spotbugs-findsecbugs-action/action.yml at ad86ba63ef8bf1a8b18c296cd79c135fec8b6575 · advanced-security/spotbugs-findsecbugs-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
name: SpotBugs with FindSecBugs

author: GitHub Field Security
description: Run SpotBugs with FindSecBugs on your build results, and upload the results to GitHub Code Scanning
branding:
  icon: 'shield'
  color: 'blue'

inputs:
  spotbugs_version:
    description: 'The version of SpotBugs to use'
    required: false
    default: '4.7.3'
  spotbugs_checksum:
    description: 'The SHA256 checksum of the SpotBugs tarball'
    required: false
    default: 'f02e2f1135b23f3edfddb75f64be0491353cfeb567b5a584115aa4fd373d4431'
  findsecbugs_version:
    description: 'The version of FindSecBugs to use'
    required: false
    default: '1.12.0'
  spotbugs_target:
    description: 'The target directory to run SpotBugs against'
    required: false
    default: 'target/'
  spotbugs_filename_glob:
    description: 'The filenames to locate for SpotBugs, e.g. *.class, *.jar'
    default: '*.jar'
  upload_sarif:
    description: 'Whether to upload the SARIF file to GitHub Code Scanning'
    required: false
    type: boolean
    default: 'true'
  java_distribution:
    description: 'The Java distribution to use'
    required: false
    default: 'microsoft'
  java_version:
    description: 'The Java version to use'
    required: false
    default: '11'
  no_cache:
    description: 'Do not use cached versions of the Spotbugs and FindSecBugs tools'
    required: false
    type: boolean
    default: 'false'
  path_prefix:
    description: 'Add this path prefix to the start of file locations'
    required: false
  ram:
    description: 'The amount of RAM to use for SpotBugs (in MB)'
    required: false
    default: '768'
  bug_categories:
    description: 'The bug categories to report (comma-separated). Available categories: SECURITY, BAD_PRACTICE, CORRECTNESS, PERFORMANCE, STYLE, MT_CORRECTNESS, I18N, MALICIOUS_CODE, EXPERIMENTAL, NOISE'
    required: false
    default: 'SECURITY'

  # Allows for a custom runner home directory to be specified for self-hosted runners
  base_path:
    description: 'The home directory of the runner'
    required: false
    default: '/home/runner/work'


runs:
  using: "composite"
  steps:
    - name: Setup Java
      uses: actions/setup-java@v4.7.0
      with:
        distribution: ${{ inputs.java_distribution }}
        java-version: ${{ inputs.java_version }}

    - name: Cache SpotBugs
      if: inputs.no_cache == 'false'
      id: cache-spotbugs
      uses: actions/cache@v4.2.3
      with:
        path: ${{ inputs.base_path }}/spotbugs+/spotbugs-${{ inputs.spotbugs_version }}
        key: ${{ runner.os }}-spotbugs-${{ inputs.spotbugs_version }}

    - name: Cache FindSecBugs
      if: inputs.no_cache == 'false'
      id: cache-findsecbugs
      uses: actions/cache@v4.2.3
      with:
        path: ${{ inputs.base_path }}/findsecbugs+/findsecbugs-plugin-${{ inputs.findsecbugs_version }}.jar
        key: ${{ runner.os }}-findsecbugs-${{ inputs.findsecbugs_version }}

    - name: Get SpotBugs
      if: inputs.no_cache == 'true' || steps.cache-spotbugs.outputs.cache-hit != 'true'
      env:
        INPUT_SPOTBUGS_VERSION: ${{ inputs.spotbugs_version }}
        INPUT_SPOTBUGS_CHECKSUM: ${{ inputs.spotbugs_checksum }}
        SPOTBUGS_HOME: ${{ inputs.base_path }}/spotbugs+/
      run: |
        mkdir -p "${SPOTBUGS_HOME}"
        cd "${SPOTBUGS_HOME}"
        wget -q -O spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz "https://github.com/spotbugs/spotbugs/releases/download/${INPUT_SPOTBUGS_VERSION}/spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
        if [ "${INPUT_SPOTBUGS_CHECKSUM}" != "" ]; then
          echo "Checking checksum"
          echo "${INPUT_SPOTBUGS_CHECKSUM}  spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz" | sha256sum -c - || { echo "Checksum verification failed for spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"; exit 1; }
        else
          echo "No checksum provided, showing current checksum"
          sha256sum spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz
        fi
        tar -xzf spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz
        chmod +x spotbugs-"${INPUT_SPOTBUGS_VERSION}"/bin/spotbugs
        ls "spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
        echo "Got spotbugs"
      shell: bash

    - name: Get FindSecBugs
      if: inputs.no_cache == 'true' || steps.cache-findsecbugs.outputs.cache-hit != 'true'
      env:
        INPUT_FINDSECBUGS_VERSION: ${{ inputs.findsecbugs_version }}
        FINDSECBUGS_HOME: ${{ inputs.base_path }}/findsecbugs+/
      run: |
        mkdir -p "${FINDSECBUGS_HOME}"
        cd "${FINDSECBUGS_HOME}"
        wget -q -O "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar" "https://search.maven.org/remotecontent?filepath=com/h3xstream/findsecbugs/findsecbugs-plugin/${INPUT_FINDSECBUGS_VERSION}/findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
        # Maven Central provides immutable versions, so we don't check the checksum, but do print it for traceability
        sha256sum "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
        ls "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
        echo "Got findsecbugs"
      shell: bash

    - name: Run SpotBugs
      env:
        INPUT_FINDSECBUGS_VERSION: ${{ inputs.findsecbugs_version }}
        INPUT_SPOTBUGS_TARGET: ${{ inputs.spotbugs_target }}
        INPUT_SPOTBUGS_GLOB: ${{ inputs.spotbugs_filename_glob }}
        INPUT_RAM: ${{ inputs.ram }}
        INPUT_BUG_CATEGORIES: ${{ inputs.bug_categories }}
        SPOTBUGS_HOME: ${{ inputs.base_path }}/spotbugs+/spotbugs-${{ inputs.spotbugs_version }}
        FINDSECBUGS_HOME: ${{ inputs.base_path }}/findsecbugs+/
        SPOTBUGS_WORKING: ${{ inputs.base_path }}/spotbugs_working+/
      run: |
        mkdir -p "${SPOTBUGS_WORKING}"
        cd "${SPOTBUGS_WORKING}"
        SPOTBUGS_FILES=$(find "${GITHUB_WORKSPACE}/${INPUT_SPOTBUGS_TARGET}" -type f -name "${INPUT_SPOTBUGS_GLOB}" -exec echo -n {} \+)
        "${SPOTBUGS_HOME}/bin/spotbugs" -maxHeap "${INPUT_RAM}" -textui -quiet -effort:max -low -bugCategories "${INPUT_BUG_CATEGORIES}" -pluginList "${FINDSECBUGS_HOME}/findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar" -sarif=spotbugs.sarif ${SPOTBUGS_FILES}
      shell: bash

    - name: Adjust file paths
      if: inputs.path_prefix != ''
      env:
        INPUT_PATH_PREFIX: ${{ inputs.path_prefix }}
        SPOTBUGS_WORKING: ${{ inputs.base_path }}/spotbugs_working+/
      run: |
        cd "${SPOTBUGS_WORKING}"
        jq --arg prefix "${INPUT_PATH_PREFIX}" '.runs[].results[].locations[].physicalLocation.artifactLocation.uri |= $prefix + .' < spotbugs.sarif > spotbugs_edited.sarif
        mv spotbugs.sarif spotbugs_orig.sarif
        mv spotbugs_edited.sarif spotbugs.sarif
      shell: bash

    - name: Upload SARIF file
      if: inputs.upload_sarif == 'true'
      uses: github/codeql-action/upload-sarif@v3.28.15
      with:
        sarif_file: ${{ inputs.base_path }}/spotbugs_working+/spotbugs.sarif