diff --git a/task/sast-coverity-check/0.2/patch.yaml b/task/sast-coverity-check/0.2/patch.yaml
index af24f17939..91cc60871f 100644
--- a/task/sast-coverity-check/0.2/patch.yaml
+++ b/task/sast-coverity-check/0.2/patch.yaml
@@ -184,13 +184,19 @@
 /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
 EC=\$?
+ # assign a unique file name for scan results
+ json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
+
+ # obtain capture stats to process them later on
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
+
 # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
 /opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
 # export scan results and embed source code context into the scan results
 /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
 | /usr/libexec/csgrep-static --mode=json --embed-context=3 \
- > \$(mktemp /shared/sast-results/\$\$-XXXX.json)
+ > "\${json_file}"
 exit \$EC
 EOF
 chmod 0755 /shared/cmd-wrap.sh
@@ -265,6 +271,8 @@
 # shellcheck disable=SC2086
 env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
+
 # install Coverity license file
 install -vm0644 /{shared,opt/coverity/bin}/license.dat
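Review bot: The summary file the wrapper writes (`"\${json_file%.json}-summary.txt"`) only stays out of the findings input because the aggregation step elsewhere in this commit narrows its glob to `/shared/sast-results/*.json`, and nothing in the wrapper records that contract, so a later rename of either side would feed a text file to `csgrep --mode=json` or silently drop the stats. Replace the comment with `# write capture stats next to the results; the task globs /shared/sast-results/*-summary.txt for stats and *.json for findings, so keep both suffixes in sync`. The exit status of `coverity list` is also ignored, so a failed listing leaves an empty summary that the aggregation later counts as zero files; if that is the intended best-effort behaviour, state it in the comment. The same lines appear in the sast-coverity-check.yaml hunk at 244.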
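Review bot: The buildless `coverity list` call runs without the `env HOME=/var/tmp/coverity/home` that the preceding `coverity capture` line uses, so if Coverity keeps per-user configuration or cache under HOME the listing may not see the same state as the capture it summarizes; presumably the two should match: `env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"`. Its exit status is also unchecked, like the capture above it, so an empty summary is silently reported as zero files later. A fixed output name appears acceptable here because this step is not the per-build wrapper, but a one-line comment saying so would help readers comparing it with the mktemp-based naming in cmd-wrap.sh. The same change is in the sast-coverity-check.yaml hunk at 637.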
@@ -277,6 +285,22 @@
 > /shared/sast-results/coverity-buildless.json
 )
 fi
+ # collect capture stats (FIXME: this doe not take findings deduplication into account)
+ set +e
+ for file in /shared/sast-results/*-summary.txt; do
+ ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ done
+
+ # calculate the total number of files
+ ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
+
+ # calculate the ratio of successful files to total files
+ ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
+ set -e
+
 # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
 IMP_LEVEL=1
 if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
@@ -284,7 +308,11 @@
 fi
 # collect scan results
- csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
+ csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
+ --set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \
+ --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
+ --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
+ --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
 | tee coverity-results-raw.json \
 | csgrep --mode=evtstat
diff --git a/task/sast-coverity-check/0.2/sast-coverity-check.yaml b/task/sast-coverity-check/0.2/sast-coverity-check.yaml
index 24c1abdf30..2e8bbe08f5 100644
--- a/task/sast-coverity-check/0.2/sast-coverity-check.yaml
+++ b/task/sast-coverity-check/0.2/sast-coverity-check.yaml
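Review bot: The accumulators `SUCCEEDED`, `INCOMPLETE`, `FAILED` and `LINES_OF_CODE` are never initialized, and the `set +e`/`set -e` bracket exists only because `(( ... ))` returns non-zero when its result is 0; initializing them to 0, switching to `VAR=$((VAR + n))` assignments and a helper that always prints one integer lets the block run under the script's normal error handling instead of silently continuing past an arithmetic error. As written, an unmatched glob leaves the literal pattern in `file` (grep complains on stderr and `|| echo 0` hides it), and if a summary line ever carries more than one number, `grep -oE '[0-9]+'` prints several lines and the `(( ))` fails to parse — I cannot verify the `coverity list` output format from here, so `head -n1` plus a `${n:-0}` default is a cheap guard. The comment typo `doe not` should read `does not`. The same block is in the sast-coverity-check.yaml hunk at 649.
```shell
# print the first integer on the "$1:" line of summary file "$2", or 0 when absent
capture_stat() {
  local n
  n=$(grep -m1 "^ *$1:" "$2" | grep -oE '[0-9]+' | head -n1) || true
  printf '%s\n' "${n:-0}"
}

# collect capture stats (FIXME: this does not take findings deduplication into account)
SUCCEEDED=0 INCOMPLETE=0 FAILED=0 LINES_OF_CODE=0
for file in /shared/sast-results/*-summary.txt; do
  [ -e "${file}" ] || continue   # no summary files: the glob stays literal
  SUCCEEDED=$((SUCCEEDED + $(capture_stat SUCCEEDED "${file}")))
  INCOMPLETE=$((INCOMPLETE + $(capture_stat INCOMPLETE "${file}")))
  FAILED=$((FAILED + $(capture_stat FAILED "${file}")))
  LINES_OF_CODE=$((LINES_OF_CODE + $(capture_stat "LINES OF CODE" "${file}")))
done

# calculate the total number of files
TOTAL_FILES=$((SUCCEEDED + INCOMPLETE + FAILED))

# calculate the ratio of successful files to total files (whole percent, rounded down)
COVERAGE_RATIO=$((TOTAL_FILES == 0 ? 0 : SUCCEEDED * 100 / TOTAL_FILES))
# … unchanged: IMP_LEVEL handling …
```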
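Review bot: The new `cov-scanned-files-coverage` property is a whole-number percentage truncated by shell integer division, which neither the property name nor the surrounding comment conveys, and `cov-scanned-lines` reads as if it could be per file; add a comment above the csgrep call such as `# scan props: coverage is the share of successfully captured files in whole percent (0-100, rounded down; 0 when nothing was captured); lines is the LINES OF CODE summed over all summaries`. The narrowing of `--file-glob` to `*.json` is what keeps the new `*-summary.txt` files away from `--mode=json`, and that dependency deserves a word in the same comment so the two globs are not changed independently. The same change is in the sast-coverity-check.yaml hunk at 656.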
@@ -244,13 +244,19 @@ spec:
 /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
 EC=\$?
+ # assign a unique file name for scan results
+ json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
+
+ # obtain capture stats to process them later on
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
+
 # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
 /opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
 # export scan results and embed source code context into the scan results
 /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
 | /usr/libexec/csgrep-static --mode=json --embed-context=3 \
- > \$(mktemp /shared/sast-results/\$\$-XXXX.json)
+ > "\${json_file}"
 exit \$EC
 EOF
 chmod 0755 /shared/cmd-wrap.sh
@@ -637,6 +643,8 @@ spec:
 # shellcheck disable=SC2086
 env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
+
 # install Coverity license file
 install -vm0644 /{shared,opt/coverity/bin}/license.dat
@@ -649,6 +657,22 @@ spec:
 > /shared/sast-results/coverity-buildless.json
 )
 fi
+ # collect capture stats (FIXME: this doe not take findings deduplication into account)
+ set +e
+ for file in /shared/sast-results/*-summary.txt; do
+ ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ done
+
+ # calculate the total number of files
+ ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
+
+ # calculate the ratio of successful files to total files
+ ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
+ set -e
+
 # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
 IMP_LEVEL=1
 if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
@@ -656,7 +680,11 @@ spec:
 fi
 # collect scan results
- csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
+ csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
+ --set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \
+ --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
+ --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
+ --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
 | tee coverity-results-raw.json \
 | csgrep --mode=evtstat