From 7b7b0e98b66bd016de549855640c53316b8a5893 Mon Sep 17 00:00:00 2001
From: Nick Banks <nibanks@microsoft.com>
Date: Fri, 27 Dec 2024 11:07:28 -0600
Subject: [PATCH] Filter CodeQL Sarif File to Exclude MsQuic (#290)

* Filter CodeQL Sarif File to Exclude MsQuic

* Update .github/workflows/build.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Add conditional checks for SARIF upload steps

* Update SARIF filter and name formatting

* Update actions to specific commit SHAs

* Update SARIF filter patterns in build.yml

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/build.yml | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ba2096d..f11b4bb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -68,9 +68,6 @@ jobs:
       with:
         languages: c-cpp
         build-mode: manual
-        config: |
-          paths-ignore:
-            - msquic
     - name: Build
       shell: pwsh
       run: ./build.ps1 -Arch ${{ matrix.arch }} -Tls ${{ matrix.tls }} -Link ${{ matrix.link }} -Install -BuildInstaller -Debug
@@ -79,6 +76,26 @@ jobs:
       uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
       with:
         category: "/language:c-cpp"
+        output: sarif-results
+        upload: failure-only
+    - name: Filter SARIF
+      if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }}
+      uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d
+      with:
+        patterns: -msquic/**/*
+        input: sarif-results/cpp.sarif
+        output: sarif-results/cpp.sarif
+    - name: Upload SARIF
+      if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }}
+      uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
+      with:
+        sarif_file: sarif-results/cpp.sarif
+    - name: Upload SARIF to Artifacts
+      if: ${{ (matrix.os == 'ubuntu') && (matrix.arch == 'x64') && (matrix.link == 'shared') }}
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
+      with:
+        name: sarif-results
+        path: sarif-results
     - name: Upload
       uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b
       with: