
fix(codeqlExecuteScan): filter quality issues for SAST to pass/fail (#4703)

* added filtering issues by tag

* added optional group of issues

* fixed tests

---------

Co-authored-by: sumeet patil <sumeet.patil@sap.com>
This commit is contained in:
Daria Kuznetsova
2023-12-13 08:43:04 +01:00
committed by GitHub
parent f39dec68a5
commit 405e42a1c3
2 changed files with 47 additions and 16 deletions


@@ -49,6 +49,8 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
page := 1
audited := 0
totalAlerts := 0
optionalAudited := 0
totalOptionalAlerts := 0
for page != 0 {
alertOptions := github.AlertListOptions{
@@ -72,6 +74,14 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
continue
}
isSecurityIssue := false
for _, tag := range alert.Rule.Tags {
if tag == "security" {
isSecurityIssue = true
}
}
if isSecurityIssue {
if *alert.State == auditStateDismissed {
audited += 1
totalAlerts += 1
@@ -80,6 +90,16 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
if *alert.State == auditStateOpen {
totalAlerts += 1
}
} else {
if *alert.State == auditStateDismissed {
optionalAudited += 1
totalOptionalAlerts += 1
}
if *alert.State == auditStateOpen {
totalOptionalAlerts += 1
}
}
}
}
@@ -88,7 +108,12 @@ func getVulnerabilitiesFromClient(ctx context.Context, codeScanning githubCodeql
Total: totalAlerts,
Audited: audited,
}
codeqlScanning := []CodeqlFindings{auditAll}
optionalIssues := CodeqlFindings{
ClassificationName: "Optional",
Total: totalOptionalAlerts,
Audited: optionalAudited,
}
codeqlScanning := []CodeqlFindings{auditAll, optionalIssues}
return codeqlScanning, nil
}
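Review bot: `alert.Rule.Tags` in the new classification loop dereferences `alert.Rule` without a nil check; go-github models `Rule` as a pointer, so an alert returned without rule metadata will panic the whole scan step rather than be counted. That same line is now the pass/fail gate, because anything not tagged `security` is demoted to the non-blocking "Optional" bucket, so a nil or tag-less rule should be classified deliberately instead of falling through to optional. I would guard it and lean towards failing closed, e.g. `isSecurityIssue := alert.Rule == nil` followed by `if alert.Rule != nil { for _, tag := range alert.Rule.Tags { if tag == "security" { isSecurityIssue = true; break } } }`. A short comment above the loop such as `// Only CodeQL rules tagged "security" count toward the blocking total; everything else is reported as "Optional"` would also warn the next reader that custom query packs lacking that tag silently stop gating the build. getVulnerabilitiesFromClient begins before the first hunk.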


@@ -24,30 +24,36 @@ func (g *githubCodeqlScanningMock) ListAlertsForRepo(ctx context.Context, owner,
testToolName := "Test"
if repo == "testRepo1" {
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}})
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}})
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
response.NextPage = 0
}
if repo == "testRepo2" {
if opts.Page == 1 {
for i := 0; i < 50; i++ {
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}})
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
}
for i := 0; i < 50; i++ {
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
}
response.NextPage = 2
}
if opts.Page == 2 {
for i := 0; i < 10; i++ {
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}})
alerts = append(alerts, &github.Alert{State: &openState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
}
for i := 0; i < 30; i++ {
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &codeqlToolName}, Rule: &github.Rule{Tags: []string{"security"}}})
alerts = append(alerts, &github.Alert{State: &dismissedState, Tool: &github.Tool{Name: &testToolName}, Rule: &github.Rule{Tags: []string{"useless_code"}}})
}
response.NextPage = 0
}
@@ -72,7 +78,7 @@ func TestGetVulnerabilitiesFromClient(t *testing.T) {
codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance)
assert.NoError(t, err)
assert.NotEmpty(t, codeScanning)
assert.Equal(t, 1, len(codeScanning))
assert.Equal(t, 2, len(codeScanning))
assert.Equal(t, 3, codeScanning[0].Total)
assert.Equal(t, 1, codeScanning[0].Audited)
})
@@ -83,7 +89,7 @@ func TestGetVulnerabilitiesFromClient(t *testing.T) {
codeScanning, err := getVulnerabilitiesFromClient(ctx, &ghCodeqlScanningMock, "ref", &codeqlScanAuditInstance)
assert.NoError(t, err)
assert.NotEmpty(t, codeScanning)
assert.Equal(t, 1, len(codeScanning))
assert.Equal(t, 2, len(codeScanning))
assert.Equal(t, 140, codeScanning[0].Total)
assert.Equal(t, 80, codeScanning[0].Audited)
})
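Review bot: The updated assertions in both sub-tests only check `len(codeScanning) == 2` and the `[0]` (security) entry; the new `Optional` entry at `codeScanning[1]` is never asserted, so the tag-based split this commit introduces is not actually verified. From the mock data, testRepo1 has a single dismissed CodeQL alert tagged `useless_code` and its other non-security alerts come from the `Test` tool, so `assert.Equal(t, 1, codeScanning[1].Total)` and `assert.Equal(t, 1, codeScanning[1].Audited)` should hold there, and `0`/`0` for testRepo2 whose optional alerts all carry the `Test` tool name — worth confirming against the tool-name filter that sits above the visible hunk. A mock alert with `Rule: nil` would also pin down how an alert without rule metadata is classified, since the production loop reads `alert.Rule.Tags` directly. The start of the mock's ListAlertsForRepo and the test function header lie outside the visible hunks.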