From 6eaf06d941242e0fa7853eb32b2c04fb35c87e24 Mon Sep 17 00:00:00 2001
From: Keith Zantow
Date: Fri, 3 Jan 2025 13:57:38 -0500
Subject: [PATCH] docs: update docs to v6 remove stale changelog (#422)
Signed-off-by: Keith Zantow
---
 CHANGELOG.md | 41 -----------------------------------------
 README.md | 14 +++++++-------
 dist/index.js | 12 +++++++++---
 index.js | 12 +++++++++---
 package-lock.json | 34 ++++++++++++++++++----------------
 package.json | 4 ++--
 tests/action.test.js | 2 ++
 tests/mocks.js | 10 ++++++----
 8 files changed, 53 insertions(+), 76 deletions(-)
 delete mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
deleted file mode 100644
index 6a5ce1bc..00000000
--- a/CHANGELOG.md
+++ /dev/null
@@ -1,41 +0,0 @@ -# Release Notes - -## Version 2.0.2 - 2020-11-11 - -* Update `actions/core` to use version `1.2.6` [(Issue #71)](https://github.com/anchore/scan-action/issues/71) - -## Version 2.0.1 - 2020-02-11 - -Fixes: - -* Removes unnecessary constraint in deduplication for SARIF reporting -* Allows defining and referencing the location of the SARIF report file -* Fixes multiple instances where undefined items in the reporting would break scanning - - -## Version 2.0.0 - 2020-30-09 - -2.0.0 is a new major version of scan action based on the new [Grype](https://github.com/anchore/grype) tool from Anchore. -It is much faster for scanning compared to v1.x of the action and adds some new capabilities, including directory scanning as well as container image scanning, -and also has more metadata about the vulnerability matches than previous versions for more transparency on the matching process. - -Improvements and Changes: - -* Significantly faster performance for scans -* New vulnerabilities output format is the JSON output from Grype directly -* Adds support for scanning directories as well as Docker containers, so you can do the same checks pre-and post-build of the container. -* Supports Automatic Code Scanning/SARIF for exposing results via your repository's Security tab. -* Updated the default branch from `master` to `main` - -*NOTE: This is a breaking change from v1.x, as indicated by the major version change. We strongly recommend using a @v2 or specific version instead of @main* - -Breaking Changes for v2: - -* Inputs: - * Changed `image-reference` to `image` (required) - * `dockerfile-path` is no longer supported and not necessary for the vulnerability scans - * `custom-policy-path` is no longer supported - * `include-app-packages` is no longer necessary or supported. Application packages are on by default and will receive vulnerability matches. -* Outputs: - * `billofmaterials` is no longer output. 
V2 is focused on vulnerability scanning and another action may be introduced for BoM support with its own options/config. - * `policycheck` is no longer output
diff --git a/README.md b/README.md
index f76df412..001061bb 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ The simplest workflow for scanning a `localbuild/testimage` container: load: true - name: Scan image - uses: anchore/scan-action@v3 + uses: anchore/scan-action@v6 with: image: "localbuild/testimage:latest" ```
@@ -66,7 +66,7 @@ To scan a directory, add the following step: ```yaml - name: Scan current project - uses: anchore/scan-action@v3 + uses: anchore/scan-action@v6 with: path: "." ```
@@ -85,7 +85,7 @@ Use the `sbom` key to scan an SBOM file: output-file: "${{ github.event.repository.name }}-sbom.spdx.json" - name: Scan SBOM - uses: anchore/scan-action@v3 + uses: anchore/scan-action@v6 with: sbom: "${{ github.event.repository.name }}-sbom.spdx.json" ```
@@ -98,7 +98,7 @@ With a different severity level: ```yaml - name: Scan image - uses: anchore/scan-action@v3 + uses: anchore/scan-action@v6 with: image: "localbuild/testimage:latest" fail-build: true
@@ -109,7 +109,7 @@ Optionally, change the `fail-build` field to `false` to avoid failing the build ```yaml - name: Scan image - uses: anchore/scan-action@v3 + uses: anchore/scan-action@v6 with: image: "localbuild/testimage:latest" fail-build: false
@@ -160,7 +160,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Build the container image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - uses: anchore/scan-action@v3 + - uses: anchore/scan-action@v6 with: image: "localbuild/testimage:latest" fail-build: true
@@ -180,7 +180,7 @@ jobs: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Build the Container image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - uses: anchore/scan-action@v3 + - uses: anchore/scan-action@v6 id: scan with: image: "localbuild/testimage:latest"
diff --git a/dist/index.js b/dist/index.js
index b62e07b0..0107fe41 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -189,12 +189,17 @@ async function getDbDir(grypeCommand) { } async function getDbBuildTime(grypeCommand) { - const { stdout, exitCode } = await runCommand( + const { stdout, stderr, exitCode } = await runCommand( grypeCommand, ["db", "status", "-vv"], process.env, ); if (exitCode !== 0) { + core.debug("nonzero exit from grype db status; exitCode: " + exitCode); + core.debug("stdout:"); + core.debug(stdout); + core.debug("stderr:"); + core.debug(stderr); return; } for (let line of stdout.split("\n")) {
@@ -262,6 +267,7 @@ async function updateDbWithCache(grypeCommand) { async function runCommand(cmd, cmdArgs, env) { let stdout = ""; + let stderr = ""; // This /dev/null writable stream is required so the entire Grype output // is not written to the GitHub action log. the listener below
@@ -282,7 +288,7 @@ async function runCommand(cmd, cmdArgs, env) { stdout += buffer.toString(); }, stderr(buffer) { - core.info(buffer.toString()); + stderr += buffer.toString(); }, debug(message) { core.debug(message);
@@ -293,7 +299,7 @@ async function runCommand(cmd, cmdArgs, env) { core.debug(stdout); - return { stdout, exitCode }; + return { stdout, stderr, exitCode }; } async function runScan({
diff --git a/index.js b/index.js
index 1f6d3400..6589ac1e 100644
--- a/index.js
+++ b/index.js
@@ -175,12 +175,17 @@ async function getDbDir(grypeCommand) { } async function getDbBuildTime(grypeCommand) { - const { stdout, exitCode } = await runCommand( + const { stdout, stderr, exitCode } = await runCommand( grypeCommand, ["db", "status", "-vv"], process.env, ); if (exitCode !== 0) { + core.debug("nonzero exit from grype db status; exitCode: " + exitCode); + core.debug("stdout:"); + core.debug(stdout); + core.debug("stderr:"); + core.debug(stderr); return; } for (let line of stdout.split("\n")) {
@@ -248,6 +253,7 @@ async function updateDbWithCache(grypeCommand) { async function runCommand(cmd, cmdArgs, env) { let stdout = ""; + let stderr = ""; // This /dev/null writable stream is required so the entire Grype output // is not written to the GitHub action log. the listener below
@@ -268,7 +274,7 @@ async function runCommand(cmd, cmdArgs, env) { stdout += buffer.toString(); }, stderr(buffer) { - core.info(buffer.toString()); + stderr += buffer.toString(); }, debug(message) { core.debug(message);
@@ -279,7 +285,7 @@ async function runCommand(cmd, cmdArgs, env) { core.debug(stdout); - return { stdout, exitCode }; + return { stdout, stderr, exitCode }; } async function runScan({
diff --git a/package-lock.json b/package-lock.json
index 9b45bb71..cd9403bb 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,7 +10,7 @@ "license": "MIT", "dependencies": { "@actions/cache": "^4.0.0", - "@actions/core": "^1.11.0", + "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/tool-cache": "^2.0.1", "lodash": "^4.17.21"
@@ -22,7 +22,7 @@ "eslint": "^9.17.0", "husky": "^9.1.7", "jest": "^29.7.0", - "lint-staged": "^15.2.11", + "lint-staged": "^15.3.0", "prettier": "^3.4.2", "tar": "^7.4.3", "tslib": "^2.8.1"
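Review bot: The new failure branch in getDbBuildTime reports a nonzero exit from `grype db status` only through core.debug, which GitHub hides unless ACTIONS_STEP_DEBUG is enabled, so an unreadable or broken vulnerability database goes unnoticed in a normal run while the function silently returns undefined. This check feeds the DB cache handling (the caller is outside the hunk, so how undefined is treated there is not visible), and a scanner that quietly proceeds after its DB status check fails is the fail-open case a reviewer should worry about. Keep stdout at debug level but make the headline visible by default: `core.warning("nonzero exit from grype db status; exitCode: " + exitCode + "; stderr: " + stderr);`. getDbBuildTime's body continues past the end of the hunk.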
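Review bot: runCommand now captures grype's stderr but only returns it: the `core.debug(stdout);` before the return has no stderr counterpart, and the core.info that previously echoed stderr to the step log was removed in the earlier hunk. For any caller that does not read the new `stderr` field (only getDbBuildTime visibly does; runScan opens at the end of this hunk and its handling is out of view), grype's warnings and error text now vanish from the log even when exitCode is nonzero, which makes a failed scan harder to diagnose. Add `core.debug("stderr:"); core.debug(stderr);` beside the existing stdout debug line, and consider `if (exitCode !== 0) core.warning(stderr);` so a failing scanner invocation stays visible without step debugging. The hunk closes runCommand and opens runScan, whose body lies outside the hunk.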
@@ -4520,12 +4520,13 @@ "dev": true }, "node_modules/lint-staged": { - "version": "15.2.11", - "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.2.11.tgz", - "integrity": "sha512-Ev6ivCTYRTGs9ychvpVw35m/bcNDuBN+mnTeObCL5h+boS5WzBEC6LHI4I9F/++sZm1m+J2LEiy0gxL/R9TBqQ==", + "version": "15.3.0", + "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.3.0.tgz", + "integrity": "sha512-vHFahytLoF2enJklgtOtCtIjZrKD/LoxlaUusd5nh7dWv/dkKQJY74ndFSzxCdv7g0ueGg1ORgTSt4Y9LPZn9A==", "dev": true, + "license": "MIT", "dependencies": { - "chalk": "~5.3.0", + "chalk": "~5.4.1", "commander": "~12.1.0", "debug": "~4.4.0", "execa": "~8.0.1", @@ -4547,10 +4548,11 @@ } }, "node_modules/lint-staged/node_modules/chalk": { - "version": "5.3.0", - "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz", - "integrity": "sha512-dLitG79d+GV1Nb/VYcCDFivJeK1hiukt9QjRNVOsUtTy1rR1YJsmpGGTZ3qJos+uw7WmWF4wUwBd9jxjocFC2w==", + "version": "5.4.1", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.4.1.tgz", + "integrity": "sha512-zgVZuo2WcZgfUEmsn6eO3kINexW8RAE4maiQ8QNs8CtpPCSyMiYsULR3HQYkm3w8FIA3SberyMJMSldGsW+U3w==", "dev": true, + "license": "MIT", "engines": { "node": "^12.17.0 || ^14.13 || >=16.0.0" }, @@ -9808,12 +9810,12 @@ "dev": true }, "lint-staged": { - "version": "15.2.11", - "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.2.11.tgz", - "integrity": "sha512-Ev6ivCTYRTGs9ychvpVw35m/bcNDuBN+mnTeObCL5h+boS5WzBEC6LHI4I9F/++sZm1m+J2LEiy0gxL/R9TBqQ==", + "version": "15.3.0", + "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-15.3.0.tgz", + "integrity": "sha512-vHFahytLoF2enJklgtOtCtIjZrKD/LoxlaUusd5nh7dWv/dkKQJY74ndFSzxCdv7g0ueGg1ORgTSt4Y9LPZn9A==", "dev": true, "requires": { - "chalk": "~5.3.0", + "chalk": "~5.4.1", "commander": "~12.1.0", "debug": "~4.4.0", "execa": "~8.0.1", 
@@ -9826,9 +9828,9 @@ }, "dependencies": { "chalk": { - "version": "5.3.0", - "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz", - "integrity": "sha512-dLitG79d+GV1Nb/VYcCDFivJeK1hiukt9QjRNVOsUtTy1rR1YJsmpGGTZ3qJos+uw7WmWF4wUwBd9jxjocFC2w==", + "version": "5.4.1", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.4.1.tgz", + "integrity": "sha512-zgVZuo2WcZgfUEmsn6eO3kINexW8RAE4maiQ8QNs8CtpPCSyMiYsULR3HQYkm3w8FIA3SberyMJMSldGsW+U3w==", "dev": true }, "commander": {
diff --git a/package.json b/package.json
index 63728153..fb17ef3f 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,7 @@ "homepage": "https://github.com/anchore/anchore-scan-action#readme", "dependencies": { "@actions/cache": "^4.0.0", - "@actions/core": "^1.11.0", + "@actions/core": "^1.11.1", "@actions/exec": "^1.1.1", "@actions/tool-cache": "^2.0.1", "lodash": "^4.17.21"
@@ -47,7 +47,7 @@ "eslint": "^9.17.0", "husky": "^9.1.7", "jest": "^29.7.0", - "lint-staged": "^15.2.11", + "lint-staged": "^15.3.0", "prettier": "^3.4.2", "tar": "^7.4.3", "tslib": "^2.8.1"
diff --git a/tests/action.test.js b/tests/action.test.js
index 2bfa97a5..8384f762 100644
--- a/tests/action.test.js
+++ b/tests/action.test.js
@@ -33,6 +33,8 @@ describe("Github action", () => { requestedInputs[name] = true; return expectedInputs[name]; }, + // ignore setFailed calls that set process.exitCode due to https://github.com/jestjs/jest/issues/14501 + setFailed() {}, }); await run();
diff --git a/tests/mocks.js b/tests/mocks.js
index 21ac04c2..9e7b002b 100644
--- a/tests/mocks.js
+++ b/tests/mocks.js
@@ -1,4 +1,4 @@ -const core = require("@actions/core"); +const githubActionsCore = require("@actions/core"); const fs = require("fs"); const path = require("path"); const os = require("os");
@@ -28,13 +28,15 @@ module.exports = { mockIO(inputs) { const outputs = {}; - module.exports.mock(core, { + module.exports.mock(githubActionsCore, { getInput(name) { return inputs[name]; }, setOutput(name, value) { outputs[name] = value; }, + // ignore setFailed calls that set process.exitCode due to https://github.com/jestjs/jest/issues/14501 + setFailed() {}, }); return outputs; },
@@ -62,7 +64,7 @@ module.exports = { const dir = fs.mkdtempSync(path.join(os.tmpdir(), "scan-action-test-")); module.exports.onCleanup(() => { if (fs.existsSync(dir)) { - fs.rmdirSync(dir, { recursive: true }); + fs.rmSync(dir, { recursive: true }); } }); return dir;
@@ -88,7 +90,7 @@ module.exports = { GRYPE_DB_CACHE_DIR: path.join(path.dirname(__dirname), "grype-db"), }); - module.exports.mock(core, { + module.exports.mock(githubActionsCore, { error: append, info: append, debug: append,
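Review bot: The `setFailed() {}` stub added to mockIO discards the only signal by which the action reports a failed scan, so a test driving a fail-build path cannot tell whether core.setFailed was called; an action that stopped flagging vulnerabilities would still pass as long as its outputs looked right. The linked jest issue is about the process.exitCode side effect, which can be avoided by recording the call rather than dropping it: `setFailed(message) { outputs.__setFailed = message; }`, under a key that cannot collide with an action output, so a test can assert `outputs.__setFailed` is undefined or carries the expected message (and reset `process.exitCode` in an onCleanup handler if needed). Whether existing callers of mockIO already assert on failure some other way is not visible from this hunk.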
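Review bot: The existsSync guard around the new `fs.rmSync(dir, { recursive: true });` in this cleanup handler is a check-then-act that still throws if the directory vanishes between the two calls, and it is unnecessary now that rmSync is used: `fs.rmSync(dir, { recursive: true, force: true });` makes the removal idempotent and lets the surrounding `if` go. Minor, since the directory comes from mkdtempSync and is private to the test, but it keeps a flaky cleanup from masking the real test result.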