chore: Improve script error handling

fortify · Jun 4, 2024 · de1108f · de1108f
1 parent bf28950
commit de1108f
Show file tree

Hide file tree

Showing 9 changed files with 107 additions and 38 deletions.
diff --git a/internal/run-script/action.yml b/internal/run-script/action.yml
@@ -12,6 +12,11 @@ inputs:
 runs:
   using: composite
   steps:
+    # Upgrade bash on MacOS
+    - name: Install current Bash on macOS
+      if: runner.os == 'macOS'
+      run: brew install bash
+      shell: bash
     # Define directory where scripts are located. This MUST be a static path which doesn't
     # change during job execution, otherwise post-job scripts will fail. As such, all scripts
     # must be in the same directory; we can't use github.action_path from the calling action.
@@ -24,6 +29,8 @@ runs:
         dir:    ${{ env._RUN_SCRIPTS_DIR }}
         script: ${{ inputs.script }}
         post:   ${{ inputs.post }}
+      env:
+        TEMP_DIR: ${{ env.RUNNER_TEMP }}
 
 branding:
   icon: 'shield'

diff --git a/internal/run-script/scripts/common.sh b/internal/run-script/scripts/common.sh
@@ -2,12 +2,71 @@
 if [ -n "$RUNNER_DEBUG" ]; then
   set -v -x
 fi
-if [ -z "$FCLI_CMD" ]; then
-  echo "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
-  exit 1;
-fi
 
+declare -a runs
+declare -a runsWithError
+declare -A runResults
+declare -A runCommands
 function run {
-  echo RUN: "$@"
-  "$@" 
+  local operation=$1; shift;
+  runs+=($operation)
+  runCommands[$operation]="$@"
+  echo RUN $operation: "$@"
+  "$@"
+  local exitCode=$?
+  runResults[$operation]=$exitCode
+  requireRun $operation || runsWithError+=($operation)
+}
+
+function requireRun {
+  local operation=$1;
+  [[ "${runResults[$operation]}" == "0" ]]
+}
+
+function printRunSummary {
+  echo "Summary:"
+  for value in "${runs[@]}"; do
+    echo -n "  $value: "
+    requireRun $value && echo "SUCCESS" || echo "ERROR"
+  done
+  if [ ! ${#runsWithError[@]} -eq 0 ]; then
+    echo "Failing commands:"
+    for value in "${runsWithError[@]}"; do
+      echo "  $value: ${runCommands[$value]}"
+    done
+  fi
+}
+
+function failOnError {
+  if [ ! ${#runsWithError[@]} -eq 0 ]; then
+    exit 1;
+  fi
 }
+
+declare -a failedRequirements
+function require {
+  local name=$1;
+  local msg=$2;
+  if [ -z "${!name}" ]; then
+    [ ! -z "${msg}" ] || msg="ERROR: ${name} is required"
+    failedRequirements+=("$msg")
+  fi
+}
+
+function requireIf {
+  local ifName=$1;
+  local name=$2;
+  local msg=$3;
+  [ -z "${!ifName}" ] || [ "${!ifName}" == "false" ] || require "$name" "$msg"
+}
+
+function checkRequirements {
+  if [ ! ${#failedRequirements[@]} -eq 0 ]; then
+    for value in "${failedRequirements[@]}"; do
+      echo "$value"
+    done
+    exit 1;
+  fi
+}
+
+require "FCLI_CMD" "ERROR: fortify/github-action/setup must be run to set up fcli before running this action"
diff --git a/internal/run-script/scripts/fod-login.sh b/internal/run-script/scripts/fod-login.sh
@@ -12,6 +12,9 @@ else
   echo "ERROR: Either FOD_CLIENT_ID and FOD_CLIENT_SECRET, or FOD_TENANT, FOD_USER and FOD_PASSWORD environment variables must be set"
   exit 1;
 fi
-run ${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS} \
-  || exit 1
+run "FOD_LOGIN" ${FCLI_CMD} fod session login --url "${FOD_URL}" "${_FOD_AUTH_OPTS[@]}" ${EXTRA_FOD_LOGIN_OPTS}
+
+printRunSummary
+failOnError
+
 echo '_FOD_LOGGED_IN=true' >> $GITHUB_ENV 
diff --git a/internal/run-script/scripts/fod-logout.sh b/internal/run-script/scripts/fod-logout.sh
@@ -3,6 +3,7 @@
 
 if [[ "${_FOD_LOGGED_IN}" == "true" ]]; then
   echo '_FOD_LOGGED_IN=false' >> $GITHUB_ENV
-  run ${FCLI_CMD} fod session logout \
-    || exit 1
+  run "FOD_LOGOUT" ${FCLI_CMD} fod session logout
+  printRunSummary
+  failOnError
 fi
diff --git a/internal/run-script/scripts/sc-sast-and-debricked-scan.sh b/internal/run-script/scripts/sc-sast-and-debricked-scan.sh
@@ -3,31 +3,26 @@
 
 # This script assumes that fcli and Debricked CLI have already been installed,
 # and that any necessary fcli sessions have been created.
-# TODO Check prerequisites like SSC_APPVERSION, DEBRICKED_TOKEN, ...
+
+require "SSC_APPVERSION"
+requireIf "DO_SC_SAST_SCAN" "SC_SAST_SENSOR_VERSION"
+requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_CLI_CMD"
+requireIf "DO_DEBRICKED_SCAN" "DEBRICKED_TOKEN"
+checkRequirements
 
 if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
-  run ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS} \
-    || exit 1
+  run "SAST_SCAN" ${FCLI_CMD} sc-sast scan start --publish-to "${SSC_APPVERSION}" -p package.zip -v "${SC_SAST_SENSOR_VERSION}" --store sc_sast_scan ${EXTRA_SC_SAST_SCAN_OPTS}
 fi
 if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then
   # Debricked may return non-zero exit code on automation rule failures, in which case
-  # we still want to run subsequent steps, hence we temporarily ignore the exit code,
-  run ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action" \
-    || FAIL_ON_EXIT=true
-  run ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan \
-    || exit 1
+  # we still want to run the import, so we don't explicitly check for Debricked scan success.
+  run "DEBRICKED_SCAN" ${DEBRICKED_CLI_CMD} scan -t "${DEBRICKED_TOKEN}" -i "Fortify GitHub Action"
+  run "DEBRICKED_IMPORT" ${FCLI_CMD} ssc artifact import-debricked --av "${SSC_APPVERSION}" --repository "${GITHUB_REPOSITORY}" --branch "${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}" -t "${DEBRICKED_TOKEN}" --store debricked_scan
 fi
 if [ "${DO_WAIT}" == "true" ] || [ "${DO_EXPORT}" == "true" ]; then
-  if [ "${DO_SC_SAST_SCAN}" == "true" ]; then
-    run ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan:: \
-      || exit 1
-  fi
-  if [ "${DO_DEBRICKED_SCAN}" == "true" ]; then 
-    run ${FCLI_CMD} ssc artifact wait-for ::debricked_scan:: \
-      || exit 1
-  fi
-fi
-if [ "${FAIL_ON_EXIT}" == "true" ]; then
-  echo "Earlier failures detected"
-  exit 1
+  requireRun "SAST_SCAN" && run "SAST_PUBLISH" ${FCLI_CMD} sc-sast scan wait-for ::sc_sast_scan::
+  requireRun "DEBRICKED_IMPORT" && run "DEBRICKED_PUBLISH" ${FCLI_CMD} ssc artifact wait-for ::debricked_scan::
 fi
+
+printRunSummary
+failOnError
diff --git a/internal/run-script/scripts/sc-sast-login.sh b/internal/run-script/scripts/sc-sast-login.sh
@@ -10,6 +10,7 @@ fi
 if [ -z "SSC_TOKEN" ]; then
   echo "ERROR: SSC_TOKEN environment variable must be set"; exit 1;
 fi
-run ${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS} \
-  || exit 1
+run "SC_SAST_LOGIN" ${FCLI_CMD} sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS}
+printRunSummary
+failOnError
 echo '_SC_SAST_LOGGED_IN=true' >> $GITHUB_ENV 
diff --git a/internal/run-script/scripts/sc-sast-logout.sh b/internal/run-script/scripts/sc-sast-logout.sh
@@ -3,6 +3,7 @@
 
 if [[ "${_SC_SAST_LOGGED_IN}" == "true" ]]; then
   echo '_SC_SAST_LOGGED_IN=false' >> $GITHUB_ENV
-  run ${FCLI_CMD} sc-sast session logout --no-revoke-token \
-    || exit 1
+  run "SC_SAST_LOGOUT" ${FCLI_CMD} sc-sast session logout --no-revoke-token 
+  printRunSummary
+  failOnError
 fi
diff --git a/internal/run-script/scripts/ssc-login.sh b/internal/run-script/scripts/ssc-login.sh
@@ -11,6 +11,7 @@ elif [ -n "${SSC_USER}" -a -n "${SSC_PASSWORD}" ]; then
 else
   echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
 fi
-run ${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS} \
-  || exit 1
+run "SSC_LOGIN" ${FCLI_CMD} ssc session login --url "${SSC_URL}" "${_SSC_AUTH_OPTS[@]}" ${EXTRA_SSC_LOGIN_OPTS}
+printRunSummary
+failOnError
 echo '_SSC_LOGGED_IN=true' >> $GITHUB_ENV 
diff --git a/internal/run-script/scripts/ssc-logout.sh b/internal/run-script/scripts/ssc-logout.sh
@@ -10,6 +10,7 @@ if [[ "${_SSC_LOGGED_IN}" == "true" ]]; then
   else
     echo "ERROR: Either SSC_TOKEN, or SSC_USER and SSC_PASSWORD environment variables must be set"; exit 1;
   fi
-  run ${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" \
-    || exit 1
+  run "SSC_LOGOUT" ${FCLI_CMD} ssc session logout "${_SSC_LOGOUT_OPTS[@]}" 
+  printRunSummary
+  failOnError
 fi