fortify / github-action

Fortify GitHub Actions

The `fod-export` and `ssc-export` actions do not cater for Application/Release names with spaces in. #15

Closed kadraman closed 10 months ago

kadraman commented 10 months ago

Given the following:

    - name: Export FoD vulnerability data to GitHub
      uses: fortify/github-action/fod-export@v1
      env:
        FOD_URL: ${{ inputs.fod_url }}
        FOD_CLIENT_ID: ${{ inputs.fod_client_id }}
        FOD_CLIENT_SECRET: ${{ inputs.fod_client_secret }}
        FOD_RELEASE: ${{ format('{0}:{1}', inputs.fod_app_name, inputs.fod_release_name) }}

if inputs.fod_app_name is "IWA-Java [KAL]" and inputs.fod_release_name is "main" the resultant FOD_RELEASE will be 'IWA-Java [KAL]:main' (including single quotes). This should work fine.

However, the fod-export action doesn't see this and ends up trying to export all of the vulnerabilities for each release under "IWA-Java [KAL]".

Workaround is to use FOD_RELEASE with release id - the value of which can be retrieved using "fcli":

    RELID=$(fcli fod release get "IWA-Java [KAL]:main" -o expr="{releaseId}")
    echo "release_id=${RELID}" >> $GITHUB_OUTPUT

Note: the ssc-export as well as fod-sast-scan and sc-sast-scan might exhibit the same behaviour.

kadraman commented 10 months ago

Traced this down to fod-export\action.yml. It is not quoting the app:release name for --fod.release.name:

    ...
     ''|*[!0-9]*) echo '_RELEASE_OPT="--fod.release.name=${FOD_RELEASE}"' >> $GITHUB_ENV ;;
    ...

This should probably be:

    ...
     ''|*[!0-9]*) echo '_RELEASE_OPT=--fod.release.name="'${FOD_RELEASE}'"' >> $GITHUB_ENV ;;
    ...

The same applies to ssc-export\action.yml

kadraman commented 10 months ago

Turns out that the GitHub @actions\exec code being used swallows up any double quotes, so replaced with triple single quotes ''' and it now works.

    ''|*[!0-9]*) echo '_RELEASE_OPT=--fod.release.name='''${FOD_RELEASE}'''' >> $GITHUB_ENV ;;

and similar for SSC.

Note: the behaviour of FortifyVulnerabilityExport when the application name has spaces in it should be looked at. It should fail rather than try to export the data for all releases (unless an explicit option to do this is set).
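The word splitting behind this report, as an added shell example that is not code from fortify/github-action: it mirrors the action's `''|*[!0-9]*` case pattern, shows how many arguments a consumer sees when the stored option is expanded unquoted versus quoted, and adds a guard that flags values the unquoted form would mangle (the function names `release_opt`, `argc_unquoted`, `argc_quoted` and `needs_quoting` are mine).

```shell
#!/bin/sh
# Added example, not the fortify/github-action code. A release option is built
# from FOD_RELEASE and a later step expands the variable unquoted, so a name
# containing spaces becomes several argv entries.

count_args() { echo "$#"; }

# Build the option the way the action decides: all digits -> release id,
# anything else (same ''|*[!0-9]* pattern as action.yml) -> app:release name.
release_opt() {
    case "$1" in
        ''|*[!0-9]*) printf '%s' "--fod.release.name=$1" ;;
        *)           printf '%s' "--fod.release.id=$1" ;;
    esac
}

# Arguments the consumer sees when $_RELEASE_OPT is expanded unquoted (the
# broken form). set -f runs in a subshell so only word splitting is shown, not
# the second hazard that "[KAL]" in the name is also a glob pattern.
argc_unquoted() {
    _RELEASE_OPT=$(release_opt "$1")
    ( set -f; count_args $_RELEASE_OPT )
}

# Arguments seen when the value is passed as one quoted word (the fixed form).
argc_quoted() {
    _RELEASE_OPT=$(release_opt "$1")
    count_args "$_RELEASE_OPT"
}

# Guard for the action's own step: returns 0 when FOD_RELEASE contains
# whitespace or glob characters, so the step can fail loudly instead of the
# export silently falling back to every release of the application.
needs_quoting() {
    case "$1" in
        *[[:space:]]*|*'['*|*'*'*|*'?'*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    # Constructed sample inputs: a numeric id, a plain name, the name from this issue.
    for r in 12345 'IWA-Java:main' 'IWA-Java [KAL]:main'; do
        printf '%-22s unquoted=%s quoted=%s\n' "$r" \
            "$(argc_unquoted "$r")" "$(argc_quoted "$r")"
    done
}
demo
```

The unquoted expansion of the issue's release name yields two arguments, which is why the consumer never receives the complete `app:release` value.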

rsenden commented 10 months ago

Fixed in c04ac28398685799fb76a7b02acbcb18af034231