diff --git a/README.md b/README.md index 9f4d82c..50906c1 100644 --- a/README.md +++ b/README.md @@ -2,29 +2,92 @@ Run [SpotBugs](https://spotbugs.readthedocs.io/en/latest/) as a Github action. +## Inputs + +### outputType + +Output type for the report. It can be 'xml', 'html', 'sarif', 'emacs' +or 'xdocs'. Default value is 'sarif' as it is the used by GitHub Advanced +Security. + +> default: 'sarif'
+> required: true + +### packages + +Comma separated list of packages to scan. It will fill the +-onlyAnalyze parameter in spotbugs. It can contain the wildcards '\*' and +'-': com.example.\* for single package or com.example.- for all +subpackages. + +> If not specified, it will scan all packages. + +See more at https://spotbugs.readthedocs.io/en/stable/running.html#text-ui-options + +### arguments + +A string with any additional command arguments to be sent to [spotbugs](https://spotbugs.readthedocs.io/en/stable/running.html#text-ui-options) + +### output + +The output filename. If not specified, it will use the default name 'results.[EXTENSION]' + +### target + +It can be a file or a directory, it is usually the ./target folder where you compiled your project. + +### dependenciesPath + +Path to the dependencies folder. For example, for Maven it is usually stored +in the `~/.m2` folder. + +### basePath + +The basePath is used as a prefix in the sarif file to help GitHub find the +right file of the issue. It is tipically something like 'src/main/java'. 
+ +## Example usage + +This workflow would analyze a Java application that builds a set of +packages under the com.example package name and outputs the results in +sarif format to upload it to the GitHub Security tab: + ```yaml name: SpotBugs on: [push, pull_request] jobs: - spotbugs-analyze: + spotbugs-analyze: name: Analyze runs-on: ubuntu-latest - steps: + steps: + + # checkout and build the project - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v3 + + - name: Set up JDK 11 + uses: actions/setup-java@v3 + with: + java-version: '11' + distribution: 'temurin' + cache: maven + - name: Build with Maven + run: mvn clean package -B -Dmaven.test.skip - - name: Run SpotBugs - uses: spotbugs/spotbugs-github-action@v1 + # Run SpotBugs and upload the SARIF file + - name: Run SpotBugs action + if: always() + uses: abirismyname/spotbugs-github-action@v2 with: - arguments: '-sarif' - target: './HelloWorld.jar' - output: 'results.sarif' - spotbugs-version: 'latest' + packages: com.example.- + target: ./target + dependenciesPath: ~/.m2 + basePath: src/main/java - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v2 with: sarif_file: ${{github.workspace}}/results.sarif ``` diff --git a/analyze.sh b/analyze.sh index 11359d8..e650610 100755 --- a/analyze.sh +++ b/analyze.sh @@ -101,7 +101,6 @@ eval ${CMD} if [ "$OUTPUT_TYPE" == "sarif" ] && [ "$BASE_PATH" != "" ]; then # prepend the pyhsical path echo "Transform sarif file to include the physical path" - cat resultspre.sarif | jq -c "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) |=\"$BASE_PATH\"+." > resultspre2.sarif - cat resultspre2.sarif | jq -c '(.runs[].invocations[].executionSuccessful)=true' > results.sarif + jq -c "(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) |=\"$BASE_PATH\"+." resultspre.sarif > "$OUTPUT" fi
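Review bot: The new jq call in analyze.sh splices `$BASE_PATH` into the filter text itself (`|=\"$BASE_PATH\"+.`), so a basePath action input containing a double quote, a backslash or jq syntax changes the filter program rather than the data; pass it as a jq variable instead, `jq -c --arg base "$BASE_PATH" '(.runs[].results[].locations[].physicalLocation.artifactLocation.uri) |= $base + .' resultspre.sarif > "$OUTPUT"`. The concatenation also inserts no separator, so with the README's suggested value `basePath: src/main/java` a relative SARIF uri such as `com/example/Foo.java` would become `src/main/javacom/example/Foo.java` unless BASE_PATH is normalized to a trailing slash elsewhere in the script, which this hunk cannot show; `--arg base "${BASE_PATH%/}/"` would make that explicit. The command's exit status is not checked, so a jq error leaves `$OUTPUT` empty or truncated while the workflow proceeds to the upload step; `|| exit 1` on that line, or a `set -e` at the top of the script if one is not already there, would surface it. The hunk header shows an `eval ${CMD}` immediately above, presumably carrying the free-form `arguments` input; that is outside this hunk, but the same caller-controlled-string concern applies there. Note too that the commit drops the step that forced `executionSuccessful` to true; if SpotBugs reports false on analysis errors, the uploaded SARIF now carries that value unchanged, which may be intended but is worth stating in the commit message.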