Merge pull request #117 from actions/ljones140/clean-detector-categories-pr
Add DetectorCategories input so we can run by ecosystem
@@ -1,6 +1,6 @@
|
|||||||
# Component detection dependency submission action
|
# Component detection dependency submission action
|
||||||
|
|
||||||
This GitHub Action runs the [microsoft/component-detection](https://github.com/microsoft/component-detection) library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems.
|
This GitHub Action runs the [microsoft/component-detection](https://github.com/microsoft/component-detection) library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems.
|
||||||
|
|
||||||
### Example workflow
|
### Example workflow
|
||||||
|
|
||||||
@@ -12,7 +12,7 @@ on:
|
|||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
push:
|
push:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
id-token: write
|
id-token: write
|
||||||
contents: write
|
contents: write
|
||||||
|
|
||||||
@@ -21,19 +21,20 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
- name: Component detection
|
- name: Component detection
|
||||||
uses: advanced-security/component-detection-dependency-submission-action@v0.0.3
|
uses: advanced-security/component-detection-dependency-submission-action@v0.0.3
|
||||||
```
|
```
|
||||||
|
|
||||||
### Configuration options
|
### Configuration options
|
||||||
|
|
||||||
| Parameter | Description | Example |
|
| Parameter | Description | Example |
|
||||||
| --- | --- | --- |
|
| --- | --- | --- |
|
||||||
filePath | The path to the directory containing the environment files to upload. Defaults to Actions working directory. | `'.'`
|
filePath | The path to the directory containing the environment files to upload. Defaults to Actions working directory. | `'.'`
|
||||||
directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test`
|
directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test`
|
||||||
detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
|
detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
|
||||||
dockerImagesToScan |Comma separated list of docker image names or hashes to execute container scanning on | ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab |
|
dockerImagesToScan |Comma separated list of docker image names or hashes to execute container scanning on | ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab |
|
||||||
detectorsFilter | A comma separated list with the identifiers of the specific detectors to be used. | `Pip, RustCrateDetector`
|
detectorsFilter | A comma separated list with the identifiers of the specific detectors to be used. | `Pip, RustCrateDetector`
|
||||||
|
detectorsCategories | A comma separated list with the categories of components that are going to be scanned. The detectors that are going to run are the ones that belongs to the categories. | `NuGet,Npm`
|
||||||
correlator | An optional identifier to distinguish between multiple dependency snapshots of the same type. Defaults to the [job_id](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id) of the current job | `csharp-backend`
|
correlator | An optional identifier to distinguish between multiple dependency snapshots of the same type. Defaults to the [job_id](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_id) of the current job | `csharp-backend`
|
||||||
|
|
||||||
For more information: https://github.com/microsoft/component-detection
|
For more information: https://github.com/microsoft/component-detection
|
||||||
|
|||||||
+5
-3
@@ -5,7 +5,7 @@ inputs:
|
|||||||
description: "GitHub Personal Access Token (PAT). Defaults to PAT provided by Actions runner."
|
description: "GitHub Personal Access Token (PAT). Defaults to PAT provided by Actions runner."
|
||||||
required: false
|
required: false
|
||||||
default: ${{ github.token }}
|
default: ${{ github.token }}
|
||||||
filePath:
|
filePath:
|
||||||
description: 'The path to the directory containing the environment files to upload. Defaults to Actions working directory.'
|
description: 'The path to the directory containing the environment files to upload. Defaults to Actions working directory.'
|
||||||
required: false
|
required: false
|
||||||
default: '.'
|
default: '.'
|
||||||
@@ -18,12 +18,14 @@ inputs:
|
|||||||
dockerImagesToScan:
|
dockerImagesToScan:
|
||||||
description: 'Comma separated list of docker image names or hashes to execute container scanning on, ex: ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab'
|
description: 'Comma separated list of docker image names or hashes to execute container scanning on, ex: ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab'
|
||||||
required: false
|
required: false
|
||||||
detectorsFilter:
|
detectorsFilter:
|
||||||
description: 'A comma separated list with the identifiers of the specific detectors to be used. This is meant to be used for testing purposes only.'
|
description: 'A comma separated list with the identifiers of the specific detectors to be used. This is meant to be used for testing purposes only.'
|
||||||
required: false
|
required: false
|
||||||
|
detectorsCategories:
|
||||||
|
description: 'A comma separated list with the categories of components that are going to be scanned. The detectors that are going to run are the ones that belongs to the categories. The possible values are: Npm, NuGet, Maven, RubyGems, Cargo, Pip, GoMod, CocoaPods, Linux.'
|
||||||
|
required: false
|
||||||
correlator:
|
correlator:
|
||||||
description: 'An optional identifier to distinguish between multiple dependency snapshots of the same type.'
|
description: 'An optional identifier to distinguish between multiple dependency snapshots of the same type.'
|
||||||
type: string
|
|
||||||
required: false
|
required: false
|
||||||
runs:
|
runs:
|
||||||
using: 'node20'
|
using: 'node20'
|
||||||
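Review bot: The description of the new `detectorsCategories` input (hunk @@ -18,12 +18,14) has a grammar slip, `the ones that belongs to the categories` should read `the ones that belong to the categories`, and it does not say whether the listed category names are matched case-sensitively, which is the first thing a user typing `nuget` instead of `NuGet` will wonder; I could not confirm the matching rule from this page, so add it to the description once it is known. The input name `detectorsCategories` also differs from the CLI flag `--DetectorCategories` it maps to and from the PR title, so it is worth settling on one spelling before the input is published in a release. The README row added in this PR uses the same plural name and the example `NuGet,Npm`, so whichever spelling is chosen should be applied in both places.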
|
|||||||
+10
-9
@@ -22,7 +22,7 @@ export default class ComponentDetection {
|
|||||||
public static componentDetectionPath = process.platform === "win32" ? './component-detection.exe' : './component-detection';
|
public static componentDetectionPath = process.platform === "win32" ? './component-detection.exe' : './component-detection';
|
||||||
public static outputPath = './output.json';
|
public static outputPath = './output.json';
|
||||||
|
|
||||||
// This is the default entry point for this class.
|
// This is the default entry point for this class.
|
||||||
static async scanAndGetManifests(path: string): Promise<Manifest[] | undefined> {
|
static async scanAndGetManifests(path: string): Promise<Manifest[] | undefined> {
|
||||||
await this.downloadLatestRelease();
|
await this.downloadLatestRelease();
|
||||||
await this.runComponentDetection(path);
|
await this.runComponentDetection(path);
|
||||||
@@ -61,6 +61,7 @@ export default class ComponentDetection {
|
|||||||
parameters += (core.getInput('directoryExclusionList')) ? ` --DirectoryExclusionList ${core.getInput('directoryExclusionList')}` : "";
|
parameters += (core.getInput('directoryExclusionList')) ? ` --DirectoryExclusionList ${core.getInput('directoryExclusionList')}` : "";
|
||||||
parameters += (core.getInput('detectorArgs')) ? ` --DetectorArgs ${core.getInput('detectorArgs')}` : "";
|
parameters += (core.getInput('detectorArgs')) ? ` --DetectorArgs ${core.getInput('detectorArgs')}` : "";
|
||||||
parameters += (core.getInput('detectorsFilter')) ? ` --DetectorsFilter ${core.getInput('detectorsFilter')}` : "";
|
parameters += (core.getInput('detectorsFilter')) ? ` --DetectorsFilter ${core.getInput('detectorsFilter')}` : "";
|
||||||
|
parameters += (core.getInput('detectorsCategories')) ? ` --DetectorCategories ${core.getInput('detectorsCategories')}` : "";
|
||||||
parameters += (core.getInput('dockerImagesToScan')) ? ` --DockerImagesToScan ${core.getInput('dockerImagesToScan')}` : "";
|
parameters += (core.getInput('dockerImagesToScan')) ? ` --DockerImagesToScan ${core.getInput('dockerImagesToScan')}` : "";
|
||||||
return parameters;
|
return parameters;
|
||||||
}
|
}
|
||||||
@@ -86,7 +87,7 @@ export default class ComponentDetection {
|
|||||||
}
|
}
|
||||||
|
|
||||||
const packageUrl = ComponentDetection.makePackageUrl(component.component.packageUrl);
|
const packageUrl = ComponentDetection.makePackageUrl(component.component.packageUrl);
|
||||||
|
|
||||||
// Skip if the packageUrl is empty (indicates an invalid or missing packageUrl)
|
// Skip if the packageUrl is empty (indicates an invalid or missing packageUrl)
|
||||||
if (!packageUrl) {
|
if (!packageUrl) {
|
||||||
core.debug(`Skipping component with invalid packageUrl: ${component.component.id}`);
|
core.debug(`Skipping component with invalid packageUrl: ${component.component.id}`);
|
||||||
@@ -110,15 +111,15 @@ export default class ComponentDetection {
|
|||||||
core.debug(`Skipping referrer without packageUrl for component: ${pkg.id}`);
|
core.debug(`Skipping referrer without packageUrl for component: ${pkg.id}`);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
const referrerUrl = ComponentDetection.makePackageUrl(referrer.packageUrl);
|
const referrerUrl = ComponentDetection.makePackageUrl(referrer.packageUrl);
|
||||||
|
|
||||||
// Skip if the generated packageUrl is empty
|
// Skip if the generated packageUrl is empty
|
||||||
if (!referrerUrl) {
|
if (!referrerUrl) {
|
||||||
core.debug(`Skipping referrer with invalid packageUrl for component: ${pkg.id}`);
|
core.debug(`Skipping referrer with invalid packageUrl for component: ${pkg.id}`);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const referrerPackage = packageCache.lookupPackage(referrerUrl);
|
const referrerPackage = packageCache.lookupPackage(referrerUrl);
|
||||||
if (referrerPackage) {
|
if (referrerPackage) {
|
||||||
@@ -195,10 +196,10 @@ export default class ComponentDetection {
|
|||||||
private static async getLatestReleaseURL(): Promise<string> {
|
private static async getLatestReleaseURL(): Promise<string> {
|
||||||
let githubToken = core.getInput('token') || process.env.GITHUB_TOKEN || "";
|
let githubToken = core.getInput('token') || process.env.GITHUB_TOKEN || "";
|
||||||
|
|
||||||
const githubAPIURL = 'https://api.github.com'
|
const githubAPIURL = 'https://api.github.com'
|
||||||
|
|
||||||
let ghesMode = github.context.apiUrl != githubAPIURL;
|
let ghesMode = github.context.apiUrl != githubAPIURL;
|
||||||
// If the we're running in GHES, then use an empty string as the token
|
// If the we're running in GHES, then use an empty string as the token
|
||||||
if (ghesMode) {
|
if (ghesMode) {
|
||||||
githubToken = "";
|
githubToken = "";
|
||||||
}
|
}
|
||||||
@@ -213,7 +214,7 @@ export default class ComponentDetection {
|
|||||||
const repo = "component-detection";
|
const repo = "component-detection";
|
||||||
core.debug("Attempting to download latest release from " + githubAPIURL);
|
core.debug("Attempting to download latest release from " + githubAPIURL);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
const latestRelease = await octokit.request("GET /repos/{owner}/{repo}/releases/latest", {owner, repo});
|
const latestRelease = await octokit.request("GET /repos/{owner}/{repo}/releases/latest", {owner, repo});
|
||||||
|
|
||||||
var downloadURL: string = "";
|
var downloadURL: string = "";
|
||||||
@@ -229,7 +230,7 @@ export default class ComponentDetection {
|
|||||||
core.error(error);
|
core.error(error);
|
||||||
core.debug(error.message);
|
core.debug(error.message);
|
||||||
core.debug(error.stack);
|
core.debug(error.stack);
|
||||||
throw new Error("Failed to download latest release");
|
throw new Error("Failed to download latest release");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
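Review bot: The new `--DetectorCategories` line in the parameter builder (hunk @@ -61,6 +61,7) appends `core.getInput('detectorsCategories')` to the command string unvalidated, following the pattern of the surrounding inputs, yet action.yml enumerates the only accepted values (Npm, NuGet, Maven, RubyGems, Cargo, Pip, GoMod, CocoaPods, Linux), which makes this input a natural candidate for an allowlist check before it reaches the argument string. Validating here turns a typo into a clear error instead of a confusing failure from the downloaded binary, and it keeps unexpected characters out of the command line when a workflow assembles the input from an expression rather than a literal. The `parameters` string appears to be handed to an exec helper outside this hunk, so I have not verified how it is tokenized; if it passes through a shell, the same consideration applies to the older inputs on the neighbouring lines. The function that builds `parameters` begins outside the hunk, and if the upstream tool matches category names case-insensitively the comparison below should be lower-cased to match.
```typescript
// … unchanged: directoryExclusionList, detectorArgs and detectorsFilter parameters …
const allowedCategories = new Set(['Npm', 'NuGet', 'Maven', 'RubyGems', 'Cargo', 'Pip', 'GoMod', 'CocoaPods', 'Linux']);
const categoriesInput = core.getInput('detectorsCategories');
if (categoriesInput) {
  const categories = categoriesInput.split(',').map((c) => c.trim()).filter((c) => c !== '');
  const unknown = categories.filter((c) => !allowedCategories.has(c));
  if (unknown.length > 0) {
    throw new Error(`Unknown detectorsCategories value(s): ${unknown.join(', ')}`);
  }
  parameters += ` --DetectorCategories ${categories.join(',')}`;
}
// … unchanged: dockerImagesToScan parameter and return …
```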
|
|||||||
+3
-2
@@ -36004,7 +36004,7 @@ const exec = __importStar(__nccwpck_require__(5236));
|
|||||||
const dotenv_1 = __importDefault(__nccwpck_require__(8889));
|
const dotenv_1 = __importDefault(__nccwpck_require__(8889));
|
||||||
dotenv_1.default.config();
|
dotenv_1.default.config();
|
||||||
class ComponentDetection {
|
class ComponentDetection {
|
||||||
// This is the default entry point for this class.
|
// This is the default entry point for this class.
|
||||||
static scanAndGetManifests(path) {
|
static scanAndGetManifests(path) {
|
||||||
return __awaiter(this, void 0, void 0, function* () {
|
return __awaiter(this, void 0, void 0, function* () {
|
||||||
yield this.downloadLatestRelease();
|
yield this.downloadLatestRelease();
|
||||||
@@ -36047,6 +36047,7 @@ class ComponentDetection {
|
|||||||
parameters += (core.getInput('directoryExclusionList')) ? ` --DirectoryExclusionList ${core.getInput('directoryExclusionList')}` : "";
|
parameters += (core.getInput('directoryExclusionList')) ? ` --DirectoryExclusionList ${core.getInput('directoryExclusionList')}` : "";
|
||||||
parameters += (core.getInput('detectorArgs')) ? ` --DetectorArgs ${core.getInput('detectorArgs')}` : "";
|
parameters += (core.getInput('detectorArgs')) ? ` --DetectorArgs ${core.getInput('detectorArgs')}` : "";
|
||||||
parameters += (core.getInput('detectorsFilter')) ? ` --DetectorsFilter ${core.getInput('detectorsFilter')}` : "";
|
parameters += (core.getInput('detectorsFilter')) ? ` --DetectorsFilter ${core.getInput('detectorsFilter')}` : "";
|
||||||
|
parameters += (core.getInput('detectorsCategories')) ? ` --DetectorCategories ${core.getInput('detectorsCategories')}` : "";
|
||||||
parameters += (core.getInput('dockerImagesToScan')) ? ` --DockerImagesToScan ${core.getInput('dockerImagesToScan')}` : "";
|
parameters += (core.getInput('dockerImagesToScan')) ? ` --DockerImagesToScan ${core.getInput('dockerImagesToScan')}` : "";
|
||||||
return parameters;
|
return parameters;
|
||||||
}
|
}
|
||||||
@@ -36170,7 +36171,7 @@ class ComponentDetection {
|
|||||||
let githubToken = core.getInput('token') || process.env.GITHUB_TOKEN || "";
|
let githubToken = core.getInput('token') || process.env.GITHUB_TOKEN || "";
|
||||||
const githubAPIURL = 'https://api.github.com';
|
const githubAPIURL = 'https://api.github.com';
|
||||||
let ghesMode = github.context.apiUrl != githubAPIURL;
|
let ghesMode = github.context.apiUrl != githubAPIURL;
|
||||||
// If the we're running in GHES, then use an empty string as the token
|
// If the we're running in GHES, then use an empty string as the token
|
||||||
if (ghesMode) {
|
if (ghesMode) {
|
||||||
githubToken = "";
|
githubToken = "";
|
||||||
}
|
}
|
||||||
|
|||||||
+1
-1
File diff suppressed because one or more lines are too long