dependency-check / Dependency-Check_Action

Github action to run dependency check
MIT License

Scan argument will just scan folder inside the container? #23

Open ydmk opened 1 year ago

ydmk commented 1 year ago

Looking at the scan parameter https://github.com/dependency-check/Dependency-Check_Action/blob/1b5d19fd4a32ff0ff982e8c9d8e27dbf7ac8a46c/action.yml#L27-L28

If a . is provided here (as is the default), won't it just scan the home directory inside the container? GitHub's working directory is mounted at /github/workspace (as indicated by the out parameter in https://github.com/dependency-check/Dependency-Check_Action/blob/1b5d19fd4a32ff0ff982e8c9d8e27dbf7ac8a46c/action.yml#L31-L32).

So doesn't /github/workspace need to be prefixed to inputs.path (if it's a relative path), to scan in GitHub's actual workspace?

Additionally, what do you do if someone provides absolute paths (in this case and in the case of out)?

I can do a PR if needed.

javixeneize commented 1 year ago

I think those paths are where the code is checked out, can't remember by heart. That's a parameter that can be modified anyway. When you execute it, it will show the absolute path it is using.

ydmk commented 1 year ago
javixeneize commented 1 year ago

Ah, I see. I think both . and /github/workspace point to the same place, isn't it?

https://github.com/dependency-check/DependencyCheck_Test/actions/runs/6136166905/job/16650728404#step:5:8

There, it is mounting this as a volume:

-v "/home/runner/work/DependencyCheck_Test/DependencyCheck_Test":"/github/workspace"

Sorry, it's been a long time since I built this.

ydmk commented 1 year ago

Let me clarify it further.

. in your host is the same as /github/workspace in your container. This is documented in the GitHub Actions documentation, and, as you saw in your test, happens due to mounting the . of your host to the /github/workspace of the container.

Your executable runs inside the container. The arguments provided to the executable run from the context of inside the container.

Now when someone says that their scan param is ., they mean to say that the . of their own directory (which is the host's). However, what the executable interprets is . of the container, which is some directory inside the container where the exe is running (probably /home/root). For the executable to translate . to the correct directory (the . of the host), it needs to point to /github/workspace/.

ydmk commented 1 year ago

You basically need to prefix line 28 with the prefix you have in line 32 (/github/workspace).
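An added example (not the action's own entrypoint, and not code from either participant) of the path resolution the thread arrives at, written as a POSIX sh function a Docker action's entrypoint could call. It takes a relative `path` input relative to the mounted workspace (/github/workspace inside the container, which GitHub also exposes as GITHUB_WORKSPACE) and leaves an absolute input untouched, which covers the absolute-path question raised earlier in the thread. The INPUT_PATH variable name follows GitHub's INPUT_<NAME> convention for action inputs; the fallback default and the final printed command line are assumptions for running this offline.

```shell
#!/bin/sh
# resolve_scan_path RAW_INPUT [WORKSPACE]
# Turns the value of the `path` input into the absolute path the scanner
# should receive inside the container.
#   - empty or "."        -> the workspace root itself
#   - "./foo" or "foo"    -> WORKSPACE/foo
#   - "/abs/path"         -> used as given (already absolute)
# WORKSPACE defaults to $GITHUB_WORKSPACE, then to /github/workspace
# (assumed default for offline runs; GitHub sets GITHUB_WORKSPACE in real jobs).
# Note: no canonicalisation is done, so "../x" still escapes the workspace;
# guard against that separately if untrusted workflow input is a concern.
resolve_scan_path() {
  input="$1"
  workspace="${2:-${GITHUB_WORKSPACE:-/github/workspace}}"
  case "$input" in
    "")   printf '%s\n' "$workspace" ;;
    .)    printf '%s\n' "$workspace" ;;
    /*)   printf '%s\n' "$input" ;;
    ./*)  printf '%s/%s\n' "$workspace" "${input#./}" ;;
    *)    printf '%s/%s\n' "$workspace" "$input" ;;
  esac
}

# Same rule applied to the `out` input, so relative report locations land in
# the mounted workspace and are visible on the runner after the job.
resolve_out_path() {
  resolve_scan_path "$1" "$2"
}

# Demo only: show the arguments an entrypoint would pass on. The actual
# scanner invocation is deliberately not executed here.
scan_dir="$(resolve_scan_path "${INPUT_PATH:-.}")"
out_dir="$(resolve_out_path "${INPUT_OUT:-reports}")"
printf 'would run: dependency-check --scan "%s" --out "%s"\n' "$scan_dir" "$out_dir"
```

Run it with `INPUT_PATH=src/app sh resolve.sh` and the printed --scan value is /github/workspace/src/app; with `INPUT_PATH=/opt/code` it stays /opt/code. Because the container's own current directory is not the mount point, this prefixing is what makes a user's "." mean their checkout rather than the image's home directory.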

javixeneize commented 1 year ago

Right ;)

Fancy doing a PR with the change?

Thanks