Fix #14006 (CI: use cppcheck sarif output in github) (danmar#7668)

Author: danmar

.github/workflows/selfcheck.yml

@@ -187,3 +187,38 @@ jobs:
         with:
           name: Callgrind Output
           path: ./callgrind.*
+
+  build_sarif_github:
+    # Perform selfcheck and upload results to github using sarif format
+    # Results are shown here: https://github.com/danmar/cppcheck/security/code-scanning
+
+    strategy:
+      fail-fast: false # Prefer quick result
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Build Cppcheck
+        run: |
+          make CXXFLAGS=-O2 MATCOMPILER=yes -j$(nproc)
+
+      - name: Run Cppcheck
+        run: |
+          ./cppcheck -D__CPPCHECK__ -D__GNUC__ -DCHECK_INTERNAL -DHAVE_RULES --std=c++11 --library=cppcheck-lib --library=qt --enable=style --inconclusive --inline-suppr cli frontend gui/*.cpp lib --output-format=sarif 2> results.sarif
+
+      - name: Results
+        run: |
+          cat results.sarif
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: results
+          path: results.sarif
+
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

cli/cppcheckexecutor.cpp

@@ -115,7 +115,8 @@ namespace {
                     //else if (finding.severity == Severity::warning)
                     //    securitySeverity = 5.1; // We see potential undefined behavior
                     if (securitySeverity > 0.5) {
-                        properties["security-severity"] = picojson::value(securitySeverity);
+                        // skipped: "security-severity" caused error when uploading to github
+                        // properties["security-severity"] = picojson::value(securitySeverity);
                         const picojson::array tags{picojson::value("security")};
                         properties["tags"] = picojson::value(tags);
                     }
@@ -139,8 +140,8 @@ namespace {
                 artifactLocation["uri"] = picojson::value(location.getfile(false));
                 physicalLocation["artifactLocation"] = picojson::value(artifactLocation);
                 picojson::object region;
-                region["startLine"] = picojson::value(static_cast<int64_t>(location.line));
-                region["startColumn"] = picojson::value(static_cast<int64_t>(location.column));
+                region["startLine"] = picojson::value(static_cast<int64_t>(location.line < 1 ? 1 : location.line));
+                region["startColumn"] = picojson::value(static_cast<int64_t>(location.column < 1 ? 1 : location.column));
                 region["endLine"] = region["startLine"];
                 region["endColumn"] = region["startColumn"];
                 physicalLocation["region"] = picojson::value(region);

test/cli/helloworld_test.py

@@ -373,7 +373,8 @@ def test_sarif():
     assert res['runs'][0]['results'][0]['ruleId'] == 'zerodiv'
     assert res['runs'][0]['tool']['driver']['rules'][0]['id'] == 'zerodiv'
     assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['precision'] == 'high'
-    assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['security-severity'] > 9.5
+    # github does not seem to handle "security-severity" well so it's not added
+    #assert res['runs'][0]['tool']['driver']['rules'][0]['properties']['security-severity'] > 9.5
     assert 'security' in res['runs'][0]['tool']['driver']['rules'][0]['properties']['tags']
     assert re.match(r'[0-9]+(.[0-9]+)+', res['runs'][0]['tool']['driver']['semanticVersion'])
     assert 'level' in res['runs'][0]['tool']['driver']['rules'][0]['defaultConfiguration'] # #13885