From 97ae522e87c82637b1e24e04e2eb7263b6eed6b0 Mon Sep 17 00:00:00 2001
From: Chris Werner Rau
Date: Tue, 17 Sep 2024 10:26:35 +0200
Subject: [PATCH] fix(ci/cve-scanning): up retries and use a unique category for each chart otherwise the last run overrides the earlier, see https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit
---
 .github/scripts/generate-sarif-reports.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/scripts/generate-sarif-reports.sh b/.github/scripts/generate-sarif-reports.sh
index a97f2a10f..6d73c4e03 100755
--- a/.github/scripts/generate-sarif-reports.sh
+++ b/.github/scripts/generate-sarif-reports.sh
@@ -20,7 +20,7 @@ function createSarifReports() {
 # shellcheck disable=SC2046
 yq -r '.annotations["artifacthub.io/images"]' "$chart/Chart.yaml" |
 yq -r '.[] | .image' |
- parallel ${GITHUB_JOB+--bar} --retries 3 -P 0 -k generateSarifReport "$chart" "{}" "reports/$chartName-{#}.json"
+ parallel ${GITHUB_JOB+--bar} --retries 10 -P 0 -k generateSarifReport "$chart" "{}" "reports/$chartName-{#}.json"
 # shellcheck disable=SC1009
 cat "reports/$chartName-"*.json | jq -r -s '{"$schema": .[0]["$schema"], version: .[0].version, runs: [reduce map(.runs[])[] as $run (null; .+$run as $new | .tool.driver.rules |= (.+$run.tool.driver.rules|unique_by(.id)) | $new*. | .results += ($run.results | map(.locations |= (([.[] | select(.physicalLocation)][0].physicalLocation.artifactLocation) as $physicalLocation | .[] | select(.logicalLocations)[] | map({physicalLocation:{artifactLocation:{uri:"\(.fullyQualifiedName)/\($run.properties.imageName)/\($run.originalUriBaseIds[$physicalLocation.uriBaseId].uri)\($physicalLocation.uri)"}}})))) | del(.properties, .originalUriBaseIds))]}' >"reports/$chartName.json.sarif"
 }
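Review bot: The raised `--retries 10` on the changed parallel line re-runs generateSarifReport back-to-back whenever it exits non-zero, so an image that fails deterministically (cannot be pulled, unsupported format) now costs ten pulls per image against the registry instead of three, and nothing in the hunk explains the number. Consider pairing it with parallel's `--delay` so retries are spaced out, and record the intent on the line above: `# --retries 10: the scan is re-run only on non-zero exit; covers transient pull/network failures seen in CI`. Note the retry is wasted if a failure inside generateSarifReport does not surface as a non-zero status (see the second hunk). createSarifReports starts outside this hunk; its closing brace is the hunk's last line.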
@@ -39,7 +39,7 @@ function generateSarifReport() {
 locationsJson="$(yq --arg image "$image" -r '.annotations["artifacthub.io/images"] | split("\n")[] | select(contains($image))' "$chart/Chart.yaml" | awk '{print $NF}' | jq -r -c -Rn '[inputs] | map({fullyQualifiedName: .})')"
- if trivy image "$image" -f sarif --quiet --ignore-unfixed | jq -r --argjson locations "$locationsJson" --arg category "${GITHUB_JOB:-local}/$chart" '.runs |= map(.results |= map(.locations += [{logicalLocations: $locations}])) | .runs |= map(.automationDetails = {id: $category})' >"$tmpFile"; then
+ if trivy image "$image" -f sarif --quiet --ignore-unfixed | jq -r --argjson locations "$locationsJson" --arg category "$chart/${GITHUB_JOB:-local}" '.runs |= map(.results |= map(.locations += [{logicalLocations: $locations}])) | .runs |= map(.automationDetails = {id: $category})' >"$tmpFile"; then
 mv "${tmpFile}" "${outFile}"
 else
 rm "$tmpFile"
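Review bot: The `if trivy ... | jq ...; then` on the changed line tests jq's exit status, not trivy's, so unless the script enables `set -o pipefail` somewhere outside this hunk a trivy failure leaves jq reading empty input, exiting 0, and an empty `$tmpFile` is moved to `$outFile` as a successful scan — the retry count raised in the first hunk never fires for exactly the failures it is meant to cover, and the chart silently ends up with no findings. Either enable pipefail near the top of the script or test `${PIPESTATUS[0]}` after the pipeline in addition to jq's status. The new category order `"$chart/${GITHUB_JOB:-local}"` also reads as arbitrary next to the old one; if, as the linked SARIF docs describe, GitHub derives the category from the id up to its last slash, a comment such as `# automationDetails.id: GitHub takes the part before the last '/' as the category, so the chart must come first or runs for different charts overwrite each other` would keep a future edit from reverting it. generateSarifReport starts outside this hunk.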