applicationinspector-action's Introduction

Application Inspector GitHub Action

Microsoft Application Inspector is a source code characterization tool: it identifies the coding features of first- or third-party software components from well-known library and API calls, and is useful in both security and non-security scenarios. It applies hundreds of rules and regex patterns to surface notable characteristics of source code, helping to determine what the software is or what it does. The tool received industry attention as a new and valuable contribution to OSS on ZDNet, SecurityWeek, CSOOnline, Linux.com/news, HelpNetSecurity, Twitter and more, and was first featured on Microsoft.com.

The tool can scan a wide range of programming languages, including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby and PowerShell, and handles projects that mix languages.

See the project wiki at https://Github.com/Microsoft/ApplicationInspector/wiki for illustrations, additional information and help.

This Action calls the Analyze functionality of Application Inspector.

Usage

Add Application Inspector to your GitHub Actions pipeline as below to scan the repository root and write the results to AppInspectorResults.json in the repository root.

- uses: actions/checkout@v2
- uses: microsoft/ApplicationInspector-Action@v1
- uses: actions/upload-artifact@v2
  with:
    name: AppInspectorResults
    path: AppInspectorResults.json

A common use case is to run Application Inspector in tags-only mode:

- uses: microsoft/ApplicationInspector-Action@v1
  with:
    arguments: -t

You can also pass a number of options to the action. See the Application Inspector wiki for guidance, in particular the documentation for the analyze command, which describes the arguments it accepts.

- uses: microsoft/ApplicationInspector-Action@v1
  with:
    location-to-scan: relative/path/in/repo
    output-path: relative/path/in/repo
    output-format: [json | text]
    file-path-exclusions: comma,separated,glob,patterns
    arguments: -any -arguments -to -analyze
    pre-release: [ true | false ]
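A complete workflow that combines the steps and options above into one job, as an added example that is not taken from the project's README: the trigger, the scan directory, the output file name and the exclusion globs are placeholders to adapt, and the artifact path is deliberately the same as output-path so that the uploaded artifact contains the report.

```yaml
name: Application Inspector scan

on:
  pull_request:
    branches: [ "main" ]

jobs:
  appinspector:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Scan only the application source tree (placeholder: src), skip
      # vendored and test directories, and use tags-only mode (-t) for a
      # compact report. The globs are example values, not project defaults.
      - uses: microsoft/ApplicationInspector-Action@v1
        with:
          location-to-scan: src
          output-path: scan-results.json
          output-format: json
          file-path-exclusions: "**/node_modules/**,**/test/**"
          arguments: -t

      # The artifact path must match output-path above.
      - uses: actions/upload-artifact@v2
        with:
          name: AppInspectorResults
          path: scan-results.json
```

Note that the exclusion value is quoted: a YAML plain scalar beginning with `*` is read as an alias, so an unquoted glob list starting with `**` fails to parse.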

Main Project

The engine powering this GitHub Action, Microsoft Application Inspector, is also available as a standalone command-line tool (CLI).

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

applicationinspector-action's People

Contributors

callmegreg, felix-rohrer-imprivata, gfs, microsoftopensource

applicationinspector-action's Issues

Argument add suggestions

  1. As a Github action I would think the -t argument to only output tags might be valuable as opposed to the verbose default for each of the format types.

  2. Additionally, the exclusion filter argument will be limiting if not added as some teams have indicated the need to add/subtract files or paths to scan.

Unable to run GitHub action

Hi,
I am not able to run the workflow, getting the error (please see attached image below).
Here is my workflow file -

name: Code Review 
on:
  # Triggers the workflow on pull request events but only for the "main" branch
  pull_request:
    branches: [ "main" ]

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: A job to check my code quality
    steps:
    - uses: actions/checkout@v2
    - uses: microsoft/ApplicationInspector-Action@v1
    - uses: actions/upload-artifact@v2
      with:
        name: AppInspectorResults
        path: AppInspectorResults.json


Fail to load microsoft/ApplicationInspector-Action/v1/action.yml

Hi there, I am trying ApplicationInspector in Github Action, here is my yml file, very simple, but it doesn't work. Could anyone help to point out what's the problem? I can't find it in the documentation.

name: Code scanning

on:
    push:
        branches:
            - "master"

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
    # This workflow contains a single job called "build"
    build:
        # The type of runner that the job will run on
        runs-on: ubuntu-latest

        # Steps represent a sequence of tasks that will be executed as part of the job
        steps:
            # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
            - name: Checkout repository
              uses: actions/checkout@v2
              with:
                  fetch-depth: 0

            - uses: microsoft/ApplicationInspector-Action@v1
            - uses: actions/upload-artifact@v2
              with:
                  name: AppInspectorResults
                  path: AppInspectorResults.json

Prepare workflow directory
Prepare all required actions
Download action repository 'actions/checkout@v2'
Download action repository 'github/codeql-action@v1'
Download action repository 'microsoft/ApplicationInspector-Action@v1'
##[error]microsoft/ApplicationInspector-Action/v1/action.yml (Line: 25, Col: 9): Unexpected value ''
##[error]microsoft/ApplicationInspector-Action/v1/action.yml (Line: 25, Col: 9): Unexpected value ''
##[error]System.ArgumentException: Unexpected type 'NullToken' encountered while reading 'outputs'. The type 'MappingToken' was expected.
   at GitHub.DistributedTask.ObjectTemplating.Tokens.TemplateTokenExtensions.AssertMapping(TemplateToken value, String objectDescription)
   at GitHub.Runner.Worker.ActionManifestManager.Load(IExecutionContext executionContext, String manifestFile)
##[error]Fail to load microsoft/ApplicationInspector-Action/v1/action.yml

Thanks in advance

Invalid SARIF format

When running this App Inspector workflow, the attempted SARIF upload to GitHub code scanning fails due to improper SARIF format:

Unable to upload "AppInspectorResults.sarif" as it is not valid SARIF:
- instance is not allowed to have the additional property "SarifNodeKind"
- instance is not allowed to have the additional property "SchemaUri"
- instance is not allowed to have the additional property "Version"
- instance is not allowed to have the additional property "Runs"
- instance is not allowed to have the additional property "InlineExternalProperties"
- instance is not allowed to have the additional property "PropertyNames"
- instance is not allowed to have the additional property "Tags"
- instance requires property "version"
- instance requires property "runs"

After reviewing the SARIF spec and testing with the SARIF validator, I believe the following changes will help fix the issue:

  1. Update all key names to camelCase values (starting with lowercase)
  2. Remove the SarifNodeKind and PropertyNames key/value pairs
  3. Change the SchemaUri key to $schema
  4. Update the version value from 2 to "2.1.0"
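The four changes proposed in this issue, applied mechanically to a serialized log, as an added example (not the action's own code and not from the reporter): it drops the SarifNodeKind and PropertyNames keys, camelCases the remaining keys, maps SchemaUri to $schema and sets version to the string "2.1.0", then re-checks the result for the same class of problems the upload step reported. The sample input is constructed to mimic the rejected shape; the schema URL and the allowed top-level property set are assumptions based on the published SARIF 2.1.0 schema, and the rule id and tag are placeholders.

```python
"""Normalize a PascalCase-serialized SARIF log into the shape GitHub code
scanning accepts, following the four changes proposed in the issue above."""
import json

# Serializer artifacts that are not SARIF properties at all (issue item 2).
DROP_KEYS = {"SarifNodeKind", "PropertyNames"}

# Properties SARIF 2.1.0 allows at the top level of a log (assumption taken
# from the published schema; the upload error lists "version" and "runs" as
# required).
TOP_LEVEL_ALLOWED = {"$schema", "version", "runs", "inlineExternalProperties", "properties"}


def to_camel(key: str) -> str:
    """'SchemaUri' -> 'schemaUri'; keys that already start lowercase are unchanged."""
    return key[:1].lower() + key[1:]


def normalize(node):
    """Recursively apply items 1-3 to every dict key; scalars are left alone."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in DROP_KEYS:
                continue
            new_key = "$schema" if key == "SchemaUri" else to_camel(key)
            out[new_key] = normalize(value)
        return out
    if isinstance(node, list):
        return [normalize(item) for item in node]
    return node


def fix_sarif(doc: dict) -> dict:
    """Apply all four changes and return a new document; the input is not mutated."""
    fixed = normalize(doc)
    # Item 4: the version must be the string "2.1.0", not the integer 2.
    fixed["version"] = "2.1.0"
    return fixed


def check_sarif(doc: dict) -> list:
    """Return problems of the kind the upload step reported; [] means clean."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append('instance requires property "version" (string "2.1.0")')
    if not isinstance(doc.get("runs"), list):
        problems.append('instance requires property "runs"')
    for key in doc:
        if key not in TOP_LEVEL_ALLOWED:
            problems.append(f'instance is not allowed to have the additional property "{key}"')
    return problems


def fix_sarif_text(text: str) -> str:
    """Convenience wrapper for the contents of a .sarif file."""
    return json.dumps(fix_sarif(json.loads(text)), indent=2)


# Constructed sample mimicking the rejected output: PascalCase keys,
# SarifNodeKind markers, SchemaUri instead of $schema, integer version.
SAMPLE_RAW = {
    "SarifNodeKind": 1,
    "SchemaUri": "https://json.schemastore.org/sarif-2.1.0.json",  # assumed schema URL
    "Version": 2,
    "Runs": [
        {
            "SarifNodeKind": 2,
            "Tool": {"Driver": {"Name": "Application Inspector", "PropertyNames": []}},
            "Results": [
                {
                    "SarifNodeKind": 3,
                    "RuleId": "EXAMPLE_RULE_0001",  # placeholder rule id
                    "Level": "note",
                    "Message": {"Text": "constructed finding"},
                    "Properties": {"Tags": ["Example.Tag"]},  # placeholder tag
                }
            ],
        }
    ],
}

if __name__ == "__main__":
    print("before:", check_sarif(SAMPLE_RAW))
    print("after: ", check_sarif(fix_sarif(SAMPLE_RAW)))
    print(fix_sarif_text(json.dumps(SAMPLE_RAW)))
```

Blanket camelCasing is the right move for SARIF's own object model, but it also touches the keys inside any properties bag; since Application Inspector's tags end up under properties.tags, which is exactly the reserved lowercase name, that is harmless here, and anything else a tool stores in a property bag should be reviewed rather than renamed blindly.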

Error uploading SARIF to code scanning

After the recent SARIF format fixes it looks like the GitHub code scanning API is unable to parse the JSON body that's sent across. With this workflow I'm seeing the following error:

From VS Code, it appears there may be an issue with the schema URL, which could be causing the issue:

cc: @gfs @cqueern

Add findings as issues and/or PR comments

I am curious about this, but I don't want to add the output to a file. I'd rather see the problems flagged on the PR they're addressing or filed as issues so they get fixed.

I would also like to see a full example of what the output looks like. Please add an example to the README.

Executable path in entrypoint.sh

The app name looks wrong, i.e. /tools/appinspector analyze -s "$ScanTarget" -o "$OutputPath" -f $3 $4 should be dotnet /tools/applicationinspector.cli analyze -s "$ScanTarget" -o "$OutputPath" -f $3 $4