Feature1

.github/workflows/sast-pullreq.yml

@@ -0,0 +1,28 @@
+name: "SAST_PULLREQ"
+on: pull_request
+jobs:
+  Coverity:
+    runs-on: self-hosted
+    env:
+      COV_URL: ${{ secrets.COV_URL }}
+      COV_USER: ${{ secrets.COV_USER }}
+      COVERITY_PASSPHRASE: ${{ secrets.COVERITY_PASSPHRASE }}
+      COVERITY_PROJECT: hello-java
+      COVHOME: /home/hugues/cov-analysis-linux64-2021.03
+      BLDCMD: mvn clean compile
+      CHECKERS: --all
+
+    steps:
+    - id: changeset
+      name: Get Pull Request Changeset
+      uses: jitterbit/get-changed-files@v1
+      if: ${{ github.event_name == 'pull_request' }}
+
+    - name: Coverity Incremental Scan
+      if: ${{ github.event_name == 'pull_request' && steps.changeset.outputs.added_modified != '' }}
+      run: |
+        export PATH=$PATH:/tmp/$CSA/bin
+        set -x
+        cov-run-desktop --dir idir --url $COV_URL --stream $COVERITY_PROJECT-$GITHUB_BASE_REF --build $BLDCMD
+        cov-run-desktop --dir idir --url $COV_URL --stream $COVERITY_PROJECT-$GITHUB_BASE_REF --present-in-reference false \
+          --ignore-uncapturable-inputs true --exit1-if-defects true ${{ steps.changeset.outputs.added_modified }}    

.github/workflows/sast-push.yml

@@ -0,0 +1,52 @@
+name: "SAST"
+on:
+  push:
+    branches:
+      - master
+      - develop
+    tags-ignore:
+      - '*'
+    paths-ignore:
+      - '.txt'
+      - '*.MD'
+      - '*.md'
+      - 'LICENSE'
+      - 'docs/**'
+
+jobs:
+  Coverity:
+    runs-on: self-hosted
+    env:
+      COV_URL: ${{ secrets.COV_URL }}
+      COV_USER: ${{ secrets.COV_USER }}
+      COVERITY_PASSPHRASE: ${{ secrets.COVERITY_PASSPHRASE }}
+      COVERITY_PROJECT: hello-java
+      COVHOME: /home/hugues/cov-analysis-linux64-2021.03
+      BLDCMD: mvn clean compile
+      CHECKERS: --all
+
+    steps:
+    - uses: AutoModality/action-clean@v1
+    - uses: actions/checkout@v2
+    - uses: actions/setup-java@v1
+      with:
+        java-version: 15
+    - name: Coverity Full Scan
+      run: |
+        set -x
+        $COVHOME/bin/cov-configure --java
+        $COVHOME/bin/cov-build --dir idir --fs-capture-search $GITHUB_WORKSPACE $BLDCMD
+        $COVHOME/bin/cov-analyze --dir idir --ticker-mode none --strip-path $GITHUB_WORKSPACE $CHECKERS
+        $COVHOME/bin/cov-commit-defects --dir idir --ticker-mode none --url $COV_URL --stream $COVERITY_PROJECT-${GITHUB_REF##*/} --scm git \
+          --description $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID --target $RUNNER_OS --version $GITHUB_SHA
+        $COVHOME/bin/cov-format-errors --dir idir --json-output-v8 cov-findings-v8.json
+        $COVHOME/node/bin/node $COVHOME/SARIF/cov-format-sarif-for-github.js --inputFile cov-findings-v8.json --outputFile cov-findings-sarif.json --repoName $GITHUB_REPOSITORY --checkoutPath $GITHUB_REPOSITORY `pwd` $GITHUB_SHA
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+         # Path to SARIF file relative to the root of the repository
+         sarif_file: cov-findings-sarif.json
+    - name: Coverity Quality Gate
+      run: |
+        curl -fLsSk --user $COV_USER:$COVERITY_PASSPHRASE $COV_URL/api/viewContents/issues/v1/commiter-test?projectId=$COVERITY_PROJECT > results.json
+        if [ $(cat results.json | jq .viewContentsV1.totalRows) -ne 0 ]; then cat results.json | jq .viewContentsV1.rows; exit 1; fi

.gitignore

@@ -4,3 +4,4 @@
 .settings
 .svn
 target
+bin