Update readme and simplify jq usage

jmservera · Oct 20, 2022 · 87124df · 87124df
1 parent 850705f
commit 87124df
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -2,29 +2,92 @@
 
 Run [SpotBugs](https://spotbugs.readthedocs.io/en/latest/) as a Github action.
 
+## Inputs
+
+### outputType
+
+Output type for the report. It can be 'xml', 'html', 'sarif', 'emacs'
+or 'xdocs'. Default value is 'sarif' as it is the used by GitHub Advanced
+Security.
+
+> default: 'sarif' <br/>
+> required: true
+
+### packages
+
+Comma separated list of packages to scan. It will fill the 
+-onlyAnalyze parameter in spotbugs. It can contain the wildcards '\*' and
+'-': com.example.\* for single package or com.example.- for all
+subpackages.
+
+> If not specified, it will scan all packages.
+
+See more at https://spotbugs.readthedocs.io/en/stable/running.html#text-ui-options
+
+### arguments
+
+A string with any additional command arguments to be sent to [spotbugs](https://spotbugs.readthedocs.io/en/stable/running.html#text-ui-options)
+
+### output
+
+The output filename. If not specified, it will use the default name 'results.[EXTENSION]'
+
+### target
+
+It can be a file or a directory, it is usually the ./target folder where you compiled your project.      
+
+### dependenciesPath
+
+Path to the dependencies folder. For example, for Maven it is usually stored
+in the `~/.m2`  folder.
+
+### basePath
+
+The basePath is used as a prefix in the sarif file to help GitHub find the
+right file of the issue. It is tipically something like 'src/main/java'.
+
+## Example usage
+
+This workflow would analyze a Java application that builds a set of
+packages under the com.example package name and outputs the results in
+sarif format to upload it to the GitHub Security tab:
+
 ```yaml
 name: SpotBugs
 
 on: [push, pull_request]
 
 jobs:
-  spotbugs-analyze:
+  spotbugs-analyze:   
     name: Analyze
     runs-on: ubuntu-latest
-    steps:
+    steps:      
+
+      # checkout and build the project
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v3
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+      - name: Build with Maven
+        run: mvn clean package -B -Dmaven.test.skip 
 
-      - name: Run SpotBugs
-        uses: spotbugs/spotbugs-github-action@v1
+      # Run SpotBugs and upload the SARIF file
+      - name: Run SpotBugs action
+        if: always()
+        uses: abirismyname/spotbugs-github-action@v2
         with:
-          arguments: '-sarif'
-          target: './HelloWorld.jar'
-          output: 'results.sarif'
-          spotbugs-version: 'latest'
+          packages: com.example.-
+          target: ./target
+          dependenciesPath: ~/.m2
+          basePath: src/main/java         
 
       - name: Upload analysis results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: ${{github.workspace}}/results.sarif
 ```
diff --git a/analyze.sh b/analyze.sh
@@ -101,7 +101,6 @@ eval ${CMD}
 if [ "$OUTPUT_TYPE" == "sarif" ] && [ "$BASE_PATH" != "" ]; then
     # prepend the pyhsical path
     echo "Transform sarif file to include the physical path"
-    cat resultspre.sarif | jq -c "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) |=\"$BASE_PATH\"+." > resultspre2.sarif
-    cat resultspre2.sarif | jq -c '(.runs[].invocations[].executionSuccessful)=true' > results.sarif
+    jq -c "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) |=\"$BASE_PATH\"+." resultspre.sarif > "$OUTPUT"
 fi