Provided authentication credentials not taken into account when checking for open issues

[hazcod]

Ongoing open issue has been identified #41
172
Alerts present in the current report: true
173
Process completed successfully and a new issue #42 has been created for the ZAP Scan.

https://github.com/ironPeakServices/ironpeak.be/runs/578941295?check_suite_focus=true

[sshniro]

I assume this is due to the fact that the runner could not read the previous report and executing the create new issue workflow. I'll check and update you on this.

action-baseline/index.js

Line 133 in 08af42e

previousReport = await actionHelper.readPreviousReport(octokit, owner, repo, workSpace, previousRunnerID);

[sshniro]

Hi @hazcod, I assume this is an isolated event, as the new scans (for 2 days) did not create a new issue: ironpeakservices/ironpeak.be#42

I will add more logs to figure out what went wrong.

[navpreet-securitas]

Hi
We are facing same issue , where GH issue is getting created again even though GH issue is present.
It works well when using default GITHUB_TOKEN , but if we use PAT token(with required permissions on repo) as below:

        id: baseline
        uses: zaproxy/action-baseline@v0.7.0
        with:
          token: ${{ secrets.ZAP_TOKEN }}
          target: 'https://www.example.com'
          rules_file_name: 'rules.tsv' 

it is not able to find existing open issue. Probably because of :
if ( issue["state"] === "open" && issue["user"]!["login"] === "github-actions[bot]" )
https://github.com/zaproxy/actions-common/blob/master/src/index.ts#LL73C1-L74C1

Since we are using PAT token it creates issue with another username in previous runs and username is verified as above it fails to get issue.
Why we are using PAT token instead of default GITHUB_TOKEN because we want to trigger another workflow which create jira ticket , whenever a GH issue is created by base zap scan workflow.
https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow

@sshniro any suggestions how to workaround this or fixes coming for this. maybe token can be used to identify user used for zap scan / issue creation and then verify that user in actions-common.

[navpreet-securitas]

Quoted message

Hi We are facing same issue , where GH issue is getting created again even though GH issue is present. It works well when using default GITHUB_TOKEN , but if we use PAT token(with required permissions on repo) as below:

        id: baseline
        uses: zaproxy/action-baseline@v0.7.0
        with:
          token: ${{ secrets.ZAP_TOKEN }}
          target: 'https://www.example.com'
          rules_file_name: 'rules.tsv' 

it is not able to find existing open issue. Probably because of : if ( issue["state"] === "open" && issue["user"]!["login"] === "github-actions[bot]" ) https://github.com/zaproxy/actions-common/blob/master/src/index.ts#LL73C1-L74C1

Since we are using PAT token it creates issue with another username in previous runs and username is verified as above it fails to get issue. Why we are using PAT token instead of default GITHUB_TOKEN because we want to trigger another workflow which create jira ticket , whenever a GH issue is created by base zap scan workflow. https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow

@sshniro any suggestions how to workaround this or fixes coming for this. maybe token can be used to identify user used for zap scan / issue creation and then verify that user in actions-common.

probably this can be used:
getting user by using token passed and then comparing with OR condition ( along with github-actions[bot])

// Octokit.js
// https://github.com/octokit/core.js#readme
const octokit = new Octokit({
  auth: 'YOUR-TOKEN'
})

await octokit.request('GET /user', {
  headers: {
    'X-GitHub-Api-Version': '2022-11-28'
  }
})

https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user

[Den4200]

Thanks so much!