sast: initial task for Coverity Buildless #1411
Conversation
task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml
Outdated
Show resolved
Hide resolved
jperezdealgaba
force-pushed
the
coverity-buildless
branch
2 times, most recently
from
48b9d8c to
06b8305
Compare
|
Results are parsed and shown in the UI: 
Here we have an example pipeline: https://konflux.apps.stone-prod-p02.hjvn.p1.openshiftapps.com/application-pipeline/workspaces/jperezde/applications/test-coverity/pipelineruns/ec-cli-on-pull-request-292mf |
jperezdealgaba
force-pushed
the
coverity-buildless
branch
5 times, most recently
from
7d6c4fb to
e833b16
Compare
task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml
Outdated
Show resolved
Hide resolved
task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml
Outdated
Show resolved
Hide resolved
task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml
Outdated
Show resolved
Hide resolved
task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml
Outdated
Show resolved
Hide resolved
jperezdealgaba
force-pushed
the
coverity-buildless
branch
from
e833b16 to
beaaf79
Compare
|
Thanks for the thorough review @kdudka ! |
There was a problem hiding this comment.
@jperezdealgaba Please close the review threads that have been resolved. I do not have sufficient permission to do it myself.
task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml
Outdated
Show resolved
Hide resolved
task/sast-coverity-buildless-check/0.1/sast-coverity-buildless-check.yaml
Outdated
Show resolved
Hide resolved
jperezdealgaba
force-pushed
the
coverity-buildless
branch
2 times, most recently
from
97be5ae to
e52f763
Compare
|
Solved all comments and added new changes. I will also apply the changes (the record excluded and update the |
jperezdealgaba
force-pushed
the
coverity-buildless
branch
3 times, most recently
from
f65c313 to
ffff308
Compare
jperezdealgaba
force-pushed
the
coverity-buildless
branch
from
ffff308 to
dc50185
Compare
jperezdealgaba
force-pushed
the
coverity-buildless
branch
from
72ee032 to
5973915
Compare
|
Hey! @kdudka I just did a new MR with all the discussed changes:
The relationship between the two tasks are defined in the following file: pipelines/template-build/template-build.yaml |
jperezdealgaba
force-pushed
the
coverity-buildless
branch
from
a053118 to
1cf84a4
Compare
|
@tnevrlka Would you mind retriggering the tests? This was just merged: release-engineering/rhtap-ec-policy#85 (comment) |
|
/ok-to-test |
jperezdealgaba
force-pushed
the
coverity-buildless
branch
from
1cf84a4 to
378ff5d
Compare
|
/ok-to-test |
|
/retest |
jperezdealgaba
force-pushed
the
coverity-buildless
branch
from
378ff5d to
9ae6fef
Compare
|
/retest |
|
The The README says |
I think we also need a fix tor the Task Tests workflow then, tests should really be optional at the moment |
I have skipped task tests workflow with this PR till it is fixed. |
jperezdealgaba
force-pushed
the
coverity-buildless
branch
from
9ae6fef to
c682c64
Compare
Solves: https://issues.redhat.com/browse/OSH-740 Initial version of the Coverity Buildless task. In introduces two different tasks: A task checking the availability of Coverity license and authentication token, and a task for scanning the code. The code will be scanned using coverity buildless mode, then the results are processing using csgrep and the results are later filtered using csfilter-kfp.
jperezdealgaba
force-pushed
the
coverity-buildless
branch
from
c682c64 to
ac3c8d5
Compare
|
/ok-to-test |
| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | | ||
| |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | | ||
| |image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| | ||
| |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| |
There was a problem hiding this comment.
@jperezdealgaba for multi-arch I think this should be build-image-index
There was a problem hiding this comment.
@pierDipi Sorry! We weren't aware of this. Would you mind adding more information about how this is used in this tracker: https://issues.redhat.com/browse/OSH-790 ?
... and coverity-availability-check to make the template work with multiarch builds. Fixes: konflux-ci#1411 Resolves: https://issues.redhat.com/browse/OSH-790 Resolves: https://issues.redhat.com/browse/KFLUXSPRT-847
... and coverity-availability-check to make the template work with multiarch builds. Fixes: konflux-ci#1411 Resolves: https://issues.redhat.com/browse/OSH-790 Resolves: https://issues.redhat.com/browse/KFLUXSPRT-847
... and coverity-availability-check to make the template work with multiarch builds. Fixes: #1411 Resolves: https://issues.redhat.com/browse/OSH-790 Resolves: https://issues.redhat.com/browse/KFLUXSPRT-847
Initial version of the Coverity Buildless task. The code will be scanned using coverity buildless mode, then the results are processuing using csgrep and the results are later filtered using csfilter-kfp.
This is a draft request and this can not be merged in this repository. It will be merged in a newly created repository.
Things pending to do:
csdiffpackage once the container image is updatedApart from that, the MR can be reviewed as the funcionality will remain the same