chore: Add appversion-summary

fortify · Jun 5, 2024 · d5cd08a · d5cd08a
1 parent a26286f
commit d5cd08a
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 8 deletions.
diff --git a/internal/run-script/action.yml b/internal/run-script/action.yml
@@ -27,13 +27,13 @@ runs:
     - run: echo "_RUN_SCRIPTS_DIR=$(pwd)/scripts" >> $GITHUB_ENV
       shell: bash
       working-directory: ${{ github.action_path }}
+    - run: echo "TEMP_DIR=${RUNNER_TEMP}" >> $GITHUB_ENV
+      shell: bash
     - uses: fortify/github-action/internal/run-script/[email protected]
       with: 
         dir:    ${{ env._RUN_SCRIPTS_DIR }}
         script: ${{ inputs.script }}
         post:   ${{ inputs.post }}
-      env:
-        TEMP_DIR: ${{ env.RUNNER_TEMP }}
 
 branding:
   icon: 'shield'

diff --git a/internal/run-script/scripts/common.sh b/internal/run-script/scripts/common.sh
@@ -1,21 +1,48 @@
 #!/usr/bin/env bash
 if [ -n "$RUNNER_DEBUG" ]; then
   set -v -x
+  echo "Bash version: $BASH_VERSION"
 fi
 
-echo "Bash version: $BASH_VERSION"
+function printOutputFileName {
+  local operation=$1
+  local type=$2
+  mkdir -p "${TEMP_DIR}"
+  printf '%s/output_%s_%s.txt' "${TEMP_DIR}" "${operation}" "${type}"
+}
+
+function printOutput {
+  local operation=$1
+  local type=$2
+  cat $(printOutputFileName "${operation}" "${type}")
+}
 
 declare -a runs
 declare -a runsWithError
 declare -A runResults
 declare -A runCommands
 function run {
   local operation=$1; shift;
+  local cmd=( )
+  for arg in "$@"; do
+    # Expand environment variables that potentially contain multiple arguments.
+    # This is commonly used for *_EXTRA_OPTS environment variables, needed to
+    # properly handle quoted arguments containing whitespace.
+    if [[ "$arg" == "__expand:"* ]]; then
+      local varName=${arg#"__expand:"}
+      if [ ! -z "${!varName}" ]; then
+        readarray -d '' expandedArgs < <(xargs printf '%s\0' <<<"${!varName}")
+        cmd+=("${expandedArgs[@]}")
+      fi
+    else
+      cmd+=("$arg")
+    fi
+  done
   runs+=($operation)
-  runCommands[$operation]="$@"
-  echo RUN $operation: "$@"
-  "$@"
-  local exitCode=$?
+  runCommands[$operation]="${cmd[@]}"
+  echo RUN $operation: "${cmd[@]}"
+  { "${cmd[@]}" 2>&1 1>&3 3>&- | tee $(printOutputFileName "${operation}" "stderr"); } 3>&1 1>&2 | $(printOutputFileName "${operation}" "stdout")
+  local exitCode=${PIPESTATUS[0]}
   runResults[$operation]=$exitCode
   requireRun $operation || runsWithError+=($operation)
 }

diff --git a/internal/run-script/scripts/sc-sast-and-debricked-scan.sh b/internal/run-script/scripts/sc-sast-and-debricked-scan.sh
@@ -11,7 +11,7 @@ requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_TOKEN"
 checkRequirements
 
 if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
-  run "SAST_SCAN" ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS}
+  run "SAST_SCAN" ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan __expand:EXTRA_SC_SAST_SCAN_OPTS
 fi
 if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
   # Debricked may return non-zero exit code on automation rule failures, in which case
@@ -24,5 +24,12 @@ if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
   requireRun "DEBRICKED_IMPORT" && run "DEBRICKED_PUBLISH" ${FCLI_CMD} ssc artifact wait-for ::debricked_scan::
 fi
 
+JOB_SUMMARY_ACTION="${JOB_SUMMARY_ACTION:-appversion-summary}"
+run "APPVERSION_SUMMARY" ${FCLI_CMD} ssc action run "${JOB_SUMMARY_ACTION}" --av "${SSC_APPVERSION}" --progress=none __expand:JOB_SUMMARY_ACTION_EXTRA_OPTS
+printOutput "APPVERSION_SUMMARY" "stdout" >> $GITHUB_STEP_SUMMARY
+# TODO Output info to job summary about completed and (partially) failed scans, indicating that 
+# numbers above for non-listed or (partially) failed/non-published scans may reflect an older
+# scan status
+
 printRunSummary
 failOnError