diff --git a/.github/workflows/selfcheck.yml b/.github/workflows/selfcheck.yml index d58178a5c1a..d21f737c56b 100644 --- a/.github/workflows/selfcheck.yml +++ b/.github/workflows/selfcheck.yml @@ -187,3 +187,38 @@ jobs: with: name: Callgrind Output path: ./callgrind.* + + build_sarif_github: + # Perform selfcheck and upload results to github using sarif format + # Results are shown here: https://github.com/danmar/cppcheck/security/code-scanning + + strategy: + fail-fast: false # Prefer quick result + + runs-on: ubuntu-24.04 + + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Build Cppcheck + run: | + make CXXFLAGS=-O2 MATCOMPILER=yes -j$(nproc) + + - name: Run Cppcheck + run: | + ./cppcheck -D__CPPCHECK__ -D__GNUC__ -DCHECK_INTERNAL -DHAVE_RULES --std=c++11 --library=cppcheck-lib --library=qt --enable=style --inconclusive --inline-suppr cli frontend gui/*.cpp lib --output-format=sarif 2> results.sarif + + - name: Results + run: | + cat results.sarif + + - uses: actions/upload-artifact@v4 + with: + name: results + path: results.sarif + + - uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif diff --git a/cli/cppcheckexecutor.cpp b/cli/cppcheckexecutor.cpp index 0e30939a77e..e2160a38325 100644 --- a/cli/cppcheckexecutor.cpp +++ b/cli/cppcheckexecutor.cpp @@ -115,7 +115,8 @@ namespace { //else if (finding.severity == Severity::warning) // securitySeverity = 5.1; // We see potential undefined behavior if (securitySeverity > 0.5) { - properties["security-severity"] = picojson::value(securitySeverity); + // skipped: "security-severity" caused error when uploading to github + // properties["security-severity"] = picojson::value(securitySeverity); const picojson::array tags{picojson::value("security")}; properties["tags"] = picojson::value(tags); } @@ -139,8 +140,8 @@ namespace { artifactLocation["uri"] = picojson::value(location.getfile(false)); physicalLocation["artifactLocation"] = picojson::value(artifactLocation); picojson::object region; - region["startLine"] = picojson::value(static_cast(location.line)); - region["startColumn"] = picojson::value(static_cast(location.column)); + region["startLine"] = picojson::value(static_cast(location.line < 1 ? 1 : location.line)); + region["startColumn"] = picojson::value(static_cast(location.column < 1 ? 1 : location.column)); region["endLine"] = region["startLine"]; region["endColumn"] = region["startColumn"]; physicalLocation["region"] = picojson::value(region); diff --git a/test/cli/helloworld_test.py b/test/cli/helloworld_test.py index e3c450d884c..70bfe908fa4 100644 --- a/test/cli/helloworld_test.py +++ b/test/cli/helloworld_test.py @@ -373,7 +373,8 @@ def test_sarif(): assert res['runs'][0]['results'][0]['ruleId'] == 'zerodiv' assert res['runs'][0]['tool']['driver']['rules'][0]['id'] == 'zerodiv' assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['precision'] == 'high' - assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['security-severity'] > 9.5 + # github does not seem to handle "security-severity" well so it's not added + #assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['security-severity'] > 9.5 assert 'security' in res['runs'][0]['tool']['driver']['rules'][0]['properties']['tags'] assert re.match(r'[0-9]+(.[0-9]+)+', res['runs'][0]['tool']['driver']['semanticVersion']) assert 'level' in res['runs'][0]['tool']['driver']['rules'][0]['defaultConfiguration'] # #13885