diff --git a/actions/main/action.yml b/actions/main/action.yml
index df02b581..31075d52 100644
--- a/actions/main/action.yml
+++ b/actions/main/action.yml
@@ -125,3 +125,16 @@ runs:
 const script = require('${{ github.action_path }}/action.cjs')
 await script({github, context, inputs, actionPath, core, debug: process.env.DEBUG === 'true'})
+ # execute only if the `../results` directory is not empty
+ - id: results-dir
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ with:
+ script: |
+ const fs = require('fs')
+ const path = require('path')
+ const resultsDir = path.join('..', 'results')
+ const files = fs.readdirSync(resultsDir)
+ return files.length > 0
+ - if: ${{ steps.results-dir.outputs.result == 'true' }}
+ name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
diff --git a/assets/reviewdog.sh b/assets/reviewdog.sh
index 9181d12f..944ec480 100755
--- a/assets/reviewdog.sh
+++ b/assets/reviewdog.sh
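Review bot: `fs.readdirSync(resultsDir)` in the new results-dir step throws ENOENT when `../results` is absent, which fails the job instead of skipping the upload; reviewdog.sh only creates that directory in its pull-request branch, so a run on a non-PR event would hit this. Guard the read: `return fs.existsSync(resultsDir) && fs.readdirSync(resultsDir).length > 0`. The added upload step references `github/codeql-action/upload-sarif@v3` by a mutable tag, whereas the sibling `actions/github-script` step is pinned to a full commit SHA; pin it to a SHA as well so both steps share the same supply-chain posture. The upload step's `with:` block, and the `security-events: write` permission it requires, lie outside the hunk, so I could not confirm them here.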
@@ -9,23 +9,20 @@ export SEC_ACTION_DEBUG=$SEC_ACTION_DEBUG
 export ASSIGNEES=$(echo "$ASSIGNEES" | sed 's|\([^ ]\)|@\1|' | tr -s '\n' ' ')
 RUNNERS="safesvg tfsec semgrep sveltegrep npm-audit pip-audit" # disabled: brakeman
+# redefine RUNNERS with $1 if it is set
+if [ -n "$1" ]; then
+ RUNNERS=$1
+fi
 if [ -n "${GITHUB_BASE_REF+set}" ]; then
+ mkdir -p ../results
+
 for runner in $RUNNERS; do
- reviewdog -reporter=local -runners=$runner -conf="$SCRIPTPATH/reviewdog/reviewdog.yml" -diff="git diff origin/$GITHUB_BASE_REF" > $runner.log 2>> reviewdog.log || true
+ reviewdog -reporter=sarif -runners=$runner -conf="$SCRIPTPATH/reviewdog/reviewdog.yml" -diff="git diff origin/$GITHUB_BASE_REF" > ../results/$runner.sarif 2>> reviewdog.log || true
 grep -H "" reviewdog.$runner.stderr.log >> reviewdog.fail.log || true
 [[ ${SEC_ACTION_DEBUG:-false} == 'true' ]] && grep -H "" reviewdog.$runner.stderr.log || true
+ find ../results/$runner.sarif -type f -empty -delete
 done
-
- for runner in $RUNNERS; do
- cat $runner.log | reviewdog -reporter=github-pr-review -efm='%f:%l: %m' \
- || cat $runner.log >> reviewdog.fail.log
- grep -H "" $runner.log >> reviewdog.log || true
- echo -n "$runner: "
- echo "${runner//-/_}_count=$(grep -c "^" $runner.log)" >> $GITHUB_OUTPUT || true
- [[ ${SEC_ACTION_DEBUG:-false} == 'true' ]] && grep -H "" $runner.log || true
- done
-
 else
 git ls-files | tr '\n' '\0' > $SCRIPTPATH/all_changed_files.txt
 reviewdog \
diff --git a/assets/semgrep_rules/client/trigger.java b/assets/semgrep_rules/client/trigger.java
new file mode 100644
index 00000000..95bee656
--- /dev/null
+++ b/assets/semgrep_rules/client/trigger.java
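Review bot: The new `reviewdog -reporter=sarif ... || true` line, together with `find ../results/$runner.sarif -type f -empty -delete`, makes a crashed runner indistinguishable from a clean scan: the non-zero exit is swallowed, its empty SARIF is deleted, and the consumer then sees "nothing to upload" with no signal that a scanner never produced results. Replace the bare `|| true` with `|| echo "::warning::reviewdog runner $runner exited non-zero; see reviewdog.log"` so the failure is visible in the job log while the loop still continues. The removed second loop also wrote `${runner//-/_}_count` lines to `$GITHUB_OUTPUT`; if action.yml still declares outputs derived from those, they are now always empty, which I cannot verify from this hunk. The enclosing if/else block continues past the end of the hunk.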
@@ -0,0 +1,39 @@
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageItemInfo;
+import android.content.pm.ResolveInfo;
+import android.content.pm.ActivityInfo
+import android.os.Bundle;
+
+public class MainActivity extends AppCompatActivity {
+
+ @Override
+ protected void onCreate(Bundle savedInstanceState) {
+ super.onCreate(savedInstanceState);
+ setContentView(R.layout.activity_main);
+
+ Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse("http://www.example.com"));
+ PackageManager pm = getPackageManager();
+ // ruleid: android-resolve-intent
+ ResolveInfo resolveInfo = pm.resolveService(intent, 0);
+ // ruleid: android-resolve-intent
+ resolveInfo = pm.resolveContentProvider(intent, 0);
+ // ruleid: android-resolve-intent
+ resolveInfo = pm.resolveActivity(intent, 0);
+ // ruleid: android-resolve-intent
+ ComponentName componentName = intent.resolveActivity(pm);
+ // ruleid: android-resolve-intent
+ ActivityInfo activityInfo = intent.resolveActivityInfo(pm);
+ // ruleid: android-resolve-intent
+ List resolveInfoList = pm.queryBroadcastReceivers(intent,0);
+ // ruleid: android-resolve-intent
+ resolveInfoList = pm.queryIntentActivities(intent,0);
+ // ruleid: android-resolve-intent
+ resolveInfoList = pm.queryIntentActivityOptions(null,null,intent,0);
+ // ruleid: android-resolve-intent
+ resolveInfoList = pm.queryIntentServices(intent,0);
+ // ruleid: android-resolve-intent
+ List providerInfoList = pm.queryIntentContentProviders(intent,0);
+ }
+}
\ No newline at end of file
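Review bot: `import android.content.pm.ActivityInfo` is missing its semicolon, and `Uri`, `PackageManager`, `List` and `AppCompatActivity` are never imported; a semgrep fixture need not compile, but a file that does not parse as well-formed Java could make the rule's match depend on the parser's error recovery, so add the `;` and the missing imports. The fixture carries only `// ruleid:` annotations and no `// ok:` negative case, so the test can show the rule fires but cannot catch over-matching; one `// ok: android-resolve-intent` line with a call the rule is meant to ignore would close that gap. Separately, `pm.resolveContentProvider` takes a String authority in the real API and returns `ProviderInfo`, so assigning it to `ResolveInfo resolveInfo` is not valid Java even though it still exercises the pattern.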