Skip to content

Commit

Permalink
chore: Add appversion-summary
Browse files Browse the repository at this point in the history
  • Loading branch information
rsenden committed Jun 5, 2024
1 parent a26286f commit 04de8cd
Show file tree
Hide file tree
Showing 3 changed files with 133 additions and 17 deletions.
5 changes: 3 additions & 2 deletions internal/run-script/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,14 @@ runs:
- run: echo "_RUN_SCRIPTS_DIR=$(pwd)/scripts" >> $GITHUB_ENV
shell: bash
working-directory: ${{ github.action_path }}
- run: echo "TEMP_DIR=$(pwd)" >> $GITHUB_ENV
shell: bash
working-directory: ${{ runner.temp }}
- uses: fortify/github-action/internal/run-script/js@feat-1.3.0
with:
dir: ${{ env._RUN_SCRIPTS_DIR }}
script: ${{ inputs.script }}
post: ${{ inputs.post }}
env:
TEMP_DIR: ${{ env.RUNNER_TEMP }}

branding:
icon: 'shield'
Expand Down
87 changes: 76 additions & 11 deletions internal/run-script/scripts/common.sh
Original file line number Diff line number Diff line change
@@ -1,46 +1,111 @@
#!/usr/bin/env bash
if [ -n "$RUNNER_DEBUG" ]; then
set -v -x
echo "Bash version: $BASH_VERSION"
fi

echo "Bash version: $BASH_VERSION"
function printOutputFileName {
local operation=$1
local type=$2
mkdir -p "${TEMP_DIR}"
printf '%s/output_%s_%s.txt' "${TEMP_DIR}" "${operation}" "${type}"
}

function printOutput {
local operation=$1
local type=$2
local fileName=$(printOutputFileName "${operation}" "${type}")
[ -r "${fileName}" ] && cat "${fileName}"
}

declare -a runs
declare -a runsWithError
declare -A runResults
declare -A runCommands
function run {
local operation=$1; shift;
local cmd=( )
for arg in "$@"; do
# Expand environment variables that potentially contain multiple arguments.
# This is commonly used for *_EXTRA_OPTS environment variables, needed to
# properly handle quoted arguments containing whitespace.
if [[ "$arg" == "__expand:"* ]]; then
local varName=${arg#"__expand:"}
if [ ! -z "${!varName}" ]; then
readarray -d '' expandedArgs < <(xargs printf '%s\0' <<<"${!varName}")
cmd+=("${expandedArgs[@]}")
fi
else
cmd+=("$arg")
fi
done
runs+=($operation)
runCommands[$operation]="$@"
echo RUN $operation: "$@"
"$@"
local exitCode=$?
runCommands[$operation]="${cmd[@]}"
echo "::group::RUN $operation: ${cmd[@]}"
# Any better way of doing this, avoiding writing exit code to temporary file?
local exitCodeFile="$TEMP_DIR/exit_code.txt"
{ ("${cmd[@]}"; echo >"$exitCodeFile" $?) 2>&1 1>&3 3>&- \
| tee $(printOutputFileName "${operation}" "stderr"); } 3>&1 1>&2 \
| tee $(printOutputFileName "${operation}" "stdout")
local exitCode=$(cat "$exitCodeFile")
rm -f ${exitCodeFile}
runResults[$operation]=$exitCode
echo "::endgroup::"
}

function overrideExitCode {
local operation=$1
local exitCode=$2
runResults[$operation]=$exitCode
requireRun $operation || runsWithError+=($operation)
}

function requireRun {
local operation=$1;
[[ "${runResults[$operation]}" == "0" ]]
}

function printRunStatus {
local operations=("$@");
local fail=0, success=0;
for op in "${operations[@]}"; do
if [ -z "${runResults[$op]}" ]; then
skip=1
elif [[ "${runResults[$op]}" == "0" ]]; then
success=1
else
fail=1
fi
done
if [[ ${fail} == 1 ]]; then
echo "FAILED"
elif [[ ${success} == 1 ]]; then
echo "SUCCESS"
else
echo "SKIPPED"
fi
}

function printRunSummary {
echo "Summary:"
local failingOperations=()
for value in "${runs[@]}"; do
echo -n " $value: "
requireRun $value && echo "SUCCESS" || echo "ERROR"
if requireRun $value; then
echo "SUCCESS"
else
echo "ERROR"
failingOperations+=("${value}")
fi
done
if [ ! ${#runsWithError[@]} -eq 0 ]; then
if [ ! ${#failingOperations[@]} -eq 0 ]; then
echo "Failing commands:"
for value in "${runsWithError[@]}"; do
for value in "${failingOperations[@]}"; do
echo " $value: ${runCommands[$value]}"
done
fi
}

function failOnError {
if [ ! ${#runsWithError[@]} -eq 0 ]; then
if [[ "$(printRunSummary)" == *"ERROR"* ]]; then
exit 1;
fi
}
Expand Down
58 changes: 54 additions & 4 deletions internal/run-script/scripts/sc-sast-and-debricked-scan.sh
Original file line number Diff line number Diff line change
Expand Up @@ -10,19 +10,69 @@ requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_CLI_CMD"
requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_TOKEN"
checkRequirements

# Disable Debricked CLI colors
export NO_COLOR=true

if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
run "SAST_SCAN" ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS}
run "SAST_SCAN" ${FCLI_CMD} sc-sast scan start \
--publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" \
--store sc_sast_scan __expand:EXTRA_SC_SAST_SCAN_OPTS
fi
if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
# Debricked may return non-zero exit code on automation rule failures, in which case
# we still want to run the import, so we don't explicitly check for Debricked scan success.
run "DEBRICKED_SCAN" ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action"
run "DEBRICKED_IMPORT" ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan
run "DEBRICKED_IMPORT" ${FCLI_CMD} ssc artifact import-debricked \
--av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" \
--branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" \
--store debricked_scan
fi
if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
requireRun "SAST_SCAN" && run "SAST_PUBLISH" ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan::
requireRun "DEBRICKED_IMPORT" && run "DEBRICKED_PUBLISH" ${FCLI_CMD} ssc artifact wait-for ::debricked_scan::
requireRun "SAST_SCAN" && run "SAST_PUBLISH" \
${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan::
requireRun "DEBRICKED_IMPORT" && run "DEBRICKED_PUBLISH" \
${FCLI_CMD} ssc artifact wait-for ::debricked_scan::
fi

# Collect Debricked scan output
DEBRICKED_SCAN_RESULTS=$(printOutput DEBRICKED_SCAN stdout | fgrep -e '───' -e '' -e 'vulnerabilities found' -e 'For full details')

# Collect scan/publish statuses for inclusion in job summary.
SAST_SCAN_STATUS=$(printRunStatus "SAST_SCAN")
SAST_PUBLISH_STATUS=$(printRunStatus "SAST_PUBLISH")
DEBRICKED_SCAN_STATUS=$(printRunStatus "DEBRICKED_SCAN")
DEBRICKED_PUBLISH_STATUS=$(printRunStatus "DEBRICKED_IMPORT" "DEBRICKED_PUBLISH")
[ "${DEBRICKED_SCAN_STATUS}" == "FAILED" ] && [ ! -z "${DEBRICKED_SCAN_RESULTS}" ] && DEBRICKED_SCAN_STATUS="FAILED_RULES"

cat <<EOF >> $GITHUB_STEP_SUMMARY
# Scan Summary
This section provides a status overview of the scans types supported by this GitHub Action,
together with their status.
| Analysis Type | Scan Status | Publish Status |
| ------------- | ----------- | -------------- |
| DEBRICKED | ${DEBRICKED_SCAN_STATUS} | ${DEBRICKED_PUBLISH_STATUS} |
| SCA | ${SAST_SCAN_STATUS} | ${SAST_PUBLISH_STATUS} |
EOF

[ ! -z "${DEBRICKED_SCAN_RESULTS}" ] && cat <<EOF >> $GITHUB_STEP_SUMMARY
# Debricked Scan Results
\`\`\`
${DEBRICKED_SCAN_RESULTS}
\`\`\`
EOF

APPVERSION_SUMMARY_ACTION="${APPVERSION_SUMMARY_ACTION:-appversion-summary}"
run "APPVERSION_SUMMARY" ${FCLI_CMD} ssc action run "${APPVERSION_SUMMARY_ACTION}" \
--av "${SSC_APPVERSION}" --progress=none __expand:APPVERSION_SUMMARY_ACTION_EXTRA_OPTS
requireRun "APPVERSION_SUMMARY" \
&& printOutput "APPVERSION_SUMMARY" "stdout" >> $GITHUB_STEP_SUMMARY \
|| cat<<EOF >> $GITHUB_STEP_SUMMARY
# SSC Application Version Summary
There was an error generating the application version summary; please review pipeline log for details.
EOF


printRunSummary
failOnError

0 comments on commit 04de8cd

Please sign in to comment.