Various hardening, fixes, and testing #250
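name: Code Coverage

on:
  push:
    branches: [ 'main', 'release/**' ]
  pull_request:
    branches: [ '*' ]
  workflow_dispatch:

# Nothing in this workflow writes to the repository or needs token write
# scopes, so restrict the default GITHUB_TOKEN to read-only.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  coverage:
    name: Line Coverage
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin third-party actions to a full commit SHA rather
      # than a mutable major-version tag.
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y autoconf automake libtool lcov

      # Resolve the commit once so the cache key and the build below refer
      # to the same wolfSSL revision. Fail loudly when the lookup fails: an
      # empty sha would collapse the cache key to a constant and silently
      # reuse whatever install was cached under it.
      - name: Resolve wolfSSL master commit
        id: wolfssl-rev
        run: |
          set -o pipefail
          sha=$(git ls-remote https://github.com/wolfSSL/wolfssl.git HEAD | cut -f1)
          if [ -z "$sha" ]; then
            echo "::error::could not resolve the wolfSSL HEAD commit"
            exit 1
          fi
          echo "sha=$sha" >> "$GITHUB_OUTPUT"

      - name: Cache wolfSSL
        id: cache-wolfssl
        uses: actions/cache@v4
        with:
          path: ~/wolfssl-install
          key: wolfssl-ubuntu-latest-v3-${{ steps.wolfssl-rev.outputs.sha }}

      - name: Build wolfSSL
        if: steps.cache-wolfssl.outputs.cache-hit != 'true'
        env:
          # Passed through the environment rather than interpolated into the
          # script text, so the value is never parsed as shell.
          WOLFSSL_SHA: ${{ steps.wolfssl-rev.outputs.sha }}
        run: |
          cd ~
          git clone --depth 1 https://github.com/wolfSSL/wolfssl.git
          cd wolfssl
          # Build exactly the commit the cache key was derived from: a plain
          # shallow clone may land on a newer commit than the one resolved
          # above, which would leave the cached install mislabelled.
          git fetch --depth 1 origin "$WOLFSSL_SHA"
          git checkout --detach "$WOLFSSL_SHA"
          ./autogen.sh
          # Coverage thresholds (99%/100%) require the ML-DSA paths compiled in,
          # so build against master with the PQC/experimental wc_MlDsaKey API.
          ./configure --enable-ecc --enable-ed25519 --enable-ed448 \
            --enable-curve25519 --enable-aesgcm --enable-aesccm \
            --enable-sha384 --enable-sha512 --enable-keygen \
            --enable-rsapss --enable-chacha --enable-poly1305 \
            --enable-mldsa \
            --enable-hkdf --enable-aeskeywrap \
            --enable-aescbc \
            --prefix="$HOME/wolfssl-install"
          make -j"$(nproc)"
          make install

      - name: Run coverage with failure injection
        run: |
          export WOLFSSL_DIR="$HOME/wolfssl-install"
          export LD_LIBRARY_PATH="$WOLFSSL_DIR/lib"
          make coverage-force-failure CC=gcc \
            CFLAGS="-std=c99 -DHAVE_ANONYMOUS_INLINE_AGGREGATES=1 -Os -Wall -Wextra -Wpedantic -Wshadow -Wconversion -I./include -isystem $WOLFSSL_DIR/include" \
            LDFLAGS="-L$WOLFSSL_DIR/lib -lwolfssl"

      - name: Check coverage thresholds
        run: |
          echo "=============================================="
          echo " wolfCOSE Coverage Report"
          echo "=============================================="
          echo ""
          FAILED=0

          # Run gcov once and capture its output; the per-file summaries are
          # parsed out of it below.
          GCOV_OUTPUT=$(gcov src/*.c 2>&1)
          echo "$GCOV_OUTPUT"
          echo ""

          #######################################
          # Report one source file against its line-coverage threshold.
          # Globals:   GCOV_OUTPUT (read), FAILED (set to 1 on failure)
          # Arguments: $1 - source file name as it appears in gcov output
          #            $2 - minimum line coverage in percent
          #            $3 - max uncovered lines to list (empty = list all)
          # Outputs:   human-readable summary on stdout
          # Returns:   0 always; failure is recorded in FAILED
          #######################################
          check_file() {
            local src=$1 threshold=$2 show=$3
            local pct uncov heading
            pct=$(printf '%s\n' "$GCOV_OUTPUT" | grep -F -A1 "${src}'" | grep "Lines executed" | sed "s/.*:\([0-9.]*\)%.*/\1/")
            # grep -c prints "0" on no match (exit 1) but nothing when the
            # .gcov file is missing (exit 2); only the latter is defaulted,
            # so the count can never come out as "0" followed by another "0".
            uncov=$(grep -c "#####" "${src}.gcov" 2>/dev/null || true)
            uncov=${uncov:-0}
            # A summary that cannot be parsed must not pass the gate: it means
            # the file was not built with coverage or gcov's output changed.
            if [ -z "$pct" ]; then
              FAILED=1
              echo "${src}:"
              echo ">>> FAILED: no gcov summary found for ${src} <<<"
              echo ""
              return 0
            fi
            echo "${src}:"
            echo "  Coverage:  ${pct}%"
            echo "  Threshold: ${threshold}%"
            echo "  Uncovered lines: ${uncov}"
            echo ""
            # Compare in awk (handles decimals); values go in via -v so they
            # are data, not part of the awk program text.
            if awk -v p="$pct" -v t="$threshold" 'BEGIN {exit !(p < t)}'; then
              FAILED=1
              echo ">>> FAILED: ${src} coverage is below ${threshold}%! <<<"
              echo ""
              heading="Uncovered lines in ${src}:"
              echo "$heading"
              printf '%*s\n' "${#heading}" '' | tr ' ' '-'
              if [ -n "$show" ]; then
                grep -n "#####" "${src}.gcov" | head -n "$show"
              else
                # grep exits 1 on no match; do not let -e abort the report.
                grep -n "#####" "${src}.gcov" || true
              fi
              echo ""
            else
              echo ">>> PASSED: ${src} meets ${threshold}% threshold <<<"
            fi
            echo ""
          }

          # Coverage thresholds:
          #   wolfcose.c:      99% minimum (first 50 uncovered lines listed)
          #   wolfcose_cbor.c: 100% minimum (all uncovered lines listed)
          check_file wolfcose.c 99 50
          check_file wolfcose_cbor.c 100 ""

          echo "=============================================="
          if [ "$FAILED" -eq 1 ]; then
            echo ""
            echo " Looks like you need more tests!"
            echo ""
            echo " Add tests to tests/test_cose.c to cover the"
            echo " uncovered lines shown above."
            echo ""
            echo "=============================================="
            exit 1
          fi
          echo " All coverage thresholds passed!"
          echo "=============================================="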