synopsys-sig / synopsys-action

Synopsys Action consuming Synopsys scanning tools
Apache License 2.0

`coverity_prComment_enabled: true` doesn't work? #246

Open mherger opened 3 weeks ago

mherger commented 3 weeks ago

Hi there

I have an integration with Coverity, which is supposed to report issues in a pull request. For this purpose I have enabled `coverity_prComment_enabled: true`. Yet, I don't get any PR comments. The workflow basically comes straight out of your documentation:

      - name: Coverity Scan (PR Check)
        if: ${{ github.event_name == 'pull_request' }}
        uses: synopsys-sig/synopsys-action@v1.12.0
        with:
          coverity_url: ${{ env.COVERITY_URL }}
          coverity_user: ${{ env.COVERITY_USER }}
          coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }}
          coverity_project_name: ${{ env.COVERITY_PROJECT }}
          coverity_stream_name: ${{ env.COVERITY_STREAM }}
          project_directory: ./lib

          # Policy to break build on
          coverity_policy_view: ${{ env.COVERITY_POLICY }}

          # Enable pull request comments
          coverity_prComment_enabled: true
          github_token: ${{ secrets.GITHUB_TOKEN }} # Required when PR comments is enabled

          include_diagnostics: true

The flag is confirmed in the action's output:

Coverity PR comment is enabled

I added some dead code - which is correctly discovered:

2024-08-29 13:58:23.2970 UTC [Coverity Results] DEBUG: Added entry '1a9d64d0e16091e588eec3af68a20392' to resource 'commenter.issues.[29].uid'
2024-08-29 13:58:23.2970 UTC [Coverity Results] DEBUG: Added entry '### Coverity Issue - Structurally dead code
_Medium CWE-561_
This code cannot be reached: "console.log("this is unreac...".

Actions intended to be performed by the unreachable code will never occur.
' to resource 'commenter.issues.[29].comment'
2024-08-29 13:58:23.2970 UTC [Coverity Results] DEBUG: Added entry 'string' to resource 'commenter.issues.[29].commentType'
2024-08-29 13:58:23.2970 UTC [Coverity Results] DEBUG: Added entry 'sip-helper.js' to resource 'commenter.issues.[29].file'
2024-08-29 13:58:23.2970 UTC [Coverity Results] DEBUG: Added entry 'coverity' to resource 'commenter.issues.[29].from'
2024-08-29 13:58:23.2970 UTC [Coverity Results] DEBUG: Added entry '50' to resource 'commenter.issues.[29].lineNumber'

The analytics data even confirms this was a new finding:

{
    "mergeKey": "1a9d64d0e16091e588eec3af68a20392",
    "strippedMainEventFilePathname": "sip-helper.js",
    "mainEventLineNumber": 50,
    "mainEventColumnNumber": 3,
    "issueTypeDescription": "Structurally dead code",
    "cweCategory": "561",
    "impact": "Medium",
    "mainEventDescription": "This code cannot be reached: \"console.log(\"this is unreac...\".",
    "localEffect": "Actions intended to be performed by the unreachable code will never occur.",
    "presentInReferenceSnapshot": false
}

But then the bridge decides to still not report it, as "not part of PR":

2024-08-29 13:58:26.3839 UTC [GitHub Commenter] DEBUG: The issue from coverity with uid 1a9d64d0e16091e588eec3af68a20392 is not part of PR, skipping to post review comment

What's wrong here?

lsynopsys commented 5 days ago

Do you have any change in the sip-helper.js file? In order to raise an issue, the file should be part of the PR. If not, please share the diagnostics file with us by including `include_diagnostics: true`. @mherger

mherger commented 5 days ago

I'm sorry, I can't share the actual file. But the change is a simple console.log() statement after a return:

  function example() {
    return new SomeClass();

    // Everything after the return is unreachable; Coverity reports it as "Structurally dead code" (CWE-561)
    console.log('this is unreachable code');
    return true;
  }

FWIW: I have a ticket opened on your support system where the issue has been accepted as a bug. Your B.C. has responded:

I have gone ahead and set up a bug report. The ticket number is STGCOV-4767. I will let you know when it reaches approved status or if they require further information.