Add valgrind specific rpminspect configuration

gating.yaml

@@ -5,6 +5,7 @@ decision_context: bodhi_update_push_stable
 subject_type: koji_build
 rules:
   - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.rpminspect.static-analysis}
 --- !Policy
 product_versions:
   - rhel-8

rpminspect.yaml

@@ -0,0 +1,33 @@
+---
+inspections:
+  # xml files shipped are GDB register set descriptions which can only be
+  # verified with gdb/features/gdb-target.dtd, provided in GDB sources.
+  xml: off
+
+annocheck:
+  # Ignore files built specially without hardening flags
+  ignore:
+    # Valgrind tools themselves (memcheck, cachegrind, massif, etc) are
+    # statically linked and need to be built without PIE to be loaded at
+    # a fixed address in the program's address space.
+    # Also need to be built without stack protection so the generated
+    # code (valgrind VEX jit) interacts correctly with their own static code.
+    - /usr/libexec/valgrind/*-*-linux
+    # Wrappers for various string and mem functions such as memcpy, strlen, etc
+    # that valgrind uses to keep track of memory usage. Hardening settings such
+    # as optimizations need to be disabled so they don't interfere or break
+    # the checks that valgrind does internally.
+    - /usr/libexec/valgrind/vgpreload*so
+    # libmpiwrap is special since it is a LD_PRELOAD wrapper used by valgrind
+    # memcheck for MPI using programs, the wrapper is against a specific MPI
+    # implementation though, in our case openmpi. We don't want to have a hard
+    # dependency on openmpi however, so a user can use the wrapper without
+    # explicitly pulling in openmpi unless the program explicitly uses it.
+    - /usr/lib*/openmpi/valgrind/libmpiwrap-*-linux.so
+
+runpath:
+  allowed_paths:
+    # As described above, libmpiwrap is a wrapper against openmpi
+    # so we set DT_RUNPATH to openmpi libs path
+    - /usr/lib/openmpi/lib
+    - /usr/lib64/openmpi/lib