Maintenance release: v1.0.6 (#13)

* Using pinned versions of immutable Actions
* Use explicit immutable actions in sample workflow
* Use pinned commit in sample workflow and README
* Checksum verification for SpotBugs download
* Spaced out for readability
* Fixed link to LICENSE
* Changed to NOTE markup
* Updated CHANGELOG

Author: aegilops

CHANGELOG.md

@@ -1,5 +1,17 @@
 # CHANGELOG
 
+## 1.0.6 - 2025-04-08
+
+A supply chain security and maintenance release.
+
+* Added SHA256 checksum verification for SpotBugs (not for FindSecBugs, Maven Central versions are immutable)
+* Using immutable Actions versions where possible
+* Added pinned commit to sample workflow
+
+## 1.0.5 - 2024-10-08
+
+* Allowed setting RAM in the inputs
+
 ## 1.0.0 - 2023-07-13
 
 * Created Action

CONTRIBUTING.md

@@ -18,7 +18,7 @@ Please fork the repository, and raise a Pull Request (PR) for review.
 
 Remember to update the [README](README.md) and [CHANGELOG](CHANGELOG.md).
 
-Your changes must be acceptable under the [LICENSE](LICENSE.md) of the project.
+Your changes must be acceptable under the [LICENSE](LICENSE) of the project.
 
 ## Code of conduct
 

README.md

@@ -1,6 +1,7 @@
 # spotbugs-findsecbugs-action
 
-> ℹ️ This is an _unofficial_ tool created by Field Security Services, and is not officially supported by GitHub.
+> [!NOTE]
+> This is an _unofficial_ tool created by Field Security Services, and is not officially supported by GitHub.
 
 This Action run SpotBugs with FindSecBugs, and uploads the results to GitHub Code Scanning.
 
@@ -14,15 +15,18 @@ Then, set up this Action as a step in your Actions workflow, e.g. for a typical
 
 ```yaml
     - name: Run SpotBugs with FindSecBugs
-      uses: advanced-security/spotbugs-findsecbugs-action@v1
+      uses: advanced-security/spotbugs-findsecbugs-action@33c1fbec0ef4c37b5d32fc41b072bb624962d5d8 # v1.0.6
 ```
 
 ## Inputs
 
 * `spotbugs_version`: The version of SpotBugs to use. Default: `4.7.3`
+* `spotbugs_checksum`: The SHA256 checksum of the SpotBugs tarball. Default is the checksum for the default version. Set to '' to disable checksum verification (not recommended).
+  * find the checksum for the SpotBugs version you specify on the [GitHub release page](https://github.com/spotbugs/spotbugs/releases)
 * `findsecbugs_version`: The version of FindSecBugs to use. Default: `1.12.0`
+  * Maven Central releases are immutable, so there is no need to specify a checksum, but it is shown in the workflow log for traceability
 * `spotbugs_target`: The target directory to run SpotBugs against. Default: `target/`
-* `spotbugs_filename_glob`: The filenames to locate for SpotBugs, e.g. *.class, *.jar. Default: `*.jar`
+* `spotbugs_filename_glob`: The filenames to locate for SpotBugs, e.g. `*.class`, `*.jar`. Default: `*.jar`
 * `upload_sarif`: Whether to upload the SARIF file to GitHub Code Scanning. Default: `true`
 * `java_distribution`: The Java distribution to use. Default: `microsoft`
 * `java_version`: The Java version to use. Default: `11`
@@ -67,7 +71,8 @@ See [CODEOWNERS](CODEOWNERS) for the list of maintainers.
 
 ## Support
 
-> ℹ️ This is an _unofficial_ tool created by Field Security Services, and is not officially supported by GitHub.
+> [!NOTE]
+> This is an _unofficial_ tool created by Field Security Services, and is not officially supported by GitHub.
 
 See the [SUPPORT](SUPPORT.md) file.
 

action.yml

@@ -11,6 +11,10 @@ inputs:
     description: 'The version of SpotBugs to use'
     required: false
     default: '4.7.3'
+  spotbugs_checksum:
+    description: 'The SHA256 checksum of the SpotBugs tarball'
+    required: false
+    default: 'f02e2f1135b23f3edfddb75f64be0491353cfeb567b5a584115aa4fd373d4431'
   findsecbugs_version:
     description: 'The version of FindSecBugs to use'
     required: false
@@ -59,38 +63,50 @@ runs:
   using: "composite"
   steps:
     - name: Setup Java
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@4.7.0
       with:
         distribution: ${{ inputs.java_distribution }}
         java-version: ${{ inputs.java_version }}
+
     - name: Cache SpotBugs
       if: inputs.no_cache == 'false'
       id: cache-spotbugs
-      uses: actions/cache@v3
+      uses: actions/cache@4.2.3
       with:
         path: ${{ inputs.base_path }}/spotbugs+/spotbugs-${{ inputs.spotbugs_version }}
         key: ${{ runner.os }}-spotbugs-${{ inputs.spotbugs_version }}
+
     - name: Cache FindSecBugs
       if: inputs.no_cache == 'false'
       id: cache-findsecbugs
-      uses: actions/cache@v3
+      uses: actions/cache@4.2.3
       with:
         path: ${{ inputs.base_path }}/findsecbugs+/findsecbugs-plugin-${{ inputs.findsecbugs_version }}.jar
         key: ${{ runner.os }}-findsecbugs-${{ inputs.findsecbugs_version }}
+
     - name: Get SpotBugs
       if: inputs.no_cache == 'true' || steps.cache-spotbugs.outputs.cache-hit != 'true'
       env:
         INPUT_SPOTBUGS_VERSION: ${{ inputs.spotbugs_version }}
+        INPUT_SPOTBUGS_CHECKSUM: ${{ inputs.spotbugs_checksum }}
         SPOTBUGS_HOME: ${{ inputs.base_path }}/spotbugs+/
       run: |
         mkdir -p "${SPOTBUGS_HOME}"
         cd "${SPOTBUGS_HOME}"
         wget -q -O spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz "https://github.com/spotbugs/spotbugs/releases/download/${INPUT_SPOTBUGS_VERSION}/spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
+        if [ "${INPUT_SPOTBUGS_CHECKSUM}" != "" ]; then
+          echo "Checking checksum"
+          echo "${INPUT_SPOTBUGS_CHECKSUM}  spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz" | sha256sum -c - || { echo "Checksum verification failed for spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"; exit 1; }
+        else
+          echo "No checksum provided, showing current checksum"
+          sha256sum spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz
+        fi
         tar -xzf spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz
         chmod +x spotbugs-"${INPUT_SPOTBUGS_VERSION}"/bin/spotbugs
         ls "spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
         echo "Got spotbugs"
       shell: bash
+
     - name: Get FindSecBugs
       if: inputs.no_cache == 'true' || steps.cache-findsecbugs.outputs.cache-hit != 'true'
       env:
@@ -100,9 +116,12 @@ runs:
         mkdir -p "${FINDSECBUGS_HOME}"
         cd "${FINDSECBUGS_HOME}"
         wget -q -O "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar" "https://search.maven.org/remotecontent?filepath=com/h3xstream/findsecbugs/findsecbugs-plugin/${INPUT_FINDSECBUGS_VERSION}/findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
+        # Maven Central provides immutable versions, so we don't check the checksum, but do print it for traceability
+        sha256sum "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
         ls "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
         echo "Got findsecbugs"
       shell: bash
+
     - name: Run SpotBugs
       env:
         INPUT_FINDSECBUGS_VERSION: ${{ inputs.findsecbugs_version }}
@@ -118,6 +137,7 @@ runs:
         SPOTBUGS_FILES=$(find "${GITHUB_WORKSPACE}/${INPUT_SPOTBUGS_TARGET}" -type f -name "${INPUT_SPOTBUGS_GLOB}" -exec echo -n {} \+)
         "${SPOTBUGS_HOME}/bin/spotbugs" -maxHeap "${INPUT_RAM}" -textui -quiet -effort:max -low -bugCategories SECURITY -pluginList "${FINDSECBUGS_HOME}/findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar" -sarif=spotbugs.sarif ${SPOTBUGS_FILES}
       shell: bash
+
     - name: Adjust file paths
       if: inputs.path_prefix != ''
       env:
@@ -129,8 +149,9 @@ runs:
         mv spotbugs.sarif spotbugs_orig.sarif
         mv spotbugs_edited.sarif spotbugs.sarif
       shell: bash
+
     - name: Upload SARIF file
       if: inputs.upload_sarif == 'true'
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@3.28.15
       with:
         sarif_file: ${{ inputs.base_path }}/spotbugs_working+/spotbugs.sarif

starter-workflow.yml

@@ -20,10 +20,10 @@ jobs:
 
       steps:
         - name: Checkout
-          uses: actions/checkout@v3
+          uses: actions/checkout@4.2.2
         # this needs to be appropriately configured for your project
         - name: Setup Java
-          uses: actions/setup-java@v3
+          uses: actions/setup-java@4.7.0
           with:
             distribution: 'microsoft'
             java-version: 11
@@ -32,14 +32,18 @@ jobs:
           run: sbt publishLocal
         # now run SpotBugs and upload the results to Code Scanning
         - name: Run SpotBugs with FindSecBugs
-          uses: advanced-security/spotbugs-findsecbugs-action@v1
+          uses: advanced-security/spotbugs-findsecbugs-action@33c1fbec0ef4c37b5d32fc41b072bb624962d5d8 # v1.0.6
           with:
             # set these appropriately for your project - the defaults are shown here for context
+            # make sure to set a SHA256 checksum that matches the version you want to use of SpotBugs
+            # check https://github.com/spotbugs/spotbugs/releases
+            # you can switch off checksum checking by setting the checksum to '', but this is not recommended
             spotbugs_target: 'target/scala-2.13' # cannot have globs
             # spotbugs_filename_glob: '*.jar'
             # upload_sarif: 'true'
             # no_cache: 'false'
             # spotbugs_version: '4.7.3'
+            # spotbugs_checksum: 'f02e2f1135b23f3edfddb75f64be0491353cfeb567b5a584115aa4fd373d4431'
             # findsecbugs_version: '1.12.0'
             # java_distribution: 'microsoft'
             # java_version: '11'