Merge pull request #4 from advanced-security/fix-action

aegilops · web-flow · commit d8b45b02b304 · 2023-07-20T12:52:04.000+01:00
Fix action
diff --git a/README.md b/README.md
@@ -10,20 +10,19 @@ Set up a workflow that builds your JVM language project, then run this Action on
 
 First, build your Java, Scala or other JVM language project in an Actions workflow.
 
-Then, set up this Action as a step in your Actions workflow, e.g. for a typical Scala project:
+Then, set up this Action as a step in your Actions workflow, e.g. for a typical Scala project where you have locally published a Jar file:
 
 ```yaml
     - name: Run SpotBugs with FindSecBugs
       uses: advanced-security/spotbugs-findsecbugs-action@v1
-      with:
-        spotbugs_target: 'target/scala-2.13/classes'
 ```
 
 ## Inputs
 
 * `spotbugs_version`: The version of SpotBugs to use. Default: `4.7.3`
 * `findsecbugs_version`: The version of FindSecBugs to use. Default: `1.12.0`
 * `spotbugs_target`: The target directory to run SpotBugs against. Default: `target/`
+* `spotbugs_filename_glob`: The filenames to locate for SpotBugs, e.g. *.class, *.jar. Default: `*.jar`
 * `upload_sarif`: Whether to upload the SARIF file to GitHub Code Scanning. Default: `true`
 * `java_distribution`: The Java distribution to use. Default: `microsoft`
 * `java_version`: The Java version to use. Default: `11`
diff --git a/action.yml b/action.yml
@@ -16,9 +16,12 @@ inputs:
     required: false
     default: '1.12.0'
   spotbugs_target:
-    description: 'The target to run SpotBugs against'
+    description: 'The target directory to run SpotBugs against'
     required: false
     default: 'target/'
+  spotbugs_filename_glob:
+    description: 'The filenames to locate for SpotBugs, e.g. *.class, *.jar'
+    default: '*.jar'
   upload_sarif:
     description: 'Whether to upload the SARIF file to GitHub Code Scanning'
     required: false
@@ -68,10 +71,11 @@ runs:
         cd /home/runner/work/
         mkdir -p 'spotbugs+'
         cd 'spotbugs+'
-        wget -q https://github.com/spotbugs/spotbugs/releases/download/"${INPUT_SPOTBUGS_VERSION}"/spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz
+        wget -q -O spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz "https://github.com/spotbugs/spotbugs/releases/download/${INPUT_SPOTBUGS_VERSION}/spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
         tar -xzf spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz
         chmod +x spotbugs-"${INPUT_SPOTBUGS_VERSION}"/bin/spotbugs
-        echo "Got spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
+        ls "spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
+        echo "Got spotbugs"
       shell: bash
     - name: Get FindSecBugs
       if: inputs.no_cache == 'true' || steps.cache-findsecbugs.outputs.cache-hit != 'true'
@@ -81,18 +85,20 @@ runs:
         cd /home/runner/work/
         mkdir -p 'findsecbugs+'
         cd 'findsecbugs+'
-        wget -q https://search.maven.org/remotecontent?filepath=com/h3xstream/findsecbugs/findsecbugs-plugin/"${INPUT_FINDSECBUGS_VERSION}"/findsecbugs-plugin-"${INPUT_FINDSECBUGS_VERSION}".jar
-        echo "Got findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
+        wget -q -O "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar" "https://search.maven.org/remotecontent?filepath=com/h3xstream/findsecbugs/findsecbugs-plugin/${INPUT_FINDSECBUGS_VERSION}/findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
+        ls "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
+        echo "Got findsecbugs"
       shell: bash
     - name: Run SpotBugs
       env:
         INPUT_FINDSECBUGS_VERSION: ${{ inputs.findsecbugs_version }}
         INPUT_SPOTBUGS_TARGET: ${{ inputs.spotbugs_target }}
+        INPUT_SPOTBUGS_GLOB: ${{ inputs.spotbugs_filename_glob }}
         SPOTBUGS_HOME: /home/runner/work/spotbugs+/spotbugs-${{ inputs.spotbugs_version }}
         FINDSECBUGS_HOME: /home/runner/work/findsecbugs+/
       run: |
-        SPOTBUGS_FILES=$(find "${INPUT_SPOTBUGS_TARGET}" -type f -exec echo -n {} \+)
-        "${SPOTBUGS_HOME}"/bin/spotbugs -textui -quiet -effort:max -low -bugCategories SECURITY -pluginList "${FINDSECBUGS_HOME}"/findsecbugs-plugin-"${INPUT_FINDSECBUGS_VERSION}".jar -sarif=spotbugs.sarif ${SPOTBUGS_FILES}
+        SPOTBUGS_FILES=$(find "${INPUT_SPOTBUGS_TARGET}" -type f -name "${INPUT_SPOTBUGS_GLOB}" -exec echo -n {} \+)
+        "${SPOTBUGS_HOME}/bin/spotbugs" -textui -quiet -effort:max -low -bugCategories SECURITY -pluginList "${FINDSECBUGS_HOME}/findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar" -sarif=spotbugs.sarif ${SPOTBUGS_FILES}
       shell: bash
     - name: Upload SARIF file
       if: inputs.upload_sarif == 'true'
diff --git a/starter-workflow.yml b/starter-workflow.yml
@@ -22,15 +22,16 @@ jobs:
           with:
             distribution: 'microsoft'
             java-version: 11
-        # do your build steps. This example uses sbt
-        - name: Compile with sbt
-          run: sbt compile
+        # do your build steps. This example uses sbt to create a .jar file, which will go into the target/scala-2.13 folder
+        - name: Publish locally with sbt
+          run: sbt publishLocal
         # now run SpotBugs and upload the results to Code Scanning
         - name: Run SpotBugs with FindSecBugs
           uses: advanced-security/spotbugs-findsecbugs-action@v1
           with:
-            # set these appropriately for your project
-            spotbugs_target: 'target/scala-2.13/classes' # cannot have globs
+            # set these appropriately for your project - the defaults are shown here for context
+            spotbugs_target: 'target/scala-2.13' # cannot have globs
+            # spotbugs_filename_glob: '*.jar'
             # upload_sarif: 'true'
             # no_cache: 'false'
             # spotbugs_version: '4.7.3'
