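# CI workflow for the taint rules: fetches the auto-builder and analyzer JARs
# from this repository's releases, builds the rules test project, runs the
# analyzer against it with the rule set, and fails the job on any skipped,
# false-positive or false-negative rule test.
name: CI Rules
on:
  push:
    paths:
      - 'rules/**'
      - '.github/workflows/ci-rules.yaml'
    branches: [ "main" ]
  pull_request:
    paths:
      - 'rules/**'
      - '.github/workflows/ci-rules.yaml'
    branches: [ "main" ]
  workflow_dispatch:
concurrency:
  # One run per workflow+ref; a newer push cancels the superseded run.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  check:
    runs-on: ubuntu-latest
    # NOTE(review): ':latest' is a mutable image tag, so the job environment is
    # whatever the tag currently points to; pin to a digest if reproducible
    # builds matter.
    container: gitlab/gitlab-runner-helper:ubuntu-x86_64-latest
    # Least privilege: the job only reads the checkout; releases are fetched
    # with a dedicated secret below, not with GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      # Third-party actions are pinned by version tag (e.g. v1.12), not by
      # commit SHA; a tag can be moved by the action's maintainer.
      - uses: actions/checkout@v4
      # Both downloads resolve a moving release tag ('*/latest'); the JARs are
      # executed below, so the build runs whatever those tags currently
      # reference. Repository secrets are not exposed to pull requests from
      # forks, so these steps are expected to fail for such PRs.
      - uses: robinraju/release-downloader@v1.12
        with:
          repository: ${{ github.repository }}
          token: ${{ secrets.SEQRA_GITHUB_TOKEN }}
          tag: autobuilder/latest
          fileName: opentaint-project-auto-builder.jar
          out-file-path: opentaint-autobuilder
      - uses: robinraju/release-downloader@v1.12
        with:
          repository: ${{ github.repository }}
          token: ${{ secrets.SEQRA_GITHUB_TOKEN }}
          tag: analyzer/latest
          fileName: opentaint-project-analyzer.jar
          out-file-path: opentaint-analyzer
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          distribution: 'temurin'
      # The Gradle steps receive the same credentials as the release
      # downloads; presumably used for a private dependency source — confirm
      # against rules/test build configuration.
      - name: Build tests jar
        run: cd rules/test && ./gradlew :build
        env:
          SEQRA_GITHUB_ACTOR: ${{ secrets.SEQRA_GITHUB_ACTOR }}
          SEQRA_GITHUB_TOKEN: ${{ secrets.SEQRA_GITHUB_TOKEN }}
      - name: Check rules coverage
        run: cd rules/test && ./gradlew :checkRulesCoverage
        env:
          SEQRA_GITHUB_ACTOR: ${{ secrets.SEQRA_GITHUB_ACTOR }}
          SEQRA_GITHUB_TOKEN: ${{ secrets.SEQRA_GITHUB_TOKEN }}
      - name: OpenTaint compile test project
        run: |
          java -jar opentaint-autobuilder/opentaint-project-auto-builder.jar \
            --project-root-dir rules/test \
            --build portable \
            --result-dir ./opentaint-project \
            --logs-file autobuild.log \
            --verbosity debug
      - name: Run OpenTaint analyzer
        run: |
          java -Xmx8G -Djdk.util.jar.enableMultiRelease=false -Dorg.opentaint.ir.impl.storage.defaultBatchSize=2000 \
            -jar opentaint-analyzer/opentaint-project-analyzer.jar \
            --project opentaint-project/project.yaml --output-dir opentaint-result --verbosity debug \
            --semgrep-rule-set ./rules/ruleset --debug-run-rule-tests
      - name: Show test results
        run: cat opentaint-result/test-result.json
      # Upload the analyzer output on success and failure alike (but not when
      # the run was cancelled) so a failing run can still be inspected.
      - name: Upload test results
        if: (!cancelled())
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: opentaint-result/
          retention-days: 1
      - name: Install jq
        run: apt-get update && apt-get install -y --no-install-recommends jq
      # Fail the job unless every rule test succeeded. `set -u` turns a
      # missing count (a jq failure) into an error instead of a malformed
      # arithmetic expression; `pipefail` covers any future pipelines.
      - name: Test result
        run: |
          set -euo pipefail
          RESULT_FILE=opentaint-result/test-result.json
          SUCCESS_COUNT=$(jq '.success | length' "$RESULT_FILE")
          SKIPPED_COUNT=$(jq '.skipped | length' "$RESULT_FILE")
          FP_COUNT=$(jq '.falsePositive | length' "$RESULT_FILE")
          FN_COUNT=$(jq '.falseNegative | length' "$RESULT_FILE")
          echo "OK $SUCCESS_COUNT | Skip $SKIPPED_COUNT | FP $FP_COUNT | FN $FN_COUNT"
          FAILURE_COUNT=$(( SKIPPED_COUNT + FP_COUNT + FN_COUNT ))
          if [ "$FAILURE_COUNT" -eq 0 ]; then
            echo "Success"
            exit 0
          else
            echo "Failed: $FAILURE_COUNT"
            exit 1
          fi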