From e91e18a4486bf1a1c816bde1307adb338e499d31 Mon Sep 17 00:00:00 2001
From: alvarodE <72568818+alvarodE@users.noreply.github.com>
Date: Wed, 11 Dec 2024 15:48:09 +0100
Subject: [PATCH 1/5] Support npm & pnpm (with node@18)

---
 entrypoint.sh | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/entrypoint.sh b/entrypoint.sh
index d06dc7d..ed00a78 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -114,6 +114,35 @@ python() {
 upload_bom "bom.json" "."
 }
 
+npm() {
+ echo "[*] Processing npm BoM"
+ curl -fsSL https://deb.nodesource.com/setup_18.x | bash -
+ apt-get install -y nodejs
+ npm install
+ npm audit fix --force
+ if [ ! $? = 0 ]; then
+ echo "[-] Error executing npm install. Stopping the action!"
+ exit 1
+ fi
+ npx --yes cyclonedx-bom -o bom.xml
+ upload_bom "bom.xml" "."
+}
+
+pnpm() {
+ echo "[*] Processing pnpm BoM"
+ curl -fsSL https://deb.nodesource.com/setup_18.x | bash -
+ apt-get install -y nodejs
+ npm install -g pnpm
+ pnpm install
+ pnpm audit --fix
+ if [ ! $? = 0 ]; then
+ echo "[-] Error executing pnpm install. Stopping the action!"
+ exit 1
+ fi
+ npx --yes cyclonedx-bom -o bom.xml
+ upload_bom "bom.xml" "."
+}
+
 java
 
 case $LANGUAGE in
@@ -124,6 +153,14 @@ case $LANGUAGE in
 "python")
 python
 ;;
+*)
+"npm")
+ npm
+ ;;
+*)
+"pnpm")
+ pnpm
+ ;;
 *)
 echo "[-] Unsupported language: $LANGUAGE"
 exit 1
From 2f3bce2195f6ea57b529a7fe0ebccffe4cffa554 Mon Sep 17 00:00:00 2001
From: alvarodE <72568818+alvarodE@users.noreply.github.com>
Date: Wed, 11 Dec 2024 15:48:13 +0100
Subject: [PATCH 2/5] Update README.md

---
 README.md | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 8e553b3..a1592ac 100644
--- a/README.md
+++ b/README.md
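Review bot: The `if [ ! $? = 0 ]` test in `npm()` only checks `npm audit fix --force`, not `npm install`, so unless `set -e` is enabled earlier in the script (outside this hunk) a failed install continues into the audit step and the message "Error executing npm install" is printed for the wrong command; the same pattern is repeated in `pnpm()` with `pnpm audit --fix`. Check the install directly, `npm install || { echo "[-] Error executing npm install. Stopping the action!"; exit 1; }`, or check each step separately so the diagnostic names the command that failed. `npm audit fix --force` also rewrites `package.json` and the lockfile before `cyclonedx-bom` runs, so the uploaded BoM describes a modified dependency tree rather than the one committed in the repository, which defeats the purpose of an inventory; a BoM step should install the committed tree (`npm ci`) and leave it untouched. Finally, `curl … | bash -` and the unpinned `npx --yes cyclonedx-bom` both fetch and execute unverified code at run time, so pinning the Node.js toolchain in the container image and pinning the `cyclonedx-bom` version would make the action reproducible and reviewable.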
@@ -21,13 +21,10 @@ This action requires 3 input variables:
 - **riskscore**: this variable will contain the risk score calculated by OWASP Dependency Track based on the found vulnerabilities. This output can be used to make decision such as notify the developer or use it as the input of the next step of the workflow.
 
 ## Supported languages
 Currently this action supports the generation of upload of projects devloped in the languages as follows:
-- **Node.js**: define the language variable as `nodejs`. `npm install` will be executed within the container to gather all the dependencies.
-- **Python**: define the language variable as `python`. It will get the package information from requirements.txt.
-- **Golang**: define the language variable as `golang`. It will get the package information from go.mod, which is typically present in the repository.
-- **Ruby**: define the language variable as `ruby`. It will get the package information from Gemfile.lock.
 - **Maven**: define the language variable as `java`. It will get the package information from pom.xml.
-- **NuGet (.NET)**: define the language variable as `dotnet`. It will get the package information from a .sln, .csproj, .vbproj, or packages.config file.
-- **Php Composer**: define the language variable as `php`. It will get the package information from composer.json.
+- **Python**: define the language variable as `python`. It will get the package information from requirements.txt.
+- **npm**: define the language variable as `npm`. `npm install` will be executed within the container to gather all the dependencies.
+- **pnpm**: define the language variable as `pnpm`. `pnpm install` will be executed within the container to gather all the dependencies.
 
 Please note that if any of the files above is not available the action will fail when trying to generate the BoM files.
From 6ea164e071f7347f71cbbad07665665c6e11478e Mon Sep 17 00:00:00 2001
From: alvarodE <72568818+alvarodE@users.noreply.github.com>
Date: Wed, 11 Dec 2024 15:48:20 +0100
Subject: [PATCH 3/5] Set Java as default language

---
 action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action.yaml b/action.yaml
index 356a673..ed613e3 100644
--- a/action.yaml
+++ b/action.yaml
@@ -17,7 +17,7 @@ inputs:
 language:
 description: 'Programming language'
 required: true
- default: 'nodejs'
+ default: 'java'
 paths:
 description: 'Array of paths to specific files or directories to be analyzed'
 required: false
From dbc2884591f5b81ef27c579943583edfad4dd38c Mon Sep 17 00:00:00 2001
From: alvarodE <72568818+alvarodE@users.noreply.github.com>
Date: Wed, 11 Dec 2024 16:31:23 +0100
Subject: [PATCH 4/5] Fix language switch

---
 entrypoint.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index ed00a78..52b7712 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -153,14 +153,15 @@ case $LANGUAGE in
 "python")
 python
 ;;
-*)
+ "npm")
 npm
 ;;
-*)
+ "pnpm")
 pnpm
 ;;
+ *)
 echo "[-] Unsupported language: $LANGUAGE"
 exit 1
From 90ebae147c0b9e59290d5d0386c005db89d4594b Mon Sep 17 00:00:00 2001
From: alvarodE <72568818+alvarodE@users.noreply.github.com>
Date: Wed, 11 Dec 2024 16:42:38 +0100
Subject: [PATCH 5/5] Update entrypoint.sh

---
 entrypoint.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 52b7712..060cf6f 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -114,7 +114,7 @@ python() {
 upload_bom "bom.json" "."
 }
 
-npm() {
+process_npm() {
 echo "[*] Processing npm BoM"
 curl -fsSL https://deb.nodesource.com/setup_18.x | bash -
 apt-get install -y nodejs
@@ -128,7 +128,7 @@ npm() {
 upload_bom "bom.xml" "."
 }
 
-pnpm() {
+process_pnpm() {
 echo "[*] Processing pnpm BoM"
 curl -fsSL https://deb.nodesource.com/setup_18.x | bash -
 apt-get install -y nodejs
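Review bot: Changing `default` from `'nodejs'` to `'java'` silently changes behaviour for existing workflows that omit `language`: they now take the Maven path instead of the Node.js one, and the README change in this series drops `nodejs` from the documented values, so such workflows would no longer get what they previously got. Since `required: true` already obliges callers to pass the input, consider removing the default rather than changing it, or state the new default and the removed `nodejs` value in the README and a changelog entry so the break is visible.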
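Review bot: The hunk header (14 old lines, 15 new) together with the diffstat (3 insertions, 2 deletions) suggests the unindented `"npm")`, `"pnpm")` and `*)` labels added in PATCH 1 survive as context lines next to the new indented `"npm")`, `"pnpm")` and `*)` ones, which would leave each arm with two consecutive pattern labels and a bash syntax error at the `case`; the collapsed rendering here cannot show the context lines, so please confirm against the file. If that is the case, the fix is to delete the old labels in the same hunk instead of adding indented copies, so that each of `"npm")`, `"pnpm")` and `*)` appears exactly once, i.e. `-"npm")` / `+ "npm")` rather than `-*)` / `+ "npm")`. The `case` statement continues outside the hunk.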
@@ -155,11 +155,11 @@ case $LANGUAGE in
 ;;
 "npm")
- npm
+ process_npm
 ;;
 "pnpm")
- pnpm
+ process_pnpm
 ;;
 *)