Skip to content

Enhance Spotbugs parametrization and sarif output #1#2

Open
jmservera wants to merge 10 commits intoabirismyname:mainfrom
jmservera:Enhance-Spotbugs-parametrization-and-sarif-output
Open

Enhance Spotbugs parametrization and sarif output #1#2
jmservera wants to merge 10 commits intoabirismyname:mainfrom
jmservera:Enhance-Spotbugs-parametrization-and-sarif-output

Conversation

@jmservera
Copy link
Copy Markdown

@jmservera jmservera commented Oct 19, 2022
edited
Loading

An effort to generalize the action so it works with Maven, Gradle, etc. and provides a better sarif integration with GitHub. Linked to issue #1

@jmservera
Copy link
Copy Markdown
Author

jmservera commented Oct 20, 2022

I have a first version of the generalized action that works also with GitHub Security, but I only have tested it with my test project that uses Maven for the build and dependencies, and I only tested the SARIF output, but in theory it should work with any other output config.

@jmservera jmservera marked this pull request as ready for review October 20, 2022 17:51
jmservera
jmservera commented Oct 20, 2022
View reviewed changes
analyze.sh
# Download SpotBugs
wget https://github.com/spotbugs/spotbugs/releases/download/"${SPOTBUGS_VERSION}"/spotbugs-"${SPOTBUGS_VERSION}".zip
unzip spotbugs-"${SPOTBUGS_VERSION}".zip
wget -q -N https://github.com/spotbugs/spotbugs/releases/download/"${SPOTBUGS_VERSION}"/spotbugs-"${SPOTBUGS_VERSION}".zip
Copy link
Copy Markdown
Author

@jmservera jmservera Oct 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change serves to avoid a too long log that is not related to the actual SAST review

jmservera
jmservera commented Oct 20, 2022
View reviewed changes
analyze.sh

# Check whether to use latest version of PMD
if [ "$SPOTBUGS_VERSION" == 'latest' ]; then
if [ "$SPOTBUGS_VERSION" == 'latest' ] || [ "$SPOTBUGS_VERSION" == "" ]; then
Copy link
Copy Markdown
Author

@jmservera jmservera Oct 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This way the default behavior downloads the latest version

jmservera
jmservera commented Oct 20, 2022
View reviewed changes
analyze.sh

# Take care of parameter order, sometimes does not work if you change it

CMD="java -Xmx1900M -Dlog4j2.formatMsgNoLookups=true \
Copy link
Copy Markdown
Author

@jmservera jmservera Oct 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here we start building the SpotBugs command line depending on the provided parameters

jmservera
jmservera commented Oct 20, 2022
View reviewed changes
analyze.sh
if [ "$OUTPUT_TYPE" == "sarif" ] && [ "$BASE_PATH" != "" ]; then
# prepend the pyhsical path
echo "Transform sarif file to include the physical path"
jq -c "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) |=\"$BASE_PATH\"+." resultspre.sarif > "$OUTPUT"
Copy link
Copy Markdown
Author

@jmservera jmservera Oct 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is needed to provide compatibility with the GitHub SARIF parser that needs the base path as a prefix (typically src/main/java)

@jmservera jmservera mentioned this pull request Oct 21, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jmservera