All-green GitLab CI in 11.0 branch

Include cppcheck and FlawFinder for SAST scanning. Ignorelists are present for both, so only new problems will trigger a CI failure. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
MariaDB · Mar 30, 2023 · 9c287c0 · 9c287c0
1 parent b844a37
commit 9c287c0
Show file tree

Hide file tree

Showing 3 changed files with 1,024 additions and 1 deletion.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -27,6 +27,7 @@ stages:
  - build
  - test
  - Salsa-CI
+ - sast
 
 default:
  # Base image for builds and tests unless otherwise defined
@@ -42,7 +43,7 @@ variables:
  CMAKE_FLAGS: "-DWITH_SSL=system -DPLUGIN_COLUMNSTORE=NO -DPLUGIN_ROCKSDB=NO -DPLUGIN_S3=NO -DPLUGIN_MROONGA=NO -DPLUGIN_CONNECT=NO -DPLUGIN_MROONGA=NO -DPLUGIN_TOKUDB=NO -DPLUGIN_PERFSCHEMA=NO -DWITH_WSREP=OFF"
  # Major version dictates which branches share the same ccache. E.g. 10.6-abc
  # and 10.6-xyz will have the same cache.
- MARIADB_MAJOR_VERSION: "10.8"
+ MARIADB_MAJOR_VERSION: "11.0"
  # NOTE! Currently ccache is only used on the Centos8 build. As each job has
  # sufficiently different environments they are unable to benefit from each
  # other's ccaches. As each build generates about 1 GB of ccache, having
@@ -517,6 +518,70 @@ mini-benchmark:
  metrics:
  - metrics.txt
 
+cppcheck: 
+ stage: sast
+ needs: []
+ variables:
+ GIT_STRATEGY: fetch
+ GIT_SUBMODULE_STRATEGY: normal
+ script:
+ - yum install -y cppcheck diffutils
+ # --template: use a single-line template
+ # --force: check large directories without warning
+ # -i<directory>: ignore this directory when scanning
+ # -j: run multiple cppcheck threads
+ # Use newline to escape colon in yaml
+ - >
+ cppcheck --template="{file}:{line}: {severity}: {message}" --force
+ client dbug extra include libmariadb libmysqld libservices mysql-test mysys mysys_ssl pcre plugin
+ strings tests unittest vio wsrep-lib sql sql-common storage
+ -istorage/mroonga -istorage/tokudb -istorage/spider -istorage/rocksdb -iextra/ -ilibmariadb/ -istorage/columnstore
+ --output-file=cppcheck.txt -j $(nproc)
+ # Parallel jobs may output findings in an nondeterministic order. Sort to match ignorelist.
+ - cat cppcheck.txt | sort > cppcheck_sorted.txt
+ # Remove line numbers for diff
+ - sed 's/:[^:]*:/:/' cppcheck_sorted.txt > cppcheck_sorted_no_line_numbers.txt
+ # Only print new issues not found in ignore list
+ - echo "Problems found in ignore list that were not discovered by cppcheck (may have been fixed)."
+ - diff --changed-group-format='%>' --unchanged-group-format='' cppcheck_sorted_no_line_numbers.txt tests/code_quality/cppcheck_ignorelist.txt || true
+ - echo "Problems found by cppcheck that were not in ignore list."
+ - diff --changed-group-format='%<' --unchanged-group-format='' cppcheck_sorted_no_line_numbers.txt tests/code_quality/cppcheck_ignorelist.txt > lines_not_ignored.txt || true
+ - cat lines_not_ignored.txt && test ! -s lines_not_ignored.txt
+ artifacts:
+ when: always
+ paths:
+ - cppcheck_sorted.txt
+
+flawfinder:
+ stage: sast
+ needs: []
+ variables:
+ GIT_STRATEGY: fetch
+ GIT_SUBMODULE_STRATEGY: normal
+ script:
+ - yum install -y python3 python3-pip jq diffutils git
+ - pip install flawfinder
+ - flawfinder --falsepositive --quiet --html . > flawfinder-all-vulnerabilities.html
+ - cat flawfinder-all-vulnerabilities.html | grep "Hits ="
+ - flawfinder --falsepositive --quiet --minlevel=5 --sarif . > flawfinder-output.json
+ # FlawFinder's --sarif output will display all vulnerabilities despite having --minlevel=5 specified.
+ # Therefore, we postprocess the results with jq and filter out findings where the vulnerability level is less than 5.
+ # Also in the SARIF output format, the vulnerabilities are ranked as 0.2/0.4/0.6/0.8/1.0 which correspond to the --minlevel=1/2/3/4/5 of FlawFinder.
+ # Additionally, we sort the results because individual findings are consistent across different runs, but their ordering may not be.
+ # Vulnerabilities can also be ignored in-line (/* Flawfinder: ignore */), but this option was chosen as to not clutter the codebase.
+ - jq 'del(.runs[] | .tool | .driver | .rules) | del(.runs[] | .results[] | select(.rank < 1)) | del(.runs[] | .results[] | .locations[] | .physicalLocation | .region | .startLine) | .runs[0].results|=sort_by(.fingerprints)' flawfinder-output.json > flawfinder-min-level5.json
+ # Diff against known vulnerabilities, but ignore the line number.
+ - echo "Problems found in ignore list that were not discovered by flawfinder (may have been fixed)."
+ - diff --changed-group-format='%>' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json || true
+ - echo "Problems found by flawfinder that were not in ignore list."
+ - diff --changed-group-format='%<' --unchanged-group-format='' flawfinder-min-level5.json tests/code_quality/flawfinder_ignorelist.json > lines_not_ignored.txt || true
+ - cat lines_not_ignored.txt && test ! -s lines_not_ignored.txt
+ artifacts:
+ when: always
+ paths:
+ - flawfinder-all-vulnerabilities.html
+ - flawfinder-min-level5.json
+
 # Once all RPM builds and tests have passed, also run the DEB builds and tests
 # @NOTE: This is likely to work well only on salsa.debian.org as the Gitlab.com
 # runners are too small for everything this stage does.