Skip to content

Commit

Permalink
sast-coverity-check: embed capture stats into scan results
Browse files Browse the repository at this point in the history 
Related: https://issues.redhat.com/browse/OSH-769
  • Loading branch information
@kdudka
kdudka committed Dec 12, 2024
1 parent 441a8ac commit fea0da1
Show file tree
Hide file tree
Showing 2 changed files with 60 additions and 4 deletions.
32 changes: 30 additions & 2 deletions task/sast-coverity-check/0.2/patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -182,13 +182,19 @@
/opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
EC=\$?
# assign a unique file name for scan results
json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
# obtain capture stats to process them later on
/opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
# use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
/opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
# export scan results and embed source code context into the scan results
/opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
| /usr/libexec/csgrep-static --mode=json --embed-context=3 \
> \$(mktemp /shared/sast-results/\$\$-XXXX.json)
> "\${json_file}"
exit \$EC
EOF
chmod 0755 /shared/cmd-wrap.sh
Expand Down Expand Up @@ -263,6 +269,8 @@
# shellcheck disable=SC2086
env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
/opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
# install Coverity license file
install -vm0644 /{shared,opt/coverity/bin}/license.dat
Expand All @@ -275,14 +283,34 @@
> /shared/sast-results/coverity-buildless.json
) fi
# summary capture stats (FIXME: this doe not take findings deduplication into account)
set +e
for file in /shared/sast-results/*-summary.txt; do
((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
done
# Calculate the total number of files
((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
# Calculate the ratio of successful files to total files
((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
set -e
# reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
IMP_LEVEL=1
if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
IMP_LEVEL=0
fi
# collect scan results
csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
--set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \
--set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
--set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
--set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
| tee coverity-results-raw.json \
| csgrep --mode=evtstat
Expand Down
32 changes: 30 additions & 2 deletions task/sast-coverity-check/0.2/sast-coverity-check.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -242,13 +242,19 @@ spec:
/opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
EC=\$?
# assign a unique file name for scan results
json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
# obtain capture stats to process them later on
/opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
# use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
/opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
# export scan results and embed source code context into the scan results
/opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
| /usr/libexec/csgrep-static --mode=json --embed-context=3 \
> \$(mktemp /shared/sast-results/\$\$-XXXX.json)
> "\${json_file}"
exit \$EC
EOF
chmod 0755 /shared/cmd-wrap.sh
Expand Down Expand Up @@ -637,6 +643,8 @@ spec:
# shellcheck disable=SC2086
env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
/opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
# install Coverity license file
install -vm0644 /{shared,opt/coverity/bin}/license.dat
Expand All @@ -649,14 +657,34 @@ spec:
> /shared/sast-results/coverity-buildless.json
) fi
# summary capture stats (FIXME: this doe not take findings deduplication into account)
set +e
for file in /shared/sast-results/*-summary.txt; do
((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
done
# Calculate the total number of files
((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
# Calculate the ratio of successful files to total files
((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
set -e
# reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
IMP_LEVEL=1
if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
IMP_LEVEL=0
fi
# collect scan results
csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
--set-scan-prop cov-scanned-files-coverage:"${COVERAGE_RATIO}" \
--set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
--set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
--set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
| tee coverity-results-raw.json \
| csgrep --mode=evtstat
Expand Down

0 comments on commit fea0da1

Please sign in to comment.