From 31c6f24ecf86d7fdfbb8847f3907cde68c531136 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 11 Dec 2024 16:25:48 +0100
Subject: [PATCH] coverity: embed capture stats into scan results

Related: https://issues.redhat.com/browse/OSH-769
---
 .../0.2/sast-coverity-check-oci-ta.yaml | 31 +++++++++++++++++--
 task/sast-coverity-check/0.2/patch.yaml | 31 +++++++++++++++++--
 .../0.2/sast-coverity-check.yaml | 31 +++++++++++++++++--
 3 files changed, 87 insertions(+), 6 deletions(-)

diff --git a/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml
index 6b1f396572..d58779f00e 100644
--- a/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml
+++ b/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml
@@ -298,13 +298,19 @@ spec:
  /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
  EC=\$?
 
+ # assign a unique file name for scan results
+ json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
+
+ # obtain capture stats to process them later on
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
+
  # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
  /opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
 
  # export scan results and embed source code context into the scan results
  /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
  | /usr/libexec/csgrep-static --mode=json --embed-context=3 \
- > \$(mktemp /shared/sast-results/\$\$-XXXX.json)
+ > "\${json_file}"
  exit \$EC
  EOF
  chmod 0755 /shared/cmd-wrap.sh
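Review bot: The new `json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"` line carries no failure check, so if mktemp fails the wrapper carries on with an empty `json_file`: the summary is then written to `-summary.txt` in the current directory and `> "\${json_file}"` becomes a redirect to an empty name. A guard such as `json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)" || exit 1` (escaped like the rest of the heredoc) keeps results from silently going astray; the wrapper's header is outside the hunk, so whether it already runs under `set -e` cannot be seen here. The exit status of the new `coverity list` call is likewise not examined; if that is deliberate because the stats are best-effort, a one-line comment saying so would help the next reader. The same applies to the matching cmd-wrap.sh hunks in task/sast-coverity-check/0.2/patch.yaml and task/sast-coverity-check/0.2/sast-coverity-check.yaml.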
@@ -689,6 +695,8 @@ spec:
  # shellcheck disable=SC2086
  env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "/var/workdir"
 
+ /opt/coverity/bin/coverity list --dir=/tmp/idir >"/shared/sast-results/coverity-buildless-summary.txt"
+
  # install Coverity license file
  install -vm0644 /{shared,opt/coverity/bin}/license.dat
 
@@ -701,6 +709,22 @@ spec:
  >/shared/sast-results/coverity-buildless.json
  );
  fi
+ # summary capture stats (FIXME: this doe not take findings deduplication into account)
+ set +e
+ for file in /shared/sast-results/*-summary.txt; do
+ ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ done
+
+ # Calculate the total number of files
+ ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
+
+ # Calculate the ratio of successful files to total files
+ ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
+ set -e
+
  # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
  IMP_LEVEL=1
  if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
@@ -708,7 +732,10 @@ spec:
  fi
 
  # collect scan results
- csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' |
+ csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
+ --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
+ --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
+ --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" |
  tee coverity-results-raw.json |
  csgrep --mode=evtstat
 
diff --git a/task/sast-coverity-check/0.2/patch.yaml b/task/sast-coverity-check/0.2/patch.yaml
index 6ca817385f..a7be5046ac 100644
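Review bot: The new `coverity list` call in the buildless hunk runs without the `env HOME=/var/tmp/coverity/home` prefix that the preceding `coverity capture` line uses, so the two invocations may see different configuration if the tool reads anything from HOME; `env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity list --dir=/tmp/idir >"/shared/sast-results/coverity-buildless-summary.txt"` keeps them consistent. Whether `coverity list` consults HOME at all is not visible here, so this may be harmless, but matching the capture line costs nothing. The same applies to the buildless hunks in patch.yaml and sast-coverity-check.yaml.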
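Review bot: `SUCCEEDED`, `INCOMPLETE`, `FAILED` and `LINES_OF_CODE` are never initialised before the `+=` lines in the summary loop; bash arithmetic treats an unset name as 0, but an explicit `SUCCEEDED=0 INCOMPLETE=0 FAILED=0 LINES_OF_CODE=0` before `set +e` documents the intent and keeps the loop working should the task ever run under `set -u`. The `grep -oE '[0-9]+'` filter is what keeps the command substitution safe to embed in `(( ))`, but if a summary line carries more than one number the substitution expands to several words and the arithmetic fails; `| grep -oE '[0-9]+' | head -n1` pins it to the first match (the `coverity list` output format is not visible here, so this is precautionary). When the `*-summary.txt` glob matches nothing, the loop body runs once on the literal pattern and relies on `|| echo 0`, which works but prints a grep error; a `[ -e "${file}" ] || continue` guard at the top of the loop keeps the log clean. The comment typo `doe not` should read `does not`. The same loop appears in patch.yaml and sast-coverity-check.yaml.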
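Review bot: `COVERAGE_RATIO`, computed just before this hunk, is not among the three `--set-scan-prop` values added to the csgrep call, so from the visible hunks it is dead; either emit it as a fourth scan property or drop its computation. The narrowing of `--file-glob` to `/shared/sast-results/*.json` is required now that the `*-summary.txt` files share the directory, and deserves a comment such as `# *.json only: the directory now also holds capture summaries` so nobody widens it back later. The same applies to the matching hunks in patch.yaml and sast-coverity-check.yaml.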
--- a/task/sast-coverity-check/0.2/patch.yaml
+++ b/task/sast-coverity-check/0.2/patch.yaml
@@ -182,13 +182,19 @@
  /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
  EC=\$?
 
+ # assign a unique file name for scan results
+ json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
+
+ # obtain capture stats to process them later on
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
+
  # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
  /opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
 
  # export scan results and embed source code context into the scan results
  /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
  | /usr/libexec/csgrep-static --mode=json --embed-context=3 \
- > \$(mktemp /shared/sast-results/\$\$-XXXX.json)
+ > "\${json_file}"
  exit \$EC
  EOF
  chmod 0755 /shared/cmd-wrap.sh
@@ -263,6 +269,8 @@
  # shellcheck disable=SC2086
  env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
 
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
+
  # install Coverity license file
  install -vm0644 /{shared,opt/coverity/bin}/license.dat
 
@@ -275,6 +283,22 @@
  > /shared/sast-results/coverity-buildless.json
  )
  fi
+ # summary capture stats (FIXME: this doe not take findings deduplication into account)
+ set +e
+ for file in /shared/sast-results/*-summary.txt; do
+ ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ done
+
+ # Calculate the total number of files
+ ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
+
+ # Calculate the ratio of successful files to total files
+ ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
+ set -e
+
  # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
  IMP_LEVEL=1
  if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
@@ -282,7 +306,10 @@
  fi
 
  # collect scan results
- csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
+ csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
+ --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
+ --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
+ --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
  | tee coverity-results-raw.json \
  | csgrep --mode=evtstat
 
diff --git a/task/sast-coverity-check/0.2/sast-coverity-check.yaml b/task/sast-coverity-check/0.2/sast-coverity-check.yaml
index 6650199ad3..4f77a7feb0 100644
--- a/task/sast-coverity-check/0.2/sast-coverity-check.yaml
+++ b/task/sast-coverity-check/0.2/sast-coverity-check.yaml
@@ -242,13 +242,19 @@ spec:
  /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
  EC=\$?
 
+ # assign a unique file name for scan results
+ json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
+
+ # obtain capture stats to process them later on
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
+
  # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
  /opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
 
  # export scan results and embed source code context into the scan results
  /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
  | /usr/libexec/csgrep-static --mode=json --embed-context=3 \
- > \$(mktemp /shared/sast-results/\$\$-XXXX.json)
+ > "\${json_file}"
  exit \$EC
  EOF
  chmod 0755 /shared/cmd-wrap.sh
@@ -637,6 +643,8 @@ spec:
  # shellcheck disable=SC2086
  env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
 
+ /opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
+
  # install Coverity license file
  install -vm0644 /{shared,opt/coverity/bin}/license.dat
 
@@ -649,6 +657,22 @@ spec:
  > /shared/sast-results/coverity-buildless.json
  )
  fi
+ # summary capture stats (FIXME: this doe not take findings deduplication into account)
+ set +e
+ for file in /shared/sast-results/*-summary.txt; do
+ ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+ done
+
+ # Calculate the total number of files
+ ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
+
+ # Calculate the ratio of successful files to total files
+ ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
+ set -e
+
  # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
  IMP_LEVEL=1
  if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
@@ -656,7 +680,10 @@ spec:
  fi
 
  # collect scan results
- csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
+ csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
+ --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
+ --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
+ --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
  | tee coverity-results-raw.json \
  | csgrep --mode=evtstat
 