchain-clang, .broken]
 
-zephyr-96b-nitrogen-tests:
+.zephyr-96b-nitrogen-tests:
   extends: .build-zephyr-image
   variables:
     MACHINE: 96b-nitrogen
     CI_ONIRO_RECIPE_NAME: zephyr-kernel-test-all
     CI_ONIRO_BUILD_FLAVOUR: zephyr
     CI_ONIRO_INSTANCE_SIZE: s3.large.2
+zephyr-96b-nitrogen-tests-gcc:
+  extends: [.zephyr-96b-nitrogen-tests, .toolchain-gcc]
+zephyr-96b-nitrogen-tests-clang:
+  extends: [.zephyr-96b-nitrogen-tests, .toolchain-clang, .broken]
 
-zephyr-96b-nitrogen-twister:
+.zephyr-96b-nitrogen-twister:
   extends: .build-image
   variables:
     MACHINE: 96b-nitrogen
@@ -128,26 +201,46 @@ zephyr-96b-nitrogen-twister:
     CI_ONIRO_BUILD_FLAVOUR: zephyr
     CI_ONIRO_INSTANCE_SIZE: s3.large.2
     CI_ONIRO_JOB_ARTIFACTS: "twister*.tar.bz2"
+zephyr-96b-nitrogen-twister-gcc:
+  extends: [.zephyr-96b-nitrogen-twister, .toolchain-gcc]
+zephyr-96b-nitrogen-twister-clang:
+  extends: [.zephyr-96b-nitrogen-twister, .toolchain-clang, .broken]
 
-zephyr-96b-avenger:
+.zephyr-96b-avenger:
   extends: .build-zephyr
   variables:
     MACHINE: 96b-avenger96
+zephyr-96b-avenger-gcc:
+  extends: [.zephyr-96b-avenger, .toolchain-gcc]
+zephyr-96b-avenger-clang:
+  extends: [.zephyr-96b-avenger, .toolchain-clang, .broken]
 
-zephyr-nrf52840dk-nrf52840:
+.zephyr-nrf52840dk-nrf52840:
   extends: .build-zephyr
   variables:
     MACHINE: nrf52840dk-nrf52840
+zephyr-nrf52840dk-nrf52840-gcc:
+  extends: [.zephyr-nrf52840dk-nrf52840, .toolchain-gcc]
+zephyr-nrf52840dk-nrf52840-clang:
+  extends: [.zephyr-nrf52840dk-nrf52840, .toolchain-clang, .broken]
 
-zephyr-arduino-nano-33-ble:
+.zephyr-arduino-nano-33-ble:
   extends: .build-zephyr
   variables:
     MACHINE: arduino-nano-33-ble
+zephyr-arduino-nano-33-ble-gcc:
+  extends: [.zephyr-arduino-nano-33-ble, .toolchain-gcc]
+zephyr-arduino-nano-33-ble-clang:
+  extends: [.zephyr-arduino-nano-33-ble, .toolchain-clang, .broken]
 
-freertos-armv5:
+.freertos-armv5:
   extends: .build-freertos
   variables:
     MACHINE: qemuarmv5
     # See the note on linux-qemu-x86.
     CI_ONIRO_BUILD_CACHE: "pub"
     CI_ONIRO_BB_LOCAL_CONF_BB_GENERATE_MIRROR_TARBALLS: 1
+freertos-armv5-gcc:
+  extends: [.freertos-armv5, .toolchain-gcc]
+freertos-armv5-clang:
+  extends: [.freertos-armv5, .toolchain-clang, .broken]

.oniro-ci/test-generic.yaml

@@ -12,6 +12,7 @@
     GIT_STRATEGY: none
     CI_LAVA_INSTANCE: "https://lava.ostc-eu.org/"
     CI_SQUAD_INSTANCE: "https://squadp.svc.ostc-eu.dev"
+    CI_SQUAD_PROJECT_NAME: "oniro-test-mr"
     # Run the same ltp test suites that using by LKFT project.
     # Reference: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.10.y/build/v5.10.98-75-g9f5cb871ceb9/testjobs/
     LTP_TST_CMDFILES: "cap_bounds cpuhotplug crypto nptl pty securebits fs controllers hugetlb mm tracing containers io dio syscalls math commands ipc fcntl-locktests filecaps fs_bind fs_perms_simple fsx sched cve"
@@ -71,16 +72,22 @@
     # Submit the jobs to SQUAD.
     - |
       for job_def in $(find lava_jobs/ -name "*.yaml"); do
-        echo $CI_SQUAD_INSTANCE/api/submitjob/oniro-core/$CI_PROJECT_NAME/$CI_PIPELINE_ID/$MACHINE --header "Auth-Token: $CI_SQUAD_TOKEN"  --form "backend=oniro_lava" --form "definition=@${job_def}"
-        curl $CI_SQUAD_INSTANCE/api/submitjob/oniro-core/$CI_PROJECT_NAME/$CI_PIPELINE_ID/$MACHINE --header "Auth-Token: $CI_SQUAD_TOKEN"  --form "backend=oniro_lava" --form "definition=@${job_def}"
+        echo $CI_SQUAD_INSTANCE/api/submitjob/oniro-core/$CI_SQUAD_PROJECT_NAME/$CI_PIPELINE_ID/$MACHINE --header "Auth-Token: $CI_SQUAD_TOKEN"  --form "backend=oniro_lava" --form "definition=@${job_def}"
+        curl $CI_SQUAD_INSTANCE/api/submitjob/oniro-core/$CI_SQUAD_PROJECT_NAME/$CI_PIPELINE_ID/$MACHINE --header "Auth-Token: $CI_SQUAD_TOKEN"  --form "backend=oniro_lava" --form "definition=@${job_def}"
       done
       # Attach a callback to this build to trigger the lava-report job
       squad_build_id="$(curl --silent "$CI_SQUAD_INSTANCE/api/builds/?version=$CI_PIPELINE_ID" | jq -r '.results[0].id')"
-      curl -X POST $CI_SQUAD_INSTANCE/api/builds/$squad_build_id/callbacks/ --header "Authorization: Token $CI_SQUAD_TOKEN" -F "callback_url=$CALLBACK_URL"
+      curl --silent \
+        -X POST "$CI_SQUAD_INSTANCE/api/builds/$squad_build_id/callbacks/" \
+        -H "Authorization: Token $CI_SQUAD_TOKEN" \
+        -F "callback_url=$CALLBACK_URL" \
+        -F "callback_record_response=true"
   artifacts:
     paths:
       - lava_jobs/*.yaml
   rules:
+    - if: '$CI_SQUAD_TOKEN == null'
+      when: never
     # Run the build when it is scheduled.
     - if: $CI_PIPELINE_SOURCE == "schedule"
     # Do not run pipelines for draft merge requests unless manually triggered.
@@ -101,18 +108,22 @@
   variables:
     GIT_STRATEGY: none
     CI_LAVA_INSTANCE: "https://lava.ostc-eu.org/"
+    CI_SQUAD_INSTANCE: "https://squadp.svc.ostc-eu.dev"
   script:
     - |
       # Get the test_runs_incomplete value from build status. That will tell
       # us if any of the LAVA jobs failed and we can determine whether the
       # report job is successful or not.
-      incomplete="$(curl --silent $CI_SQUAD_INSTANCE/api/builds/$CI_PIPELINE_ID/status/ | jq -r '.test_runs_incomplete')"
-      if [ "$incomplete" != "0" ]; then
+      squad_build_id="$(curl --silent "$CI_SQUAD_INSTANCE/api/builds/?version=$CI_PIPELINE_ID" | jq -r '.results[0].id')"
+      curl --silent "$CI_SQUAD_INSTANCE/api/builds/$squad_build_id/testjobs/" > test_jobs.json
+      jq -r '.results | .[] | .external_url, .job_status' test_jobs.json | tee job_status.txt
+      if grep -qi "incomplete" job_status.txt; then
         echo "ERROR: Incomplete test job reported: exit code 1"
         exit 1
       fi
-
   rules:
+    - if: '$CI_SQUAD_TOKEN == null'
+      when: never
     # Run the build when it is scheduled.
     - if: $CI_PIPELINE_SOURCE == "schedule"
       when: manual

docs/build-flavours/zephyr-flavour.rst

@@ -38,7 +38,7 @@ You can test the image built for the qemu-x86 target by issuing:
 
 .. code-block:: console
 
-    $ runqemu qemu-x86
+    $ runqemu qemu-x86 nographic
 
 After successful bootup, the output of the application will be similar to:
 

manifests/default.xml

@@ -24,19 +24,20 @@ SPDX-FileCopyrightText: Huawei Inc.
 	<remote name="openembedded" fetch="git://git.openembedded.org" />
 	<remote name="seco" fetch="https://git.seco.com" />
 
-	<project name="bitbake" remote="openembedded" revision="494fcfcb7c4469915c67f544997104d81c417266" path="bitbake" />
-	<project name="openembedded-core" remote="openembedded" revision="b2d10487f80deb04a0893325a1ae79c8629a7655" path="oe-core" />
+	<project name="bitbake" remote="openembedded" revision="b8fd6f5d9959d27176ea016c249cf6d35ac8ba03" path="bitbake" />
+	<project name="openembedded-core" remote="openembedded" revision="a5919cb8bcb8f3fe66519c80aa8730b16cf987ac" path="oe-core" />
 	<project name="meta-openembedded" remote="openembedded" revision="fcc7d7eae82be4c180f2e8fa3db90a8ab3be07b7" path="meta-openembedded" />
 	<project name="aehs29/meta-freertos" remote="github" revision="98a6838261d36b8f79c5fbae1736492169727a1e" path="meta-freertos" />
 	<project name="meta-intel" remote="yocto" revision="8e472da759cd5a5bf2ece041d2796db56b1d5482" path="meta-intel" />
 	<project name="pub/intel/yocto/meta-seco-intel" remote="seco" revision="65a673560211b11986db5785c70254fad190785f" path="meta-seco-intel" />
 	<project name="meta-freescale" remote="yocto" revision="92df6b76f38397b75ea76d588935b5b91b63c58c" path="meta-freescale" />
-	<project name="pub/i.mx/yocto/5.x/meta-seco-imx" remote="seco" revision="4b338aa40990226b599779f91f7f03dbb0d12747" path="meta-seco-imx" />
+	<project name="pub/i.mx/yocto/5.x/meta-seco-imx" remote="seco" revision="b6976d806dad5cff6e071cfdb59ab45c4210604b" path="meta-seco-imx" />
 	<project name="meta-raspberrypi" remote="yocto" revision="0135a02ea577bd39dd552236ead2c5894d89da1d" path="meta-raspberrypi" />
 	<project name="meta-security" remote="yocto" revision="d3d8e62bf1caa3870a504c0addcfd200b33c189f" path="meta-security" />
-	<project name="rauc/meta-rauc" remote="github" revision="4429bd1f29677c9a7de032d53240fb4791a41e1f" path="meta-rauc" />
+	<project name="rauc/meta-rauc" remote="github" revision="c66cdf995818a4425ad32b0ef76063e762dbf922" path="meta-rauc" />
 	<project name="riscv/meta-riscv" remote="github" revision="70e099d7ceca52a1dde2c978713012f6b20a9891" path="meta-riscv" />
-	<project name="meta-arm" remote="yocto" revision="a8cb33d5139e30b4a643da9a277487299c0e658f" path="meta-arm" />
+	<project name="meta-arm" remote="yocto" revision="741509023867aa629f35289bba12485d4b6e3dcf" path="meta-arm" />
+	<project name="jiazhang0/meta-secure-core" remote="github" revision="2ccf4aa4e352a1b990d0f59bf28de8639ca529d9" path="meta-secure-core" />
 
 	<!--
 		All entries above are pinned to a specific revision and updated manually.

scripts/cve-diff.py

+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Create a diff of two JSON CVE statuses
+
+import sys
+import getopt
+import re
+from deepdiff import DeepDiff
+from pprint import pprint
+
+verbose_level = 0
+
+
+def show_syntax_and_exit(code):
+    """
+    Show the program syntax and exit with an errror
+    Arguments:
+        code: the error code to return
+    """
+    print("Syntax: %s [-h] [-v] file1 file2" % __name__)
+    sys.exit(code)
+
+
+def exit_error(code, message):
+    """
+    Show the error message and exit with an errror
+    Arguments:
+        code: the error code to return
+        message: the message to show
+    """
+    print("Error: %s" % message)
+    sys.exit(code)
+
+
+def vprint(*args, **kwargs):
+    """
+    Printing with verbosity levels
+    Arguments:
+        args: as for print
+        kwargs: as for print
+    """
+    global verbose_level
+
+    if verbose_level:
+        print(*args, **kwargs)
+
+
+def parse_args(argv):
+    """
+    Parse the program arguments, put options in global variables
+    Arguments:
+        argv: program arguments
+    Returns:
+        Two mandatory file arguments
+    """
+    global verbose_level
+    try:
+        opts, args = getopt.getopt(argv, "hv", ["help", "verbose"])
+    except getopt.GetoptError:
+        show_syntax_and_exit(1)
+    for opt, arg in opts:
+        if opt in ("-h", "--help"):
+            show_syntax_and_exit(0)
+        elif opt in ("-v", "--verbose"):
+            verbose_level = 1
+        else:
+            show_syntax_and_exit(1)
+
+    if len(args) < 2:
+        exit_error(1, "Need at least two files to compare")
+    return (args[0], args[1])
+
+
+def validate_cve_json(data):
+    """
+    Check correctness of the loaded JSON data
+    Arguments:
+        data: loaded data
+    Returns:
+        Bool: True if file is correct, False otherwise
+        Error message: if the file has errors
+    """
+    if not "version" in data or data["version"] != "1":
+        return False, "Unrecognized format version number"
+    if not "package" in data:
+        return False, "Mandatory 'package' key not found"
+    for package in data["package"]:
+        keys_in_package = {"name", "layer", "version", "issue"}
+        if keys_in_package - package.keys():
+            return False, "Missing a mandatory key in package: %s" % (
+                keys_in_package - package.keys()
+            )
+
+        for issue in package["issue"]:
+            keys_in_issue = {"id", "scorev2", "scorev3", "vector", "status"}
+            if keys_in_issue - issue.keys():
+                return (
+                    False,
+                    "Missing mandatory keys %s in 'issue' for the package '%s'"
+                    % (keys_in_issue - issue.keys(), package_name),
+                )
+    return True, ""
+
+
+def get_name(value):
+    """
+    Function used for sorting, return the sorting key to use
+    Argument:
+        value: raw value
+    Return:
+        Package name to use for sorting
+    """
+    return value["name"]
+
+
+def load_cve_json(filename):
+    """
+    Load the JSON file, return the resulting dictionary
+    Arguments:
+        filename: the file to open
+    Returns:
+        Parsed file as a dictionary
+    """
+    import json
+
+    out = {}
+    try:
+        with open(filename, "r") as f:
+            out = json.load(f)
+    except FileNotFoundError:
+        exit_error(1, "Input file (%s) not found" % (filename))
+    except json.decoder.JSONDecodeError as error:
+        exit_error(1, "Malformed JSON file: %s" % str(error))
+
+    # Validate file
+    validated, error = validate_cve_json(out)
+    if not validated:
+        exit_error(1, error)
+
+    out_sorted = sorted(out["package"], key=get_name)
+    return out_sorted
+
+
+def calculate_diff(data1, data2):
+    """
+    Calculate a deep diff between two JSON data sets
+    Arguments:
+        data1: source data to compare (current)
+        data2: destination data to compare (upstream)
+    Returns:
+        Diff in the DeepDiff tree format
+    """
+    ddiff = DeepDiff(data1, data2, ignore_order=True, view="tree")
+    return ddiff
+
+
+def calculate_package_diff(diff):
+    """
+    Parse a difference in packages from the deep diff
+    Arguments:
+        diff: the deep diff, tree format
+    Returns:
+        removed set: added packages list
+        added_set: removed packages list
+    """
+    removed_set = []
+    added_set = []
+    vprint("Package status:")
+    if "iterable_item_added" in diff.keys():
+        for p in diff["iterable_item_added"]:
+            # Only p.t2 exists
+            # Assure only "root[XXXX]" items
+            if not re.search("^root\[[0-9]+\]$", p.path()):
+                # If we have a new issue
+                # if re.search("^root\[[0-9]+\]\['issue'\]\[[0-9]+\]$", p):
+                #    print("New issue")
+                continue
+            vprint("Added package: %s %s" % (p.t2["name"], p.t2["version"]))
+            added_set.append(p.t2)
+    if "iterable_item_removed" in diff.keys():
+        for p in diff["iterable_item_removed"]:
+            # Only p.t1 exists
+            # Assure only "root[XXXX]" items
+            if not re.search("^root\[[0-9]+\]$", p.path()):
+                # print("removed: Not found in %s" % (p.t1))
+                continue
+            vprint("Removed package: %s %s" % (p.t1["name"], p.t1["version"]))
+            removed_set.append(p.t1)
+    if "values_changed" in diff.keys():
+        # print("Some values changed")
+        for p in diff["values_changed"]:
+            # Filter out name changes, this is addition/removal - removal of t1
+            if re.search("^root\[[0-9]+\]\['name'\]$", p.path()):
+                vprint("Removed package: %s %s" % (p.up.t1["name"], p.up.t1["version"]))
+                vprint("Added package: %s %s" % (p.up.t2["name"], p.up.t2["version"]))
+                removed_set.append(p.up.t1)
+                added_set.append(p.up.t2)
+                # TODO: Handle the special case of linux
+            else:
+                # If a high level property root[XXX]['somename'] of the item that was changed
+                if re.search("^root\[[0-9]+\]\['[a-z,A-Z,0-9]+'\]$", p.path()):
+                    # If the parent has been removed, this item is to be ignored
+                    # We take it into account only if paren't hasn't been removed
+                    if not p.up.t1 in removed_set:
+                        vprint("Found changed items for: %s" % (p.up.t1["name"]))
+                # product table varies when the high level has changed
+                # Format: [root][XX]['products'][XX]['product']
+                elif re.search(
+                    "^root\[[0-9]+\]\['products'\]\[[0-9]+\]\['product'\]$", p.path()
+                ):
+                    if p.up.up.up.t1 not in removed_set:
+                        vprint(
+                            "Change of product names for package: %s %s"
+                            % (p.up.up.up.t1["name"], p.up.up.up.t2["name"])
+                        )
+                # TODO: product table varies when the high level has changed
+                # TODO: issue table version when the high level has changed
+                # else:
+                #    print(p)
+    vprint("")
+    return (removed_set, added_set)
+
+
+def calculate_cve_diff(diff):
+    """
+    Parse a difference in CVEs from the deep diff
+    Arguments:
+        diff: the deep diff, tree format
+    Returns:
+        removed_cves: removed CVEs
+        added_cves: added CVEs
+    """
+    added_cves = []
+    removed_cves = []
+    vprint("CVE status:")
+    # Look for added/removed CVEs
+    if "values_changed" in diff.keys():
+        # Differences like <root[42]['issue'][2562]['status'] t1:'Patched', t2:'Unpatched'>
+        for p in diff["values_changed"]:
+            if re.search("^root\[[0-9]+\]\['issue'\]\[[0-9]+\]\['status'\]$", p.path()):
+                if (p.t1 == "Patched" or p.t1 == "Ignored") and p.t2 == "Unpatched":
+                    # New CVE
+                    vprint(
+                        "Unpatched CVE: %s (%s %s)"
+                        % (
+                            p.up.t2["id"],
+                            p.up.up.up.t2["name"],
+                            p.up.up.up.t2["version"],
+                        )
+                    )
+                    added_cves.append(p.up.t2["id"])
+                elif p.t1 == "Unpatched" and (p.t2 == "Patched" or p.t2 == "Ignored"):
+                    # Fixed CVE
+                    vprint(
+                        "Fixed CVE: %s (%s %s)"
+                        % (
+                            p.up.t2["id"],
+                            p.up.up.up.t2["name"],
+                            p.up.up.up.t2["version"],
+                        )
+                    )
+                    removed_cves.append(p.up.t2["id"])
+                else:
+                    vprint(
+                        "Unknown status of CVE: %s (%s %s)"
+                        % (
+                            p.up.t2["id"],
+                            p.up.up.up.t2["name"],
+                            p.up.up.up.t2["version"],
+                        )
+                    )
+            # Other changes in the issue table
+            elif re.search("^root\[[0-9]+\]\['issue'\].*$", p.path()):
+                # The whole issue element has changed
+                if re.search("^root\[[0-9]+\]\['issue'\]\[[0-9]+\]$", p.path()):
+                    if p.up.up.t1["name"] == p.up.up.t2["name"]:
+                        vprint(
+                            "Changed CVE for package %s %s"
+                            % (p.up.up.t2["name"], p.up.up.t2["version"])
+                        )
+                else:
+                    # Some fields of the issue changed
+                    if re.search(
+                        "^root\[[0-9]+\]\['issue'\]\[[0-9]+\]\['[a-z,A-Z]+'\]$",
+                        p.path(),
+                    ):
+                        # If package names are different, this is a spurious diff
+                        if p.up.up.up.t1["name"] == p.up.up.up.t2["name"]:
+                            vprint(
+                                "Changed CVE for package %s %s"
+                                % (p.up.up.up.t2["name"], p.up.up.up.t2["version"])
+                            )
+    vprint("")
+    return (removed_cves, added_cves)
+
+
+def main(argv):
+    file1, file2 = parse_args(argv)
+
+    data1 = load_cve_json(file1)
+    data2 = load_cve_json(file2)
+    diff = calculate_diff(data1, data2)
+
+    removed_set, added_set = calculate_package_diff(diff)
+
+    removed_cves, added_cves = calculate_cve_diff(diff)
+
+    print("Summary:")
+    print(
+        "Package report: the new version adds %s packages and removes %d packages"
+        % (len(added_set), len(removed_set))
+    )
+    print(
+        "CVE report: the new version removes %s CVEs and adds %s CVEs"
+        % (len(removed_cves), len(added_cves))
+    )
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])

scripts/cve-json-to-csv.py → scripts/cve-report.py

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # CVE-check example script
-# Convert the cve-check JSON output to a CSV file
+# Reporting based on the cve-check JSON format: conversion to CSV and summary
 
 import sys
 import getopt
@@ -11,6 +11,8 @@ import getopt
 infile = "in.json"
 outfile = "out.csv"
 show_all = False
+show_summary = False
+to_csv = False
 
 
 def show_syntax_and_exit(code):
@@ -19,9 +21,13 @@ def show_syntax_and_exit(code):
     Arguments:
         code: the error code to return
     """
-    print("Syntax: %s [-h][-i inputfile][-o outputfile] [-a]" % __name__)
+    print("Syntax: %s [-h] [-a] [-s] [-c] [-i inputfile][-o outputfile]" % sys.argv[0])
     print("Default files: in.json and out.csv")
-    print("Use -a or -all to list all issues, otherwise we filter only unpatched ones")
+    print(
+        "Use -c or --to-csv to generate a CSV report, output file is then needed, out.csv by default"
+    )
+    print("Use -a or --all to list all issues, otherwise we filter only unpatched ones")
+    print("Use -s or --summary to show a summary of the issues")
     sys.exit(code)
 
 
@@ -42,20 +48,26 @@ def parse_args(argv):
     Arguments:
         argv: program arguments
     """
-    global infile, outfile, show_all
+    global infile, outfile, show_all, show_summary, to_csv
     try:
-        opts, args = getopt.getopt(argv, "hi:o:a", ["input", "output"])
+        opts, args = getopt.getopt(
+            argv, "hi:o:asc", ["help", "input", "output", "summary", "to-csv"]
+        )
     except getopt.GetoptError:
         show_syntax_and_exit(1)
     for opt, arg in opts:
-        if opt == "-h":
+        if opt in ("-h", "--help"):
             show_syntax_and_exit(0)
+        elif opt in ("-a", "--all"):
+            show_all = True
         elif opt in ("-i", "--input"):
             infile = arg
+        elif opt in ("-c", "--to-csv"):
+            to_csv = True
         elif opt in ("-o", "--output"):
             outfile = arg
-        elif opt in ("-a", "--all"):
-            show_all = True
+        elif opt in ("-s", "--summary"):
+            show_summary = True
 
 
 def load_json(filename):
@@ -79,7 +91,7 @@ def load_json(filename):
     return out
 
 
-def write_csv(filename, data, unpatched_only):
+def process_data(filename, data, unpatched_only, do_summary, do_csv):
     """
     Write the resulting CSV with one line for each package
     Arguments:
@@ -95,6 +107,7 @@ def write_csv(filename, data, unpatched_only):
         exit_error(1, "Mandatory 'package' key not found")
 
     lines = ""
+    total_issue_count = 0
     for package in data["package"]:
         keys_in_package = {"name", "layer", "version", "issue"}
         if keys_in_package - package.keys():
@@ -107,6 +120,11 @@ def write_csv(filename, data, unpatched_only):
         package_name = package["name"]
         layer = package["layer"]
         package_version = package["version"]
+        package_summary = "Issues for package %s (version %s):\n\t" % (
+            package_name,
+            package_version,
+        )
+        issue_count = 0
 
         for issue in package["issue"]:
             keys_in_issue = {"id", "scorev2", "scorev3", "vector", "status"}
@@ -132,15 +150,27 @@ def write_csv(filename, data, unpatched_only):
                     scorev3,
                     vector,
                 )
+                package_summary += "%s " % (cve_id)
+                issue_count += 1
+
+        if do_summary and issue_count > 0:
+            package_summary += "\n\tCount: %d\n" % (issue_count)
+            print(package_summary)
+
+        total_issue_count += issue_count
+
+    if do_csv:
+        with open(filename, "w") as f:
+            f.write(lines)
 
-    with open(filename, "w") as f:
-        f.write(lines)
+    if do_summary:
+        print("Global issue count: %d" % (total_issue_count))
 
 
 def main(argv):
     parse_args(argv)
     data = load_json(infile)
-    write_csv(outfile, data, not show_all)
+    process_data(outfile, data, not show_all, show_summary, to_csv)
 
 
 if __name__ == "__main__":