Enhance Spotbugs parametrization and sarif output #1 #2
Conversation
|
I have a first version of the generalized action that works also with GitHub Security, but I only have tested it with my test project that uses Maven for the build and dependencies, and I only tested the SARIF output, but in theory it should work with any other output config. |
| # Download SpotBugs | ||
| wget https://github.com/spotbugs/spotbugs/releases/download/"${SPOTBUGS_VERSION}"/spotbugs-"${SPOTBUGS_VERSION}".zip | ||
| unzip spotbugs-"${SPOTBUGS_VERSION}".zip | ||
| wget -q -N https://github.com/spotbugs/spotbugs/releases/download/"${SPOTBUGS_VERSION}"/spotbugs-"${SPOTBUGS_VERSION}".zip |
There was a problem hiding this comment.
This change serves to avoid a too long log that is not related to the actual SAST review
|
|
||
| # Check whether to use latest version of PMD | ||
| if [ "$SPOTBUGS_VERSION" == 'latest' ]; then | ||
| if [ "$SPOTBUGS_VERSION" == 'latest' ] || [ "$SPOTBUGS_VERSION" == "" ]; then |
There was a problem hiding this comment.
This way the default behavior downloads the latest version
|
|
||
| # Take care of parameter order, sometimes does not work if you change it | ||
|
|
||
| CMD="java -Xmx1900M -Dlog4j2.formatMsgNoLookups=true \ |
There was a problem hiding this comment.
Here we start building the SpotBugs command line depending on the provided parameters
| if [ "$OUTPUT_TYPE" == "sarif" ] && [ "$BASE_PATH" != "" ]; then | ||
| # prepend the pyhsical path | ||
| echo "Transform sarif file to include the physical path" | ||
| jq -c "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) |=\"$BASE_PATH\"+." resultspre.sarif > "$OUTPUT" |
There was a problem hiding this comment.
This is needed to provide compatibility with the GitHub SARIF parser that needs the base path as a prefix (typically src/main/java)
An effort to generalize the action so it works with Maven, Gradle, etc. and provides a better sarif integration with GitHub. Linked to issue #1