Bazel
|
status: draft
|
||||
Bazel Verification Report#
Introduction#
Scope and purpose#
Bazel is a fast, scalable, multi-language build system developed by Google. It is used to automate the build, integration and testing of software.
Inputs and outputs#
- Inputs:
- - BUILD files and MODULE configuration- Source code and dependencies- Bazel rules and macros
- Outputs:
- - Build log- Call tree- Call tools via Call tree- Built output via Call tools
Available information#
Bazel is open-source. Information about key features and functionality can be found in official documentation:
Official documentation: https://bazel.build
GitHub repository: bazelbuild/bazel
Version: 8.3.0 [1]
Usage constraints:
Requires specific directory structure and configuration files
Remote caching and execution require additional setup and infrastructure
Installation and integration#
Installation#
The preferred way to use Bazel in the S-CORE project is through Bazelisk and the .bazelversion file. The .bazelversion file is typically located in the project root directory. When you run any Bazel command, Bazelisk reads the Bazel version specified in .bazelversion and automatically uses that version for all calls.
Example eclipse-score/score
Integration#
Bazel acts as a high-level build orchestrator. When using caching mechanisms, additional configuration may be required.
Environment#
Linux
Windows
Safety evaluation#
This section outlines the safety evaluation of Bazel for its use within the S-CORE project.
Malfunction identification |
Use case Description |
Malfunctions |
Impact on safety? |
Impact safety measures available? |
Impact safety detection sufficient? |
Further additional safety measure required? |
Confidence (automatic calculation) |
|---|---|---|---|---|---|---|---|
1 |
Dependency management |
Bazel fails to fetch external dependencies
Bazel is unable to download or resolve required external dependencies during the build. This halts the build and prevents critical components from being compiled/integrated/tested/etc.
|
yes |
Check build output (implicit)
This causes build failure and missing output which is detected by Bazel itself.
|
yes |
no |
high |
2 |
Dependency management |
Bazel fetched redundant external dependencies
Bazel downloads unnecessary external dependencies that are not referenced by any target. This increases build time and resource usage without contributing to the final output.
|
no
This is a performance issue, not a safety issue.
|
no |
yes |
no |
high |
3 |
Dependency management |
Bazel fetched wrong external dependencies (wrong hit)
Bazel retrieves incorrect versions or mismatched external dependencies due to resolution errors. This can lead to inconsistent builds and potential incompatibility in safety-critical modules.
|
yes |
no |
no |
yes(qualification) |
low |
4 |
Dependency management |
Bazel corrupts external dependencies while fetching
During download or extraction, Bazel corrupts external dependency files, resulting in broken libraries or tools. This causes build failures.
|
yes |
Check build output (implicit)
This causes build failure and missing output which is detected by Bazel itself.
|
yes |
no |
high |
5 |
Call tree computation |
Bazel fails to build call tree
Bazel cannot construct the dependency graph (call tree) for the build, leading to incomplete or aborted build processes.
|
yes |
Check build output
This causes build failure and missing output which is detected by Bazel itself
|
yes |
no |
high |
6 |
Call tree computation |
Bazel skips relevant target in call tree (missing caching hit or dependency miscalculation)
Bazel omits a required target from the build graph due to incorrect cache hits or dependency resolution errors. This results in missing artifacts and incomplete builds.
|
yes |
no |
no |
yes(qualification) |
low |
7 |
Call tree computation |
Bazel adds redundant target in call tree (wrong caching hit or dependency miscalculation)
Bazel includes unnecessary targets in the build graph, causing redundant compilation steps. This increases build time and resource consumption without affecting the final output.
|
no
This is a performance issue, not a safety issue.
|
yes |
yes |
no |
high |
8 |
Call tools |
Bazel fails to call a tool
Bazel does not invoke a required tool during the build process, leading to incomplete or invalid artifacts. This disrupts the expected workflow and may block downstream steps.
|
yes |
Check build output
This causes build failure and missing output which is detected by Bazel itself.
|
yes |
no |
high |
9 |
Call tools |
Bazel calls wrong tool
Bazel invokes an incorrect tool instead of the intended one, producing invalid outputs or causing build errors. This can compromise consistency and reliability of the build.
|
yes |
no |
no |
yes(qualification) |
low |
10 |
Call tools |
Bazel fails to pass arguments to the tool
Bazel omits necessary arguments when invoking a tool, resulting in incorrect execution or failure of the tool. This impacts artifact generation and overall build correctness.
|
yes |
no |
no |
yes(qualification) |
low |
11 |
Call tools |
Bazel wrongly interprets return code from tool
Bazel misinterprets the return code from a tool, treating a failure as a success or vice versa. This can result in undetected build errors or invalid artifacts being accepted as correct.
|
yes |
no |
no |
yes(qualification) |
low |
12 |
Call tools |
Bazel passes wrong argument to the tool
Bazel provides incorrect arguments to a tool, causing misbehavior or invalid outputs. This can lead to corrupted artifacts or failed verification steps.
|
yes |
no |
no |
yes(qualification) |
low |
13 |
Save output |
Bazel corrupts final output artifact
Bazel produces a damaged or incomplete final artifact due to errors.
|
yes |
no |
no |
yes(qualification) |
low |
14 |
Save output |
Bazel saves in wrong place
Bazel stores the generated artifact in an incorrect location, breaking expected directory structures.
|
yes |
no |
no |
yes(qualification) |
low |
Security evaluation#
This section outlines the security evaluation of Bazel for its use within the S-CORE project.
Threat identification |
Use case description |
Threats |
Impact on security? |
Impact security measures available? |
Impact security detection sufficient? |
|---|---|---|---|---|---|
1 |
TBD |
TBD |
TBD |
TBD |
TBD |
Result#
Bazel requires qualification for use in safety-related software development according to ISO 26262.
Tool Qualification#
Based on method: validation of the software tool.
Requirements and testing aspects#
Tool requirements are derived from official documentation: https://bazel.build/
Bazel is an open-source tool and does not provide formal, vendor-defined requirements. Therefore, the tooling team is responsible for identifying the specific Bazel functionality used in the project. Based on this, requirements for the utilized features must be derived from the available documentation and Bazel validated against defined requirements.