From e7d107f3f402b7939861d0183f445f45fbe2038d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=A1=82=E5=B0=91=E7=AB=8B?=
Date: Thu, 5 Feb 2026 16:42:38 +0800
Subject: [PATCH] add ci actions Root Cause: continus integrate verify Solution: add static code analysis Test: self test Impact area: sast ci Fix status: done
---
 .github/workflows/ci.yml | 25 +++++++++++++++++++++++++
 checkers/commit_message_check.py | 2 +-
 checkers/keyword_check.py | 31 ++++++++++++++++++-------------
 common/localgit.py | 5 ++++-
 run.py | 1 +
 5 files changed, 49 insertions(+), 15 deletions(-)
 create mode 100644 .github/workflows/ci.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..fb8a614
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,25 @@
+name: Static Code Analysis
+
+on:
+ pull_request:
+ branches:
+ - master
+ - develop
+ push:
+ branches:
+ - master
+ - develop
+
+jobs:
+ static-check:
+ runs-on: self-hosted
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # 需要完整的git历史来比较变更
+
+ - name: Run static code analysis
+ run: |
+ sudo docker run --rm -v $(pwd):/app -v $(pwd):/sast -u $(id -u):$(id -g) -w /app registry-egc.enflame-tech.com/enflame/ci_sast:v1.0-os bash -c 'cd /app && python3 /sast/run.py --all_ci_check'
diff --git a/checkers/commit_message_check.py b/checkers/commit_message_check.py
index fee7091..cfbd73b 100644
--- a/checkers/commit_message_check.py
+++ b/checkers/commit_message_check.py
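Review bot: The `Run static code analysis` step executes `python3 /sast/run.py` from the same checkout it is gating (`-v $(pwd):/sast`), on a `self-hosted` runner and for `pull_request` events, so a change under review can rewrite the checkers that judge it and its code may run on that machine before review. Consider taking the checker from a trusted location (baked into the image, or checked out from the base branch) and mounting only the code under test. The workflow has no `permissions:` block; a top-level `permissions:` with `contents: read` would limit the job token to what a read-only scan needs. `actions/checkout@v4` and the `ci_sast:v1.0-os` tag are mutable references that could be pinned to a commit SHA and an image digest, and `$(pwd)` should be quoted in the `-v` arguments.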
@@ -51,7 +51,7 @@ def check_func(self):
 # self.pass_flag = False
 # self.fail_message.append("After removing '[type](jira id)' in the title, the remaining content must have at least 10 valid characters.")
 for template_field in self.template_fields:
- template_field_reg_find = re.findall(template_field + ":\s*\n(.*?)\n",self.commit_message)
+ template_field_reg_find = re.findall(template_field + ":\s*\n(.*?)",self.commit_message)
 if not template_field_reg_find:
 self.pass_flag = False
 self.fail_message.append("There must be {},please fill in it".format(template_field))
diff --git a/checkers/keyword_check.py b/checkers/keyword_check.py
index cd532e9..06696c3 100644
--- a/checkers/keyword_check.py
+++ b/checkers/keyword_check.py
@@ -45,10 +45,10 @@ def check_func(self):
 self.files_static_check_status[file_need_check]['name_or_email_msg'] = set()
 self.files_static_check_status[file_need_check]['key_word'] = set()
 self.files_static_check_status[file_need_check]['add_string'] = set()
- change_line_list = [x for x in self.diff_info.get(file_need_check, {}).get("add", [])]
+ change_line_list = [x for x in self.diff_info.get(file_need_check, {}).get("add", []) if isinstance(x, (tuple, list)) and len(x) > 1 and isinstance(x[1], str)]
 for index,line in change_line_list:
 for key_word in self.forbidden_string_dict.keys():
- if key_word in line:
+ if isinstance(line, str) and key_word in line:
 check_dirs = self.forbidden_string_dict[key_word].get("check_dirs",[])
 if not check_dirs:
 check_flag = True
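Review bot: With the trailing `\n` removed, the lazy group `(.*?)` in the added `re.findall` line has nothing after it and always captures the empty string, so the check only proves that the field name followed by a colon and a newline exists, not that anything was filled in. If the aim is to accept a last field that has no trailing newline, `re.findall(re.escape(template_field) + r":\s*\n(.*\S)", self.commit_message)` keeps that while requiring some non-blank text, and the raw string avoids the invalid `\s` escape warning. It still cannot tell a filled field from the next header line, which was also true of the old pattern. `check_func` starts and ends outside the hunk, so how `template_fields` is populated is not visible here.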
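Review bot: The new filter on `change_line_list` silently drops any `add` entry that is not an (index, str) pair, so if the diff parser ever yields a malformed entry that line is never scanned and the forbidden-keyword check still passes; for a gate it is safer to record or fail on skipped entries. The same filter is repeated for `add_lines` and `delete_lines` (hunk at -61) and for `add_line_info` (hunk at -87), so one small helper would keep the four copies consistent. The filter also admits entries longer than two, which would then raise at `for index,line in change_line_list:`; `len(x) == 2` matches the unpacking. The `isinstance(line, str)` test added on the `key_word in line` line is already guaranteed by the filter.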
@@ -61,15 +61,20 @@ def check_func(self):
 self.pass_flag = False
 self.files_static_check_status[file_need_check]['check_status'] = False
 self.files_static_check_status[file_need_check]['key_word'].add((index,key_word))
- check_name_msg = re.findall(self.judge_str,line)
- if check_name_msg:
- self.pass_flag = False
- self.files_static_check_status[file_need_check]['check_status'] = False
- for i in range(len(check_name_msg)):
- name_msg = check_name_msg[i][0]
- self.files_static_check_status[file_need_check]['name_or_email_msg'].add(name_msg)
- add_lines = [x[1] for x in self.diff_info.get(file_need_check, {}).get("add",[]) if not x[1].lstrip().startswith('#')]
- delete_lines = [x[1] for x in self.diff_info.get(file_need_check, {}).get("del",[]) if not x[1].lstrip().startswith('#')]
+ if self.judge_str and isinstance(line, str): # 只有当judge_str不为空且line是字符串时才检查
+ check_name_msg = re.findall(self.judge_str,line)
+ if check_name_msg:
+ self.pass_flag = False
+ self.files_static_check_status[file_need_check]['check_status'] = False
+ for i in range(len(check_name_msg)):
+ if isinstance(check_name_msg[i], (tuple, list)) and len(check_name_msg[i]) > 0:
+ name_msg = check_name_msg[i][0]
+ self.files_static_check_status[file_need_check]['name_or_email_msg'].add(name_msg)
+ elif isinstance(check_name_msg[i], str):
+ # 如果返回的是字符串而不是元组/列表
+ self.files_static_check_status[file_need_check]['name_or_email_msg'].add(check_name_msg[i])
+ add_lines = [x[1] for x in self.diff_info.get(file_need_check, {}).get("add",[]) if isinstance(x, (tuple, list)) and len(x) > 1 and isinstance(x[1], str) and not x[1].lstrip().startswith('#')]
+ delete_lines = [x[1] for x in self.diff_info.get(file_need_check, {}).get("del",[]) if isinstance(x, (tuple, list)) and len(x) > 1 and isinstance(x[1], str) and not x[1].lstrip().startswith('#')]
 for keyword in self.forbidden_add_string:
 del_count = 0
 add_count = 0
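Review bot: The new guard `if self.judge_str and isinstance(line, str):` turns an unset or empty `judge_str` into a silent skip of the name/e-mail check; before this change a `None` pattern would have raised in `re.findall` and, per the `except` visible in `run.py`, produced a failing exit code. If skipping is intended, emit a message when `judge_str` is empty so a broken configuration does not look like a clean scan. The loop reads more simply as `for match in check_name_msg:` with `name_msg = match[0] if isinstance(match, tuple) else match`, since `re.findall` returns either strings or tuples. The two inline comments would be easier for other maintainers to follow in English, and `check_func` continues outside the hunk.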
@@ -87,7 +92,7 @@ def check_func(self):
 self.files_static_check_status[file_need_check]["check_status"] = False
 self.files_static_check_status[file_need_check]["msg"] = self.files_static_check_status[file_need_check].get("msg","") + "Add '{}' is not allowed!\n".format(keyword)
 self.files_static_check_status[file_need_check]['add_string'].add(keyword)
- add_line_info = [x for x in self.diff_info.get(file_need_check, {}).get("add",[]) ]
+ add_line_info = [x for x in self.diff_info.get(file_need_check, {}).get("add",[]) if isinstance(x, (tuple, list)) and len(x) > 1 and isinstance(x[1], str)]
 for check_mode in self.forbidden_string_mode:
 flag = False
 for repo in self.forbidden_string_mode[check_mode].get("repo",[]):
@@ -95,7 +100,7 @@ def check_func(self):
 flag = True
 if flag:
 for add_line in add_line_info:
- if re.match(check_mode,add_line[1]):
+ if len(add_line) > 1 and isinstance(add_line[1], str) and re.match(check_mode,add_line[1]):
 self.pass_flag = False
 if file_need_check not in self.files_static_check_status:
 self.files_static_check_status[file_need_check] = {"check_status":False}
diff --git a/common/localgit.py b/common/localgit.py
index ff25ae8..cf5b6e1 100644
--- a/common/localgit.py
+++ b/common/localgit.py
@@ -112,7 +112,10 @@ def get_edit_commit_message(self):
 command_output = pipe.communicate()[0]
 return command_output.decode("utf-8",errors="ignore").strip()
 else:
- return ""
+ pipe = subprocess.Popen("git log -1 --pretty=format:%B",
+ stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True, executable="/bin/bash")
+ command_output = pipe.communicate()[0]
+ return command_output.decode("utf-8",errors="ignore").strip()
 def get_local_path(self):
 '''
diff --git a/run.py b/run.py
index b7361ee..a60f597 100755
--- a/run.py
+++ b/run.py
@@ -60,6 +60,7 @@ def fully_check(self):
 try:
 checker.check()
 except Exception as e:
+ print(sast_checker,e)
 exit_flag = 1
 sys.exit(exit_flag)
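Review bot: The fallback added in the `else:` branch returns whatever `git log` prints, including its error text, because `stderr=subprocess.STDOUT` is merged into the output and the exit status is never checked; a failed call would then be fed to the commit-message checks as if it were a message. The command is a fixed string, so `shell=True` with `/bin/bash` adds nothing; `subprocess.run(["git", "log", "-1", "--pretty=format:%B"], capture_output=True, check=True).stdout` avoids the shell and surfaces failures. On `pull_request` runs `actions/checkout` checks out a merge commit by default, so `git log -1` may return the synthetic merge message rather than the author's commit, which is worth confirming against the new workflow. `get_edit_commit_message` begins outside the hunk.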
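Review bot: The added `print(sast_checker,e)` shows only the exception's message, so a checker that crashes in CI leaves no file or line to debug from; `traceback.print_exc()` (which needs `import traceback`, not visible in this hunk) or `logging.exception(...)` would keep the stack. The `try` block starts outside the hunk, so `sast_checker` is assumed to be the enclosing loop variable.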