Prune results of Ruby query from SARIF
This commit is contained in:
Edoardo Pirovano
parent
71510779c2
commit
862a512899
8 changed files with 316 additions and 19 deletions
|
|
@ -1,5 +1,6 @@
|
|||
import * as fs from "fs";
|
||||
import * as path from "path";
|
||||
import { env } from "process";
|
||||
import zlib from "zlib";
|
||||
|
||||
import * as core from "@actions/core";
|
||||
|
|
@ -15,7 +16,7 @@ import { Logger } from "./logging";
|
|||
import { parseRepositoryNwo, RepositoryNwo } from "./repository";
|
||||
import * as sharedEnv from "./shared-environment";
|
||||
import * as util from "./util";
|
||||
import { SarifFile } from "./util";
|
||||
import { SarifFile, SarifResult, SarifRun } from "./util";
|
||||
|
||||
// Takes a list of paths to sarif files and combines them together,
|
||||
// returning the contents of the combined sarif file.
|
||||
|
|
@ -396,6 +397,9 @@ async function uploadFiles(
|
|||
environment
|
||||
);
|
||||
|
||||
if (env["CODEQL_DISABLE_SARIF_PRUNING"] !== "true")
|
||||
sarif = pruneInvalidResults(sarif, logger);
|
||||
|
||||
const toolNames = util.getToolNames(sarif);
|
||||
|
||||
validateUniqueCategory(sarif);
|
||||
|
|
@ -546,3 +550,42 @@ export function validateUniqueCategory(sarif: SarifFile): void {
|
|||
function sanitize(str?: string) {
|
||||
return (str ?? "_").replace(/[^a-zA-Z0-9_]/g, "_").toLocaleUpperCase();
|
||||
}
|
||||
|
||||
export function pruneInvalidResults(
|
||||
sarif: SarifFile,
|
||||
logger: Logger
|
||||
): SarifFile {
|
||||
let pruned = 0;
|
||||
const newRuns: SarifRun[] = [];
|
||||
for (const run of sarif.runs || []) {
|
||||
if (
|
||||
run.tool?.driver?.name === "CodeQL" &&
|
||||
run.tool?.driver?.semanticVersion === "2.11.2"
|
||||
) {
|
||||
// Version 2.11.2 of the CodeQL CLI had many false positives in the
|
||||
// rb/weak-cryptographic-algorithm query which we prune here. The
|
||||
// issue is tracked in https://github.com/github/codeql/issues/11107.
|
||||
const newResults: SarifResult[] = [];
|
||||
for (const result of run.results || []) {
|
||||
if (
|
||||
result.ruleId === "rb/weak-cryptographic-algorithm" &&
|
||||
(result.message?.text?.includes(" MD5 ") ||
|
||||
result.message?.text?.includes(" SHA1 "))
|
||||
) {
|
||||
pruned += 1;
|
||||
continue;
|
||||
}
|
||||
newResults.push(result);
|
||||
}
|
||||
newRuns.push({ ...run, results: newResults });
|
||||
} else {
|
||||
newRuns.push(run);
|
||||
}
|
||||
}
|
||||
if (pruned > 0) {
|
||||
logger.info(
|
||||
`Pruned ${pruned} results believed to be invalid from SARIF file.`
|
||||
);
|
||||
}
|
||||
return { ...sarif, runs: newRuns };
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue