diff --git a/.github/workflows/codeql-multiple-repo-scan.yml b/.github/workflows/codeql-multiple-repo-scan.yml
index 35f45d63875..df78c1ce976 100644
--- a/.github/workflows/codeql-multiple-repo-scan.yml
+++ b/.github/workflows/codeql-multiple-repo-scan.yml
@@ -174,24 +174,62 @@ jobs: run: | RECATEGORIZE_SCRIPT="codeql-coding-standards-repo/scripts/guideline_recategorization/recategorize.py" CODING_STANDARDS_CONFIG="./.github/codeql/coding-standards.yml" - + CODING_STANDARDS_SCHEMA="codeql-coding-standards-repo/schemas/coding-standards-schema-1.0.0.json" SARIF_SCHEMA="codeql-coding-standards-repo/schemas/sarif-schema-2.1.0.json" - - - SARIF_FILE="sarif-results/cpp.sarif" - + + SARIF_FILE="sarif-results/cpp.sarif" + mkdir -p sarif-results-recategorized echo "Processing $SARIF_FILE for recategorization..." + python3 "$RECATEGORIZE_SCRIPT" \ - --coding-standards-schema-file "$CODING_STANDARDS_SCHEMA" \ - --sarif-schema-file "$SARIF_SCHEMA" \ - "$CODING_STANDARDS_CONFIG" \ - "$SARIF_FILE" \ - "sarif-results-recategorized/$(basename "$SARIF_FILE")" - - rm "$SARIF_FILE" - mv "sarif-results-recategorized/$(basename "$SARIF_FILE")" "$SARIF_FILE" + --coding-standards-schema-file "$CODING_STANDARDS_SCHEMA" \ + --sarif-schema-file "$SARIF_SCHEMA" \ + "$CODING_STANDARDS_CONFIG" \ + "$SARIF_FILE" \ + "sarif-results-recategorized/$(basename "$SARIF_FILE")" + + PY_EXIT=$? + if [ $PY_EXIT -ne 0 ]; then + echo "Recategorization failed (exit code $PY_EXIT). SARIF file not updated." >&2 + exit $PY_EXIT + fi + + # Replace original SARIF file + rm -f "$SARIF_FILE" + mv "sarif-results-recategorized/$(basename "$SARIF_FILE")" "$SARIF_FILE" + + # Ensure jq is available + if ! command -v jq >/dev/null 2>&1; then + echo "Error: jq is required but not installed. Please install jq and rerun this script." >&2 + exit 1 + fi + + # Filter SARIF to entries with paths matching repos/ + echo "Filtering SARIF results to only include entries with paths matching (^|/)repos/ ..." + + jq ' + (.runs) |= map( + .results |= map( + select( + (.locations // [] | length > 0) + and + ((.locations[0].physicalLocation.artifactLocation.uri // "") | test("(^|/)repos/")) + ) + ) + ) + ' "$SARIF_FILE" > "${SARIF_FILE}.filtered" + + if [ $? 
-eq 0 ]; then + mv "${SARIF_FILE}.filtered" "$SARIF_FILE" + else + echo "jq filtering failed. SARIF file was not modified." >&2 + rm -f "${SARIF_FILE}.filtered" + exit 1 + fi + + - name: Generate HTML Report from SARIF run: | @@ -209,4 +247,4 @@ jobs: uses: actions/upload-artifact@v4 with: name: codeql-html-report - path: codeql-report.html \ No newline at end of file + path: codeql-report.html diff --git a/scripts/generate_rust_analyzer_support.sh b/scripts/generate_rust_analyzer_support.sh index 23998bb4cec..5014d236858 100755 --- a/scripts/generate_rust_analyzer_support.sh +++ b/scripts/generate_rust_analyzer_support.sh @@ -1,6 +1,8 @@ #!/bin/bash -set -e +set -e # Manual targets are not take into account, must be set explicitly -bazel run @rules_rust//tools/rust_analyzer:gen_rust_project -- "@//feature_showcase/..." "@//feature_integration_tests/rust_test_scenarios:rust_test_scenarios" \ No newline at end of file +bazel run @rules_rust//tools/rust_analyzer:gen_rust_project -- "@//feature_showcase/..." "@//feature_integration_tests/rust_test_scenarios:rust_test_scenarios" + +# will add filters here
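Review bot: The jq filter discards every result whose first location is not under `repos/`, and every result with no `locations` at all, without logging how many findings were removed, so the generated report can under-report with no trace in the job log. Printing the count on both sides of the filter would make the drop visible, e.g. `jq '[.runs[].results | length] | add' "$SARIF_FILE"` before the filter and again after the final `mv`. Separately, the `PY_EXIT=$?` and `if [ $? -eq 0 ]` checks look unreachable on failure: a `run:` step normally executes under `bash -e`, which aborts at the failing command, so the error messages never print and a failed jq leaves `${SARIF_FILE}.filtered` behind. The step header and any `shell:` key are outside the hunk, so confirm this. Testing the commands directly, as in `if ! python3 "$RECATEGORIZE_SCRIPT" ...; then` and `if jq '...' "$SARIF_FILE" > "${SARIF_FILE}.filtered"; then`, keeps the messages and the cleanup reachable.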