sast-coverity-check: embed capture stats into scan results
kdudka committed Dec 16, 2024
1 parent 148c6db commit db908b9
Showing 2 changed files with 60 additions and 4 deletions.
32 changes: 30 additions & 2 deletions task/sast-coverity-check/0.2/patch.yaml
Expand Up @@ -184,6 +184,12 @@
/opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
EC=\$?
# assign a unique file name for scan results
json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
# obtain capture stats to process them later on
/opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
# serialize COV_ANALYZE_ARGS declaration into the wrapper script (to avoid shell injection)
$(declare -p COV_ANALYZE_ARGS)
Expand All @@ -193,7 +199,7 @@
# export scan results and embed source code context into the scan results
/opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
| /usr/libexec/csgrep-static --mode=json --embed-context=3 \
> \$(mktemp /shared/sast-results/\$\$-XXXX.json)
> "\${json_file}"
exit \$EC
EOF
chmod 0755 /shared/cmd-wrap.sh
Expand Down Expand Up @@ -268,6 +274,8 @@
# shellcheck disable=SC2086
env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
/opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
# install Coverity license file
install -vm0644 /{shared,opt/coverity/bin}/license.dat
Expand All @@ -280,14 +288,34 @@
> /shared/sast-results/coverity-buildless.json
) fi
# collect capture stats (FIXME: this doe not take findings deduplication into account)
set +e
for file in /shared/sast-results/*-summary.txt; do
((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
done
# calculate the total number of files
((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
# calculate the ratio of successful files to total files
((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
set -e
# reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
IMP_LEVEL=1
if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
IMP_LEVEL=0
fi
# collect scan results
csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
--set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \
--set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
--set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
--set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
| tee coverity-results-raw.json \
| csgrep --mode=evtstat
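Review bot: The counters SUCCEEDED, INCOMPLETE, FAILED and LINES_OF_CODE are never initialised before the `+=` loop; bash treats an unset name as 0 inside `(( ))`, but if the task script (whose head is outside this section) runs under `set -u` the first iteration aborts with an unbound-variable error, so set them explicitly with `SUCCEEDED=0 INCOMPLETE=0 FAILED=0 LINES_OF_CODE=0` before the `for` line. The `grep -oE '[0-9]+'` filter is also what keeps file-derived text out of the arithmetic context, but it prints every digit run on the matched line, so should a summary line ever carry a second number the substitution yields two lines and the `(( ))` fails with a syntax error that the surrounding `set +e` then hides. Appending `| head -n1` to each of the four pipelines pins the result to a single value. The same hunk appears in task/sast-coverity-check/0.2/sast-coverity-check.yaml (the second file section), and in both the FIXME comment reads "doe" for "does".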
32 changes: 30 additions & 2 deletions task/sast-coverity-check/0.2/sast-coverity-check.yaml
Expand Up @@ -244,6 +244,12 @@ spec:
/opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
EC=\$?
# assign a unique file name for scan results
json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
# obtain capture stats to process them later on
/opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
# serialize COV_ANALYZE_ARGS declaration into the wrapper script (to avoid shell injection)
$(declare -p COV_ANALYZE_ARGS)
Expand All @@ -253,7 +259,7 @@ spec:
# export scan results and embed source code context into the scan results
/opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
| /usr/libexec/csgrep-static --mode=json --embed-context=3 \
> \$(mktemp /shared/sast-results/\$\$-XXXX.json)
> "\${json_file}"
exit \$EC
EOF
chmod 0755 /shared/cmd-wrap.sh
Expand Down Expand Up @@ -640,6 +646,8 @@ spec:
# shellcheck disable=SC2086
env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
/opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
# install Coverity license file
install -vm0644 /{shared,opt/coverity/bin}/license.dat
Expand All @@ -652,14 +660,34 @@ spec:
> /shared/sast-results/coverity-buildless.json
) fi
# collect capture stats (FIXME: this doe not take findings deduplication into account)
set +e
for file in /shared/sast-results/*-summary.txt; do
((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
done
# calculate the total number of files
((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
# calculate the ratio of successful files to total files
((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
set -e
# reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
IMP_LEVEL=1
if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
IMP_LEVEL=0
fi
# collect scan results
csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
--set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \
--set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
--set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
--set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
| tee coverity-results-raw.json \
| csgrep --mode=evtstat
