
security-code-scan-results-action's Introduction

Security-Code-Scan Results Action

This action is designed to run as part of a workflow that builds projects referencing NuGet SecurityCodeScan.VS2019.

It produces a GitHub compatible SARIF file for uploading to the repository 'Code scanning alerts'.

Usage

See action.yml

Input Parameters

sarif_directory: (optional) The output directory where SARIF files should be collected.

Workflow Examples

on:
  push:

jobs:
  SCS:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Set up projects
        uses: security-code-scan/[email protected]

      - name: Build
        run: |
          dotnet restore
          dotnet build

      - name: Convert sarif for uploading to GitHub
        uses: security-code-scan/security-code-scan-results-action@v1

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v1

For .NET 4.x example see FullDotNetWebApp demo repository.

security-code-scan-results-action's People

Contributors

jarlob


security-code-scan-results-action's Issues

TypeError: Cannot read property 'filter' of undefined

I'm getting this error:

2021-07-08T07:40:28.5323142Z ##[group]Run security-code-scan/security-code-scan-results-action@main
2021-07-08T07:40:28.5323987Z with:
2021-07-08T07:40:28.5324433Z   sarif_directory: ../results
2021-07-08T07:40:28.5324804Z env:
2021-07-08T07:40:28.5325356Z   NUGET: C:\hostedtoolcache\windows\nuget.exe\5.10.0\x64/nuget.exe
2021-07-08T07:40:28.5326087Z ##[endgroup]
2021-07-08T07:40:33.7776972Z You can invoke the tool using the following command: sarif
2021-07-08T07:40:33.7778165Z Tool 'sarif.multitool' (version '2.3.10') was successfully installed.
2021-07-08T07:40:43.2192577Z D:\a\Microsoft.Extensions.AspNet\Microsoft.Extensions.AspNet\convert.js:12
2021-07-08T07:40:43.2194554Z     run.tool.driver.rules = run.tool.driver.rules.filter((e => e.id.startsWith("SCS")));
2021-07-08T07:40:43.2195578Z                                                   ^
2021-07-08T07:40:43.2195957Z 
2021-07-08T07:40:43.2196729Z TypeError: Cannot read property 'filter' of undefined
2021-07-08T07:40:43.2199700Z     at Object.<anonymous> (D:\a\Microsoft.Extensions.AspNet\Microsoft.Extensions.AspNet\convert.js:12:51)
2021-07-08T07:40:43.2201166Z     at Module._compile (internal/modules/cjs/loader.js:1085:14)
2021-07-08T07:40:43.2202090Z     at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
2021-07-08T07:40:43.2202947Z     at Module.load (internal/modules/cjs/loader.js:950:32)
2021-07-08T07:40:43.2203976Z     at Function.Module._load (internal/modules/cjs/loader.js:790:14)
2021-07-08T07:40:43.2205158Z     at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12)
2021-07-08T07:40:43.2206709Z     at internal/main/run_main_module.js:17:47
2021-07-08T07:40:43.2312568Z ##[error]Process completed with exit code 1.

TypeError: Cannot read properties of undefined (reading 'filter')

Getting the following error at the "Convert sarif for uploading to GitHub" step:

I have tried tags v1.2, v1.3 and main.

Run security-code-scan/security-code-scan-results-action@main
Run dotnet tool install --global Sarif.Multitool --version 2.3.10

Welcome to .NET 7.0!
---------------------
SDK Version: 7.0.202

Telemetry
---------
The .NET tools collect usage data in order to help us improve your experience. It is collected by Microsoft and shared with the community. You can opt-out of telemetry by setting the DOTNET_CLI_TELEMETRY_OPTOUT environment variable to '1' or 'true' using your favorite shell.

Read more about .NET CLI Tools telemetry: https://aka.ms/dotnet-cli-telemetry

----------------
Installed an ASP.NET Core HTTPS development certificate.
To trust the certificate run 'dotnet dev-certs https --trust' (Windows and macOS only).
Learn about HTTPS: https://aka.ms/dotnet-https
----------------
Write your first app: https://aka.ms/dotnet-hello-world
Find out what's new: https://aka.ms/dotnet-whats-new
Explore documentation: https://aka.ms/dotnet-docs
Report issues and find source on GitHub: https://github.com/dotnet/core
Use 'dotnet --help' to see available commands or visit: https://aka.ms/dotnet-cli
--------------------------------------------------------------------------------------
You can invoke the tool using the following command: sarif
Tool 'sarif.multitool' (version '2.3.10') was successfully installed.
D:\a\ViVeTool-GUI\ViVeTool-GUI\convert.js:12
    run.tool.driver.rules = run.tool.driver.rules.filter((e => e.id.startsWith("SCS")));
                                                  ^

TypeError: Cannot read properties of undefined (reading 'filter')
    at Object.<anonymous> (D:\a\ViVeTool-GUI\ViVeTool-GUI\convert.js:12:51)
    at Module._compile (node:internal/modules/cjs/loader:1254:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1308:10)
    at Module.load (node:internal/modules/cjs/loader:1117:32)
    at Module._load (node:internal/modules/cjs/loader:958:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:23:47

Node.js v18.15.0
Error: Process completed with exit code 1.

Workflow File:

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET

name: SecurityCodeScan

on:
  push:
  pull_request:
  schedule:
    - cron: '30 6 * * 3'

jobs:
  SCS:
    if: ${{ github.actor != 'dependabot[bot]' }}
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3
      - uses: nuget/setup-nuget@fd9fffd6ca4541cf4152a9565835ca1a88a6eb37
      - uses: microsoft/[email protected]

      - name: Set up projects for analysis
        uses: security-code-scan/[email protected]

      - name: Restore dependencies
        run: nuget restore

      - name: Build
        run: msbuild

      - name: Convert sarif for uploading to GitHub
        uses: security-code-scan/security-code-scan-results-action@main

      - name: Display Sarif Files in the results Folder
        run: cat D:\a\ViVeTool-GUI\results\*.sarif

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v2

Link to failed Workflow: https://github.com/PeterStrick/ViVeTool-GUI/actions/runs/4616456594
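Both stack traces above point at the same line of the action's convert.js: `run.tool.driver.rules.filter(...)` throws when a SARIF run's `tool.driver` carries no `rules` array, which SARIF 2.1.0 allows. The following is an added example (not the action's own convert.js) of the same filtering step written so that a missing `rules` or `results` array is treated as empty instead of crashing; dropping results that cite non-SCS rules is this example's addition, and the rule ids, tool name and messages are constructed sample data.

```javascript
'use strict';

const SCS_PREFIX = 'SCS'; // SecurityCodeScan rule ids start with "SCS"

// Keep only SecurityCodeScan rules and the results that cite them, so
// findings from other analyzers (e.g. compiler warnings) are not uploaded
// to Code scanning alerts. Returns a new log; the input is not mutated.
function keepScsRules(sarifLog) {
  const runs = Array.isArray(sarifLog.runs) ? sarifLog.runs : [];
  const filteredRuns = runs.map((run) => {
    const driver = (run.tool && run.tool.driver) || {};
    // Guard: a driver without "rules" is treated as an empty rule table;
    // the action's convert.js (see the traces above) calls .filter on it directly.
    const rules = Array.isArray(driver.rules) ? driver.rules : [];
    const scsRules = rules.filter(
      (r) => typeof r.id === 'string' && r.id.startsWith(SCS_PREFIX),
    );
    const keptIds = new Set(scsRules.map((r) => r.id));
    const results = Array.isArray(run.results) ? run.results : [];
    const scsResults = results.filter((res) => keptIds.has(res.ruleId));
    return {
      ...run,
      tool: { ...run.tool, driver: { ...driver, rules: scsRules } },
      results: scsResults,
    };
  });
  return { ...sarifLog, runs: filteredRuns };
}

// Constructed sample log: the first run has a rules table, the second has
// none, which is the shape that made the action fail in the issues above.
const SAMPLE_LOG = {
  version: '2.1.0',
  runs: [
    {
      tool: { driver: { name: 'sample-analyzer', rules: [
        { id: 'SCS0001', shortDescription: { text: 'constructed SCS rule' } },
        { id: 'CS8600', shortDescription: { text: 'constructed compiler warning' } },
      ] } },
      results: [
        { ruleId: 'SCS0001', message: { text: 'constructed SCS finding' } },
        { ruleId: 'CS8600', message: { text: 'constructed compiler warning' } },
      ],
    },
    { tool: { driver: { name: 'sample-analyzer' } }, results: [] },
  ],
};
```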

"You cannot call a method on a null-valued expression." on "Set up projects for analysis"

I'm getting this error on "Set up projects for analysis":

InvalidOperation: D:\a\_temp\238bcc4a-d7dd-49be-9a75-f51f8f0d60ab.ps1:94
Line |
  94 |    $propertyGroups[0].AppendChild($errorLog)
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.

Error: Process completed with exit code 1.

Repo is this: https://github.com/paulomorgado/Microsoft.Extensions.AspNet

securitycodescan-analysis.yml file:

# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET

name: SecurityCodeScan

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '31 23 * * 6'

jobs:
  SCS:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
      - uses: nuget/[email protected]
      - uses: microsoft/[email protected]

      - name: Set up projects for analysis
        uses: security-code-scan/security-code-scan-add-action@main

      - name: Restore dependencies
        run: dotnet restore

      - name: Build
        run: dotnet build --no-restore

      - name: Convert sarif for uploading to GitHub
        uses: security-code-scan/security-code-scan-results-action@main

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v1

How can I diagnose this?
