
We now have access to the GitHub code-scanning beta, so we can upload a SARIF file from the LLVM analysis


cc @pocmatos

@samth interesting - I am currently on holidays for a couple of days camping. I will look at it as soon as I am back. Possibly Thursday given the weather… :)

Ah, have fun! Where are you camping?

South Germany - Bavaria. Near the Austrian border. Only about 3 hours from home but I love the Alps so it’s always a good break for me.

We are also mid-year and I want to return to do some more CI work. Unless there are any suggestions I will start with adding CI pipelines for arm32 and aarch64 devices before looking into benchmarking.

@samth was quickly looking at the link you sent. Have you registered the racket org for https://github.com/features/security/advanced-security/signup ?

It’s tricky to edit this at the moment but here:


the sarif file is being output in ../.., so I think it won’t be in the expected place.

you might want to name it racketcgc-report.sarif

Just started the laptop to look at this quickly…

I had never tried the -sarif option to scan-build.

When you do, the output is in a subfolder.

so:

if you do scan-build -sarif -o report.sarif

you get the real sarif file in a subfolder: report.sarif/2020-06-30-200249-1884-1/report-b2oQHB.sarif

We need, after the scan-build, to do something like cp $(find racketcgc-report -name '*.sarif') /tmp/report.sarif and then use the absolute path /tmp/report.sarif in the sarif file keyword.

that should work.

Tomorrow I might have more time to prepare a patch if you haven’t done so already.

We might still have a problem. The scan-build I just used says it’s using the 2.0.0 schema. GitHub says it requires 2.1.0: https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/sarif-support-for-code-scanning#supported-sarif-output-file-properties

# cat report.sarif/2020-06-30-200249-1884-1/report-b2oQHB.sarif
{
"$schema": "http://json.schemastore.org/sarif-2.0.0-csd.2.beta.2018-11-28",

Unsure if this is going to be a problem.
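To make the two points above concrete (locating the SARIF file that scan-build -sarif drops into a timestamped subfolder and copying it to a fixed absolute path, then checking the declared SARIF version before it is handed to code scanning), here is an added shell example. It is not code from the Racket CI or from anyone in this thread. It assumes a pretty-printed SARIF file with the top-level "version" property on its own line, which is how scan-build writes it, and it fabricates a small directory tree with constructed SARIF files in place of real scan-build output; the function names (find_sarif, collect_sarif and so on) are invented for the example.

```shell
#!/bin/sh
# Added example: collect the SARIF file that `scan-build -sarif -o <dir>` leaves in a
# timestamped subfolder of <dir>, copy it to a fixed absolute path, and refuse to
# hand it to code scanning unless it declares SARIF 2.1.0.
# Function and file names are invented for this example (not the Racket CI's own).
set -eu

# Print the path of the single .sarif file below the scan-build output directory.
# -type f matters: if the output directory itself is called report.sarif, a plain
# `find DIR -name '*.sarif'` would match the directory as well as the file inside it.
find_sarif() {
    dir="$1"
    count=$(find "$dir" -type f -name '*.sarif' | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one SARIF file under $dir, found $count" >&2
        return 1
    fi
    find "$dir" -type f -name '*.sarif'
}

# Print the top-level "version" property of a SARIF file.
# Assumption: the file is pretty-printed with "version" on its own line, as scan-build
# writes it; sed is used instead of a JSON parser so this runs on a bare CI image.
sarif_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the file declares the 2.1.0 version that GitHub code scanning requires.
sarif_ok_for_github() {
    case "$(sarif_version "$1")" in
        2.1.0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Copy the single SARIF file to an absolute destination (the path the upload step is
# pointed at) and fail the job if the document is not SARIF 2.1.0.
collect_sarif() {
    src=$(find_sarif "$1")
    cp "$src" "$2"
    if ! sarif_ok_for_github "$2"; then
        echo "$2 declares SARIF $(sarif_version "$2"); code scanning needs 2.1.0" >&2
        return 1
    fi
}

# Build a directory tree shaped like scan-build's output, holding one constructed
# SARIF file with the given version (sample data for the example, not real scan output).
make_sample_tree() {
    root="$1"; version="$2"
    mkdir -p "$root/2020-06-30-200249-1884-1"
    cat > "$root/2020-06-30-200249-1884-1/report-sample.sarif" <<EOF
{
  "version": "$version",
  "runs": []
}
EOF
}

# Stand-alone demonstration: an llvm9-style 2.0.0 file is rejected, a 2.1.0 file passes.
work=$(mktemp -d)
make_sample_tree "$work/old" "2.0.0-csd.2.beta.2018-11-28"
make_sample_tree "$work/new" "2.1.0"
collect_sarif "$work/old" "$work/old-report.sarif" || echo "old report rejected, as expected"
collect_sarif "$work/new" "$work/report.sarif" && echo "collected $work/report.sarif (SARIF 2.1.0)"
rm -rf "$work"
```

In a pipeline the same collect_sarif call would run right after scan-build, with the destination being the absolute path given to the upload step; failing the job on a non-2.1.0 document surfaces the schema mismatch at the CI step that produced it rather than as an opaque upload error.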

Upstream supports 2.1.0. So I’m updating the scan-build image to use llvm10 instead of llvm9.