
fix(codeqlExecuteScan): filter quality issues for SAST to pass/fail (#4703)

* added filtering issues by tag

* added optional group of issues

* fixed tests

---------

Co-authored-by: sumeet patil <sumeet.patil@sap.com>
This commit is contained in:
Daria Kuznetsova
2023-12-13 08:43:04 +01:00
committed by GitHub
parent f39dec68a5
commit 405e42a1c3
2 changed files with 47 additions and 16 deletions


@@ -49,6 +49,8 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
page := 1 page := 1
audited := 0 audited := 0
totalAlerts := 0 totalAlerts := 0
optionalAudited := 0
totalOptionalAlerts := 0
for page != 0 { for page != 0 {
alertOptions := github.AlertListOptions{ alertOptions := github.AlertListOptions{
@@ -72,13 +74,31 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
continue continue
} }
if *alert.State == auditStateDismissed { isSecurityIssue := false
audited += 1 for _, tag := range alert.Rule.Tags {
totalAlerts += 1 if tag == "security" {
isSecurityIssue = true
}
} }
if *alert.State == auditStateOpen { if isSecurityIssue {
totalAlerts += 1 if *alert.State == auditStateDismissed {
audited += 1
totalAlerts += 1
}
if *alert.State == auditStateOpen {
totalAlerts += 1
}
} else {
if *alert.State == auditStateDismissed {
optionalAudited += 1
totalOptionalAlerts += 1
}
if *alert.State == auditStateOpen {
totalOptionalAlerts += 1
}
} }
} }
} }
@@ -88,7 +108,12 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
Total: totalAlerts, Total: totalAlerts,
Audited: audited, Audited: audited,
} }
codeqlScanning := []CodeqlFindings{auditAll} optionalIssues := CodeqlFindings{
ClassificationName: "Optional",
Total: totalOptionalAlerts,
Audited: optionalAudited,
}
codeqlScanning := []CodeqlFindings{auditAll, optionalIssues}
return codeqlScanning, nil return codeqlScanning, nil
} }
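Review bot: The tag loop in the new branch dereferences `alert.Rule` without a nil check; if the API can return an alert with no rule (the field is a pointer in the go-github client, as the test mock's `&github.Rule{...}` suggests), `alert.Rule.Tags` panics and the whole scan fails. A guard such as `if alert.Rule != nil { for _, tag := range alert.Rule.Tags { ... } }` keeps the loop safe, and a `break` after `isSecurityIssue = true` avoids walking the remaining tags. An alert without a rule or without the `security` tag is then silently counted as optional and no longer affects pass/fail, which is worth stating on the flag, e.g. `// Only alerts whose rule carries the "security" tag count towards the SAST pass/fail totals; everything else is reported under "Optional".` getVulnerabilitiesFromClient starts and ends outside the hunks shown.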


@@ -24,30 +24,36 @@ func (g *githubCodeqlScanningMock) ListAlertsForRepo(ctx context.Context, owner,
testToolName := "Test" testToolName := "Test"
if repo == "testRepo1" { if repo == "testRepo1" {
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}}) alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}}) alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}}) alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}}) alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
response.NextPage = 0 response.NextPage = 0
} }
if repo == "testRepo2" { if repo == "testRepo2" {
if opts.Page == 1 { if opts.Page == 1 {
for i := 0; i < 50; i++ { for i := 0; i < 50; i++ {
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}}) alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
} }
for i := 0; i < 50; i++ { for i := 0; i < 50; i++ {
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}}) alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
} }
response.NextPage = 2 response.NextPage = 2
} }
if opts.Page == 2 { if opts.Page == 2 {
for i := 0; i < 10; i++ { for i := 0; i < 10; i++ {
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}}) alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
} }
for i := 0; i < 30; i++ { for i := 0; i < 30; i++ {
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}}) alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
} }
response.NextPage = 0 response.NextPage = 0
} }
@@ -72,7 +78,7 @@ func TestGetVulnerabilitiesFromClient(t *testing.T) {
codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance) codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance)
assert.NoError(t, err) assert.NoError(t, err)
assert.NotEmpty(t, codeScanning) assert.NotEmpty(t, codeScanning)
assert.Equal(t, 1, len(codeScanning)) assert.Equal(t, 2, len(codeScanning))
assert.Equal(t, 3, codeScanning[0].Total) assert.Equal(t, 3, codeScanning[0].Total)
assert.Equal(t, 1, codeScanning[0].Audited) assert.Equal(t, 1, codeScanning[0].Audited)
}) })
@@ -83,7 +89,7 @@ func TestGetVulnerabilitiesFromClient(t *testing.T) {
codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance) codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance)
assert.NoError(t, err) assert.NoError(t, err)
assert.NotEmpty(t, codeScanning) assert.NotEmpty(t, codeScanning)
assert.Equal(t, 1, len(codeScanning)) assert.Equal(t, 2, len(codeScanning))
assert.Equal(t, 140, codeScanning[0].Total) assert.Equal(t, 140, codeScanning[0].Total)
assert.Equal(t, 80, codeScanning[0].Audited) assert.Equal(t, 80, codeScanning[0].Audited)
}) })
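Review bot: Both test cases still assert only on `codeScanning[0]`, so the new Optional entry that the mock data was extended to produce is checked only through the length change from 1 to 2. Adding `assert.Equal(t, "Optional", codeScanning[1].ClassificationName)` together with the expected `Total`/`Audited` for the `useless_code` alerts would pin the new classification; from the testRepo1 mock that looks like one dismissed codeql alert, assuming alerts from the `Test` tool are skipped before counting, which is not visible in this hunk. Without that assertion a regression that drops or miscounts optional findings would pass these tests. TestGetVulnerabilitiesFromClient starts outside the hunk.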