Improve documentation for github actions (google#575)

Attempt at the 3 remaining items mentioned in google#516. Feel free to do any rewording or rearranging @hayleycd to make things clearer! Also fix the SARIF test since it was still calling `createTextFixture` instead of `assertTextFixture`
hayleycd · Oct 10, 2023 · 8da35f0 · 8da35f0
1 parent b683547
commit 8da35f0
Show file tree

Hide file tree

Showing 6 changed files with 276 additions and 35 deletions.
diff --git a/.github/workflows/osv-scanner-reusable-pr.yml b/.github/workflows/osv-scanner-reusable-pr.yml
@@ -24,6 +24,10 @@ on:
           -r
           --skip-git
           ./
+      results-file-name:
+        description: "File name of the result SARIF file"
+        type: string
+        default: results.sarif
 
 jobs:
   scan-pr:
@@ -57,7 +61,7 @@ jobs:
         uses: google/osv-scanner/actions/reporter@main
         with:
           scan-args: |-
-            --output=final-results.sarif
+            --output=${{ inputs.results-file-name }}
             --old=old-results.json
             --new=new-results.json
             --gh-annotations=true
@@ -68,7 +72,7 @@ jobs:
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
-          path: final-results.sarif
+          path: ${{ inputs.results-file-name }}
           retention-days: 5
       - name: "Upload old scan json results"
         if: '!cancelled()'
@@ -89,4 +93,4 @@ jobs:
         if: '!cancelled()'
         uses: github/codeql-action/upload-sarif@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
         with:
-          sarif_file: final-results.sarif
+          sarif_file: ${{ inputs.results-file-name }}
diff --git a/.github/workflows/osv-scanner-reusable.yml b/.github/workflows/osv-scanner-reusable.yml
@@ -30,7 +30,7 @@ on:
         default: results.sarif
 
 jobs:
-  scan-scheduled:
+  osv-scan:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

diff --git a/docs/github-action.md b/docs/github-action.md
@@ -11,9 +11,81 @@ nav_order: 6
 
 OSV-Scanner is offered as a GitHub Action. We currently have two different GitHub Actions:
 
-1. An action that performs a vulnerability scan on a [regular schedule](./github-action.md#scheduled-scans).
+1. An action that performs a single vulnerability scan, which can be configured to scan on a [regular schedule](./github-action.md#scheduled-scans), or used as a check [on releases](./github-action.md#scan-on-release) to prevent releasing with known vulnerabilities in dependencies.
 2. An action that triggers a scan with each [pull request](./github-action.md#scans-on-prs) and will only check for new vulnerabilities introduced through the pull request.
 
+## Scans on PRs
+
+Scanning your project on each pull request can help you keep vulnerabilities out of your project. This GitHub Action compares a vulnerability scan of the main branch to a vulnerability scan of the feature branch. You will be notified of any new vulnerabilities introduced through the feature branch. You can also choose to [prevent merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) if new vulnerabilities are introduced through the feature branch.
+
+### Instructions
+
+In your project repository, create a new file `.github/workflows/osv-scanner-pr.yml`.
+
+Include the following in the [`osv-scanner-pr.yml`](https://github.com/google/osv-scanner/blob/main/.github/workflows/osv-scanner-pr.yml) file:
+
+```yml
+name: OSV-Scanner PR Scan
+
+# Change "main" to your default branch if you use a different name, i.e. "master"
+on:
+  pull_request:
+    branches: [ main ]
+  merge_group:
+    branches: [ main ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  scan-pr:
+    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable-pr.yml@main"
+```
+
+### View results
+
+Results may be viewed by clicking on the details of the failed action, either from your project's actions tab or directly on the PR. Results are also included in GitHub annotations on the "Files changed" tab for the PR.
+
+### Customization
+
+`osv-scanner-reusable.yml` takes two optional inputs:
+
+- `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage]()./usage) page for the available options.
+  Importantly `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here.
+  Default:
+  ```
+    --recursive # Recursively scan subdirectories
+    --skip-git=true # Skip commit scanning to focus on dependencies
+    ./ # Start the scan from the root of the repository
+  ```
+- `results-file-name`: This is the name of the final SARIF file uploaded to Github.
+  Default: `results.sarif`
+
+#### Examples
+```yml
+# Scan specific lockfiles
+jobs:
+  scan-pr:
+    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml"
+    with:
+      scan-args: |-
+        ./path/to/lockfile1
+        ./path/to/lockfile2
+```
+
+```yml
+# Default arguments
+jobs:
+  scan-pr:
+    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml"
+    with:
+      scan-args: |-
+        --recursive
+        --skip-git=true
+        ./
+```
+
+
 ## Scheduled scans
 
 Regularly scanning your project for vulnerabilities can alert you to new vulnerabilities in your dependency tree. This GitHub Action will scan your project on a set schedule and report all known vulnerabilities.
@@ -47,40 +119,55 @@ jobs:
 
 As written, the scanner will run on 12:12 pm UTC every Monday. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).
 
-### View results
+### Customization
 
-Maintainers can review results of the scan by navigating to their project's security > code scanning tab. Vulnerability details can also be viewed by clicking on the details of the failed action.
+`osv-scanner-reusable-pr.yml` has the same customization options as `osv-scanner-reusable.yml`, which is described [here](./github-action.md#customization).
 
-## Scans on PRs
+### View results
 
-Scanning your project on each pull request can help you keep vulnerabilities out of your project. This GitHub Action compares a vulnerability scan of the main branch to a vulnerability scan of the feature branch. You will be notified of any new vulnerabilities introduced through the feature branch. You can also choose to [prevent merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) if new vulnerabilities are introduced through the feature branch.
+Maintainers can review results of the scan by navigating to their project's `security > code scanning` tab. Vulnerability details can also be viewed by clicking on the details of the failed action.
 
-### Instructions
 
-In your project repository, create a new file `.github/workflows/osv-scanner-pr.yml`.
+## Scan on release
 
-Include the following in the [`osv-scanner-pr.yml`](https://github.com/google/osv-scanner/blob/main/.github/workflows/osv-scanner-pr.yml) file:
+Here is a example of blocking on release, though the actual implementation will heavily depend on your specific release process.
 
 ```yml
-name: OSV-Scanner PR Scan
+name: Go Release Process
 
-# Change "main" to your default branch if you use a different name, i.e. "master"
 on:
-  pull_request:
-    branches: [ main ]
-  merge_group:
-    branches: [ main ]
+  push:
+    tags:
+      - "*" # triggers only if push new tag version, like `0.8.4` or else
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read # to fetch code (actions/checkout)
 
 jobs:
-  scan-pr:
-    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable-pr.yml@main"
+  osv-scan:
+    uses: google/osv-scanner/.github/workflows/osv-scanner-reusable.yml
+    with:
+      # Only scan the top level go.mod file without recursively scanning directories since
+      # this is pipeline is about releasing the go module and binary
+      scan-args: |-
+        --skip-git
+        ./
+    permissions:
+      # Require writing security events to upload SARIF file to security tab
+      security-events: write
+  tests:
+    name: Run unit tests
+    ...
+  release:
+    needs: # Needs both tests and osv-scan to pass
+      - tests
+      - osv-scan
+    # Your actual release steps
+    steps:
+      ...
 ```
 
 ### View results
 
-Results may be viewed by clicking on the details of the failed action, either from your project's actions tab or directly on the PR. Results are also included in GitHub annotations on the "Files changed" tab for the PR.
+Results may be viewed by clicking on the details of the failed release action from the action tab.
 
-Results are also available to maintainers by navigating to their project's security > code scanning tab.
diff --git a/docs/output.md b/docs/output.md
@@ -196,6 +196,156 @@ osv-scanner --format json -L path/to/lockfile > /path/to/file.json
 </details>
 
 
+---
+
+### SARIF
+
+```bash
+osv-scanner --format sarif your/project/dir
+```
+
+Outputs the result in the [SARIF](https://sarifweb.azurewebsites.net/) v2.1.0 format. Each vulnerability (grouped by aliases) is a separate rule, and each package containing a vulnerable dependency is a rule violation. The help text within the SARIF report contains detailed information about the vulnerability and remediation instructions for how to resolve it.
+
+<details markdown="1">
+<summary><b>Sample SARIF output</b></summary>
+
+```json
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "informationUri": "https://github.com/google/osv-scanner",
+          "name": "osv-scanner",
+          "rules": [
+            {
+              "id": "CVE-2022-24713",
+              "shortDescription": {
+                "text": "CVE-2022-24713: <advisory summary>"
+              },
+              "fullDescription": {
+                "text": "<Full advisory details>...",
+                "markdown": "<Full advisory details>..."
+              },
+              // Deprecated IDs field contains all alias IDs
+              "deprecatedIds": [
+                "CVE-2022-24713",
+                "RUSTSEC-2022-0013",
+                "GHSA-m5pq-gvj9-9vr8"
+              ],
+              "help": {
+                "text": "<Markdown help text>...",
+                "markdown": "<Markdown help text>..."
+              }
+            },
+          ],
+          "version": "1.4.1"
+        }
+      },
+      "artifacts": [
+        {
+          "location": {
+            "uri": "file:///path/to/sub-rust-project/Cargo.lock"
+          },
+          "length": -1
+        }
+      ],
+      "results": [
+        {
+          "ruleId": "CVE-2022-24713",
+          "ruleIndex": 0,
+          "level": "warning",
+          "message": {
+            "text": "Package '[email protected]' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8')."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "file:///path/to/sub-rust-project/Cargo.lock"
+                }
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
+```
+
+</details>
+
+<details markdown="1">
+<summary><b>Sample SARIF Help Text</b></summary>
+
+
+> **Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/list?q=CVE-2022-24713)**
+> (Also published as:  [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013),  [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8), ).
+>
+>
+> ## [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013)
+>
+> <details>
+> <summary>Details</summary>
+>
+> > Full advisory details...
+>
+> </details>
+>
+>
+>
+> ## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8)
+>
+> <details>
+> <summary>Details</summary>
+>
+> > Full advisory details...
+>
+> </details>
+>
+>
+> ---
+>
+> ### Affected Packages
+> | Source | Package Name | Package Version |
+> | --- | --- | --- |
+> | lockfile:/path/to/rust-project/Cargo.lock | regex | 1.5.1 |
+>
+> ## Remediation
+>
+>
+>
+> To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.
+>
+> ### Fixed Versions
+> | Vulnerability ID | Package Name | Fixed Version |
+> | --- | --- | --- |
+> | GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |
+> | RUSTSEC-2022-0013 | regex | 1.5.5 |
+>
+>
+> If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an
+> `osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.
+>
+> See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/
+>
+> Add or append these values to the following config files to ignore this vulnerability:
+>
+>
+> `/path/to/rust-project/osv-scanner.toml`
+> ```
+> [[IgnoredVulns]]
+> id = "CVE-2022-24713"
+> reason = "Your reason for ignoring this vulnerability"
+> ```
+
+</details>
+
+---
+
 ## Call analysis
 
 With `--experimental-call-analysis` flag enabled, call information will be included in the output.
@@ -367,12 +517,12 @@ osv-scanner --format json --experimental-call-analysis -L path/to/lockfile > /pa
 
 ## Return Codes
 
-|----- 
-| Exit Code |Reason| 
-|:---------------:|------------| 
-| `0` | Packages were found when scanning, but does not match any known vulnerabilities. | 
-| `1` | Packages were found when scanning, and there are vulnerabilities. | 
-| `1-126` | Reserved for vulnerability result related errors. | 
-| `127` | General Error. | 
-| `128` | No packages found (likely caused by the scanning format not picking up any files to scan). | 
-| `129-255` | Reserved for non result related errors. | 
+|-----
+| Exit Code |Reason|
+|:---------------:|------------|
+| `0` | Packages were found when scanning, but does not match any known vulnerabilities. |
+| `1` | Packages were found when scanning, and there are vulnerabilities. |
+| `1-126` | Reserved for vulnerability result related errors. |
+| `127` | General Error. |
+| `128` | No packages found (likely caused by the scanning format not picking up any files to scan). |
+| `129-255` | Reserved for non result related errors. |
diff --git a/internal/output/fixtures/test-vuln-results-a.sarif b/internal/output/fixtures/test-vuln-results-a.sarif
@@ -47,7 +47,7 @@
               }
             }
           ],
-          "version": "1.4.0"
+          "version": "1.4.1"
         }
       },
       "artifacts": [

diff --git a/internal/output/sarif_test.go b/internal/output/sarif_test.go
@@ -67,7 +67,7 @@ func TestPrintSARIFReport(t *testing.T) {
 			if err != nil {
 				t.Errorf("Error writing SARIF output: %s", err)
 			}
-			testutility.CreateTextFixture(t, tt.wantPath, bufOut.String())
+			testutility.AssertMatchFixtureText(t, tt.wantPath, bufOut.String())
 		})
 	}
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -47,7 +47,7 @@ @@
                   }
                 }
               ],
-              "version": "1.4.0"
+              "version": "1.4.1"
             }
           },
           "artifacts": [
@@ Expand Down @@