CXX-2793 Add scan-build tasks to EVG config

.evergreen/compile-scan-build.sh

@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${BSONCXX_POLYFILL:?}"
+: "${CXX_STANDARD:?}"
+
+mongoc_prefix="$(pwd)/../mongoc"
+
+# shellcheck source=/dev/null
+. "${mongoc_prefix:?}/.evergreen/scripts/find-cmake-latest.sh"
+export cmake_binary
+cmake_binary="$(find_cmake_latest)"
+command -v "$cmake_binary"
+
+# scan-build binary is available in different locations depending on the distro.
+# Search for a match in order of preference as listed.
+declare -a scan_build_directories
+
+scan_build_directories+=(
+  # Prefer toolchain scan-build if available.
+  "/opt/mongodbtoolchain/v4/bin"
+  "/opt/mongodbtoolchain/v3/bin"
+)
+
+# Use system scan-build otherwise.
+IFS=: read -ra sys_dirs <<< "${PATH:-}"
+scan_build_directories+=("${sys_dirs[@]:-}")
+
+declare scan_build_binary
+for dir in "${scan_build_directories[@]}"; do
+  if command -v "${dir}/scan-build" && command -v "${dir}/clang" && command -v "${dir}/clang++"; then
+    # Ensure compilers are consistent with scan-build binary. All three binaries
+    # should be present in the same directory.
+    scan_build_binary="${dir}/scan-build"
+    CC="${dir}/clang"
+    CXX="${dir}/clang++"
+    break
+  fi
+done
+: "${scan_build_binary:?"could not find a scan-build binary!"}"
+export CC
+export CXX
+
+if [[ "${OSTYPE}" == darwin* ]]; then
+  # MacOS does not have nproc.
+  nproc() {
+    sysctl -n hw.logicalcpu
+  }
+fi
+CMAKE_BUILD_PARALLEL_LEVEL="$(nproc)"
+export CMAKE_BUILD_PARALLEL_LEVEL
+
+cmake_flags=(
+  -D CMAKE_BUILD_TYPE=Debug
+  -D "CMAKE_CXX_STANDARD=${CXX_STANDARD:?}"
+  -D CMAKE_CXX_STANDARD_REQUIRED=ON
+  -D ENABLE_TESTS=OFF
+)
+
+scan_build_flags=(
+  --use-cc "${CC:?}"
+  --use-c++ "${CXX:?}"
+  -analyze-headers
+  --exclude "$(pwd)/build/src/bsoncxx/third_party/_deps" # mnmlstc
+  --exclude "$(pwd)/build/_deps"                         # mongoc
+)
+
+case "${BSONCXX_POLYFILL:?}" in
+mnmlstc) cmake_flags+=(-D "BSONCXX_POLY_USE_MNMLSTC=ON") ;;
+boost) cmake_flags+=(-D "BSONCXX_POLY_USE_BOOST=ON") ;;
+impls) cmake_flags+=(-D "BSONCXX_POLY_USE_IMPLS=ON") ;;
+std) cmake_flags+=(-D "BSONCXX_POLY_USE_STD=ON") ;;
+esac
+
+echo "Configuring with CMake flags: ${cmake_flags[*]}"
+
+# Configure via scan-build for consistency.
+CCCACHE_DISABLE=1 "${scan_build_binary}" "${scan_build_flags[@]}" "${cmake_binary:?}" -S . -B build "${cmake_flags[@]}"
+
+# If scan-build emits warnings, continue the task and upload scan results before marking task as a failure.
+declare -r continue_command='{"status":"failed", "type":"test", "should_continue":true, "desc":"scan-build emitted one or more warnings or errors"}'
+
+# Put clang static analyzer results in scan/ and fail build if warnings found.
+"${scan_build_binary}" "${scan_build_flags[@]}" -o scan --status-bugs "${cmake_binary:?}" --build build ||
+  curl -sS -d "${continue_command}" -H "Content-Type: application/json" -X POST localhost:2285/task_status

.mci.yml

@@ -335,14 +335,16 @@ functions:
 
 
     "stop_mongod":
-        command: shell.exec
+        command: subprocess.exec
         params:
-            shell: bash
+            binary: bash
             working_dir: "."
-            script: |
+            args:
+              - -c
+              - |
                 set -o errexit
                 set -o pipefail
-                if cd drivers-evergreen-tools/.evergreen/orchestration; then
+                if cd drivers-evergreen-tools/.evergreen/orchestration 2>/dev/null; then
                   . ../venv-utils.sh
                   if venvactivate venv; then
                     mongo-orchestration stop
@@ -579,13 +581,23 @@ functions:
             display_name: "working-dir.tar.gz"
 
     "upload mongo orchestration artifacts":
-        - command: shell.exec
+        - command: subprocess.exec
           params:
             working_dir: "."
-            script: |
-              find . -name \*.log | xargs tar czf mongodb-logs.tar.gz
+            binary: bash
+            args:
+              - -c
+              - |
+                set -o errexit
+                for log in $(find . -name '*.log'); do
+                  tar rf mongodb-logs.tar "$log"
+                done
+                if [[ -f mongodb-logs.tar ]]; then
+                  gzip mongodb-logs.tar
+                fi
         - command: s3.put
           params:
+            optional: true
             aws_key: ${aws_key}
             aws_secret: ${aws_secret}
             local_file: mongodb-logs.tar.gz
@@ -637,6 +649,55 @@ functions:
           name: perf
           file: mongo-cxx-driver/results.json
 
+    "run scan build":
+      - command: subprocess.exec
+        type: test
+        params:
+          binary: bash
+          working_dir: "mongo-cxx-driver"
+          add_expansions_to_env: true
+          redirect_standard_error_to_output: true
+          args:
+            - -c
+            - .evergreen/compile-scan-build.sh
+
+    "upload scan artifacts":
+      - command: subprocess.exec
+        type: test
+        params:
+          working_dir: "mongo-cxx-driver"
+          binary: bash
+          args:
+            - -c
+            - |
+              set -o errexit
+              if find scan -name \*.html | grep -q html; then
+                (cd scan && find . -name index.html -exec echo "<li><a href='{}'>{}</a></li>" \;) >> scan.html
+              else
+                echo "No issues found" > scan.html
+              fi
+      - command: subprocess.exec
+        params:
+          silent: true
+          working_dir: mongo-cxx-driver
+          binary: bash
+          env:
+            AWS_ACCESS_KEY_ID: ${aws_key}
+            AWS_SECRET_ACCESS_KEY: ${aws_secret}
+          args:
+            - -c
+            - aws s3 cp scan s3://mciuploads/${project}/${build_variant}/${revision}/${version_id}/${build_id}/scan/ --recursive --acl public-read --region us-east-1
+      - command: s3.put
+        params:
+          aws_key: ${aws_key}
+          aws_secret: ${aws_secret}
+          remote_file: ${project}/${build_variant}/${revision}/${version_id}/${build_id}/scan/index.html
+          bucket: mciuploads
+          permissions: public-read
+          local_file: mongo-cxx-driver/scan.html
+          content_type: text/html
+          display_name: Scan Build Report
+
 #######################################
 #              Post Task              #
 #######################################
@@ -1107,6 +1168,66 @@ tasks:
 
               ./build/src/mongocxx/test/test_driver "atlas search indexes prose tests"
 
+    - name: scan-build-ubuntu2204-std11-mnmlstc
+      run_on: ubuntu2204-large
+      tags: [scan-build-matrix]
+      commands:
+        - func: "setup"
+        - func: "fetch_c_driver_source"
+        - func: "run scan build"
+          vars:
+            CXX_STANDARD: 11
+            BSONCXX_POLYFILL: mnmlstc
+        - func: "upload scan artifacts"
+
+    - name: scan-build-ubuntu2204-std11-boost
+      run_on: ubuntu2204-large
+      tags: [scan-build-matrix]
+      commands:
+        - func: "setup"
+        - func: "fetch_c_driver_source"
+        - func: "run scan build"
+          vars:
+            CXX_STANDARD: 11
+            BSONCXX_POLYFILL: boost
+        - func: "upload scan artifacts"
+
+    - name: scan-build-ubuntu2204-std11-impls
+      run_on: ubuntu2204-large
+      tags: [scan-build-matrix]
+      commands:
+        - func: "setup"
+        - func: "fetch_c_driver_source"
+        - func: "run scan build"
+          vars:
+            CXX_STANDARD: 11
+            BSONCXX_POLYFILL: impls
+        - func: "upload scan artifacts"
+
+    - name: scan-build-ubuntu2204-std14-impls
+      run_on: ubuntu2204-large
+      tags: [scan-build-matrix]
+      commands:
+        - func: "setup"
+        - func: "fetch_c_driver_source"
+        - func: "run scan build"
+          vars:
+            CXX_STANDARD: 14
+            BSONCXX_POLYFILL: impls
+        - func: "upload scan artifacts"
+
+    - name: scan-build-ubuntu2204-std17
+      run_on: ubuntu2204-large
+      tags: [scan-build-matrix]
+      commands:
+        - func: "setup"
+        - func: "fetch_c_driver_source"
+        - func: "run scan build"
+          vars:
+            CXX_STANDARD: 17
+            BSONCXX_POLYFILL: std
+        - func: "upload scan artifacts"
+
 task_groups:
   - name: tg-abi-stability
     max_hosts: -1
@@ -2043,3 +2164,8 @@ buildvariants:
     - name: lint
       display_name: Lint
       tasks: [lint]
+
+    - name: scan-build-matrix
+      display_name: scan-build-matrix
+      tasks:
+        - name: .scan-build-matrix

etc/releasing.md

@@ -19,6 +19,10 @@ releasing 1.2.3, then refer to the the waterfall tracking
 If there are test failures, ensure they are at least expected or not introduced
 by changes in the new release.
 
+## Check Coverity
+
+Ensure there are no new, unexpected, or high severity issues on Coverity.
+
 ## Check fixVersions in Jira
 
 Ensure that all tickets under the