coverity: embed capture stats into scan results

Related: https://issues.redhat.com/browse/OSH-769
konflux-ci · Dec 12, 2024 · 31c6f24 · 31c6f24
1 parent 900aa21
commit 31c6f24
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 6 deletions.
diff --git a/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.2/sast-coverity-check-oci-ta.yaml
@@ -298,13 +298,19 @@ spec:
         /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
         EC=\$?
 
+        # assign a unique file name for scan results
+        json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
+
+        # obtain capture stats to process them later on
+        /opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
+
         # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
         /opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
 
         # export scan results and embed source code context into the scan results
         /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
           | /usr/libexec/csgrep-static --mode=json --embed-context=3 \
-          > \$(mktemp /shared/sast-results/\$\$-XXXX.json)
+          > "\${json_file}"
         exit \$EC
         EOF
         chmod 0755 /shared/cmd-wrap.sh
@@ -689,6 +695,8 @@ spec:
           # shellcheck disable=SC2086
           env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "/var/workdir"
 
+          /opt/coverity/bin/coverity list --dir=/tmp/idir >"/shared/sast-results/coverity-buildless-summary.txt"
+
           # install Coverity license file
           install -vm0644 /{shared,opt/coverity/bin}/license.dat
 
@@ -701,14 +709,33 @@ spec:
               >/shared/sast-results/coverity-buildless.json
         ); fi
 
+        # summary capture stats (FIXME: this doe not take findings deduplication into account)
+        set +e
+        for file in /shared/sast-results/*-summary.txt; do
+          ((SUCCEEDED += $(grep "^ *SUCCEEDED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+          ((INCOMPLETE += $(grep "^ *INCOMPLETE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+          ((FAILED += $(grep "^ *FAILED:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+          ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+        done
+
+        # Calculate the total number of files
+        ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
+
+        # Calculate the ratio of successful files to total files
+        ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
+        set -e
+
         # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
         IMP_LEVEL=1
         if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
           IMP_LEVEL=0
         fi
 
         # collect scan results
-        csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' |
+        csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
+          --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
+          --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
+          --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" |
           tee coverity-results-raw.json |
           csgrep --mode=evtstat
 

diff --git a/task/sast-coverity-check/0.2/patch.yaml b/task/sast-coverity-check/0.2/patch.yaml
@@ -182,13 +182,19 @@
       /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
       EC=\$?
 
+      # assign a unique file name for scan results
+      json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
+
+      # obtain capture stats to process them later on
+      /opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
+
       # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
       /opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
 
       # export scan results and embed source code context into the scan results
       /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
         | /usr/libexec/csgrep-static --mode=json --embed-context=3 \
-        > \$(mktemp /shared/sast-results/\$\$-XXXX.json)
+        > "\${json_file}"
       exit \$EC
       EOF
       chmod 0755 /shared/cmd-wrap.sh
@@ -263,6 +269,8 @@
         # shellcheck disable=SC2086
         env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
 
+        /opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
+
         # install Coverity license file
         install -vm0644 /{shared,opt/coverity/bin}/license.dat
 
@@ -275,14 +283,33 @@
           > /shared/sast-results/coverity-buildless.json
       ) fi
 
+      # summary capture stats (FIXME: this doe not take findings deduplication into account)
+      set +e
+      for file in /shared/sast-results/*-summary.txt; do
+        ((SUCCEEDED     += $(grep "^ *SUCCEEDED:"     "${file}" | grep -oE '[0-9]+' || echo 0)))
+        ((INCOMPLETE    += $(grep "^ *INCOMPLETE:"    "${file}" | grep -oE '[0-9]+' || echo 0)))
+        ((FAILED        += $(grep "^ *FAILED:"        "${file}" | grep -oE '[0-9]+' || echo 0)))
+        ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+      done
+
+      # Calculate the total number of files
+      ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
+
+      # Calculate the ratio of successful files to total files
+      ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
+      set -e
+
       # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
       IMP_LEVEL=1
       if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
         IMP_LEVEL=0
       fi
 
       # collect scan results
-      csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
+      csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
+        --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
+        --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
+        --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
         | tee coverity-results-raw.json \
         | csgrep --mode=evtstat
 

diff --git a/task/sast-coverity-check/0.2/sast-coverity-check.yaml b/task/sast-coverity-check/0.2/sast-coverity-check.yaml
@@ -242,13 +242,19 @@ spec:
       /opt/coverity/bin/coverity --ticker-mode=no-spin capture --dir=/tmp/idir --project-dir="\$proj_dir" -- "\$@"
       EC=\$?
 
+      # assign a unique file name for scan results
+      json_file="\$(mktemp /shared/sast-results/\$\$-XXXX.json)"
+
+      # obtain capture stats to process them later on
+      /opt/coverity/bin/coverity list --dir=/tmp/idir > "\${json_file%.json}-summary.txt"
+
       # use cov-analyze instead of "coverity analyze" so that we can handle COV_ANALYZE_ARGS
       /opt/coverity/bin/cov-analyze --dir=/tmp/idir $COV_ANALYZE_ARGS
 
       # export scan results and embed source code context into the scan results
       /opt/coverity/bin/cov-format-errors --dir=/tmp/idir --json-output-v10 /dev/stdout \
         | /usr/libexec/csgrep-static --mode=json --embed-context=3 \
-        > \$(mktemp /shared/sast-results/\$\$-XXXX.json)
+        > "\${json_file}"
       exit \$EC
       EOF
       chmod 0755 /shared/cmd-wrap.sh
@@ -637,6 +643,8 @@ spec:
         # shellcheck disable=SC2086
         env HOME=/var/tmp/coverity/home /opt/coverity/bin/coverity capture --disable-build-command-inference --dir /tmp/idir --project-dir "$(workspaces.source.path)"
 
+        /opt/coverity/bin/coverity list --dir=/tmp/idir > "/shared/sast-results/coverity-buildless-summary.txt"
+
         # install Coverity license file
         install -vm0644 /{shared,opt/coverity/bin}/license.dat
 
@@ -649,14 +657,33 @@ spec:
           > /shared/sast-results/coverity-buildless.json
       ) fi
 
+      # summary capture stats (FIXME: this doe not take findings deduplication into account)
+      set +e
+      for file in /shared/sast-results/*-summary.txt; do
+        ((SUCCEEDED     += $(grep "^ *SUCCEEDED:"     "${file}" | grep -oE '[0-9]+' || echo 0)))
+        ((INCOMPLETE    += $(grep "^ *INCOMPLETE:"    "${file}" | grep -oE '[0-9]+' || echo 0)))
+        ((FAILED        += $(grep "^ *FAILED:"        "${file}" | grep -oE '[0-9]+' || echo 0)))
+        ((LINES_OF_CODE += $(grep "^ *LINES OF CODE:" "${file}" | grep -oE '[0-9]+' || echo 0)))
+      done
+
+      # Calculate the total number of files
+      ((TOTAL_FILES = SUCCEEDED + INCOMPLETE + FAILED))
+
+      # Calculate the ratio of successful files to total files
+      ((COVERAGE_RATIO = (TOTAL_FILES == 0) ? 0 : (SUCCEEDED * 100 / TOTAL_FILES)))
+      set -e
+
       # reflect the IMP_FINDINGS_ONLY parameter in csgrep arguments
       IMP_LEVEL=1
       if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
         IMP_LEVEL=0
       fi
 
       # collect scan results
-      csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*' \
+      csgrep --mode=json --imp-level="$IMP_LEVEL" --remove-duplicates --file-glob '/shared/sast-results/*.json' \
+        --set-scan-prop cov-scanned-files-success:"${SUCCEEDED}" \
+        --set-scan-prop cov-scanned-files-total:"${TOTAL_FILES}" \
+        --set-scan-prop cov-scanned-lines:"${LINES_OF_CODE}" \
         | tee coverity-results-raw.json \
         | csgrep --mode=evtstat