diff --git a/.release.yml b/.release.yml index f7cdd27..8ecba18 100644 --- a/.release.yml +++ b/.release.yml @@ -1,6 +1,6 @@ name: "codeql-extractor-action" repository: "advanced-security/codeql-extractor-action" -version: 0.1.3 +version: 0.1.4 ecosystems: - Docs diff --git a/Cargo.lock b/Cargo.lock index 48656d9..a17a860 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -241,7 +241,7 @@ dependencies = [ [[package]] name = "codeql-extractor-action" -version = "0.1.3" +version = "0.1.4" dependencies = [ "anyhow", "dotenvy", diff --git a/Cargo.toml b/Cargo.toml index 6573d8e..02b2b0e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "codeql-extractor-action" description = "GitHub Action for CodeQL Extractors" -version = "0.1.3" +version = "0.1.4" authors = ["GeekMasher"] license = "MIT" diff --git a/README.md b/README.md index d1ebe42..e98ef4f 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ This action is designed to be used in conjunction with the [CodeQL][CodeQL] anal ```yml - name: "CodeQL Extractor Action" - uses: advanced-security/codeql-extractor-action@v0.1.3 + uses: advanced-security/codeql-extractor-action@v0.1.4 with: # Repository reference (e.g. "owner/repo", "owner/repo@ref") extractor: "advanced-security/codeql-extractor-iac" diff --git a/action.Dockerfile b/action.Dockerfile index 69d0735..a4b0803 100644 --- a/action.Dockerfile +++ b/action.Dockerfile @@ -1,3 +1,3 @@ -FROM ghcr.io/advanced-security/codeql-extractor-action:v0.1.3 +FROM ghcr.io/advanced-security/codeql-extractor-action:v0.1.4 ENTRYPOINT [ "codeql-extractor-action" ] diff --git a/src/action.rs b/src/action.rs index b84a180..5ac5fef 100644 --- a/src/action.rs +++ b/src/action.rs 
@@ -105,10 +105,15 @@ pub struct Action { impl Action { /// Returns the GitHub Token for the action pub fn get_token(&self) -> String { - if self.token.is_empty() { - std::env::var("GITHUB_TOKEN").unwrap_or_default() - } else { + if !self.token.is_empty() { + log::debug!("Using provided token"); self.token.clone() + } else if let Ok(gh_token) = std::env::var("GITHUB_TOKEN") { + log::debug!("No token provided, using GITHUB_TOKEN environment variable"); + gh_token + } else { + log::debug!("No token provided, and GITHUB_TOKEN environment variable not set"); + String::new() } } @@ -205,12 +210,6 @@ impl Action { fn get_codeql_directories(&self) -> Vec { let mut paths = Vec::new(); - // GITHUB_WORKSPACE - if let Ok(github_workspace) = std::env::var("GITHUB_WORKSPACE") { - log::debug!("GITHUB_WORKSPACE found: {}", github_workspace); - paths.push(PathBuf::from(github_workspace).join(".codeql")); - } - // Local CodeQL directory in the working directory if let Ok(working_dir) = self.working_directory() { if let Ok(local_codeql) = working_dir.join(".codeql").canonicalize() { @@ -219,6 +218,12 @@ impl Action { } } + // GITHUB_WORKSPACE + if let Ok(github_workspace) = std::env::var("GITHUB_WORKSPACE") { + log::debug!("GITHUB_WORKSPACE found: {}", github_workspace); + paths.push(PathBuf::from(github_workspace).join(".codeql")); + } + // Runner temp directory if let Ok(runner_temp) = std::env::var("RUNNER_TEMP") { log::debug!("RUNNER_TEMP found: {}", runner_temp); diff --git a/src/codeql.rs b/src/codeql.rs index 1dba2db..45a8060 100644 --- a/src/codeql.rs +++ b/src/codeql.rs 
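Review bot: The new `else if let Ok(gh_token) = std::env::var("GITHUB_TOKEN")` branch treats a `GITHUB_TOKEN` that is set but empty as a usable token, so the debug line claims the environment variable is being used while the caller receives `""` and falls into its own no-token path. Normalising the branch to `} else if let Some(gh_token) = std::env::var("GITHUB_TOKEN").ok().filter(|t| !t.is_empty()) {` keeps the three branches and their log messages honest; the final `else` then also covers a non-UTF-8 value (which `Err` already includes), so its message could say "unset or unusable" rather than "not set". The debug messages correctly never print the token value itself. The rest of `impl Action` lies outside this hunk.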
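Review bot: The re-added GITHUB_WORKSPACE block pushes `PathBuf::from(github_workspace).join(".codeql")` unconditionally, whereas the working-directory block just above it only queues its path after a successful `canonicalize()`, so a missing or symlinked workspace directory is enqueued without the same check. Mirroring the preceding block with `if let Ok(workspace_codeql) = PathBuf::from(github_workspace).join(".codeql").canonicalize() { paths.push(workspace_codeql); }` makes the two entries consistent and, when the working directory is the workspace (likely the default, but not visible here), avoids listing the same directory twice. Both of those `.codeql` directories sit inside the checked-out repository and now precede RUNNER_TEMP, so a comment stating that repository-provided CodeQL content deliberately takes priority over the runner's own directory would help whoever consumes this list. `get_codeql_directories` continues past the end of the hunk.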
@@ -26,7 +26,7 @@ pub async fn codeql_download(action: &Action) -> Result { // Try to install with authentication first (if token is available) if !token.is_empty() { - let octocrab_auth = action.octocrab_with_token(token)?; + let octocrab_auth = action.octocrab_with_token(&token)?; if let Ok(_) = codeql.install(&octocrab_auth, codeql_version).await { log::info!("CodeQL installed using authentication"); return Ok(codeql); @@ -35,6 +35,8 @@ pub async fn codeql_download(action: &Action) -> Result { "Failed to install CodeQL with authentication, trying without authentication..." ); } + } else { + log::debug!("No token provided, skipping authenticated installation attempt"); } // Try to install without authentication @@ -47,15 +49,17 @@ pub async fn codeql_download(action: &Action) -> Result { log::info!("Attempting to install CodeQL using GitHub CLI..."); } - let location = gh_codeql_download(codeql_version) - .await - .context("Failed to download CodeQL using GitHub CLI")?; - // Reinitialize CodeQL with the new path - codeql = CodeQL::init() - .path(location) - .build() - .await - .context("Failed to create CodeQL instance after GitHub CLI installation")?; + if !token.is_empty() { + let location = gh_codeql_download(codeql_version, &token) + .await + .context("Failed to download CodeQL using GitHub CLI")?; + // Reinitialize CodeQL with the new path + codeql = CodeQL::init() + .path(location) + .build() + .await + .context("Failed to create CodeQL instance after GitHub CLI installation")?; + } log::info!("CodeQL installed"); } else { 
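Review bot: Wrapping the GitHub CLI fallback in `if !token.is_empty()` leaves the no-token case with no installation performed at all, yet the unconditional `log::info!("CodeQL installed")` that follows still reports success and, as far as this hunk shows, the function goes on with the `codeql` instance whose earlier install attempts failed. Add an `else` so the failure is explicit: `} else { anyhow::bail!("CodeQL could not be installed: no GitHub token is available for the GitHub CLI fallback"); }` — or, if relying on the runner's own `gh` login is the intended behaviour, call `gh_codeql_download` without setting `GH_TOKEN` instead of skipping it entirely. The surrounding branch condition and the start and end of `codeql_download` are outside the hunk, so that this path is reached only after the unauthenticated install failed is inferred from the context lines.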
@@ -78,15 +82,13 @@ pub async fn codeql_download(action: &Action) -> Result { /// /// # Returns /// * `Result` - Path to the installed CodeQL binary or an error -async fn gh_codeql_download(codeql_version: &str) -> Result { +async fn gh_codeql_download(codeql_version: &str, token: &String) -> Result { log::info!("Downloading CodeQL Extension for GitHub CLI..."); log::debug!("Running command: gh extensions install github/gh-codeql"); + let status = tokio::process::Command::new("gh") .args(&["extensions", "install", "github/gh-codeql"]) - .env( - "GH_TOKEN", - std::env::var("GITHUB_TOKEN").unwrap_or_default(), - ) + .env("GH_TOKEN", &token) .status() .await .context("Failed to execute `gh extensions install github/gh-codeql` command")?; @@ -107,10 +109,7 @@ async fn gh_codeql_download(codeql_version: &str) -> Result { log::debug!("Running command: gh codeql set-version {codeql_version}"); let status = tokio::process::Command::new("gh") .args(&["codeql", "set-version", codeql_version]) - .env( - "GH_TOKEN", - std::env::var("GITHUB_TOKEN").unwrap_or_default(), - ) + .env("GH_TOKEN", &token) .status() .await .context("Failed to execute `gh codeql set-version` command")?; @@ -131,10 +130,7 @@ async fn gh_codeql_download(codeql_version: &str) -> Result { log::debug!("Running command: gh codeql install-stub"); let status = tokio::process::Command::new("gh") .args(&["codeql", "install-stub"]) - .env( - "GH_TOKEN", - std::env::var("GITHUB_TOKEN").unwrap_or_default(), - ) + .env("GH_TOKEN", &token) .status() .await .context("Failed to execute `gh codeql install-stub` command")?; diff --git a/src/main.rs b/src/main.rs index 04d2bba..fcc2e9c 100644 --- a/src/main.rs +++ b/src/main.rs 
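Review bot: The new signature `token: &String` should be `token: &str` (clippy `ptr_arg`); the existing `&token` at the call site still coerces, and the three `.env("GH_TOKEN", &token)` calls in this and the following two hunks can drop the extra borrow to `.env("GH_TOKEN", token)`, since `&token` is now a `&&String`. Passing the token through the child's environment rather than on the command line is the right choice, as it keeps the secret out of process listings and shell history. Separately, the context line `gh extensions install github/gh-codeql` installs whatever the latest release of the extension is on every run; if reproducibility of this fallback matters to the project, `gh extension install --pin <tag>` is available. `gh_codeql_download` continues beyond this hunk.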
@@ -165,10 +165,10 @@ async fn main() -> Result<()> { log::info!("CodeQL :: {codeql:#?}"); - groupend!(); - std::fs::create_dir_all(&sarif_output).context("Failed to create results directory")?; + groupend!(); + for (extractor, reporef) in extractors { // The language is the name of the extractor let language = extractor.name.to_string(); @@ -248,7 +248,7 @@ async fn main() -> Result<()> { match codeql .database(&database) .queries(queries) - .output(sarif_path.clone()) + .sarif(sarif_path.clone()) .analyze() .await {
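Review bot: Moving `groupend!()` below `std::fs::create_dir_all(&sarif_output)...?` means that when directory creation fails the `?` returns before the group is closed, leaving the log group open around the error output. Capture the result first so the group always closes: `let created = std::fs::create_dir_all(&sarif_output); groupend!(); created.context("Failed to create results directory")?;`. `main` extends well beyond both hunks.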