ruby/tool/test-annocheck.sh

41 строка
1.4 KiB
Bash
Executable File

#!/bin/sh -eu
# Run the `tool/test-annocheck.sh [binary files]` to check security issues
# by annocheck <https://sourceware.org/annobin/>.
#
# E.g. `tool/test-annocheck.sh ruby libruby.so.3.2.0`.
#
# Note that as the annocheck binary package is not available on Ubuntu, and it
# is working in progress in Debian, this script uses Fedora container for now.
# It requires docker or podman.
# https://www.debian.org/devel/wnpp/itp.en.html
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926470
set -x
DOCKER="$(command -v docker || command -v podman)"
TAG=ruby-fedora-annocheck
TOOL_DIR="$(dirname "${0}")"
TMP_DIR="tmp/annocheck"
DOCKER_RUN_VOLUME_OPTS=
if [ -z "${CI-}" ]; then
# Use a volume option on local (non-CI).
DOCKER_RUN_VOLUME_OPTS="-v $(pwd):/work"
"${DOCKER}" build --rm -t "${TAG}" ${TOOL_DIR}/annocheck/
else
# TODO: A temporary workaround on CI to build by copying binary files from
# host to container without volume option, as I couldn't find a way to use
# volume in container in container on GitHub Actions
# <.github/workflows/compilers.yml>.
TAG="${TAG}-copy"
rm -rf "${TMP_DIR}"
mkdir -p "${TMP_DIR}"
for file in "${@}"; do
cp -p "${file}" "${TMP_DIR}"
done
"${DOCKER}" build --rm -t "${TAG}" --build-arg=IN_DIR="${TMP_DIR}" -f ${TOOL_DIR}/annocheck/Dockerfile-copy .
rm -rf "${TMP_DIR}"
fi
"${DOCKER}" run --rm -t ${DOCKER_RUN_VOLUME_OPTS} "${TAG}" annocheck --verbose ${TEST_ANNOCHECK_OPTS-} "${@}"