redhat-actions / crda

Scan your project's dependencies with Code Ready Dependency Analytics

Home Page: https://github.com/marketplace/actions/codeready-dependency-analytics

License: MIT License

JavaScript 0.12% Shell 0.46% TypeScript 99.03% Go 0.40%
Topics: security-automation, security, crda, sarif-report, github-actions, security-analysis

crda's Issues

Optionally upload SARIF file as an artifact

User may need SARIF as an artifact to download and view.
So uploading that as a part of this action can be a good addition.
Possible inputs can be:

  • upload_artifact (Boolean value, defaults to true)
  • upload_artifact_filename (File name to upload)

License is wrong

The redhat-actions repositories are MIT licensed. This repo is currently licensed under Apache 2.0.

Bugs found through testing

  1. There is an extra path.resolve or join here. The /home/runner/work/express-ts should not be part of this path.
    (screenshot omitted)

  2. Skip deps install chdir if not necessary
    (screenshot omitted)

  3. Improve output when sarif upload is slow
    (screenshot omitted)

[FEATURE] Provide better error information when something fails

Is your feature request related to a problem? Please describe.

I started using crda in a project and I love what I can get from it, but I'm getting random errors that I'm unable to debug because they are quite hard to reproduce (they appear randomly without a clear cause); furthermore, the error messages are not really clear about what's happening.

Describe the solution you'd like

I would like to have better error messages to know when the action is failing and why.

Describe alternatives you've considered

Are there any throttling limits for the scans that we should know?

Additional context

I provide here some examples, this is my workflow:

name: Scan Java project
on:
  push:
  
jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        os: [ "macos-latest", "ubuntu-20.04" ] # removed (, "windows-latest") because got a lot of timeout failures
        # Test once with explicit manifest_file, and once without
        manifest_file: [ "pom.xml", "" ]
    runs-on: ${{ matrix.os }}
    permissions: write-all
      # todo: find permissions
    defaults:
      run:
        shell: bash
    name: Analyse Java project
    steps:
      - name: Checkout action
        uses: actions/checkout@v3

      - name: Setup Java
        uses: actions/setup-java@v2
        with:
          distribution: temurin
          java-version: 11
          cache: maven

      - name: Install CRDA
        uses: redhat-actions/[email protected]
        with:
          source: github
          github_pat: ${{ github.token }}
          crda: "latest"

      - name: CRDA Scan
        id: crda_scan
        uses: redhat-actions/[email protected]
        with:
          manifest_file: ${{ matrix.manifest_file }}
          snyk_token: ${{ secrets.SNYK_KEY }}
          fail_on: never

      - name: Print JSON analysis report
        if: ${{ always() && steps.crda_scan.outputs.crda_report_json }}
        run: cat ${{ steps.crda_scan.outputs.crda_report_json }}

      - name: Print SARIF analysis report
        if: ${{ always() && steps.crda_scan.outputs.crda_report_sarif }}
        run: cat ${{ steps.crda_scan.outputs.crda_report_sarif }}

      - name: Print Report Link
        run: echo ${{ steps.crda_scan.outputs.report_link }}

      - name: Print Artifact Name
        run: echo ${{ steps.crda_scan.outputs.artifact_name }}

And sometimes all the runs fail; other times a few complete and others fail. This one failed only in the macOS case without the pom.xml specified, complaining about an invalid '<' character, but the same action ran correctly just by repeating the run (Re-run failed jobs):

Run redhat-actions/[email protected]
Working directory is /Users/runner/work/DevSecOpsWorkshop-jm/DevSecOpsWorkshop-jm
crda version
/usr/local/bin/git rev-parse HEAD
e0199b383358e6ca316cd737d56931074f0f686e
Ref to analyze is "refs/heads/master"
Commit to analyze is "e0199b383358e6ca316cd737d56931074f0f686e"
"manifest_directory" not provided. Using working directory "/Users/runner/work/DevSecOpsWorkshop-jm/DevSecOpsWorkshop-jm"
"manifest_file" input not provided. Auto-detecting manifest file
๐Ÿ” Looking for manifest in "/Users/runner/work/DevSecOpsWorkshop-jm/DevSecOpsWorkshop-jm"
Manifest file is pom.xml
Dependencies will be installed using Maven strategy
โฌ‡๏ธ Installing dependencies...
mvn -ntp -B package
โœ… Finished installing dependencies
๐Ÿ–Š๏ธ Setting consent_telemetry to false.
/Users/runner/work/_temp/openshift-bin/crda config set consent_telemetry false
successfully set configuration value
๐Ÿ” Authenticating with the provided Snyk Token.
/Users/runner/work/_temp/openshift-bin/crda auth --snyk-token=***
*** Suppressing command output
Successfully Registered. 

crda_key:***

This key is confidential, Please keep it safe!

✅ Successfully authenticated with the provided Snyk Token.
/Users/runner/work/_temp/openshift-bin/crda analyse pom.xml --verbose --client=gh-actions
Analysing your Dependency Stack! Please wait...
invalid character '<' looking for beginning of value
Error: crda exited with code 1
invalid character '<' looking for beginning of value

In another run I got this one (just the error msg); I got a timeout, but I don't know for which server or where it is connecting:

[...]
Adding labels "CRDA Scan Failed" to pull request
Error: crda exited with code 1
2:09PM ERR Stack Analyses Get Request Failed with status code 408.  Please retry after sometime. If issue persists, Please raise at https://github.com/fabric8-analytics/cli-tools/issues."
message from server: Stack analysis request e08dce85b9784c6db2ced5e8ebd8d622 has timed out. Please retry with a new analysis.
[...]

This one looks like it couldn't authenticate for some reason, but I only got an exit code 1:

[...]
๐Ÿ” Authenticating with the provided Snyk Token.
/home/runner/work/_temp/openshift-bin/crda auth --snyk-token=***
*** Suppressing command output
Adding labels "CRDA Scan Failed" to pull request
Error: crda exited with code 1
Usage:
  crda auth [flags]

Flags:
  -h, --help                help for auth
  -t, --snyk-token string   Authenticate with Snyk Token to unlock Verbose stack analyses.

Global Flags:
  -m, --client string   Client [tekton/jenkins/gh-actions] (default "terminal")
  -d, --debug           Sets Log level to Debug.
  -c, --no-color        Toggle colors in output.



/usr/bin/git checkout master
Switched to branch 'master'
Your branch is up to date with 'origin/master'.
/usr/bin/git remote remove remote-8
/usr/bin/git branch -D pr-8
Deleted branch pr-8 (was a9989a3).

Thanks for the great work!

[QUESTION] Typo about Snyk on CRDA marketplace GitHub Actions page

Question

The Marketplace documentation page for GitHub Actions about redhat-actions/crda contains typos that cause runs to fail.
The following typos were found:

  • Required unless synk_token is set
  • For authentication, you must provide either a CRDA Key or a Synk Token.
  • Sign up for Synk.
  • Go to Account settings to find your Synk Token (aka "key").
  • Provide the token in the synk_token input.
  • Run crda auth. Provide the Snyk token so the CRDA Key can also access the Synk database.

https://github.com/marketplace/actions/codeready-dependency-analytics#action-inputs

Improve test workflows

The workflows that we presently have as test cases are not at all suitable for testing the different scenarios and different ecosystems.
The problem with adding test workflows is that we can't have all the manifest files present in the redhat-actions/crda repository, and if we check out another repo in the workflow, the commit SHA required during the SARIF upload will be invalid (as it doesn't belong to this repo).

We would have to discuss more on this to get a working workflow.

Verify crda_key output

It seems like a value set as a secret can't be set in an output.
Verify this behavior once.

Yarn support for node projects

If package-lock.json is present, npm ci is the correct deps installation command.
Otherwise, if yarn.lock is present, yarn install --frozen-lockfile is the correct deps installation command.

If neither is present, I suppose npm i is fine.
If both are present, it should be an error.
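The selection rules above, written out as an added example (this is not the action's own code): a pure decision function over the two lockfile presence flags, a thin wrapper that reads a real manifest directory, and a helper that builds a constructed temporary project to exercise it. The "both lockfiles present" case is rejected instead of guessed, since picking the wrong resolver would silently change the dependency tree that gets scanned. Function and type names (pickNodeInstallCmd, pickNodeInstallCmdForDir, chooseForLockfiles, NodeInstallCmd) are assumptions made for this example.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Added example, not the action's own code. Chooses the Node dependency
// installation command from which lockfiles are present, following the rules
// in the issue: package-lock.json -> npm ci, yarn.lock ->
// yarn install --frozen-lockfile, neither -> npm i, both -> error.
type NodeInstallCmd = "npm ci" | "npm i" | "yarn install --frozen-lockfile";

function pickNodeInstallCmd(hasPackageLock: boolean, hasYarnLock: boolean): NodeInstallCmd {
  if (hasPackageLock && hasYarnLock) {
    // Two lockfiles cannot both be authoritative; refuse rather than guess,
    // because an unexpected resolver would silently change the dependency tree.
    throw new Error(
      "Both package-lock.json and yarn.lock are present; remove one so the dependency install is reproducible"
    );
  }
  if (hasPackageLock) {
    return "npm ci";
  }
  if (hasYarnLock) {
    return "yarn install --frozen-lockfile";
  }
  return "npm i";
}

// Convenience wrapper (hypothetical name) that inspects a real manifest directory.
function pickNodeInstallCmdForDir(manifestDir: string): NodeInstallCmd {
  return pickNodeInstallCmd(
    fs.existsSync(path.join(manifestDir, "package-lock.json")),
    fs.existsSync(path.join(manifestDir, "yarn.lock"))
  );
}

// Creates a constructed temporary project containing the given lockfiles and
// reports which command the wrapper would choose for it ("error" when the
// combination is rejected). Demonstration helper only.
function chooseForLockfiles(lockfiles: string[]): NodeInstallCmd | "error" {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "crda-lockfile-demo-"));
  try {
    fs.writeFileSync(path.join(dir, "package.json"), '{"name":"demo","version":"0.0.0"}\n');
    for (const name of lockfiles) {
      fs.writeFileSync(path.join(dir, name), ""); // constructed, empty lockfile
    }
    try {
      return pickNodeInstallCmdForDir(dir);
    } catch {
      return "error";
    }
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

console.log(chooseForLockfiles(["package-lock.json"]));              // npm ci
console.log(chooseForLockfiles(["yarn.lock"]));                      // yarn install --frozen-lockfile
console.log(chooseForLockfiles([]));                                 // npm i
console.log(chooseForLockfiles(["package-lock.json", "yarn.lock"])); // error
```

Keeping the decision in a function that takes booleans rather than a directory makes the rule unit-testable without touching the filesystem; the directory wrapper is the only part that needs an actual checkout.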

Improve input names

A few inputs are too long, which is bad for UX.
Need to think of better replacements for those inputs.

  • dependency_installation_cmd ---> deps_install_cmd
  • manifest_file_path --> manifest_path
  • analysis_report_file_name ---> analysis_report_name
  • fail_on_vulnerability ---> fail_on with accepted values error, warning and never (same behaviour as false)

Fix logic to fail crda workflow in case of pull requests check

I think the fail_on input doesn't work very well for a CI workflow. Ideally, before failing we should upload the SARIF to GitHub,
so that users are aware of which deps made the workflow fail.
The other thing: if for a PR the admin sets fail_on to never because he wants to see vulnerabilities uploaded on the GitHub security tab, he will still get "CRDA scan passed" in the label.
Both things are kind of contradictory: on one side he is getting vulnerabilities in the security tab, and on the other he is getting "crda scan passed".
Probably we should update the labels:

  • crda-found-warning ---> in case of warning
  • crda-found-error ---> in case of error
  • crda scan passed --> no vulnerability
  • crda-scan-failed --> for workflow failure/anything wrong
  • crda-scan-pending ---> pending approval
  • crda-scan-approved ---> scan approved
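The two points in this issue, as an added example that is not the action's own code: the PR label is derived from what the scan found, independently of fail_on, and the SARIF upload happens before the failure decision so findings reach the Security tab even when the job is failed. The label names follow the list above in hyphenated form; the Finding shape, the callback parameters and the function names (labelForFindings, shouldFailJob, finishScan, runDemo) are assumptions for this example, and the sample findings are constructed.

```typescript
// Added example, not the action's own code. Separates "what did the scan find"
// (the PR label) from "should the job fail" (the fail_on input), and performs
// the SARIF upload before the failure decision.
type Severity = "error" | "warning";
type FailOn = "error" | "warning" | "never"; // "never" behaves like the old false

interface Finding {
  id: string; // hypothetical identifier of the vulnerable dependency
  severity: Severity;
}

interface ScanOutcome {
  label: string; // label to put on the pull request
  shouldFail: boolean;
}

// Label reflects the worst finding, regardless of fail_on (hyphenated names assumed).
function labelForFindings(findings: Finding[]): string {
  if (findings.some((f) => f.severity === "error")) return "crda-found-error";
  if (findings.some((f) => f.severity === "warning")) return "crda-found-warning";
  return "crda-scan-passed";
}

// fail_on is a threshold: "error" fails only on errors, "warning" fails on
// warnings or errors, "never" never fails the job because of findings.
function shouldFailJob(failOn: FailOn, findings: Finding[]): boolean {
  if (failOn === "error") return findings.some((f) => f.severity === "error");
  if (failOn === "warning") return findings.length > 0;
  return false;
}

// Post-scan sequence: upload first, then label, then decide about failing.
// Side effects are injected so the ordering can be observed and tested.
function finishScan(
  failOn: FailOn,
  findings: Finding[],
  uploadSarif: () => void,
  addLabel: (label: string) => void,
  setFailed: (msg: string) => void
): ScanOutcome {
  uploadSarif(); // always upload, so results are visible even when the job fails
  const label = labelForFindings(findings);
  addLabel(label);
  const shouldFail = shouldFailJob(failOn, findings);
  if (shouldFail) {
    setFailed(`fail_on=${failOn}: scan reported ${label}`);
  }
  return { label, shouldFail };
}

// Constructed findings for the demonstration.
const SAMPLE_FINDINGS: Finding[] = [
  { id: "DEP-1", severity: "warning" },
  { id: "DEP-2", severity: "error" },
];

// Records the order of side effects; a real action would call the GitHub APIs here.
function runDemo(failOn: FailOn, findings: Finding[]): { outcome: ScanOutcome; steps: string[] } {
  const steps: string[] = [];
  const outcome = finishScan(
    failOn,
    findings,
    () => steps.push("upload-sarif"),
    (label) => steps.push(`label:${label}`),
    (msg) => steps.push(`fail:${msg}`)
  );
  return { outcome, steps };
}

console.log(runDemo("never", SAMPLE_FINDINGS)); // label crda-found-error, shouldFail false
console.log(runDemo("error", SAMPLE_FINDINGS)); // label crda-found-error, shouldFail true
```

With fail_on set to never, the job stays green but the PR is still labelled crda-found-error, which removes the contradiction described above; with fail_on set to error, the failure step runs only after the upload and the label have both happened.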
