checkmarx-ts / checkmarx-cxflow-github-action

Checkmarx CxFlow GitHub Action with SARIF output
GNU General Public License v3.0

Update README.md #42

Closed nirw closed 2 years ago

nirw commented 2 years ago

adding 2 documentation updates:

  1. Importance of excluding .git and .github folders
  2. Providing an example for using a recursive pattern for excluding all files under folders which are called tests
james-bostock-cx commented 2 years ago

Hi @nirw,

I think that your regular expressions are wrong. In fact, just testing with:

--cx-flow.zip-exclude="\\.git\\/.\*"

As I suspected, the .git folder is not excluded. You see, the backslash before the asterisk quotes the asterisk, causing it to be treated literally. Also, the forward slash character does not need to be quoted. So, the following has the desired effect:

--cx-flow.zip-exclude="\\.git/.*"
nirw commented 2 years ago

Hi @james-bostock-cx, my regular expression for what the users should actually write in their yml file is the following: --cx-flow.zip-exclude=.git\/.,.github\/.,tests\/.,.+\/tests\/. I think what's confusing you is the GitHub markdown.

You can look, for example, at what the same file in the original example looks like for the .github and .git folders - it's exactly the same. I've 'tested' it at the very bottom of this page here: https://github.com/NirCheckmarx/vems/blob/master/README.md

james-bostock-cx commented 2 years ago

Hi @nirw The example you gave is for the command line where, due to having to deal with the shell's own handling of special characters, extra escaping is needed (note that, inside double quotes, the shell will not do file expansion which is why it is unnecessary to escape the asterisk in your original version).

In the yml file, you should just need (again, only giving a single directory for simplicity's sake):

cx-flow:
  ...
  zip-exclude: \.git/.*
  ...

Note that you need to escape the first full stop (period) as otherwise it matches any character. Sure, it is unlikely that there will be a directory other than .git that is ever matched but that is no reason to not do the right thing.
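The escaping points raised in this thread (the literal `\*`, the unescaped leading dot, and the recursive `tests` pattern from the PR description) can be checked against a constructed set of file paths. This is an added example, not code from CxFlow or this action; it assumes each comma-separated zip-exclude entry is a Java-style regex that must match the whole relative path inside the zip, with Python's `re.fullmatch` standing in for Java's `String.matches`.

```python
import re

# Constructed sample of relative paths as they might appear inside the zip
# that CxFlow uploads for scanning (not taken from the project).
SAMPLE_PATHS = [
    ".git/config",
    ".git/objects/ab/cdef",
    ".github/workflows/ci.yml",
    "src/main.py",
    "tests/test_main.py",
    "src/tests/test_util.py",
    "agit/notes.txt",
]


def excluded_paths(patterns, paths=SAMPLE_PATHS):
    """Return the paths excluded by a comma-separated zip-exclude string.

    Assumption (not verified against CxFlow's source): every entry is a
    regex that has to match the entire relative path, so a pattern that
    ends in a literal '*' (from '\\*') will almost never match anything.
    """
    regexes = [re.compile(p) for p in patterns.split(",") if p]
    return sorted(p for p in paths if any(r.fullmatch(p) for r in regexes))


def wrongly_kept(patterns, must_exclude, paths=SAMPLE_PATHS):
    """Paths that should have been excluded but survive the given patterns."""
    return sorted(set(must_exclude) - set(excluded_paths(patterns, paths)))


if __name__ == "__main__":
    # The escaped-asterisk version from the thread excludes nothing.
    print("escaped asterisk:", excluded_paths(r"\.git\/.\*"))
    # Leaving the leading dot unescaped also sweeps up 'agit/notes.txt'.
    print("unescaped dot:   ", excluded_paths(r".git/.*"))
    # The corrected full list: .git, .github, top-level and nested tests.
    print("corrected:       ",
          excluded_paths(r"\.git/.*,\.github/.*,tests/.*,.+/tests/.*"))
```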