chore: Improve script error handling

fortify · Jun 4, 2024 · 658346c · 658346c
1 parent bf28950
commit 658346c
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 26 deletions.
diff --git a/internal/run-script/action.yml b/internal/run-script/action.yml
@@ -24,6 +24,8 @@ runs:
         dir:    ${{ env._RUN_SCRIPTS_DIR }}
         script: ${{ inputs.script }}
         post:   ${{ inputs.post }}
+      env:
+        TEMP_DIR: ${{ env.RUNNER_TEMP }}
 
 branding:
   icon: 'shield'

diff --git a/internal/run-script/scripts/common.sh b/internal/run-script/scripts/common.sh
@@ -2,12 +2,69 @@
 if [ -n "$RUNNER_DEBUG" ]; then
   set -v -x
 fi
-if [ -z "$FCLI_CMD" ]; then
-  echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
-  exit 1;
-fi
 
+declare -a runs
+declare -a runsWithError
+declare -A runResults
+declare -A runCommands
 function run {
-  echo RUN: "$@"
-  "$@" 
+  local operation=$1; shift;
+  runs+=($operation)
+  runCommands[$operation]="$@"
+  echo RUN $operation: "$@"
+  "$@"
+  local exitCode=$?
+  runResults[$operation]=$exitCode
+  requireRun $operation || runsWithError+=($operation)
+}
+
+function requireRun {
+  local operation=$1;
+  [[ "${runResults[$operation]}" == "0" ]]
+}
+
+function printRunSummary {
+  echo "Summary:"
+  for value in "${runs[@]}"; do
+    echo -n "  $value: "
+    requireRun $value && echo "SUCCESS" || echo "ERROR"
+  done
+  echo "Failing commands:"
+  for value in "${runsWithError[@]}"; do
+    echo "  $value: ${runCommands[$value]}"
+  done
+}
+
+function failOnError {
+  if [ ! ${#runsWithError[@]} -eq 0 ]; then
+    exit 1;
+  fi
 }
+
+declare -a failedRequirements
+function require {
+  local name=$1;
+  local msg=$2;
+  if [ -z "${!name}" ]; then
+    [ ! -z "${msg}" ] || msg="ERROR: ${name} is required"
+    failedRequirements+=("$msg")
+  fi
+}
+
+function requireIf {
+  local ifName=$1;
+  local name=$2;
+  local msg=$3;
+  [ -z "${!ifName}" ] || [ "${!ifName}" == "false" ] || require "$name" "$msg"
+}
+
+function checkRequirements {
+  if [ ! ${#failedRequirements[@]} -eq 0 ]; then
+    for value in "${failedRequirements[@]}"; do
+      echo "$value"
+    done
+    exit 1;
+  fi
+}
+
+require "FCLI_CMD" "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
diff --git a/internal/run-script/scripts/sc-sast-and-debricked-scan.sh b/internal/run-script/scripts/sc-sast-and-debricked-scan.sh
@@ -3,31 +3,26 @@
 
 # This script assumes that fcli and Debricked CLI have already been installed,
 # and that any necessary fcli sessions have been created.
-# TODO Check prerequisites like SSC_APPVERSION, DEBRICKED_TOKEN, ...
+
+require "SSC_APPVERSION"
+require "SC_SAST_SENSOR_VERSION"
+requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_CLI_CMD"
+requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_TOKEN"
+checkRequirements
 
 if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
-  run ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS} \
-    || exit 1
+  run "SAST_SCAN" ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS}
 fi
 if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
   # Debricked may return non-zero exit code on automation rule failures, in which case
-  # we still want to run subsequent steps, hence we temporarily ignore the exit code,
-  run ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action" \
-    || FAIL_ON_EXIT=true
-  run ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan \
-    || exit 1
+  # we still want to run the import, so we don't explicitly check for Debricked scan success.
+  run "DEBRICKED_SCAN" ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action"
+  run "DEBRICKED_IMPORT" ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan
 fi
 if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
-  if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
-    run ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan:: \
-      || exit 1
-  fi
-  if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then 
-    run ${FCLI_CMD} ssc artifact wait-for ::debricked_scan:: \
-      || exit 1
-  fi
-fi
-if [ "${FAIL_ON_EXIT}" == "true" ]; then
-  echo "Earlier failures detected"
-  exit 1
+  requireRun "SAST_SCAN" && run "SAST_PUBLISH" ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan::
+  requireRun "DEBRICKED_IMPORT" && run "DEBRICKED_PUBLISH" ${FCLI_CMD} ssc artifact wait-for ::debricked_scan::
 fi
+
+printRunSummary
+failOnError