From 1b25541a997cc96c84845423ec51de109982c279 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Fri, 14 Jun 2024 15:00:16 +0200 Subject: [PATCH 1/4] categorize sarif files --- .github/workflows/spotbugs-scan.yml | 86 +++++++++++++++++++---------- 1 file changed, 56 insertions(+), 30 deletions(-) diff --git a/.github/workflows/spotbugs-scan.yml b/.github/workflows/spotbugs-scan.yml index ba1ccb97..a2d2f512 100644 --- a/.github/workflows/spotbugs-scan.yml +++ b/.github/workflows/spotbugs-scan.yml @@ -2,7 +2,7 @@ name: "SpotBugs" on: push: - branches: [ main ] + branches: [ main, adamve/multiple_sarif_files ] pull_request: # The branches below must be a subset of the branches above branches: [ main ] @@ -23,7 +23,7 @@ jobs: strategy: fail-fast: false matrix: - language: ["java"] + language: [ "java" ] steps: - name: Checkout repository 
@@ -38,35 +38,61 @@ jobs: - name: Build with Gradle run: ./gradlew spotbugsRelease spotbugsMain - - name: Fix SARIF + - uses: actions/upload-artifact@v4 + with: + name: sarif-files + path: ./build/spotbugs/*.sarif + retention-days: 1 + + upload: + name: Upload SARIF + needs: analyze + runs-on: ubuntu-latest + + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + module: + [ + "android", + "AndroidDemo", + "core", + "fido", + "management", + "oath", + "openpgp", + "piv", + "support", + "testing", + "yubiotp", + ] + + steps: + - uses: actions/download-artifact@v4 + with: + name: sarif-files + + - name: Fix SARIF of module ${{ matrix.module }} run: >- - for module in \ - "android" \ - "AndroidDemo" \ - "core" \ - "fido" \ - "management" \ - "oath" \ - "openpgp" \ - "piv" \ - "support" \ - "testing" \ - "yubiotp"; - do - SARIF="./build/spotbugs/spotbugs-$module.sarif" - jq '.runs |= map( if .taxonomies == [null] then .taxonomies = [] else . end)' < $SARIF | - jq ".runs[].results[].locations[].physicalLocation.artifactLocation.uri |= \"$module/src/main/java/\" + ." | - jq ".runs[].results[].locations[].physicalLocation.artifactLocation.uriBaseId |= \"%SRC_ROOT%\" " | - jq '.runs[].tool.driver.rules |= map( . += { fullDescription: { text: .shortDescription.text } } )' | - jq '.runs[].tool.driver.rules |= map( . += { name: ("SpotBugs_" + .id | ascii_downcase | sub("(^|_)(?[a-z])";"\(.x|ascii_upcase)";"g")) } )' | - jq '.runs[].tool.driver.rules |= map( . += { help: { text: .helpUri } } )' | - jq 'del(.runs[].originalUriBaseIds)' | - jq -c '.' > $SARIF.json - mv $SARIF.json $SARIF - done + module=${{ matrix.module }} + SARIF=spotbugs-$module.sarif + jq '.runs |= map( if .taxonomies == [null] then .taxonomies = [] else . end)' < $SARIF | + jq ".runs[].results[].locations[].physicalLocation.artifactLocation.uri |= \"$module/src/main/java/\" + ." 
| + jq ".runs[].results[].locations[].physicalLocation.artifactLocation.uriBaseId |= \"%SRC_ROOT%\" " | + jq '.runs[].tool.driver.rules |= map( . += { fullDescription: { text: .shortDescription.text } } )' | + jq '.runs[].tool.driver.rules |= map( . += { name: ("SpotBugs_" + .id | ascii_downcase | sub("(^|_)(?[a-z])";"\(.x|ascii_upcase)";"g")) } )' | + jq '.runs[].tool.driver.rules |= map( . += { help: { text: .helpUri } } )' | + jq 'del(.runs[].originalUriBaseIds)' | + jq -c '.' > $SARIF.json + mv $SARIF.json $SARIF - - name: upload SARIF + - name: Upload SARIF for ${{ matrix.module }} uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: build/spotbugs/ - category: spotbugs-analysis + sarif_file: spotbugs-${{ matrix.module }}.sarif + category: spotbugs-analysis-${{ matrix.module }} From bb1260825ba118e57064d65eb3f96d36634796b0 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Fri, 14 Jun 2024 15:12:27 +0200 Subject: [PATCH 2/4] fix run --- .github/workflows/spotbugs-scan.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/spotbugs-scan.yml b/.github/workflows/spotbugs-scan.yml index a2d2f512..ac2f656b 100644 --- a/.github/workflows/spotbugs-scan.yml +++ b/.github/workflows/spotbugs-scan.yml @@ -77,10 +77,7 @@ jobs: with: name: sarif-files - - name: Fix SARIF of module ${{ matrix.module }} - run: >- - module=${{ matrix.module }} - SARIF=spotbugs-$module.sarif + - run: | jq '.runs |= map( if .taxonomies == [null] then .taxonomies = [] else . end)' < $SARIF | jq ".runs[].results[].locations[].physicalLocation.artifactLocation.uri |= \"$module/src/main/java/\" + ." | jq ".runs[].results[].locations[].physicalLocation.artifactLocation.uriBaseId |= \"%SRC_ROOT%\" " | 
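Review bot: The new `actions/upload-artifact@v4` step in the analyze job (hunk `@@ -38,35 +38,61 @@`) relies on the action's default `if-no-files-found: warn`, so a module whose SARIF was never produced only warns here and then fails much later in the upload job's jq step for that module, far from the cause; add `if-no-files-found: error` under that step's `with:` so the failure surfaces where it originates. That step is also the only unnamed one among its neighbours, so `name: Upload SARIF artifact` would keep the job log readable. Since the new upload job is granted `security-events: write`, consider pinning the two new actions to a full commit SHA with a version comment (`uses: actions/upload-artifact@<commit-sha>  # v4`) rather than the mutable `v4` tag, as the supply-chain guidance for workflows with write scopes recommends.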
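Review bot: `$module` is still expanded inside the `artifactLocation.uri |= \"$module/src/main/java/\" + .` filter two lines below the new `- run: |` line, but the `module=${{ matrix.module }}` assignment that defined it is removed by this hunk, so every rewritten URI becomes `/src/main/java/...` with no module prefix and code scanning cannot map the results back to source files. Either restore `module=${{ matrix.module }}` as the first line of the block or write `\"${{ matrix.module }}/src/main/java/\"` in that filter. The `$SARIF` redirect on the following line has the same problem but is replaced in patch 3/4; the `$module` reference is not, since that patch's hunk `@@ -78,17 +78,17 @@` shows the line unchanged as context, so the defect survives the whole series. The step body continues past the end of this hunk.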
@@ -88,8 +85,7 @@ jobs: jq '.runs[].tool.driver.rules |= map( . += { name: ("SpotBugs_" + .id | ascii_downcase | sub("(^|_)(?[a-z])";"\(.x|ascii_upcase)";"g")) } )' | jq '.runs[].tool.driver.rules |= map( . += { help: { text: .helpUri } } )' | jq 'del(.runs[].originalUriBaseIds)' | - jq -c '.' > $SARIF.json - mv $SARIF.json $SARIF + jq -c '.' > spotbugs-${{ matrix.module }}.sarif - name: Upload SARIF for ${{ matrix.module }} uses: github/codeql-action/upload-sarif@v3 From 9757d1a8837a9d693a2e1bbc8dcdaa3bb56e098c Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Fri, 14 Jun 2024 15:17:26 +0200 Subject: [PATCH 3/4] fix run --- .github/workflows/spotbugs-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/spotbugs-scan.yml b/.github/workflows/spotbugs-scan.yml index ac2f656b..11cedf4a 100644 --- a/.github/workflows/spotbugs-scan.yml +++ b/.github/workflows/spotbugs-scan.yml 
@@ -78,17 +78,17 @@ jobs: name: sarif-files - run: | - jq '.runs |= map( if .taxonomies == [null] then .taxonomies = [] else . end)' < $SARIF | + jq '.runs |= map( if .taxonomies == [null] then .taxonomies = [] else . end)' < spotbugs-${{ matrix.module }}.sarif | jq ".runs[].results[].locations[].physicalLocation.artifactLocation.uri |= \"$module/src/main/java/\" + ." | jq ".runs[].results[].locations[].physicalLocation.artifactLocation.uriBaseId |= \"%SRC_ROOT%\" " | jq '.runs[].tool.driver.rules |= map( . += { fullDescription: { text: .shortDescription.text } } )' | jq '.runs[].tool.driver.rules |= map( . += { name: ("SpotBugs_" + .id | ascii_downcase | sub("(^|_)(?[a-z])";"\(.x|ascii_upcase)";"g")) } )' | jq '.runs[].tool.driver.rules |= map( . += { help: { text: .helpUri } } )' | jq 'del(.runs[].originalUriBaseIds)' | - jq -c '.' > spotbugs-${{ matrix.module }}.sarif + jq -c '.' > spotbugs-${{ matrix.module }}.json - name: Upload SARIF for ${{ matrix.module }} uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: spotbugs-${{ matrix.module }}.sarif + sarif_file: spotbugs-${{ matrix.module }}.json category: spotbugs-analysis-${{ matrix.module }} From b629a456eeaa727c5c304271c2751092e1af91cd Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Fri, 14 Jun 2024 15:45:50 +0200 Subject: [PATCH 4/4] limit to main --- .github/workflows/spotbugs-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/spotbugs-scan.yml b/.github/workflows/spotbugs-scan.yml index 11cedf4a..be0f9bcf 100644 --- a/.github/workflows/spotbugs-scan.yml +++ b/.github/workflows/spotbugs-scan.yml @@ -2,7 +2,7 @@ name: "SpotBugs" on: push: - branches: [ main, adamve/multiple_sarif_files ] + branches: [ main ] pull_request: # The branches below must be a subset of the branches above branches: [ main ]
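Review bot: The `- run: |` step holding this jq pipeline has no `shell:` key, so it runs under GitHub's default `bash -e {0}`, which does not enable `pipefail`; if any jq stage before the final `jq -c '.' > spotbugs-${{ matrix.module }}.json` fails, the step still exits 0 with a truncated or empty `.json` and the next step uploads that to code scanning. Adding `shell: bash` to the step (GitHub then invokes `bash --noprofile --norc -eo pipefail {0}`), or starting the block with `set -o pipefail`, makes a mid-pipeline failure fail the job. The step also lost its `name:` in patch 2/4; `name: Fix SARIF of module ${{ matrix.module }}` would restore the log label next to the renamed upload step.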