зеркало из https://github.com/github/ruby.git
41 строка
1.4 KiB
Bash
Executable File
41 строка
1.4 KiB
Bash
Executable File
#!/bin/sh -eu
|
|
# Run the `tool/test-annocheck.sh [binary files]` to check security issues
|
|
# by annocheck <https://sourceware.org/annobin/>.
|
|
#
|
|
# E.g. `tool/test-annocheck.sh ruby libruby.so.3.2.0`.
|
|
#
|
|
# Note that as the annocheck binary package is not available on Ubuntu, and it
|
|
# is working in progress in Debian, this script uses Fedora container for now.
|
|
# It requires docker or podman.
|
|
# https://www.debian.org/devel/wnpp/itp.en.html
|
|
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470
|
|
|
|
set -x
|
|
|
|
DOCKER="$(command -v docker || command -v podman)"
|
|
TAG=ruby-fedora-annocheck
|
|
TOOL_DIR="$(dirname "${0}")"
|
|
TMP_DIR="tmp/annocheck"
|
|
DOCKER_RUN_VOLUME_OPTS=
|
|
|
|
if [ -z "${CI-}" ]; then
|
|
# Use a volume option on local (non-CI).
|
|
DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work"
|
|
"${DOCKER}" build --rm -t "${TAG}" ${TOOL_DIR}/annocheck/
|
|
else
|
|
# TODO: A temporary workaround on CI to build by copying binary files from
|
|
# host to container without volume option, as I couldn't find a way to use
|
|
# volume in container in container on GitHub Actions
|
|
# <.github/workflows/compilers.yml>.
|
|
TAG="${TAG}-copy"
|
|
rm -rf "${TMP_DIR}"
|
|
mkdir -p "${TMP_DIR}"
|
|
for file in "${@}"; do
|
|
cp -p "${file}" "${TMP_DIR}"
|
|
done
|
|
"${DOCKER}" build --rm -t "${TAG}" --build-arg=IN_DIR="${TMP_DIR}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
|
|
rm -rf "${TMP_DIR}"
|
|
fi
|
|
|
|
"${DOCKER}" run --rm -t ${DOCKER_RUN_VOLUME_OPTS} "${TAG}" annocheck --verbose ${TEST_ANNOCHECK_OPTS-} "${@}"
|