diff --git a/docs/configuration-inputs.md b/docs/configuration-inputs.md
index 66274f6..36bc28a 100644
--- a/docs/configuration-inputs.md
+++ b/docs/configuration-inputs.md
@@ -70,11 +70,13 @@ Each table below represents a portion of the complete `scrub.cfg` file.
 | CODEQL_WARNINGS | True/False | Yes | Should CodeQL analysis be performed? | False |
 | CODEQL_PATH | String | Optional | Absolute path to the directory of the CodeQL installation | Check `PATH` |
 | CODEQL_QUERY_PATH | String | Yes | Absolute path to the CodeQL query files | N/A |
+| CODEQL_CODING_STANDARDS_PATH | String | Yes | Absolute path to the CodeQL coding standard files | N/A |
 | CODEQL_BUILD_DIR | String | Optional | Relative path (to `SOURCE_DIR`) to the build directory | `SOURCE_DIR` |
 | CODEQL_BUILD_CMD | String | Optional | Command to build the source code for CodeQL analysis | N/A |
 | CODEQL_CLEAN_CMD | String | Optional | Command to clean the source code for CodeQL analysis | N/A |
 | CODEQL_BASELINE_ANALYSIS | True/False | Yes | Should baseline CodeQL analysis be performed? | True |
 | CODEQL_P10_ANALYSIS | True/False | Yes | Should CodeQL P10 analysis be performed? | True |
+| CODEQL_AUTOSAR_ANALYSIS | True/False | Yes | Should CodeQL AUTOSAR analysis be performed? | True |
 | CODEQL_DATABASECREATE_FLAGS | String | Optional | Flags to be passed into 'codeql database create' command | '' |
 | CODEQL_DATEBASEANALYZE_FLAGS | String | Optional | Flags to be passed into 'codeql database analyze' command | '' |
 
@@ -264,13 +266,15 @@ The configuration file provided below is a sample configuration file for a C pro
 # [CodeQL Variables]
 CODEQL_WARNINGS: True
- CODEQL_PATH: /opt/local/codeql/codeql-cli
- CODEQL_QUERY_PATH: /opt/local/codeql/queries
- CODEQL_BUILD_DIR: src
+ CODEQL_PATH: ~/codeql-home/codeql-cli
+ CODEQL_QUERY_PATH: ~/codeql-home/codeql-repo
+ CODEQL_CODING_STANDARDS_PATH: ~/codeql-home/codeql-coding-standards
+ CODEQL_BUILD_DIR: build
 CODEQL_BUILD_CMD: make all
 CODEQL_CLEAN_CMD: make clean
 CODEQL_BASELINE_ANALYSIS: True
- CODEQL_P10_ANALYSIS: False
+ CODEQL_P10_ANALYSIS: True
+ CODEQL_AUTOSAR_ANALYSIS: True
 CODEQL_DATABASECREATE_FLAGS:
 CODEQL_DATABASEANALYZE_FLAGS:
diff --git a/scrub/scrub.cfg b/scrub/scrub.cfg
index 6c358b7..ca7c728 100644
--- a/scrub/scrub.cfg
+++ b/scrub/scrub.cfg
@@ -76,11 +76,14 @@ PYLINT_FLAGS:
 # CODEQL_WARNINGS Yes True/False
 # CODEQL_PATH No String
 # CODEQL_QUERY_PATH Yes String
+# CODEQL_CODING_STANDARDS_PATH Yes String
 # CODEQL_BUILD_DIR No String
 # CODEQL_BUILD_CMD Yes String
 # CODEQL_CLEAN_CMD Yes String
 # CODEQL_BASELINE_ANALYSIS Yes True/False
 # CODEQL_P10_ANALYSIS Yes True/False
+# CODEQL_AUTOSAR_ANALYSIS Yes True/False
+# CODEQL_CERT_ANALYSIS Yes True/False
 # CODEQL_DATABASECREATE_FLAGS No String
 # CODEQL_DATABASEANALYZE_FLAGS No String
 #
@@ -88,11 +91,14 @@ PYLINT_FLAGS:
 CODEQL_WARNINGS: False
 CODEQL_PATH:
 CODEQL_QUERY_PATH:
+CODEQL_CODING_STANDARDS_PATH:
 CODEQL_BUILD_DIR:
 CODEQL_BUILD_CMD:
 CODEQL_CLEAN_CMD:
 CODEQL_BASELINE_ANALYSIS: True
 CODEQL_P10_ANALYSIS: True
+CODEQL_AUTOSAR_ANALYSIS: True
+CODEQL_CERT_ANALYSIS: True
 CODEQL_DATABASECREATE_FLAGS:
 CODEQL_DATABASEANALYZE_FLAGS:
diff --git a/scrub/tools/templates/codeql.template b/scrub/tools/templates/codeql.template
index bdbe46c..7d927a7 100644
--- a/scrub/tools/templates/codeql.template
+++ b/scrub/tools/templates/codeql.template
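Review bot: The second scrub.cfg hunk adds `CODEQL_CERT_ANALYSIS: True` as a shipped default, but the docs table and the sample configuration in docs/configuration-inputs.md in this same commit document only `CODEQL_AUTOSAR_ANALYSIS`, so the CERT switch lands undocumented; the same gap applies to both scrub/utils/scrub_defaults.cfg hunks. A table row such as `| CODEQL_CERT_ANALYSIS | True/False | Yes | Should CodeQL CERT analysis be performed? | True |` next to the AUTOSAR row, plus a `CODEQL_CERT_ANALYSIS: True` line in the sample, would close it. Since both new analyses default to `True` while `CODEQL_CODING_STANDARDS_PATH` defaults to empty, the header comment could also state that the path is required whenever either switch is enabled, so a default install does not silently point the analysis at a non-existent suite directory.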
@@ -39,11 +39,27 @@ do
 fi
 
 # Perform P10 analysis, if desired
- if [[ ${{CODEQL_P10_ANALYSIS}} && $language == "cpp" ]]; then
- ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif ${{TOOL_ANALYSIS_DIR}}/codeql-database "${{CODEQL_QUERY_PATH}}/cpp/ql/src/Power of 10" "${{CODEQL_QUERY_PATH}}/cpp/ql/src/AlertSuppression.ql"
+ if [ ${{CODEQL_P10_ANALYSIS}} == true ] && [ $language == "cpp" ]; then
+ ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif $database "${{CODEQL_QUERY_PATH}}/cpp/ql/src/Power of 10" "$suppression_query"
 
 # Parse the SARIF P10 results output file into SCRUB format
 python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_p10_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_p10_raw.scrub ${{SOURCE_DIR}} scrub
 fi
 
-done
\ No newline at end of file
+ # Perform AUTOSAR analysis, if desired
+ if [ ${{CODEQL_AUTOSAR_ANALYSIS}} == true ] && [ $language == "cpp" ]; then
+ ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif $database "${{CODEQL_CODING_STANDARDS_PATH}}/cpp/autosar/src/codeql-suites/autosar-default.qls" "$suppression_query"
+
+ # Parse the SARIF AUTOSAR results output file into SCRUB format
+ python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_autosar_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_autosar_raw.scrub ${{SOURCE_DIR}} scrub
+ fi
+
+ # Perform CERT analysis, if desired
+ if [ ${{CODEQL_CERT_ANALYSIS}} == true ] && [ $language == "cpp" ]; then
+ ${{CODEQL_PATH}}/codeql database analyze --format=sarif-latest --output=${{TOOL_ANALYSIS_DIR}}/codeql_cert_raw.sarif $database "${{CODEQL_CODING_STANDARDS_PATH}}/cpp/cert/src/codeql-suites/cert-default.qls" "$suppression_query"
+
+ # Parse the SARIF cert results output file into SCRUB format
+ python3 -m scrub.tools.parsers.translate_results ${{TOOL_ANALYSIS_DIR}}/codeql_cert_raw.sarif ${{RAW_RESULTS_DIR}}/codeql_cert_raw.scrub ${{SOURCE_DIR}} scrub
+ fi
+
+done
diff --git a/scrub/utils/filtering/do_filtering.py b/scrub/utils/filtering/do_filtering.py
index d978545..ef82143 100644
--- a/scrub/utils/filtering/do_filtering.py
+++ b/scrub/utils/filtering/do_filtering.py
@@ -39,12 +39,18 @@ def filter_scrub_results(scrub_conf_data):
 # Sort the files into groups
 raw_compiler_files = []
 raw_p10_files = []
+ raw_autosar_files = []
+ raw_cert_files = []
 raw_generic_files = []
 for results_file in results_files:
 if 'compiler_raw' in results_file.stem:
 raw_compiler_files.append(results_file)
 elif 'p10_raw' in results_file.stem:
 raw_p10_files.append(results_file)
+ elif 'autosar_raw' in results_file.stem:
+ raw_autosar_files.append(results_file)
+ elif 'cert_raw' in results_file.stem:
+ raw_cert_files.append(results_file)
 else:
 raw_generic_files.append(results_file)
 
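Review bot: The new tests `[ ${{CODEQL_P10_ANALYSIS}} == true ]`, `[ ${{CODEQL_AUTOSAR_ANALYSIS}} == true ]` and `[ ${{CODEQL_CERT_ANALYSIS}} == true ]` leave the expansion unquoted, so an empty or unset switch becomes `[ == true ]`, which is a test syntax error rather than a clean skip, and `==` inside single brackets is a bashism in any case. Quoting the expansions, `if [ "${{CODEQL_P10_ANALYSIS}}" == true ] && [ "$language" == "cpp" ]; then` (and likewise for `$database` in the analyze commands), or keeping the `[[ ... ]]` form the removed line used, makes the skip well-defined. The config files in this commit spell the switches `True` while the comparison is against lowercase `true`; if the template substitution does not normalise case, none of the three blocks will ever run, which is worth confirming against the substitution code outside this hunk. The three blocks differ only in the switch, the suite path and the output stem, so the triplication is a maintenance hazard even if behaviour is correct. The enclosing loop opens outside the hunk, as do the definitions of `$database` and `$suppression_query`.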
@@ -113,6 +119,70 @@ def filter_scrub_results(scrub_conf_data):
 # Print the exception traceback
 logging.debug(traceback.format_exc())
 
+ # Filter AUTOSAR results
+ if raw_autosar_files:
+ try:
+ # Set the output file path
+ filtered_autosar_results = scrub_conf_data.get('scrub_analysis_dir').joinpath('autosar.scrub')
+
+ # Parse all of the input files
+ autosar_results = []
+ valid_warning_types = []
+ for results_file in raw_autosar_files:
+ # Append the results file
+ autosar_results = (autosar_results + translate_results.parse_scrub(results_file,
+ scrub_conf_data.get('source_dir')))
+
+ # Append to the valid warning types
+ valid_warning_types.append(results_file.stem.split('_')[0])
+
+ filter_results.filter_results(autosar_results, filtered_autosar_results,
+ scrub_conf_data.get('filtering_output_file'),
+ scrub_conf_data.get('query_filters'),
+ scrub_conf_data.get('source_dir'),
+ scrub_conf_data.get('enable_micro_filter'),
+ scrub_conf_data.get('enable_ext_warnings'),
+ valid_warning_types)
+
+ except: # lgtm [py/catch-base-exception]
+ # Print a status message
+ logging.warning("Could not generate output file %s", filtered_autosar_results)
+
+ # Print the exception traceback
+ logging.debug(traceback.format_exc())
+
+ # Filter CERT results
+ if raw_cert_files:
+ try:
+ # Set the output file path
+ filtered_cert_results = scrub_conf_data.get('scrub_analysis_dir').joinpath('cert.scrub')
+
+ # Parse all of the input files
+ cert_results = []
+ valid_warning_types = []
+ for results_file in raw_cert_files:
+ # Append the results file
+ cert_results = (cert_results + translate_results.parse_scrub(results_file,
+ scrub_conf_data.get('source_dir')))
+
+ # Append to the valid warning types
+ valid_warning_types.append(results_file.stem.split('_')[0])
+
+ filter_results.filter_results(cert_results, filtered_cert_results,
+ scrub_conf_data.get('filtering_output_file'),
+ scrub_conf_data.get('query_filters'),
+ scrub_conf_data.get('source_dir'),
+ scrub_conf_data.get('enable_micro_filter'),
+ scrub_conf_data.get('enable_ext_warnings'),
+ valid_warning_types)
+
+ except: # lgtm [py/catch-base-exception]
+ # Print a status message
+ logging.warning("Could not generate output file %s", filtered_cert_results)
+
+ # Print the exception traceback
+ logging.debug(traceback.format_exc())
+
 # Filter everything else
 if raw_generic_files:
 for raw_generic_file in raw_generic_files:
diff --git a/scrub/utils/scrub_defaults.cfg b/scrub/utils/scrub_defaults.cfg
index b402b85..3d43070 100644
--- a/scrub/utils/scrub_defaults.cfg
+++ b/scrub/utils/scrub_defaults.cfg
@@ -77,11 +77,14 @@ PYLINT_FLAGS:
 # CODEQL_WARNINGS Yes True/False
 # CODEQL_PATH No String
 # CODEQL_QUERY_PATH Yes String
+# CODEQL_CODING_STANDARDS_PATH Yes String
 # CODEQL_BUILD_DIR No String
 # CODEQL_BUILD_CMD Yes String
 # CODEQL_CLEAN_CMD Yes String
 # CODEQL_BASELINE_ANALYSIS Yes True/False
 # CODEQL_P10_ANALYSIS Yes True/False
+# CODEQL_AUTOSAR_ANALYSIS Yes True/False
+# CODEQL_CERT_ANALYSIS Yes True/False
 # CODEQL_DATABASECREATE_FLAGS No String
 # CODEQL_DATABASEANALYZE_FLAGS No String
 #
@@ -89,11 +92,14 @@ PYLINT_FLAGS:
 CODEQL_WARNINGS: False
 CODEQL_PATH:
 CODEQL_QUERY_PATH:
+CODEQL_CODING_STANDARDS_PATH:
 CODEQL_BUILD_DIR:
 CODEQL_BUILD_CMD:
 CODEQL_CLEAN_CMD:
 CODEQL_BASELINE_ANALYSIS: True
 CODEQL_P10_ANALYSIS: True
+CODEQL_AUTOSAR_ANALYSIS: True
+CODEQL_CERT_ANALYSIS: True
 CODEQL_DATABASECREATE_FLAGS:
 CODEQL_DATABASEANALYZE_FLAGS:
@@ -231,4 +237,4 @@ ENABLE_EXT_WARNINGS: False
 ENABLE_MICRO_FILTER: True
 CUSTOM_FILTER_CMD:
 ANALYSIS_FILTERS:
-QUERY_FILTERS:
\ No newline at end of file
+QUERY_FILTERS:
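Review bot: In both new blocks the `except:` handler logs `filtered_autosar_results` / `filtered_cert_results`, but that name is only bound by the first statement inside the `try`; if `scrub_conf_data.get('scrub_analysis_dir')` yields `None`, the `.joinpath` call raises before the assignment and the handler itself fails with `UnboundLocalError`, turning the failure the block meant to log into an uncaught crash. Resolving the output path before the `try` removes that path, and `except Exception:` keeps the intent of the lgtm-annotated catch-all while letting `KeyboardInterrupt`/`SystemExit` propagate. The AUTOSAR and CERT blocks are line-for-line copies of each other, differing only in the input list and output file name (and, judging from the context above the hunk, of the P10 block as well), so one module-level helper called per family keeps the behaviour in a single place. `filter_scrub_results` begins outside the hunk.
```python
def _filter_result_family(raw_files, output_name, scrub_conf_data):
    """Merge one family of raw SCRUB result files and run the configured filters on them.

    raw_files: raw result files belonging to one family (e.g. the *_autosar_raw files).
    output_name: file name of the filtered output, created inside scrub_analysis_dir.
    scrub_conf_data: the SCRUB configuration mapping consumed by filter_results.
    """
    # Bound before the try so the warning below can always name the output file.
    filtered_results = scrub_conf_data.get('scrub_analysis_dir').joinpath(output_name)
    try:
        merged_results = []
        valid_warning_types = []
        for results_file in raw_files:
            merged_results.extend(translate_results.parse_scrub(results_file,
                                                                scrub_conf_data.get('source_dir')))
            # The tool prefix of the stem (e.g. "codeql") is the accepted warning type.
            valid_warning_types.append(results_file.stem.split('_')[0])

        filter_results.filter_results(merged_results, filtered_results,
                                      scrub_conf_data.get('filtering_output_file'),
                                      scrub_conf_data.get('query_filters'),
                                      scrub_conf_data.get('source_dir'),
                                      scrub_conf_data.get('enable_micro_filter'),
                                      scrub_conf_data.get('enable_ext_warnings'),
                                      valid_warning_types)
    except Exception:
        logging.warning("Could not generate output file %s", filtered_results)
        logging.debug(traceback.format_exc())


# … inside filter_scrub_results, in place of the two new blocks …
    # Filter AUTOSAR results
    if raw_autosar_files:
        _filter_result_family(raw_autosar_files, 'autosar.scrub', scrub_conf_data)

    # Filter CERT results
    if raw_cert_files:
        _filter_result_family(raw_cert_files, 'cert.scrub', scrub_conf_data)

    # … unchanged: generic results filtering …
```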