Skip to content

Commit eec9f99

Browse files
committed
Fix script to handle SARIF file recategorization
adding GitPython lib cleaning the files for redundant made Codeql executable with bazel fixing bzel run issues adding a version
1 parent ebd508f commit eec9f99

11 files changed

Lines changed: 560 additions & 151 deletions

File tree

.github/codeql/codeql-config.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,3 +19,11 @@ paths-ignore:
1919
- "**/test/**"
2020
- "**/mock/**"
2121
- "**/codeql-coding-standards-repo/**"
22+
- "**/examples/**"
23+
- "**/docs/**"
24+
- "**/target/**"
25+
- "**/bazel-*/**"
26+
- "**/.git/**"
27+
- "**/node_modules/**"
28+
- "**/build/**"
29+
- "**/dist/**"

.github/workflows/codeql-multiple-repo-scan.yml

Lines changed: 44 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,7 @@ jobs:
3232
analyze-repos:
3333
name: Analyze Multiple Repositories
3434
runs-on: ubuntu-latest
35+
timeout-minutes: 120 # Prevent indefinite hanging
3536
permissions:
3637
security-events: write
3738
packages: read
@@ -40,45 +41,73 @@ jobs:
4041
steps:
4142
- name: Checkout central repository
4243
uses: actions/checkout@v4
43-
- name: Checkout CodeQL Coding Standards scripts
44-
uses: actions/checkout@v4
45-
with:
46-
repository: github/codeql-coding-standards
47-
path: codeql-coding-standards-repo # Klonen in diesen Ordner
48-
ref: main # Oder eine spezifische Release-Version, z.B. 'v2.53.0-dev'
4944
# Add coding standard packages and dependencies
50-
- name: Install Python dependencies for Coding Standards scripts
45+
- name: Install Python dependencies
5146
run: |
5247
python3 -m pip install --upgrade pip
53-
pip3 install pyyaml jsonpath-ng jsonschema jsonpatch jsonpointer pytest sarif-tools
54-
- name: Parse known_good.json and create repos.json
55-
id: parse-repos
56-
run: |
57-
scripts/workflow/parse_repos.sh
48+
pip3 install --break-system-packages pyyaml jsonpath-ng jsonschema jsonpatch jsonpointer pytest sarif-tools GitPython
49+
# Cache repository checkouts to speed up re-runs
50+
- name: Cache repository checkouts
51+
uses: actions/cache@v4
52+
with:
53+
path: repos/
54+
key: repos-${{ hashFiles('known_good.json') }}
55+
restore-keys: |
56+
repos-
5857
- name: Checkout all pinned repositories
5958
id: checkout-repos
59+
timeout-minutes: 30
60+
env:
61+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
62+
run: |
63+
bazel run //scripts/tooling:checkout_repos
64+
- name: List files in repos directory (debug)
6065
run: |
61-
scripts/workflow/checkout_repos.sh
66+
echo "Listing repos directory structure:"
67+
du -sh repos/* 2>/dev/null || echo "repos directory not found"
68+
df -h
6269
- name: Initialize CodeQL for all repositories
70+
timeout-minutes: 15
6371
uses: github/codeql-action/init@v4
6472
with:
6573
languages: cpp
6674
build-mode: none
67-
packs: codeql/misra-cpp-coding-standards
75+
packs: codeql/misra-cpp-coding-standards@2.50.0
6876
config-file: ./.github/codeql/codeql-config.yml
6977
- name: Perform CodeQL Analysis
78+
timeout-minutes: 120 # Increased for multi-repo MISRA analysis
7079
uses: github/codeql-action/analyze@v4
7180
with:
7281
upload-database: false # Don't upload databases for each repo
7382
output: sarif-results/
7483
category: "multi-repo-scan"
84+
# Cleanup large repo directories to free disk space
85+
- name: Cleanup repository checkouts
86+
if: always()
87+
run: |
88+
echo "Cleaning up checked out repositories to free disk space"
89+
rm -rf repos/
90+
df -h
91+
# Checkout CodeQL Coding Standards AFTER analysis for recategorization
92+
- name: Checkout CodeQL Coding Standards scripts
93+
uses: actions/checkout@v4
94+
with:
95+
repository: github/codeql-coding-standards
96+
path: codeql-coding-standards-repo
97+
ref: v2.50.0
7598
- name: Recategorize Guidelines
7699
if: always()
100+
timeout-minutes: 10
77101
run: |
78-
scripts/workflow/recategorize_guidelines.sh
102+
python3 scripts/tooling/cli/workflow/recategorize_guidelines.py
79103
- name: Generate HTML Report from SARIF
104+
timeout-minutes: 5
80105
run: |
81106
SARIF_FILE="sarif-results/cpp.sarif"
107+
if [ ! -f "$SARIF_FILE" ]; then
108+
echo "Error: SARIF file not found at $SARIF_FILE"
109+
exit 1
110+
fi
82111
sarif html "$SARIF_FILE" --output codeql-report.html
83112
- name: Upload SARIF results as artifact
84113
uses: actions/upload-artifact@v4

scripts/tooling/BUILD

Lines changed: 41 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,25 +1,42 @@
11
# *******************************************************************************
2+
23
# Copyright (c) 2026 Contributors to the Eclipse Foundation
4+
35
#
6+
47
# See the NOTICE file(s) distributed with this work for additional
5-
# information regarding copyright ownership.
8+
9+
# information regarding copyright ownership
10+
611
#
12+
713
# This program and the accompanying materials are made available under the
14+
815
# terms of the Apache License Version 2.0 which is available at
9-
# https://www.apache.org/licenses/LICENSE-2.0
16+
17+
# <https://www.apache.org/licenses/LICENSE-2.0>
18+
1019
#
20+
1121
# SPDX-License-Identifier: Apache-2.0
22+
1223
# *******************************************************************************
24+
1325
load("@ref_int_scripts_env//:requirements.bzl", "all_requirements")
1426
load("@rules_python//python:defs.bzl", "py_binary", "py_library")
1527
load("@rules_python//python:pip.bzl", "compile_pip_requirements")
1628
load("@score_tooling//python_basics:defs.bzl", "score_py_pytest")
1729

18-
# In order to update the requirements, change the `requirements.in` file and run:
19-
# `bazel run //src:requirements.update`.
20-
# This will update the `requirements.txt` file.
21-
# To upgrade all dependencies to their latest versions, run:
22-
# `bazel run //src:requirements.update -- --upgrade`.
30+
# In order to update the requirements, change the `requirements.in` file and run
31+
32+
# `bazel run //src:requirements.update`
33+
34+
# This will update the `requirements.txt` file
35+
36+
# To upgrade all dependencies to their latest versions, run
37+
38+
# `bazel run //src:requirements.update -- --upgrade`
39+
2340
compile_pip_requirements(
2441
name = "requirements",
2542
srcs = [
@@ -33,13 +50,15 @@ compile_pip_requirements(
3350
)
3451

3552
# Library target
53+
3654
py_library(
3755
name = "lib",
3856
srcs = glob(["lib/**/*.py"]),
3957
visibility = ["//visibility:public"],
4058
)
4159

4260
# CLI library target (shared between binary and tests)
61+
4362
py_library(
4463
name = "cli",
4564
srcs = glob(["cli/**/*.py"]),
@@ -50,6 +69,7 @@ py_library(
5069
)
5170

5271
# CLI binary target
72+
5373
py_binary(
5474
name = "tooling",
5575
srcs = ["cli/main.py"],
@@ -58,7 +78,21 @@ py_binary(
5878
deps = [":cli"],
5979
)
6080

81+
# Workflow scripts as executables
82+
83+
py_binary(
84+
name = "checkout_repos",
85+
srcs = ["cli/workflow/checkout_repos.py"],
86+
main = "cli/workflow/checkout_repos.py",
87+
visibility = ["//visibility:public"],
88+
deps = [
89+
":cli",
90+
":lib",
91+
] + all_requirements,
92+
)
93+
6194
# Tests target
95+
6296
score_py_pytest(
6397
name = "tooling_tests",
6498
srcs = glob(["tests/**/*.py"]),
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
# *******************************************************************************
2+
# Copyright (c) 2026 Contributors to the Eclipse Foundation
3+
#
4+
# See the NOTICE file(s) distributed with this work for additional
5+
# information regarding copyright ownership.
6+
#
7+
# This program and the accompanying materials are made available under the
8+
# terms of the Apache License Version 2.0 which is available at
9+
# https://www.apache.org/licenses/LICENSE-2.0
10+
#
11+
# SPDX-License-Identifier: Apache-2.0
12+
# *******************************************************************************
Lines changed: 109 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,109 @@
1+
# *******************************************************************************
2+
# Copyright (c) 2026 Contributors to the Eclipse Foundation
3+
#
4+
# See the NOTICE file(s) distributed with this work for additional
5+
# information regarding copyright ownership.
6+
#
7+
# This program and the accompanying materials are made available under the
8+
# terms of the Apache License Version 2.0 which is available at
9+
# https://www.apache.org/licenses/LICENSE-2.0
10+
#
11+
# SPDX-License-Identifier: Apache-2.0
12+
# *******************************************************************************
13+
14+
"""
15+
Checkout all pinned repositories for CodeQL analysis.
16+
17+
Clones repositories directly from known_good.json using GitPython library
18+
with GitHub token authentication to avoid rate limits.
19+
"""
20+
21+
import logging
22+
import os
23+
import sys
24+
from pathlib import Path
25+
26+
from scripts.tooling.lib.git_operations import shallow_clone_repository
27+
from scripts.tooling.lib.known_good import load_known_good
28+
29+
_LOG = logging.getLogger(__name__)
30+
logging.basicConfig(level=logging.INFO, format="%(message)s")
31+
32+
33+
def checkout_repo(name: str, url: str, ref: str, path: Path) -> None:
34+
"""
35+
Checkout a single repository using git_operations library.
36+
37+
Args:
38+
name: Repository name
39+
url: Repository URL
40+
ref: Git reference (branch, tag, or commit hash)
41+
path: Local path to checkout into
42+
43+
Raises:
44+
Exception: If checkout fails
45+
"""
46+
_LOG.info(f"Checking out {name} ({ref}) to {path}")
47+
48+
shallow_clone_repository(url=url, path=path, ref=ref)
49+
50+
51+
def main() -> int:
52+
"""Main entry point for standalone execution."""
53+
# When running with bazel, use BUILD_WORKING_DIRECTORY to find workspace root
54+
workspace_root = Path(os.environ.get("BUILD_WORKING_DIRECTORY", "."))
55+
known_good_path = workspace_root / "known_good.json"
56+
57+
if not known_good_path.exists():
58+
_LOG.error(f"known_good.json not found at {known_good_path}")
59+
return 1
60+
61+
try:
62+
known_good = load_known_good(known_good_path)
63+
except Exception as e:
64+
_LOG.error(f"Failed to parse known_good.json: {e}")
65+
return 1
66+
67+
# Extract target_sw modules
68+
modules = known_good.modules.get("target_sw", {})
69+
repo_count = len(modules)
70+
71+
_LOG.info(f"Checking out {repo_count} repositories from known_good.json...")
72+
73+
# Track successfully checked out repositories
74+
repo_paths = []
75+
76+
# Checkout each repository
77+
for name, module in modules.items():
78+
url = module.repo
79+
ref = module.version or module.branch or module.hash
80+
# Use workspace-relative path
81+
path = workspace_root / "repos" / name
82+
83+
try:
84+
checkout_repo(name, url, ref, path)
85+
repo_paths.append(str(path))
86+
except Exception as e:
87+
_LOG.error(f"Failed to checkout {name}: {e}")
88+
return 1
89+
90+
# Output all paths (comma-separated for GitHub Actions compatibility)
91+
repo_paths_output = ",".join(repo_paths)
92+
93+
# Write to GITHUB_OUTPUT if available
94+
github_output = os.environ.get("GITHUB_OUTPUT")
95+
if github_output:
96+
try:
97+
with open(github_output, "a") as f:
98+
f.write(f"repo_paths={repo_paths_output}\n")
99+
except IOError as e:
100+
_LOG.warning(f"Failed to write GITHUB_OUTPUT: {e}")
101+
102+
# Log summary
103+
_LOG.info(f"Successfully checked out {len(repo_paths)} of {repo_count} repositories")
104+
105+
return 0
106+
107+
108+
if __name__ == "__main__":
109+
sys.exit(main())

0 commit comments

Comments
 (0)