sast-coverity-check: use the latest release of coverity

Related: https://issues.redhat.com/browse/OSH-750
Related: https://issues.redhat.com/browse/OSH-796
Closes: #1653

Author: kdudka

task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml

@@ -268,7 +268,7 @@ spec:
         - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: prepare
-      image: quay.io/redhat-services-prod/sast/coverity:202409.1
+      image: quay.io/redhat-services-prod/sast/coverity:202412.1
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /etc/secrets/cov
@@ -323,6 +323,11 @@ spec:
         # if current directory is "/", fallback to an empty temp directory
         [ / = "\$proj_dir" ] && proj_dir=\$(mktemp -d)
 
+        # /usr/bin/file needs to be available for cov-build to work in Coverity 2024.12
+        if ! [ -x /usr/bin/file ] && [ -w /usr/bin/ ] && [ -x /opt/cov-sa-2024.12/bin/file ]; then
+          install -vm0755 /opt/cov-sa-2024.12/bin/file /usr/bin/file
+        fi
+
         # wrap the RUN command with "coverity capture" and record exit code of the wrapped command
         /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" \
           -- /bin/bash -c 'PS4="@\\\${SECONDS}s: \\\${BASH_COMMAND} --> "; set -x; "\$@"; echo \$? >/tmp/idir/build-cmd-ec.txt' \
@@ -359,7 +364,7 @@ spec:
         # instrument all RUN lines in Dockerfile to be executed through cmd-wrap.sh
         cstrans-df-run --verbose /shared/cmd-wrap.sh <"$dockerfile_path" >/shared/Containerfile
     - name: build
-      image: quay.io/redhat-services-prod/sast/coverity:202409.1
+      image: quay.io/redhat-services-prod/sast/coverity:202412.1
       args:
         - --build-args
         - $(params.BUILD_ARGS[*])
@@ -688,7 +693,7 @@ spec:
           add:
             - SETFCAP
     - name: postprocess
-      image: quay.io/redhat-services-prod/sast/coverity:202409.1
+      image: quay.io/redhat-services-prod/sast/coverity:202412.1
       workingDir: /var/workdir
       volumeMounts:
         - mountPath: /mnt/trusted-ca

task/sast-coverity-check/0.2/patch.yaml

@@ -66,7 +66,7 @@
 - op: replace
   path: /spec/steps/0/image
   # New image shoould be based on quay.io/konflux-ci/buildah-task:latest or have all the tooling that the original image has.
-  value: quay.io/redhat-services-prod/sast/coverity:202409.1
+  value: quay.io/redhat-services-prod/sast/coverity:202412.1
 
 # Change build step resources
 - op: replace
@@ -153,7 +153,7 @@
   path: /spec/steps/0
   value:
     name: prepare
-    image: quay.io/redhat-services-prod/sast/coverity:202409.1
+    image: quay.io/redhat-services-prod/sast/coverity:202412.1
     workingDir: $(workspaces.source.path)
     env:
       - name: COV_ANALYZE_ARGS
@@ -208,6 +208,11 @@
       # if current directory is "/", fallback to an empty temp directory
       [ / = "\$proj_dir" ] && proj_dir=\$(mktemp -d)
 
+      # /usr/bin/file needs to be available for cov-build to work in Coverity 2024.12
+      if ! [ -x /usr/bin/file ] && [ -w /usr/bin/ ] && [ -x /opt/cov-sa-2024.12/bin/file ]; then
+        install -vm0755 /opt/cov-sa-2024.12/bin/file /usr/bin/file
+      fi
+
       # wrap the RUN command with "coverity capture" and record exit code of the wrapped command
       /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" \
         -- /bin/bash -c 'PS4="@\\\${SECONDS}s: \\\${BASH_COMMAND} --> "; set -x; "\$@"; echo \$? >/tmp/idir/build-cmd-ec.txt' \
@@ -260,7 +265,7 @@
   path: /spec/steps/2
   value:
     name: postprocess
-    image: quay.io/redhat-services-prod/sast/coverity:202409.1
+    image: quay.io/redhat-services-prod/sast/coverity:202412.1
     computeResources:
       limits:
         memory: 4Gi

task/sast-coverity-check/0.2/sast-coverity-check.yaml

@@ -221,7 +221,7 @@ spec:
       value: $(params.COV_ANALYZE_ARGS)
     - name: DOCKERFILE
       value: $(params.DOCKERFILE)
-    image: quay.io/redhat-services-prod/sast/coverity:202409.1
+    image: quay.io/redhat-services-prod/sast/coverity:202412.1
     name: prepare
     script: |
       #!/bin/bash
@@ -267,6 +267,11 @@ spec:
       # if current directory is "/", fallback to an empty temp directory
       [ / = "\$proj_dir" ] && proj_dir=\$(mktemp -d)
 
+      # /usr/bin/file needs to be available for cov-build to work in Coverity 2024.12
+      if ! [ -x /usr/bin/file ] && [ -w /usr/bin/ ] && [ -x /opt/cov-sa-2024.12/bin/file ]; then
+        install -vm0755 /opt/cov-sa-2024.12/bin/file /usr/bin/file
+      fi
+
       # wrap the RUN command with "coverity capture" and record exit code of the wrapped command
       /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" \
         -- /bin/bash -c 'PS4="@\\\${SECONDS}s: \\\${BASH_COMMAND} --> "; set -x; "\$@"; echo \$? >/tmp/idir/build-cmd-ec.txt' \
@@ -330,7 +335,7 @@ spec:
         /shared:/shared
         /shared/license.dat:/opt/coverity/bin/license.dat
         /usr/libexec/csgrep-static:/usr/libexec/csgrep-static
-    image: quay.io/redhat-services-prod/sast/coverity:202409.1
+    image: quay.io/redhat-services-prod/sast/coverity:202412.1
     name: build
     script: |
       #!/bin/bash
@@ -654,7 +659,7 @@ spec:
       valueFrom:
         fieldRef:
           fieldPath: metadata.labels['appstudio.openshift.io/component']
-    image: quay.io/redhat-services-prod/sast/coverity:202409.1
+    image: quay.io/redhat-services-prod/sast/coverity:202412.1
     name: postprocess
     script: |
       #!/bin/bash -e