fixup! fixup! fixup! fixup! fixup! fixup! Add ossf-compiler-flags-scanner
garazdawi committed Nov 6, 2024
1 parent da3e31a commit f0e534f
Showing 2 changed files with 24 additions and 10 deletions.
19 changes: 10 additions & 9 deletions .github/scripts/ossf-sarif-generator.es
Expand Up @@ -24,38 +24,39 @@ sarif(Missing) ->
#{ ~"informationUri" => ~"https://github.com/erlang/otp/.github/workflow/ossf-scanner",
~"name" => ~"ossf-scanner",
~"rules" =>
[ #{ ~"id" => integer_to_binary(Id),
~"name" => ~"Missing Compiler Flag",
[ #{ ~"id" => base64:encode(erlang:md5(Opt)),
~"name" => ~"MissingCompilerFlag",
~"shortDescription" =>
#{ ~"text" => <<"Missing CFLAGS ",Opt/binary>> },
#{ ~"text" => <<"Missing CFLAGS ", Opt/binary>> },
~"helpUri" => ~"https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++",
~"fullDescription" =>
#{
~"text" => <<Desc/binary,"\nA OSSF C/C++ compiler hardening flag is missing from the tests. "
"Please check https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++ for details.">>
}
}
|| {Id, #{ ~"desc" := Desc, ~"opt" := Opt }} <- Missing],
|| {_Id, #{ ~"desc" := Desc, ~"opt" := Opt }} <- Zip],
~"version" => ~"1.0"
}
},
~"artifacts" =>
[ #{
~"location" => #{
~"uri" => ~".github/workflow/main/ossf-scanner.yaml"
~"uri" => ~".github/docker/Dockerfile.64-bit"
},
~"length" => -1
}
],
~"results" =>
[ #{
~"ruleId" => integer_to_binary(Id),
~"ruleIndex" => 0,
~"ruleId" => base64:encode(erlang:md5(Opt)),
~"ruleIndex" => Id,
~"level" => ~"warning",
~"message" => #{ ~"text" => <<"Missing CFLAGS ",Opt/binary>> },
~"message" => #{ ~"text" => <<"Missing CFLAGS ", Opt/binary>> },
~"locations" =>
[ #{ ~"physicalLocation" =>
#{ ~"artifactLocation" =>
#{ ~"uri" => ~".github/workflow/main/ossf-scanner.yaml" }
#{ ~"uri" => ~".github/docker/Dockerfile.64-bit" }
}
} ]
} || {Id, #{ ~"opt" := Opt }} <- Zip]
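Review bot: `~"ruleIndex" => Id` in the results comprehension assumes the first element of each Zip pair is 0-based, because SARIF `ruleIndex` is an index into the `rules` array; Zip is built before this hunk, so if it comes from `lists:seq(1, …)` every result points at the wrong rule and the last one is out of range — worth checking, or deriving the index with `lists:seq(0, …)`. The rule id `base64:encode(erlang:md5(Opt))` is computed in both the `rules` and the `results` comprehensions; a single helper `rule_id(Opt) -> binary:encode_hex(erlang:md5(Opt)).` keeps the two in sync and avoids `/`, `+` and `=` in an identifier that the dashboard displays and may place in URLs. MD5 is acceptable here as an opaque, stable identifier since nothing depends on it for security, but a comment such as `%% stable rule id derived from the option text; not a security hash` would forestall scanner findings. The enclosing `sarif/1` starts and ends outside this hunk.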
15 changes: 14 additions & 1 deletion .github/workflows/ossf-compiler-flags-scanner.yaml
Expand Up @@ -41,6 +41,19 @@ jobs:

- name: Run compiler flag comparison
run: |
docker run -v `pwd`/.github/scripts:/github --entrypoint "" erlang:27 bash -c "/github/ossf-sarif-generator.es '$(cat compiler-options.json)'"
docker run -v `pwd`/.github/scripts:/github --entrypoint "" erlang:27 bash -c "/github/ossf-sarif-generator.es '$(cat compiler-options.json)'" > results.sarif
- name: "Upload artifact"
if: "!cancelled()"
uses: actions/upload-artifact@v4 # v4.4.3
with:
name: SARIF file
path: results.sarif

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: "${{ !cancelled() && inputs.upload-sarif == true }}"
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: result.sarif
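Review bot: The final upload step passes `sarif_file: result.sarif` while the generator redirects to `results.sarif` and the artifact step uploads `results.sarif`, so the code-scanning upload will fail on a missing file; change it to `sarif_file: results.sarif`. Both new actions are referenced by mutable tags (`actions/upload-artifact@v4 # v4.4.3` and `github/codeql-action/upload-sarif@v3`); since this workflow exists to satisfy OpenSSF hardening checks, pin each to a full commit SHA with the version in a trailing comment, which is what the `# v4.4.3` comment appears to intend. `inputs.upload-sarif` in the new `if:` is defined outside this hunk, presumably as a workflow input — if it is absent the expression evaluates to false and the step is silently skipped, so confirm it is declared. The `docker run` line still interpolates the contents of compiler-options.json into a `bash -c` string; passing a path inside the already-mounted `.github/scripts` volume would be more robust than quoting the JSON on the command line.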
