On Monday, 10 November 2025 15:31:59 CET David Malcolm wrote:
> On Tue, 2025-11-04 at 14:38 +0100, Kamil Dudka wrote:
> > But it does not work well with sarif-replay at all:
> >
> > % sarif-replay 452-M3DZ-csmock.sarif
> > /builddir/build/BUILD/sscg-4.0.0-build/sscg-sscg-
> > 4.0.0/test/create_cert_test.c:118:3: warning: leak of ‘ext_str’
> > [GCC_ANALYZER_WARNING: warning[-Wanalyzer-malloc-leak]]
> > event 1
> > │
> > │
> > └──> events 2-17
> > │
> > │......
> > │......
> > │......
> > │......
> > │......
> > │......
> > │......
> > │
>
> Gahhh; sorry about this. I think the issue here is that sarif-replay
> can't find the source code, and my path-printing code isn't doing a
> good job of handling that.
>
> I've filed https://gcc.gnu.org/bugzilla/show_bug.cgi?id=122622 for
> myself to take a look at handling this case better.

Thanks!

> In your workflow, is the source code still around when this runs (and
> so if sarif-replay were given some kind of path to look relative to
> this might be fixable [1]), or is it not available (e.g. on a different
> machine, or run at some later time after cleanup of the build)?

When the results processing takes place, the source code is not available any more. The source code is built and analyzed in mock's chroot (in fact systemd-nspawn). The captured files with scan results are then copied to the host environment for post-processing.

> FWIW gcc's SARIF output automatically embeds a copy of any file
> mentioned anywhere in the SARIF, and sarif-replay will use this; see
> https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=778336e0e4f25745f76a127801dc3bab5e9c1334
> for the details. So the above problem doesn't show up on gcc SARIF
> output (but this might be bloating the SARIF output you have to deal
> with).

I am not sure if sarif-replay could be used in the chroot environment, where csmock has very limited control. It uses csgrep to embed source code context (by default only 5 lines of source code per each finding) but this step is optional. If csgrep fails in the chroot environment for whatever reason, the results are still delivered (only with the source code context missing).

Kamil

> [...snip..]
>
> Dave
> [1] sarif-replay doesn't support such relative paths yet, but I can
> implement it if it would be useful
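
A pre-flight check for the situation discussed in this thread, added here as an example and not taken from the thread, GCC, or csmock: it lists the files a SARIF log's results point at that have no text embedded under `runs[].artifacts[].contents`, which are the files a viewer would need the original source tree for. The function names and the sample paths are made up for illustration, and the field names assume SARIF 2.1.0.

```python
# Constructed sample log: three files are referenced by the result,
# but only src/a.c has its text embedded in the artifacts array.
SAMPLE = {
    "version": "2.1.0",
    "runs": [{
        "artifacts": [
            {"location": {"uri": "src/a.c"},
             "contents": {"text": "int main(void) { return 0; }\n"}},
            {"location": {"uri": "src/b.c"}},  # listed, but no contents
        ],
        "results": [{
            "message": {"text": "leak of 'p'"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/a.c"},
                "region": {"startLine": 1}}}],
            "codeFlows": [{"threadFlows": [{"locations": [
                {"location": {"physicalLocation": {
                    "artifactLocation": {"uri": "src/b.c"}}}},
                {"location": {"physicalLocation": {
                    "artifactLocation": {"uri": "src/c.c"}}}},
            ]}]}],
        }],
    }],
}

def referenced_uris(node):
    """Yield every artifactLocation.uri found anywhere under node.
    Locations given only by artifact index are not resolved here."""
    if isinstance(node, dict):
        loc = node.get("artifactLocation")
        if isinstance(loc, dict) and "uri" in loc:
            yield loc["uri"]
        for value in node.values():
            yield from referenced_uris(value)
    elif isinstance(node, list):
        for item in node:
            yield from referenced_uris(item)

def missing_sources(sarif):
    """Return sorted URIs that results reference without embedded text."""
    missing = set()
    for run in sarif.get("runs", []):
        embedded = {
            art["location"]["uri"]
            for art in run.get("artifacts", [])
            if "uri" in art.get("location", {})
            and "text" in art.get("contents", {})
        }
        missing |= set(referenced_uris(run.get("results", []))) - embedded
    return sorted(missing)

if __name__ == "__main__":
    print(missing_sources(SAMPLE))
```

To check a real log, load it with `json.load` and pass the resulting dictionary to `missing_sources`.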
