From e3b522b82d7f07963a8b3844f8ba2b41e28eaeec Mon Sep 17 00:00:00 2001
From: Hannes Winkler
Date: Sun, 15 Sep 2024 16:08:07 +0000
Subject: [PATCH] make sarif error scanning script support scan-build output

scan-build output doesn't set the `level` field for the rules. Default to "warning" if unspecified, according to the SARIF schema. Rename `fail_on_error.py ==> fail_on_warning.py` and fail (unsurprisingly) on warning-level results.
---
 .github/workflows/codeql.yml | 8 ++++----
 .../{fail_on_error.py => fail_on_warning.py} | 13 +++++++++----
 2 files changed, 13 insertions(+), 8 deletions(-)
 rename .github/workflows/{fail_on_error.py => fail_on_warning.py} (71%)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 13e6cf14..b52c647e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -89,9 +89,9 @@ jobs:
 path: ${{ steps.step1.outputs.sarif-output }}
 retention-days: 5
- - name: Fail if an error is found
+ - name: Fail if a warning is found
 run: |
- ./.github/workflows/fail_on_error.py \
+ ./.github/workflows/fail_on_warning.py \
 ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
 scan-build:
@@ -125,6 +125,6 @@ jobs:
 category: "scan-build"
 sarif_file: build/sarif/merged.sarif
- - name: Fail if an error is found
+ - name: Fail if a warning is found
 run: |
- ./.github/workflows/fail_on_error.py build/sarif/merged.sarif
\ No newline at end of file
+ ./.github/workflows/fail_on_warning.py build/sarif/merged.sarif
\ No newline at end of file
diff --git a/.github/workflows/fail_on_error.py b/.github/workflows/fail_on_warning.py
similarity index 71%
rename from .github/workflows/fail_on_error.py
rename to .github/workflows/fail_on_warning.py
index 29791742..99ccac78 100755
--- a/.github/workflows/fail_on_error.py
+++ b/.github/workflows/fail_on_warning.py
@@ -20,13 +20,18 @@ def codeql_sarif_contain_error(filename):
 rule_index = res['rule']['index']
 else:
 continue
+
 try:
 rule_level = rules_metadata[rule_index]['defaultConfiguration']['level']
 except IndexError as e:
- print(e, rule_index, len(rules_metadata))
- else:
- if rule_level == 'error':
- return True
+ # According to the SARIF schema (https://www.schemastore.org/schemas/json/sarif-2.1.0-rtm.6.json),
+ # the defalt level is "warning" if not specified.
+ rule_level = 'warning'
+
+ if rule_level == 'error':
+ return True
+ elif rule_level == 'warning':
+ return True
 return False
 if __name__ == "__main__":
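Review bot: The fallback added under `except IndexError as e:` only applies when `rule_index` is out of range for `rules_metadata`; a rule entry that exists but has no `defaultConfiguration` or no `level` key, which is the case the commit message describes for scan-build, would raise `KeyError` and is not caught. The step would then fail on a traceback rather than on the intended default, so either catch both with `except (IndexError, KeyError):` (which also drops the now unused `e`) or read the value with `.get('defaultConfiguration', {}).get('level', 'warning')`. The `error` and `warning` branches return the same value and can be one test, `if rule_level in ('error', 'warning'):`. The `continue` in the context lines skips every result that carries no rule index, so such results can never fail this gate; whether scan-build always emits one is not visible in this hunk and is worth confirming. `codeql_sarif_contain_error` starts above the hunk.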