
Fix security analysis workflows #95

Merged: Smartappli merged 1 commit into master from audit-repo-and-apply-necessary-fixes on May 30, 2026

Conversation

@Smartappli (Owner)

Motivation

  • Resolve the SARIF upload failures caused by multi-run reports and avoid GitHub Code Scanning rejecting the upload when several runs share the same category.
  • Stabilize the OSSAR job by pinning the action version and ensuring a compatible .NET SDK and a fixed Windows runner are present.

Description

  • Add .github/scripts/split_sarif_runs.py, which splits a multi-run SARIF file into single-run SARIF files, each with a deterministic and unique automationDetails.id.
  • Update .github/workflows/codacy.yml to run python .github/scripts/split_sarif_runs.py results.sarif sarif-results --category-prefix codacy before the upload and send the sarif-results directory to github/codeql-action/upload-sarif@v4.
  • Update .github/workflows/ossar.yml to use runs-on: windows-2022, install .NET via actions/setup-dotnet@v5 with dotnet-version: '6.0.x', and point to uses: github/ossar-action@v2.0.0.

Testing

  • Checked the script's Python syntax with python -m py_compile .github/scripts/split_sarif_runs.py (success).
  • Ran the script on a dummy SARIF file and verified that two distinct files are generated with unique automationDetails.id values (success).
  • Validated the workflow YAML files with ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f) }' .github/workflows/*.yml (success).
  • Ran the project's unit tests with python -m pytest (12 tests, all passing).


@coderabbitai

coderabbitai Bot commented May 30, 2026

Review Change Stack

Caution: Review failed. The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between d0acc6e and 7a23f50.

📒 Files selected for processing (3)
  • .github/scripts/split_sarif_runs.py
  • .github/workflows/codacy.yml
  • .github/workflows/ossar.yml

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Added a SARIF file splitting utility to organize security scan results
    • Updated Codacy workflow to process and split generated SARIF files into separate outputs
    • Updated OSSAR workflow with pinned runner version and explicit .NET SDK installation for improved consistency

Walkthrough

This PR introduces a SARIF splitting utility for multi-run security scan results and updates two CI workflows. The new Python script splits SARIF files into per-run outputs with deterministic naming, integrated into Codacy's workflow. OSSAR workflow receives environment stabilization: pinned Windows runner, explicit .NET SDK 6.0.x installation, and action version upgrade to v2.0.0.

Changes

SARIF Splitting Tool and Codacy Integration

Layer: SARIF splitting utility implementation
File(s): .github/scripts/split_sarif_runs.py
Summary: New Python CLI with slugify, tool_name, split_sarif, and main functions that parses JSON SARIF input, validates and deep-copies individual runs, assigns deterministic automationDetails.id values using category prefix and tool name slugs, and writes each run to a separate SARIF document with zero-padded filenames.

Layer: Codacy workflow SARIF split and upload
File(s): .github/workflows/codacy.yml
Summary: Adds a step that invokes the SARIF splitting script with the codacy category prefix, then updates the GitHub Advanced Security upload step to target the split sarif-results directory instead of the original results.sarif.

OSSAR Workflow Environment and Action Updates

Layer: OSSAR runner pinning, .NET setup, and action upgrade
File(s): .github/workflows/ossar.yml
Summary: Runner pinned to windows-2022, new step installs .NET SDK 6.0.x via actions/setup-dotnet@v5, OSSAR action upgraded to github/ossar-action@v2.0.0 (from v2), and job-level permissions remain configured for reading contents and writing security events/actions.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A script to split the SARIF runs so fine,
With slugified names and IDs so divine,
Codacy flows through, and OSSAR stands tall,
Windows-2022 and .NET for all! 🔐


@Smartappli Smartappli merged commit a68d27e into master May 30, 2026
12 of 15 checks passed
@Smartappli Smartappli deleted the audit-repo-and-apply-necessary-fixes branch May 30, 2026 06:27
@sonarqubecloud

@codacy-production

Up to standards ✅

🟢 Issues: 0 new issues

🟢 Metrics: complexity 11 · duplication 0



@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new Python script, split_sarif_runs.py, designed to split multi-run SARIF logs into individual files per run to comply with GitHub code scanning requirements. The review feedback focuses on improving the robustness of the JSON parsing and dictionary access. Specifically, it points out potential runtime errors (such as AttributeError and TypeError) that could occur if optional keys like tool, driver, or automationDetails are explicitly set to null in the input SARIF file, or if the JSON root is a list instead of an object. Code suggestions were provided to safely handle these edge cases.

Comment on lines +24 to +26

    def tool_name(run: dict[str, Any], index: int) -> str:
        driver = run.get("tool", {}).get("driver", {})
        return str(driver.get("name") or driver.get("semanticVersion") or f"run-{index + 1}")

medium

If the "tool" or "driver" key is explicitly set to null in the SARIF file, run.get("tool", {}) will return None (because the key exists but its value is null). This will raise AttributeError: 'NoneType' object has no attribute 'get' on the following call.

To avoid this, use the or operator to make sure you get a default dictionary when the value is falsy (such as None).

Suggested change

Before:

    def tool_name(run: dict[str, Any], index: int) -> str:
        driver = run.get("tool", {}).get("driver", {})
        return str(driver.get("name") or driver.get("semanticVersion") or f"run-{index + 1}")

After:

    def tool_name(run: dict[str, Any], index: int) -> str:
        tool = run.get("tool") or {}
        driver = tool.get("driver") or {}
        return str(driver.get("name") or driver.get("semanticVersion") or f"run-{index + 1}")

Comment on lines +30 to +31

    sarif = json.loads(input_path.read_text(encoding="utf-8"))
    runs = sarif.get("runs")

medium

If the JSON file is valid but contains an array at the root (for example []) instead of an object, json.loads will return a list. The call sarif.get("runs") will then raise an AttributeError.

It is preferable to validate that sarif is indeed a dictionary before calling .get().

Suggested change

Before:

    sarif = json.loads(input_path.read_text(encoding="utf-8"))
    runs = sarif.get("runs")

After:

    sarif = json.loads(input_path.read_text(encoding="utf-8"))
    if not isinstance(sarif, dict):
        raise ValueError(f"{input_path} is not a valid SARIF object")
    runs = sarif.get("runs")

    for index, run in enumerate(runs):
        run_copy = deepcopy(run)
        category = f"{category_prefix}/{index + 1}-{slugify(tool_name(run_copy, index))}"
        run_copy["automationDetails"] = {**run_copy.get("automationDetails", {}), "id": category}

medium

Likewise, if "automationDetails" is explicitly set to null in the SARIF run, run_copy.get("automationDetails", {}) will return None, which will raise TypeError: 'NoneType' object is not a mapping during the {**...} unpacking.

It is safer to use run_copy.get("automationDetails") or {} to guard against this case.

Suggested change

Before:

        run_copy["automationDetails"] = {**run_copy.get("automationDetails", {}), "id": category}

After:

        automation_details = run_copy.get("automationDetails") or {}
        run_copy["automationDetails"] = {**automation_details, "id": category}

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

9 similar comments
