From: Enrico Joerns Date: Wed, 28 Feb 2024 23:33:30 +0000 (+0100) Subject: ci/codeql: use filter-sarif to filter meson-private X-Git-Tag: v34~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b5d9681ce60cc8028812cd8db59adeb3c4354ed;p=thirdparty%2Fkmod.git ci/codeql: use filter-sarif to filter meson-private There is a severe number of false-positive in code scanning caused by inspecting meson-internal test files like 'build/meson-private/tmpzb46osmq/testfile.c'. As a workaround, use the 'filter-sarif' action to filter out these results before uploading the SARIF (Static Analysis Results Interchange Format). This PR was inspired by https://github.com/rauc/rauc/pull/1346 and the example from https://github.com/advanced-security/filter-sarif. Signed-off-by: Enrico Joerns [Emil: port from rauc, use checksums for actions] Signed-off-by: Emil Velikov Link: https://github.com/kmod-project/kmod/pull/249 Signed-off-by: Lucas De Marchi --- diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9f5a9dc6..299c8d04 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -70,3 +70,19 @@ jobs: uses: github/codeql-action/analyze@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: category: "/language:cpp" + upload: false + output: sarif-results + + - name: Filter out meson-internal test files + uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1 + with: + patterns: | + -build/meson-private/**/testfile.c + input: sarif-results/cpp.sarif + output: sarif-results/cpp.sarif + + - name: Upload CodeQL results to code scanning + uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + with: + sarif_file: sarif-results/cpp.sarif + category: "/language:cpp"
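Review bot: the filter step overwrites its own input (`input: sarif-results/cpp.sarif` and `output: sarif-results/cpp.sarif` are the same path), so once it runs there is no record of what the `-build/meson-private/**/testfile.c` pattern dropped; consider writing the filtered results to a distinct file (e.g. a `cpp-filtered.sarif` name of your choosing) and pointing `sarif_file:` at that, so the unfiltered SARIF can still be inspected or kept as an artifact if a suppression ever needs auditing. A short YAML comment above the "Filter out meson-internal test files" step explaining that these are meson's compiler-check scratch files (the `tmp.../testfile.c` paths named in the commit message) would also help, since that rationale currently lives only in the commit message and the step otherwise reads as a blanket suppression. Note too that `sarif-results/cpp.sarif` is hardcoded in both the filter and the upload steps and is coupled to `category: "/language:cpp"`, so all three would need updating together if another language is ever added to this job. The action pins to full commit SHAs with version comments are the right call for a workflow that handles code-scanning results.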