From 5637ccb001637cdbe535ff9f00a9c00e9963c682 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 11 Dec 2024 16:25:48 +0100 Subject: [PATCH] sast-coverity-check: embed capture stats into scan results Related: https://issues.redhat.com/browse/OSH-769 --- task/sast-coverity-check/0.2/patch.yaml | 32 +++++++++++++++++-- .../0.2/sast-coverity-check.yaml | 32 +++++++++++++++++-- 2 files changed, 60 insertions(+), 4 deletions(-) diff --git a/task/sast-coverity-check/0.2/patch.yaml b/task/sast-coverity-check/0.2/patch.yaml index 496fdf18e7..5dc08e5772 100644 --- a/task/sast-coverity-check/0.2/patch.yaml +++ b/task/sast-coverity-check/0.2/patch.yaml @@ -188,6 +188,12 @@ # always remove Coverity's intermediate directory so that it can be recreated with different ownership trap 'rm -fr /tmp/idir' EXIT + # assign a unique file name for scan results + json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)" + + # obtain capture stats to process them later on + /opt/coverity/bin/coverity list --dir=/tmp/idir --project-dir="\$proj_dir" > "\${json_file%.json}-summary.txt" + # serialize COV_ANALYZE_ARGS declaration into the wrapper script (to avoid shell injection) $(declare -p COV_ANALYZE_ARGS) @@ -197,7 +203,7 @@ # export scan results and embed source code context into the scan results /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \ | /usr/libexec/csgrep-static --mode=json --embed-context=3 \ - > \$(mktemp /shared/sast-results/\$\$-XXXX.json) + > "\${json_file}" # propagate the original exit code of the wrapped command exit "\$( "/shared/sast-results/coverity-buildless-summary.txt" + # install Coverity license file install -vm0644 /{shared,opt/coverity/bin}/license.dat 
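Review bot: The `coverity list` call added below the `json_file` assignment in hunk @@ -188,6 +188,12 @@ redirects stdout into the summary file but neither checks its exit status nor handles stderr, so a failed or partial listing leaves an empty or truncated `*-summary.txt` that the later stats loop silently counts as zeros; the same holds for `mktemp` failing and leaving `json_file` empty, in which case the summary is written to `-summary.txt` in the current directory. Whether the generated wrapper script runs under `set -e` is not visible here, since the heredoc that produces it starts outside the hunk. Consider making both failures explicit, e.g. `json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)" || exit 1` and `/opt/coverity/bin/coverity list --dir=/tmp/idir --project-dir="\$proj_dir" > "\${json_file%.json}-summary.txt" || printf 'warning: coverity list failed (%s)\n' "\$?" >&2`, so a missing capture summary is visible in the task log rather than surfacing only as a zero coverage ratio. The identical hunk at @@ -248,6 +248,12 @@ of sast-coverity-check.yaml has the same gap.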
@@ -289,6 +297,22 @@ > /shared/sast-results/coverity-buildless.json ) fi + # collect capture stats (FIXME: this doe not take findings deduplication into account) + set +e + for file in /shared/sast-results/*-summary.txt; do + ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0))) + done + + # calculate the total number of files + ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED)) + + # calculate the ratio of successful files to total files + ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES))) + set -e + # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments IMP_LEVEL=1 if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then @@ -297,7 +321,11 @@ # collect scan results set -x - csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \ + csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \ + --set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \ + --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \ + --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \ + --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \ | tee coverity-results-raw.json \ | csgrep --mode=evtstat diff --git a/task/sast-coverity-check/0.2/sast-coverity-check.yaml b/task/sast-coverity-check/0.2/sast-coverity-check.yaml index 37607f55c4..a96b5a74bb 100644 --- a/task/sast-coverity-check/0.2/sast-coverity-check.yaml +++ b/task/sast-coverity-check/0.2/sast-coverity-check.yaml 
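Review bot: In hunk @@ -289,6 +297,22 @@ the accumulators `SUCCEEDED`, `INCOMPLETE`, `FAILED` and `LINES_OF_CODE` are never initialized before the `+=` loop; bash's `(( ))` treats an unset name as 0, but if the task script runs with `set -u` (not visible in the hunk) the first `+=` aborts with an unbound-variable error, and when no `*-summary.txt` exists the literal glob is handed to grep, which prints an error to stderr before `|| echo 0` rescues the value. Initialize them explicitly with `SUCCEEDED=0 INCOMPLETE=0 FAILED=0 LINES_OF_CODE=0` before `set +e`, and add `[ -e "${file}" ] || continue` as the first statement of the loop so the no-summary case is handled quietly and deterministically. Note also that `grep -oE '[0-9]+'` emits one line per digit run, so if `coverity list` ever prints a count with separators or a label containing digits, several tokens would be substituted into the arithmetic and break it; if that format is not guaranteed, appending `| head -n1` would pin a single value. The FIXME comment has a typo ("doe not"), and the duplicated hunk at @@ -661,6 +669,22 @@ of sast-coverity-check.yaml needs the same changes.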
@@ -248,6 +248,12 @@ spec: # always remove Coverity's intermediate directory so that it can be recreated with different ownership trap 'rm -fr /tmp/idir' EXIT + # assign a unique file name for scan results + json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)" + + # obtain capture stats to process them later on + /opt/coverity/bin/coverity list --dir=/tmp/idir --project-dir="\$proj_dir" > "\${json_file%.json}-summary.txt" + # serialize COV_ANALYZE_ARGS declaration into the wrapper script (to avoid shell injection) $(declare -p COV_ANALYZE_ARGS) @@ -257,7 +263,7 @@ spec: # export scan results and embed source code context into the scan results /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \ | /usr/libexec/csgrep-static --mode=json --embed-context=3 \ - > \$(mktemp /shared/sast-results/\$\$-XXXX.json) + > "\${json_file}" # propagate the original exit code of the wrapped command exit "\$( "/shared/sast-results/coverity-buildless-summary.txt" + # install Coverity license file install -vm0644 /{shared,opt/coverity/bin}/license.dat 
@@ -661,6 +669,22 @@ spec: > /shared/sast-results/coverity-buildless.json ) fi + # collect capture stats (FIXME: this doe not take findings deduplication into account) + set +e + for file in /shared/sast-results/*-summary.txt; do + ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0))) + ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0))) + done + + # calculate the total number of files + ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED)) + + # calculate the ratio of successful files to total files + ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES))) + set -e + # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments IMP_LEVEL=1 if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then @@ -669,7 +693,11 @@ spec: # collect scan results set -x - csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \ + csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \ + --set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \ + --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \ + --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \ + --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \ | tee coverity-results-raw.json \ | csgrep --mode=evtstat