opentaint/github/action.yml at main · seqra/opentaint · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
name: "OpenTaint security code analysis"
description: "Security-focused static analyzer for Java and Kotlin"

branding:
  icon: "target"
  color: "purple"

inputs:
  project-root:
    description: 'Relative path under $GITHUB_WORKSPACE to the root of the analyzed project'
    default: '.'
  upload-sarif:
    description: 'Should opentaint-action upload sarif to GitHub Code Security'
    default: 'false'
  opentaint-version:
    description: 'OpenTaint version selector: latest, v<major>, v<major>.<minor>, or exact v<major>.<minor>.<patch>'
    default: 'v0'
  rules-path:
    description: 'Paths to rules directories (comma-separated)'
    default: 'builtin'
  token:
    description: 'Token for resolving versions and downloading assets from private repositories'
    required: false
    default: ""
  artifact-name:
    description: 'Name of uploaded artifact'
    default: 'opentaint.sarif'
  upload-artifact:
    description: 'Should opentaint-action upload sarif artifact'
    default: 'true'
  debug:
    description: 'Enable debug output. Set to "true" for verbose logs.'
    default: 'false'
  timeout:
    description: 'Scan timeout'
    default: '15m'
  severity:
    description: 'Severity levels to report (comma-separated). Valid values: note, warning, error'
    default: 'warning,error'
  java-version:
    description: 'Java version for compilation (e.g., 8, 11, 17, 21, 25)'
    default: ''

runs:
  using: 'composite'
  steps:
    - name: Set globals
      id: globals
      shell: bash
      run: |
        set -euo pipefail

        UUID=$(printf '%s' "${{ inputs.artifact-name }}" | sha1sum | awk '{print $1}')
        OPENTAINT_ARTIFACTS=opentaint-artifacts/$UUID
        OPENTAINT_REPOSITORY="seqra/opentaint"
        echo "OPENTAINT_ARTIFACTS=$OPENTAINT_ARTIFACTS" >> "${GITHUB_OUTPUT}"
        echo "OPENTAINT_REPOSITORY=$OPENTAINT_REPOSITORY" >> "${GITHUB_OUTPUT}"
        echo "OPENTAINT_INSTALL_DIR=$GITHUB_WORKSPACE/$OPENTAINT_ARTIFACTS" >> "${GITHUB_OUTPUT}"
        echo "OPENTAINT_BIN=$GITHUB_WORKSPACE/$OPENTAINT_ARTIFACTS/opentaint" >> "${GITHUB_OUTPUT}"
        echo "OPENTAINT_PROJECT=$RUNNER_TEMP/$OPENTAINT_ARTIFACTS/project" >> "${GITHUB_OUTPUT}"
        echo "OPENTAINT_SARIF=$RUNNER_TEMP/$OPENTAINT_ARTIFACTS/opentaint.sarif" >> "${GITHUB_OUTPUT}"

    - name: Resolve OpenTaint version
      id: resolve-version
      shell: bash
      run: |
        set -euo pipefail

        ACTION_PATH=${{ github.action_path }}
        if [[ ! -d "$ACTION_PATH" ]]; then
          ACTION_PATH="$GITHUB_WORKSPACE"
        fi

        RESOLVER_PATH="$ACTION_PATH/../scripts/resolve_opentaint_version.py"
        if [[ ! -f "$RESOLVER_PATH" ]]; then
          RESOLVER_PATH="$GITHUB_WORKSPACE/scripts/resolve_opentaint_version.py"
        fi

        OPENTAINT_VERSION=$(python3 "$RESOLVER_PATH" \
          --selector "${{ inputs.opentaint-version }}" \
          --repository "${{ steps.globals.outputs.OPENTAINT_REPOSITORY }}" \
          --token "${{ inputs.token || github.token }}")

        echo "OPENTAINT_VERSION=$OPENTAINT_VERSION" >> "${GITHUB_OUTPUT}"

    - name: Install OpenTaint
      shell: bash
      run: |
        set -euo pipefail

        curl -fsSL "https://raw.githubusercontent.com/${{ steps.globals.outputs.OPENTAINT_REPOSITORY }}/main/scripts/install/install.sh" | \
          OPENTAINT_INSTALL_DIR="${{ steps.globals.outputs.OPENTAINT_INSTALL_DIR }}" \
          OPENTAINT_REPOSITORY="${{ steps.globals.outputs.OPENTAINT_REPOSITORY }}" \
          OPENTAINT_DOWNLOAD_BASE_URL="https://github.com/${{ steps.globals.outputs.OPENTAINT_REPOSITORY }}/releases/download/${{ steps.resolve-version.outputs.OPENTAINT_VERSION }}" \
          bash

    - name: Compile project
      shell: bash
      run: |
           set -euo pipefail

           TOKEN_ARGS=(--github-token "${{ inputs.token || github.token }}")

            COMPILE_ARGS=()
           if [ -n "${{ inputs.java-version }}" ]; then
             COMPILE_ARGS+=(--java-version "${{ inputs.java-version }}")
           fi

           DEBUG_ARGS=()
           if [ "${{ inputs.debug }}" = "true" ]; then
             DEBUG_ARGS+=(--debug)
           fi

            "${{ steps.globals.outputs.OPENTAINT_BIN }}" --quiet "${TOKEN_ARGS[@]}" compile \
              "${DEBUG_ARGS[@]}" \
              "${COMPILE_ARGS[@]}" \
              --output "${{ steps.globals.outputs.OPENTAINT_PROJECT }}" "${{ inputs.project-root }}"

    - name: Run analysis
      shell: bash
      run: |
           set -euo pipefail

           trim() {
             local value="$1"
             value="${value#"${value%%[![:space:]]*}"}"
             value="${value%"${value##*[![:space:]]}"}"
             printf '%s' "$value"
           }

           append_csv_args() {
             local flag="$1"
             local csv_value="$2"

             local values
             IFS=',' read -r -a values <<< "$csv_value"
             for value in "${values[@]}"; do
               local value_trimmed
               value_trimmed="$(trim "$value")"
               if [ -n "$value_trimmed" ]; then
                 CMD+=("--$flag" "$value_trimmed")
               fi
             done
           }

           TOKEN_ARGS=(--github-token "${{ inputs.token || github.token }}")

            CMD=("${{ steps.globals.outputs.OPENTAINT_BIN }}" --quiet "${TOKEN_ARGS[@]}" scan)

           if [ -n "${{ inputs.java-version }}" ]; then
             CMD+=(--java-version "${{ inputs.java-version }}")
           fi

           append_csv_args "ruleset" "${{ inputs.rules-path }}"

           CMD+=(--timeout "${{ inputs.timeout }}")
           if [ "${{ inputs.debug }}" = "true" ]; then
             CMD+=(--debug)
           fi

           append_csv_args "severity" "${{ inputs.severity }}"

            CMD+=(--output "${{ steps.globals.outputs.OPENTAINT_SARIF }}" --project-model "${{ steps.globals.outputs.OPENTAINT_PROJECT }}")

           "${CMD[@]}"

    - name: Upload sarif artifact
      if: ${{ inputs.upload-artifact == 'true' }}
      uses: actions/upload-artifact@v4
      with:
        name: ${{ inputs.artifact-name }}
        path: ${{ steps.globals.outputs.OPENTAINT_SARIF }}

    - name: Upload sarif to github code security
      if: ${{ inputs.upload-sarif == 'true' }}
      uses: github/codeql-action/upload-sarif@v4
      with:
        sarif_file: ${{ steps.globals.outputs.OPENTAINT_SARIF }}