buildah-sast: use the JSON output of gcc

konflux-ci · Nov 14, 2024 · 8bb2a68 · 8bb2a68
1 parent b527203
commit 8bb2a68
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 9 deletions.
diff --git a/task/buildah-sast/0.2/Containerfile b/task/buildah-sast/0.2/Containerfile
@@ -0,0 +1,10 @@
+FROM quay.io/konflux-ci/oras:latest AS oras
+FROM quay.io/konflux-ci/buildah-task
+
+RUN microdnf install --enable-repo=updates-testing -y cs{diff{,-static},gcca,wrap}
+
+RUN ln -fsv "../../bin/cswrap" "$(cswrap --print-path-to-wrap)/gcc-wrapper"
+COPY gcc-wrapper.sh /usr/bin/gcc-wrapper
+
+COPY --from=oras /usr/bin/oras /usr/bin/yq /usr/bin/
+COPY --from=oras /usr/local/bin/select-oci-auth /usr/local/bin/
diff --git a/task/buildah-sast/0.2/gcc-wrapper.sh b/task/buildah-sast/0.2/gcc-wrapper.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# assign file name for the diagnostics output
+sast_dir="/shared/sast-results"
+fn="$(flock "${sast_dir}" mktemp "${sast_dir}/$$-XXXX.json.raw")"
+
+# cleanup handler
+trap "rm -f '${fn}'" EXIT TERM
+
+# run gcc and record its exit code
+/usr/bin/gcc "$@" -fdiagnostics-format=json 2>"${fn}"
+EC=$?
+
+# embed source code context
+/usr/libexec/csgrep-static --mode=json --event=^warning --embed-context=3 --quiet "${fn}" >"${fn%.raw}"
+
+# preserve the exit code from gcc
+exit $EC
diff --git a/task/buildah-sast/0.2/patch.yaml b/task/buildah-sast/0.2/patch.yaml
@@ -61,6 +61,7 @@
       /shared:/shared
       /usr/bin/csgcca:/usr/bin/csgcca
       /usr/bin/cswrap:/usr/bin/cswrap
+      /usr/bin/gcc-wrapper:/usr/bin/gcc-wrapper
       /usr/lib64/csgcca:/usr/lib64/csgcca
       /usr/lib64/cswrap:/usr/lib64/cswrap
       /usr/libexec/csgrep-static:/usr/libexec/csgrep-static
@@ -123,16 +124,10 @@
       touch "${sast_dir}/empty.txt"
 
       # create a wrapper script to instrument RUN lines
+      GCC_WRAPPER="$(cswrap --print-path-to-wrap)/gcc-wrapper"
       tee /shared/cmd-wrap.sh << EOF
       #!/bin/bash -x
-      env "PATH=/usr/lib64/csgcca:/usr/lib64/cswrap:\$PATH" CSWRAP_TIMEOUT=30 CSWRAP_TIMEOUT_FOR=gcc CSWRAP_CAP_FILE="${sast_dir}/gcc-\$\$.txt" "\$@"
-      EC=\$?
-      src="${sast_dir}/gcc-\$\$.txt"
-      if test -f "\$src"; then
-        /usr/libexec/csgrep-static --mode=json --event=^warning --embed-context=3 --quiet "\$src" >"${sast_dir}/gcc-\$\$.json"
-        rm -f "\$src"
-      fi
-      exit \$EC
+      exec env "PATH=/usr/lib64/csgcca:/usr/lib64/cswrap:\$PATH" CSGCCA_ANALYZER_BIN="${GCC_WRAPPER}" CSWRAP_TIMEOUT=30 CSWRAP_TIMEOUT_FOR=gcc "\$@"
       EOF
       chmod 0755 /shared/cmd-wrap.sh
 
@@ -168,7 +163,7 @@
 
       # read the collected SAST scanning results
       UPLOAD_FILE=gcc-analyzer.sarif
-      (set -x && cd "$sast_dir" && csgrep --mode=sarif --event=^warning --remove-duplicates ./*) \
+      csgrep --mode=sarif --event=^warning --remove-duplicates --file-glob "${sast_dir}/*" \
         | tee "${UPLOAD_FILE}" | csgrep
 
       # upload scan results