SCP-65 SBOM Ingestion

scanoss · Jan 25, 2024 · 3834797 · 3834797
1 parent 9771699
commit 3834797
Show file tree

Hide file tree

Showing 5 changed files with 127 additions and 18 deletions.
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
@@ -9,15 +9,12 @@ on:
 permissions:
   contents: read
   pull-requests: write
-  checks: write 
+  checks: write
 
 jobs:
   test-action:
     name: GitHub Actions Test
-    strategy:
-      matrix:
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
@@ -28,6 +25,7 @@ jobs:
         id: test-action
         uses: ./
         with:
+#          sbom-ignore: 'scanoss-ignore.json'
            github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Print output command

diff --git a/action.yml b/action.yml
@@ -14,6 +14,21 @@ inputs:
     required: true
   scanner-parameters:  
     description: 'Parameters to run a scan'
+  output-path:
+    description: 'Output result file name'
+    required: false
+    default: 'result.json'
+  sbom-identify:
+    description: 'Scan and identify components in SBOM file'
+    required: false
+  sbom-ignore:
+    description: 'Ignore components specified in the SBOM file'
+    required: false
+  api-key:
+    description: 'SCANOSS API Key token (optional - not required for default OSSKB URL)'
+    required: false
+  api-url:
+    description: 'SCANOSS API URL (optional - default: https://osskb.org/api/scan/direct)'
     required: false
 
 # Define your outputs here.

diff --git a/dist/index.js b/dist/index.js
diff --git a/src/input.ts b/src/input.ts
@@ -0,0 +1,37 @@
+import * as core from '@actions/core';
+
+export interface ActionParameters {
+  repoDir: string;
+  outputPath: string;
+  sbomIdentify: string;
+  sbomIgnore: string;
+  apiKey: string;
+  apiUrl: string;
+}
+
+export function readInputs(): ActionParameters {
+  return {
+    repoDir: process.env.GITHUB_WORKSPACE as string,
+    outputPath: core.getInput('output-path'),
+    sbomIdentify: core.getInput('sbom-identify'),
+    sbomIgnore: core.getInput('sbom-ignore'),
+    apiKey: core.getInput('api-key'),
+    apiUrl: core.getInput('api-url')
+  };
+}
+
+export function commandBuilder(): string {
+  const ap = readInputs();
+  console.log(ap);
+  // prettier-ignore
+  const command =
+          `docker run -v "${ap.repoDir}":"/scanoss" ghcr.io/scanoss/scanoss-py:v1.9.0 scan . ` +
+                `--output ${ap.outputPath} ` +
+                (ap.sbomIdentify ? `--identify ${ap.sbomIdentify} ` : '') +
+                (ap.sbomIgnore ? `--ignore ${ap.sbomIgnore} ` : '')  +
+                (ap.apiUrl  ? `--apiurl ${ap.apiUrl} ` : '') +
+                (ap.apiKey  ? `--key ${ap.apiKey} ` : '')
+
+  console.log(command);
+  return command;
+}
diff --git a/src/main.ts b/src/main.ts
@@ -1,9 +1,10 @@
-import * as core from '@actions/core';
-import * as exec from '@actions/exec';
 import { getLicenses, readResult } from './services/result.service';
 import { createCommentOnPR, isPullRequest } from './utils/github.utils';
 import { CopyleftPolicyCheck } from './policies/copyleft-policy-check';
 import { getLicensesReport } from './services/report.service';
+import * as core from '@actions/core';
+import * as exec from '@actions/exec';
+import { commandBuilder, readInputs } from './input';
 
 /**
  * The main function for the action.
@@ -22,12 +23,9 @@ export async function run(): Promise<void> {
     policies.forEach(async policy => policy.start());
 
     // run scan
-    const { stdout, stderr } = await exec.getExecOutput(
-      `docker run -v "${repoDir}":"/scanoss" ghcr.io/scanoss/scanoss-py:v1.9.0 scan . --output ${outputPath}`,
-      []
-    );
+    const { stdout, stderr } = await exec.getExecOutput(commandBuilder(), []);
 
-    const scannerResults = await readResult(outputPath);
+    const scannerResults = await readResult(readInputs().outputPath);
 
     // run policies // TODO: define run action for each policy
     policies.forEach(async policy => await policy.run(scannerResults));
@@ -40,8 +38,8 @@ export async function run(): Promise<void> {
     }
 
     // set outputs for other workflow steps to use
+    core.setOutput('result-filepath', readInputs().outputPath);
     core.setOutput('output-command', stdout);
-    core.setOutput('result-filepath', outputPath);
   } catch (error) {
     // fail the workflow run if an error occurs
     if (error instanceof Error) core.setFailed(error.message);