action.yml

name: SpotBugs with FindSecBugs

author: GitHub Field Security
description: Run SpotBugs with FindSecBugs on your build results, and upload the results to GitHub Code Scanning
branding:
  icon: 'shield'
  color: 'blue'

inputs:
  spotbugs_version:
    description: 'The version of SpotBugs to use'
    required: false
    default: '4.7.3'
  findsecbugs_version:
    description: 'The version of FindSecBugs to use'
    required: false
    default: '1.12.0'
  spotbugs_target:
    description: 'The target directory to run SpotBugs against'
    required: false
    default: 'target/'
  spotbugs_filename_glob:
    description: 'The filenames to locate for SpotBugs, e.g. *.class, *.jar'
    default: '*.jar'
  upload_sarif:
    description: 'Whether to upload the SARIF file to GitHub Code Scanning'
    required: false
    type: boolean
    default: 'true'
  java_distribution:
    description: 'The Java distribution to use'
    required: false
    default: 'microsoft'
  java_version:
    description: 'The Java version to use'
    required: false
    default: '11'
  no_cache:
    description: 'Do not use cached versions of the Spotbugs and FindSecBugs tools'
    required: false
    type: boolean
    default: 'false'
  path_prefix:
    description: 'Add this path prefix to the start of file locations'
    required: false
  ram:
    description: 'The amount of RAM to use for SpotBugs (in MB)'
    required: false
    default: '768'

  # Allows for a custom runner home directory to be specified for self-hosted runners
  base_path:
    description: 'The home directory of the runner'
    required: false
    default: '/home/runner/work'


runs:
  using: "composite"
  steps:
    - name: Setup Java
      uses: actions/setup-java@v3
      with:
        distribution: ${{ inputs.java_distribution }}
        java-version: ${{ inputs.java_version }}
    - name: Cache SpotBugs
      if: inputs.no_cache == 'false'
      id: cache-spotbugs
      uses: actions/cache@v3
      with:
        path: ${{ inputs.base_path }}/spotbugs+/spotbugs-${{ inputs.spotbugs_version }}
        key: ${{ runner.os }}-spotbugs-${{ inputs.spotbugs_version }}
    - name: Cache FindSecBugs
      if: inputs.no_cache == 'false'
      id: cache-findsecbugs
      uses: actions/cache@v3
      with:
        path: ${{ inputs.base_path }}/findsecbugs+/findsecbugs-plugin-${{ inputs.findsecbugs_version }}.jar
        key: ${{ runner.os }}-findsecbugs-${{ inputs.findsecbugs_version }}
    - name: Get SpotBugs
      if: inputs.no_cache == 'true' || steps.cache-spotbugs.outputs.cache-hit != 'true'
      env:
        INPUT_SPOTBUGS_VERSION: ${{ inputs.spotbugs_version }}
        SPOTBUGS_HOME: ${{ inputs.base_path }}/spotbugs+/
      run: |
        mkdir -p "${SPOTBUGS_HOME}"
        cd "${SPOTBUGS_HOME}"
        wget -q -O spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz "https://github.com/spotbugs/spotbugs/releases/download/${INPUT_SPOTBUGS_VERSION}/spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
        tar -xzf spotbugs-"${INPUT_SPOTBUGS_VERSION}".tgz
        chmod +x spotbugs-"${INPUT_SPOTBUGS_VERSION}"/bin/spotbugs
        ls "spotbugs-${INPUT_SPOTBUGS_VERSION}.tgz"
        echo "Got spotbugs"
      shell: bash
    - name: Get FindSecBugs
      if: inputs.no_cache == 'true' || steps.cache-findsecbugs.outputs.cache-hit != 'true'
      env:
        INPUT_FINDSECBUGS_VERSION: ${{ inputs.findsecbugs_version }}
        FINDSECBUGS_HOME: ${{ inputs.base_path }}/findsecbugs+/
      run: |
        mkdir -p "${FINDSECBUGS_HOME}"
        cd "${FINDSECBUGS_HOME}"
        wget -q -O "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar" "https://search.maven.org/remotecontent?filepath=com/h3xstream/findsecbugs/findsecbugs-plugin/${INPUT_FINDSECBUGS_VERSION}/findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
        ls "findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar"
        echo "Got findsecbugs"
      shell: bash
    - name: Run SpotBugs
      env:
        INPUT_FINDSECBUGS_VERSION: ${{ inputs.findsecbugs_version }}
        INPUT_SPOTBUGS_TARGET: ${{ inputs.spotbugs_target }}
        INPUT_SPOTBUGS_GLOB: ${{ inputs.spotbugs_filename_glob }}
        INPUT_RAM: ${{ inputs.ram }}
        SPOTBUGS_HOME: ${{ inputs.base_path }}/spotbugs+/spotbugs-${{ inputs.spotbugs_version }}
        FINDSECBUGS_HOME: ${{ inputs.base_path }}/findsecbugs+/
        SPOTBUGS_WORKING: ${{ inputs.base_path }}/spotbugs_working+/
      run: |
        mkdir -p "${SPOTBUGS_WORKING}"
        cd "${SPOTBUGS_WORKING}"
        SPOTBUGS_FILES=$(find "${GITHUB_WORKSPACE}/${INPUT_SPOTBUGS_TARGET}" -type f -name "${INPUT_SPOTBUGS_GLOB}" -exec echo -n {} \+)
        "${SPOTBUGS_HOME}/bin/spotbugs" -maxHeap "${INPUT_RAM}" -textui -quiet -effort:max -low -bugCategories SECURITY -pluginList "${FINDSECBUGS_HOME}/findsecbugs-plugin-${INPUT_FINDSECBUGS_VERSION}.jar" -sarif=spotbugs.sarif ${SPOTBUGS_FILES}
      shell: bash
    - name: Adjust file paths
      if: inputs.path_prefix != ''
      env:
        INPUT_PATH_PREFIX: ${{ inputs.path_prefix }}
        SPOTBUGS_WORKING: ${{ inputs.base_path }}/spotbugs_working+/
      run: |
        cd "${SPOTBUGS_WORKING}"
        jq --arg prefix "${INPUT_PATH_PREFIX}" '.runs[].results[].locations[].physicalLocation.artifactLocation.uri |= $prefix + .' < spotbugs.sarif > spotbugs_edited.sarif
        mv spotbugs.sarif spotbugs_orig.sarif
        mv spotbugs_edited.sarif spotbugs.sarif
      shell: bash
    - name: Upload SARIF file
      if: inputs.upload_sarif == 'true'
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ inputs.base_path }}/spotbugs_working+/spotbugs.sarif