Skip to content

Fix the Clang static analyser ingestion #772

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 13, 2025
Merged

Fix the Clang static analyser ingestion #772

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions .github/scripts/merge_sarif.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
#! /usr/bin/env python3

# The purpose of this file is to adapt the output from
# Clang's static analyzer into a format suitable for GitHub
# Actions. The problem is that Clang outputs a separate "run"
# per file in its SARIF output, but GitHub requires a single
# run per tool (Clang is wrong here).

import sys
import json

if len(sys.argv) < 2:
print("Usage: munge-sarif.py INPUT", file=sys.stderr)
sys.exit(1)

data = None
with open(sys.argv[1], 'rb') as f:
data = json.load(f)

# Arbitrarily pick the first run as the one from which to copy all the properties
base_run = data['runs'][0]

# We don't need these, GitHub ignores them
base_run['artifacts'] = []

# Concatenate results
for r in data['runs'][1:]:
base_run['results'].extend(r['results'])

data['runs'] = [base_run]

def fix_region(region):
startLine = region.get('startLine', None)
startColumn = region.get('startColumn', 1)
endLine = region.get('endLine', None)
endColumn = region.get('endColumn', None)
if startLine is None:
raise ValueError("Region must have startLine")
if endLine is not None and endLine < startLine:
region['endLine'] = startLine
del region['endColumn']
endLine = startLine
endColumn = None
if endColumn is not None and (endLine == startLine or endLine is None) and endColumn < startColumn:
region['endColumn'] = startColumn
endColumn = startColumn

# Recursively scan the data dictionary, and apply the fix_region() function
# to all "region":Region key-value pairs.
def fix_regions(data):
if isinstance(data, dict):
if 'region' in data:
fix_region(data['region'])
for key, value in data.items():
fix_regions(value)
elif isinstance(data, list):
for item in data:
fix_regions(item)

fix_regions(data)

with open(sys.argv[1], 'w') as f:
json.dump(data, f, indent=2)
34 changes: 10 additions & 24 deletions .github/workflows/clang-analyzer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,14 +18,6 @@ jobs:
security-events: write
contents: read

env:
# The @microsoft/sarif-multitool tool actually uses DotnetCore, which in
# turn aborts when it finds that GitHub's CI machine doesn't have ICU.
# Just turn off localisation. A future version of the ubuntu-24.04 or
# ubuntu-latest runners might not need this workaround.
# https://github.com/actions/runner-images/issues/10989
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT: 1

steps:
- name: Setup
run: |
Expand All @@ -37,36 +29,30 @@ jobs:
with:
submodules: true

- name: Configure
- name: Configure & Build
run: |
LLVM_VER=`clang --version | head -n1 | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | cut -d. -f1`
echo "Using LLVM version $LLVM_VER"

mkdir build
cd build
scan-build cmake -G Ninja -DPCRE2_SUPPORT_JIT=ON -DCMAKE_BUILD_TYPE=Debug ..

- name: Build
run: |
# Inefficiently run clang scan twice; once to generate HTML, and secondly
# to generate SARIF files. Ideally we would have some way to scan once and
# generate one of those outputs from the other, but I don't know a good way
# to do that.
cd build
scan-build -o clang-report/ ninja
scan-build-py-$LLVM_VER -o clang-sarif-root/ --sarif-html sh -c "cmake -G Ninja -DPCRE2_SUPPORT_JIT=ON -DCMAKE_BUILD_TYPE=Debug .. && ninja"
rm clang-sarif-root/*/result-*.sarif
mv clang-sarif-root/* ../clang-report

ninja clean
scan-build -o clang-sarif -sarif ninja
# Work around issue in GitHub's SARIF ingestion - merge all SARIF files into one
npx -y @microsoft/sarif-multitool merge clang-sarif/*/*.sarif --output-file=clang.sarif
../.github/scripts/merge_sarif.py ../clang-report/results-merged.sarif

# Upload the browsable HTML report as an artifact.
- name: Upload report
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "Clang Static Analyzer report"
path: './build/clang-report'
path: './clang-report'

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
with:
sarif_file: build/clang.sarif
sarif_file: ./clang-report/results-merged.sarif
category: clang-analyzer
Loading