From 23075b912615981d5a73c647875b121836669fd7 Mon Sep 17 00:00:00 2001 From: audunsolemdal Date: Wed, 8 Jan 2025 09:31:00 +0100 Subject: [PATCH] Add script to generate autofixes for codeql --- github/codeql-autofix.ps1 | 103 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 github/codeql-autofix.ps1 diff --git a/github/codeql-autofix.ps1 b/github/codeql-autofix.ps1 new file mode 100644 index 0000000..4c5d6ef --- /dev/null +++ b/github/codeql-autofix.ps1 @@ -0,0 +1,103 @@ +<# +.SYNOPSIS +Fetch code scanning alerts in an org and attempt creating autofixes +#> + +param ( + [string] [Parameter(Mandatory=$false)] $org = "miljodir", + [string] [Parameter(Mandatory=$false)] $tool = "CodeQL", + [string] [Parameter(Mandatory=$false)] $ruleFilter = "cs/*" +) + +if ($org -eq "miljodir") { + $env:jwt = (node ../../local-repo-sync/authapp/app.js $org | ConvertFrom-Json | Select-Object token -ExpandProperty token) +} + +#$criticalAlerts = gh api --method GET "/orgs/$org/code-scanning/alerts?state=open&tool_name=$tool&severity=critical" --paginate | ConvertFrom-Json +$alerts = gh api --method GET "/orgs/$org/code-scanning/alerts?state=open&tool_name=$tool" --paginate | ConvertFrom-Json +$filteredAlerts = $alerts | Where-Object { $_.rule.id -like $ruleFilter -and ($_.most_recent_instance.classifications -ne "generated" -or "" -eq $_.most_recent_instance.classifications) } +$repofilter = "myrepo" +#$filteredAlerts = $filteredAlerts | Where-Object { $_.repository.name -like $repofilter } + +# Group alerts by repository +$alertsByRepo = $filteredAlerts | Group-Object -Property { $_.repository.name } + + +foreach ($alert in $filteredAlerts) { + $alertNumber = $alert.number + $repo = $alert.repository.name + Write-Host "Attempting to create autofix for alert $alertNumber in repo $repo" + gh api ` + --method POST ` + /repos/$org/$repo/code-scanning/alerts/$alertNumber/autofix +} + + +function CreateBranchFromDefault { + param ( + [Parameter(Mandatory = $true)] + [string]$org, + [Parameter(Mandatory = $true)] + [string]$repo, + [Parameter(Mandatory = $true)] + [string]$newBranch + ) + + # Get the default branch + $defaultBranch = gh api /repos/$org/$repo | ConvertFrom-Json | Select-Object -ExpandProperty default_branch + + # Get the latest commit SHA from the default branch + $latestCommitSha = gh api /repos/$org/$repo/git/ref/heads/$defaultBranch | ConvertFrom-Json | Select-Object -ExpandProperty object | Select-Object -ExpandProperty sha + + # Create a new branch from the default branch + gh api /repos/$org/$repo/git/refs -f ref="refs/heads/$newBranch" -f sha=$latestCommitSha +} + + + +# foreach ($folder in $filteredAlerts.repository.name | Sort-Object | get-unique) { +# CreateBranchFromDefault -org $org -repo $folder -newBranch "codeql-autofixes" +# } + +# after fix is created, commit the fix to the branch +#Start-Sleep 30 +$alerts = @() + +# foreach ($alert in $filteredAlerts) { +# $alertNumber = $alert.number +# $repo = $alert.repository.name +# $alerts += $alert.html_url +# Write-Host "Attempting to create autofix for alert $alertNumber in repo $repo" +# gh api ` +# --method POST ` +# /repos/$org/$repo/code-scanning/alerts/$alertNumber/autofix/commits ` +# -f "target_ref=refs/heads/codeql-autofixes" -f "message=AI-generated autofix for alert $alertNumber" +# } + +# finally - create a pull request with all the generated autofixes + + +function New-PR { + + param ( + [Parameter(Mandatory = $true)] + [string]$defaultBranch + ) + + gh api ` + --method POST ` + -H "Accept: application/vnd.github.v3+json" ` + "/repos/$org/$folder/pulls" ` + -f title="AI-generated CodeQL autofixes" ` + -f body="This PR batches together all C# AI-generated autofixable CodeQL alerts found in the repository. Consider testing these changes rather than blindly trusting the AI. This PR attempts to fix the following issues: $alerts" ` + -f head='codeql-autofixes' ` + -f base=$defaultBranch + #-f draft='false' +} + +# foreach ($repoGroup in $alertsByRepo) { +# $mostRecentAlert = $repoGroup.Group | Sort-Object -Property { $_.most_recent_instance.ref } -Descending | Select-Object -First 1 + +# # Create a new PR for the repository +# New-PR -defaultBranch ($mostRecentAlert.most_recent_instance.ref).Split("/")[-1] +# } \ No newline at end of file