From 8bc0672bc04a2f192c827af7e32f2cfe3e5fde40 Mon Sep 17 00:00:00 2001 From: jperezde Date: Fri, 6 Dec 2024 16:14:03 +0100 Subject: [PATCH] sast-coverity-check: added stats for Coverity scans Solves: https://issues.redhat.com/browse/OSH-769 Adding the stats to Coverity scans in the result's SARIF file of successful scans. --- .../0.1/sast-coverity-check-oci-ta.yaml | 29 +++++++++++++++++-- task/sast-coverity-check/0.1/README.md | 1 + .../0.1/sast-coverity-check.yaml | 27 ++++++++++++++++- 3 files changed, 54 insertions(+), 3 deletions(-) diff --git a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml index ccbcd85a6f..b1884a209a 100644 --- a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml +++ b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml @@ -95,7 +95,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source @@ -241,7 +241,32 @@ spec: (set -x && csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json) fi - csgrep --mode=sarif filtered_sast_coverity_buildless_check_all_findings.json >"/var/workdir"/coverity-results.sarif + # Generation of stats + /opt/coverity/bin/coverity list --dir "$COVERITY_DIR" >coverity_list_command.txt + + # Parse the summary statistics using grep + SUCCEEDED=$(grep "SUCCEEDED:" "coverity_list_command.txt" | grep -oE '[0-9]+') + INCOMPLETE=$(grep "INCOMPLETE:" "coverity_list_command.txt" | grep -oE '[0-9]+') + FAILED=$(grep "FAILED:" "coverity_list_command.txt" | grep -oE '[0-9]+') + IGNORED=$(grep "IGNORED:" "coverity_list_command.txt" | grep -oE '[0-9]+') + LINES_OF_CODE=$(grep "LINES OF CODE:" "coverity_list_command.txt" | grep -oE '[0-9]+') + + # Calculate the total number of files + TOTAL_FILES=$((SUCCEEDED + INCOMPLETE + FAILED + IGNORED)) + + # Calculate the ratio of successful files to total files + if [ "$TOTAL_FILES" -ne 0 ]; then + COVERAGE_RATIO=$((SUCCEEDED * 100 / TOTAL_FILES)) + else + COVERAGE_RATIO="0" + fi + + csgrep --mode=sarif --set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \ + --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \ + --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \ + --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" + filtered_sast_coverity_buildless_check_all_findings.json \ + >"/var/workdir"/coverity-results.sarif if [[ -z "$(csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json)" ]]; then note="Task $(context.task.name) success: No finding was detected" diff --git a/task/sast-coverity-check/0.1/README.md b/task/sast-coverity-check/0.1/README.md index 3c1ac089da..64e033bf81 100644 --- a/task/sast-coverity-check/0.1/README.md +++ b/task/sast-coverity-check/0.1/README.md @@ -13,6 +13,7 @@ The characteristics of these tasks are: - Only important findings are reported by default. A parameter ( `IMP_FINDINGS_ONLY`) is provided to override this configuration. - The csdiff/v1 SARIF fingerprints are provided for all findings - A parameter ( `KFP_GIT_URL`) is provided to remove false positives providing a known false positives repository. By default, no repository is provided. +- The stats of the scan are embedded into the result's SARIF file > NOTE: This task is executed only if there is a Coverity license set up in the environment. Please check coverity-availability-check task for more information. diff --git a/task/sast-coverity-check/0.1/sast-coverity-check.yaml b/task/sast-coverity-check/0.1/sast-coverity-check.yaml index 368ead8ad1..b30d3dbadc 100644 --- a/task/sast-coverity-check/0.1/sast-coverity-check.yaml +++ b/task/sast-coverity-check/0.1/sast-coverity-check.yaml @@ -224,7 +224,32 @@ spec: (set -x && csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json) fi - csgrep --mode=sarif filtered_sast_coverity_buildless_check_all_findings.json > "$(workspaces.workspace.path)"/coverity-results.sarif + # Generation of stats + /opt/coverity/bin/coverity list --dir "$COVERITY_DIR" > coverity_list_command.txt + + # Parse the summary statistics using grep + SUCCEEDED=$(grep "SUCCEEDED:" "coverity_list_command.txt" | grep -oE '[0-9]+') + INCOMPLETE=$(grep "INCOMPLETE:" "coverity_list_command.txt" | grep -oE '[0-9]+') + FAILED=$(grep "FAILED:" "coverity_list_command.txt" | grep -oE '[0-9]+') + IGNORED=$(grep "IGNORED:" "coverity_list_command.txt" | grep -oE '[0-9]+') + LINES_OF_CODE=$(grep "LINES OF CODE:" "coverity_list_command.txt" | grep -oE '[0-9]+') + + # Calculate the total number of files + TOTAL_FILES=$((SUCCEEDED + INCOMPLETE + FAILED + IGNORED)) + + # Calculate the ratio of successful files to total files + if [ "$TOTAL_FILES" -ne 0 ]; then + COVERAGE_RATIO=$((SUCCEEDED * 100 / TOTAL_FILES)) + else + COVERAGE_RATIO="0" + fi + + csgrep --mode=sarif --set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \ + --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \ + --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \ + --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" + filtered_sast_coverity_buildless_check_all_findings.json \ + > "$(workspaces.workspace.path)"/coverity-results.sarif if [[ -z "$(csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json)" ]]; then note="Task $(context.task.name) success: No finding was detected"