Fix #14006 (CI: upload cppcheck premium sarif results to github) (danmar#7662)

danmar · web-flow · commit 515c73e82d2e · 2025-07-15T08:51:26.000+02:00
diff --git a/.github/workflows/cppcheck-premium.yml b/.github/workflows/cppcheck-premium.yml
@@ -18,6 +18,7 @@ on:
 
 permissions:
   contents: read
+  security-events: write
 
 jobs:
 
@@ -28,7 +29,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Download cppcheckpremium
+      - name: Download cppcheckpremium release
+        if: false
         run: |
           premium_version=${{ inputs.premium_version }}
           if [ -z $premium_version ]; then
@@ -41,6 +43,15 @@ jobs:
           tar xzf cppcheckpremium.tar.gz
           mv cppcheckpremium-$premium_version cppcheckpremium
 
+      - name: Download cppcheckpremium devdrop
+        run: |
+          wget https://files.cppchecksolutions.com/devdrop/cppcheckpremium-devdrop-20250713-amd64.tar.gz -O cppcheckpremium.tar.gz
+          tar xzvf cppcheckpremium.tar.gz
+          mv cppcheckpremium-devdrop-20250713 cppcheckpremium
+          # Overwrite cppcheck binary
+          make -j$(nproc) CXXFLAGS=-O2 MATCHCOMPILER=yes
+          cp cppcheck cppcheckpremium/
+
       - name: Generate a license file
         run: |
           echo cppcheck > cppcheck.lic
@@ -52,4 +63,20 @@ jobs:
       - name: Check
         run: |
           cppcheckpremium/premiumaddon --check-loc-license cppcheck.lic > cppcheck-premium-loc
-          cppcheckpremium/cppcheck -j$(nproc) -D__GNUC__ -D__CPPCHECK__ --suppressions-list=cppcheckpremium-suppressions --platform=unix64 --enable=style --premium=misra-c++-2023 --premium=cert-c++-2016 --inline-suppr --error-exitcode=1 lib
+          cppcheckpremium/cppcheck --premium=safety-off -j$(nproc) -D__GNUC__ -D__CPPCHECK__ --suppressions-list=cppcheckpremium-suppressions --platform=unix64 --enable=style --premium=misra-c++-2023 --premium=cert-c++-2016 --inline-suppr lib --error-exitcode=0 --output-format=sarif 2> results.sarif
+
+      - name: Cat results
+        run: |
+          #sed -i 's|"security-severity":.*||' results.sarif
+          cat results.sarif
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: results
+          path: results.sarif
+
+      - name: Upload report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: cppcheckpremium
diff --git a/cli/cppcheckexecutor.cpp b/cli/cppcheckexecutor.cpp
@@ -109,12 +109,12 @@ namespace {
                     // rule.properties.precision, rule.properties.problem.severity
                     picojson::object properties;
                     properties["precision"] = picojson::value(sarifPrecision(finding));
-                    double securitySeverity = 0;
+                    const char* securitySeverity = nullptr;
                     if (finding.severity == Severity::error && !ErrorLogger::isCriticalErrorId(finding.id))
-                        securitySeverity = 9.9; // We see undefined behavior
+                        securitySeverity = "9.9"; // We see undefined behavior
                     //else if (finding.severity == Severity::warning)
                     //    securitySeverity = 5.1; // We see potential undefined behavior
-                    if (securitySeverity > 0.5) {
+                    if (securitySeverity) {
                         properties["security-severity"] = picojson::value(securitySeverity);
                         const picojson::array tags{picojson::value("security")};
                         properties["tags"] = picojson::value(tags);
@@ -139,8 +139,8 @@ namespace {
                 artifactLocation["uri"] = picojson::value(location.getfile(false));
                 physicalLocation["artifactLocation"] = picojson::value(artifactLocation);
                 picojson::object region;
-                region["startLine"] = picojson::value(static_cast<int64_t>(location.line));
-                region["startColumn"] = picojson::value(static_cast<int64_t>(location.column));
+                region["startLine"] = picojson::value(static_cast<int64_t>(location.line < 1 ? 1 : location.line));
+                region["startColumn"] = picojson::value(static_cast<int64_t>(location.column < 1 ? 1 : location.column));
                 region["endLine"] = region["startLine"];
                 region["endColumn"] = region["startColumn"];
                 physicalLocation["region"] = picojson::value(region);
diff --git a/test/cli/helloworld_test.py b/test/cli/helloworld_test.py
@@ -373,7 +373,7 @@ def test_sarif():
     assert res['runs'][0]['results'][0]['ruleId'] == 'zerodiv'
     assert res['runs'][0]['tool']['driver']['rules'][0]['id'] == 'zerodiv'
     assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['precision'] == 'high'
-    assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['security-severity'] > 9.5
+    assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['security-severity'] == '9.9'
     assert 'security' in res['runs'][0]['tool']['driver']['rules'][0]['properties']['tags']
     assert re.match(r'[0-9]+(.[0-9]+)+', res['runs'][0]['tool']['driver']['semanticVersion'])
     assert 'level' in res['runs'][0]['tool']['driver']['rules'][0]['defaultConfiguration'] # #13885
