Filter out suppressed warnings & archive full SARIF output (#15)

* Filter out suppressed warnings & archive full sarif output * Combine two `jq` invocations into one Also choose a nicer file name for the original file since we now archive it too. --------- Co-authored-by: Yaroslav Afenkin <yaroslavafenkin@users.noreply.github.com> Co-authored-by: Daniel Beck <1831569+daniel-beck@users.noreply.github.com>
jenkins-infra · Feb 9, 2023 · 99045b6 · 99045b6
1 parent e2a80c7
commit 99045b6
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/.github/workflows/jenkins-security-scan.yaml b/.github/workflows/jenkins-security-scan.yaml
@@ -63,15 +63,19 @@ jobs:
           echo "::endgroup::"
 
           echo "::group::Analyze Database"
-          codeql database analyze --sarif-add-query-help --format=sarifv2.1.0 --output=output.sarif "$GITHUB_WORKSPACE/database" "$CODEQL_RULES_DIR/src/" codeql/java-queries:AlertSuppression.ql codeql/java-queries:AlertSuppressionAnnotations.ql || { echo "Failed to analyze database" >&2 ; exit 1 ; }
+          codeql database analyze --sarif-add-query-help --format=sarifv2.1.0 --output=jenkins-security-scan-raw.sarif "$GITHUB_WORKSPACE/database" "$CODEQL_RULES_DIR/src/" codeql/java-queries:AlertSuppression.ql codeql/java-queries:AlertSuppressionAnnotations.ql || { echo "Failed to analyze database" >&2 ; exit 1 ; }
           echo "::endgroup::"
 
-          # Prevent conflicts with otherwise set up CodeQL scan
-          jq 'setpath(path(.runs[].tool.driver.name); "Jenkins Security Scan") | setpath(path(.runs[].tool.driver.organization); "Jenkins Project")' output.sarif > jenkins-security-scan.sarif
+          # Process the generated SARIF file:
+          # 1. Prevent conflicts with otherwise set up CodeQL scan by renaming the tool driver
+          # 2. Remove suppressed warnings because GitHub Code Scanning does not support inline suppressions
+          jq 'setpath(path(.runs[].tool.driver.name); "Jenkins Security Scan") | setpath(path(.runs[].tool.driver.organization); "Jenkins Project") | del(.runs[].results[] | select( .suppressions | length != 0 ))' jenkins-security-scan-raw.sarif > jenkins-security-scan.sarif
       - name: Archive SARIF
         uses: actions/upload-artifact@v3
         with:
-          path: jenkins-security-scan.sarif
+          path: |
+            jenkins-security-scan-raw.sarif
+            jenkins-security-scan.sarif
           name: Jenkins Security Scan SARIF
       - name: Upload Scan Result
         uses: github/codeql-action/upload-sarif@v2