Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: download grype on windows runners #315

Merged
merged 17 commits into from
May 23, 2024
Merged

fix: download grype on windows runners #315

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
b13c331
fix: download grype on windows runners
kzantow May 17, 2024
01125b8
chore: add windows runner demo
kzantow May 17, 2024
9b3285b
chore: add windows runner demo
kzantow May 17, 2024
9aed9bf
Merge remote-tracking branch 'upstream/main' into fix/execute-on-windows
kzantow May 20, 2024
e0a00e3
chore: consolidate test workflows in test.yml
kzantow May 20, 2024
c96a0d5
chore: actually fail if output not specified
kzantow May 20, 2024
338f9a7
chore: reformat
kzantow May 20, 2024
a3d82a6
chore: correct versions
kzantow May 20, 2024
add3316
chore: add more validations
kzantow May 20, 2024
3c398f9
chore: add more validations
kzantow May 20, 2024
47ac6a5
chore: fail windows
kzantow May 21, 2024
ff87f3f
chore: use matrix
kzantow May 21, 2024
2e2320a
chore: don't use matrix
kzantow May 21, 2024
1d25ef9
chore: use matrix
kzantow May 21, 2024
a1707e8
chore: use matrix
kzantow May 21, 2024
0d36653
chore: use correct matrix
kzantow May 21, 2024
039f0d1
chore: undo some changes
kzantow May 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 0 additions & 32 deletions .github/workflows/demo.yml
View file
Open in desktop

This file was deleted.

49 changes: 0 additions & 49 deletions .github/workflows/sarifdemo.yml
View file
Open in desktop

This file was deleted.

142 changes: 136 additions & 6 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,28 +44,158 @@ jobs:
- run: npm run audit
- run: npm test

test-as-action: # run actions to test some scenarios
test-download-action:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
path: ./

- name: "Donwload Grype v0.54.0"
- name: Download Grype v0.54.0
uses: ./download-grype # anchore/scan-action/download-grype
with:
grype-version: v0.54.0

- name: "Check Grype version before scan-action"
- name: Check Grype version before scan-action
run: grype version | egrep "^Version:.*0.54.0$"

- name: "Scan test image"
- name: Scan test image
uses: ./
with:
image: "alpine:latest"
image: alpine:latest
grype-version: v0.54.0 # set the same version to test that current Grype binary wasn't overwritten by the latest version
fail-build: false # to prevent fail due to vuln:s on test image

- name: "Check Grype version after scan-action"
- name: Check Grype version after scan-action
run: grype version | egrep "^Version:.*0.54.0$"

test-image-input:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
image: alpine:latest
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.sarif }}'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had to double-check up the return code of ls if passed a non-existent file. On Linux, I think test -f might be a cleaner test (though test isn't available on Windows).

Not blocking though - this works.


test-directory-input:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
path: tests/fixtures/npm-project
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.sarif }}'

test-sbom-input:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
sbom: tests/fixtures/test_sbom.spdx.json
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.sarif }}'

test-table-output:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
output-format: table
image: alpine:latest
fail-build: false

test-windows-image:
runs-on: windows-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
image: alpine:latest
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.sarif }}'

test-windows-path:
runs-on: windows-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
path: tests/fixtures/npm-project
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.sarif }}'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just want to double-check that this way of checking whether a file exists works on Windows - don't have a windows machine in front of me to check myself.

Specifically, can you make sure that ls some-non-existent-file on Windows exits non-zero?


test-windows-json:
runs-on: windows-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
output-format: json
path: tests/fixtures/npm-project
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.json }}'

test-sarif-image:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
image: debian:8
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.sarif }}'

test-sarif-directory:
kzantow marked this conversation as resolved.
Show resolved Hide resolved
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
path: tests/fixtures/npm-project
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.sarif }}'

test-json-directory:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: ./
id: scan
with:
output-format: json
path: tests/fixtures/npm-project
fail-build: false

- name: Validate file exists
run: ls '${{ steps.scan.outputs.json }}'
11 changes: 5 additions & 6 deletions dist/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,8 @@ const fs = __nccwpck_require__(7147);
const stream = __nccwpck_require__(2781);
const { GRYPE_VERSION } = __nccwpck_require__(6244);

const grypeBinary = "grype";
const exeSuffix = process.platform == "win32" ? ".exe" : "";
const grypeBinary = "grype" + exeSuffix;
const grypeVersion = core.getInput("grype-version") || GRYPE_VERSION;

async function downloadGrype(version) {
Expand All @@ -30,15 +31,13 @@ async function downloadGrype(version) {
// TODO: when grype starts supporting unreleased versions, support it here
// Download the installer, and run
const installPath = await cache.downloadTool(url);
// Make sure the tool's executable bit is set
await exec.exec(`chmod +x ${installPath}`);

let cmd = `${installPath} -b ${installPath}_grype ${version}`;
let cmd = `sh ${installPath} -d -b ${installPath}_grype ${version}`;
await exec.exec(cmd);
let grypePath = `${installPath}_grype/grype`;
let grypePath = `${installPath}_grype/${grypeBinary}`;

// Cache the downloaded file
return cache.cacheFile(grypePath, `grype`, `grype`, version);
return cache.cacheFile(grypePath, grypeBinary, grypeBinary, version);
}

async function installGrype(version) {
Expand Down
11 changes: 5 additions & 6 deletions index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,8 @@ const fs = require("fs");
const stream = require("stream");
const { GRYPE_VERSION } = require("./GrypeVersion");

const grypeBinary = "grype";
const exeSuffix = process.platform == "win32" ? ".exe" : "";
const grypeBinary = "grype" + exeSuffix;
const grypeVersion = core.getInput("grype-version") || GRYPE_VERSION;

async function downloadGrype(version) {
Expand All @@ -16,15 +17,13 @@ async function downloadGrype(version) {
// TODO: when grype starts supporting unreleased versions, support it here
// Download the installer, and run
const installPath = await cache.downloadTool(url);
// Make sure the tool's executable bit is set
await exec.exec(`chmod +x ${installPath}`);

let cmd = `${installPath} -b ${installPath}_grype ${version}`;
let cmd = `sh ${installPath} -d -b ${installPath}_grype ${version}`;
willmurphyscode marked this conversation as resolved.
Show resolved Hide resolved
await exec.exec(cmd);
let grypePath = `${installPath}_grype/grype`;
let grypePath = `${installPath}_grype/${grypeBinary}`;

// Cache the downloaded file
return cache.cacheFile(grypePath, `grype`, `grype`, version);
return cache.cacheFile(grypePath, grypeBinary, grypeBinary, version);
}

async function installGrype(version) {
Expand Down
Loading