Recreated Github Action PR (#432)

This PR features:

- Refactors the format flag's internal logic so that we can don't need
to repeat the format types so much, and we can test when we add a new
format entry if we forgot anything.
- Adds a new format "sarif", which returns a SARIF report (closes #216 )
- Adds a Github Action `action.yaml` and it's specialized dockerfile
`action.dockerfile`. This docker image runs a bash script wrapping
osv-scanner, first by preprocessing the input so the last argument will
be split by new line, allowing the workflow user to pass in multiple
directories/files they wish to scan. The script also changes exit codes
127 and 128 to 0 as they contain errors that the user can't really do
anything about.
- Adds two reusable workflows using this new github action for this repo
- Reusable PR workflow, for using to check if PRs introduce new
vulnerabilities.
- Reusable Scheduled workflow, for use to regularly check for new vulns
applying to your existing vulns.
- Adds an experimental flag: `--experimental-diff`, which will only
output the difference between a previous run and this run of the
osv-scanner. This is for use in the PR workflow.
- Sorts the grouped ID output.

Closes #57 

Currently the reusable workflow has to point to a specific action which
cannot be relative (otherwise it would point to the wrong action when
reused in another repo). This means right now it's pointed to this
fork/branch instead of the master branch, this will need to be updated
once this PR is merged.

Example of what workflow sarif output looks like:

![image](https://github.com/google/osv-scanner/assets/106129829/fc7a0ac4-f3d8-4524-93ba-7b03dd0313cd)

Here is an example of the PR reusable workflow working:

another-rex/scorecard-check-osv-e2e#1

That PR adds an additional vulnerability, which causes it to fail. You
can see that only the new vuln is showing up in the code scanning
report:
https://github.com/another-rex/scorecard-check-osv-e2e/security/code-scanning/1


TODO after this PR is merged:
- Change links that point to this PR branch to point to main (and/or a
tagged commit of main)
- Add support for annotations
- Add documentation (this is for later, as we want to dogfood it in our
own repos first before broadcasting this widely)

---------

Signed-off-by: Rex P <[email protected]>

.github/workflows/osv-scanner-pr.yml

@@ -0,0 +1,29 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: osv-scanner
+
+on:
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  merge_group:
+    branches: [ main ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  scan-pr-attempt:
+    uses: "./.github/workflows/osv-scanner-reusable-pr.yml"

.github/workflows/osv-scanner-reusable-pr.yml

@@ -0,0 +1,82 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: OSV-Scanner PR scanning
+
+on:
+  workflow_call:
+
+jobs:
+  scan-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          # Do persist credentials, as we need it for the git checkout later
+      - name: "Checkout target branch"
+        run: git checkout $GITHUB_BASE_REF
+      - name: "Run scanner on existing code"
+        uses: another-rex/osv-scanner/actions/scanner@markdown-output
+        continue-on-error: true
+        with:
+          results-format: json
+          results-file: old-results.json
+          to-scan: .
+      - name: "Checkout current branch"
+        run: git checkout $GITHUB_SHA
+      - name: "Run scanner on new code"
+        uses: another-rex/osv-scanner/actions/scanner@markdown-output
+        with:
+          results-format: json
+          results-file: new-results.json
+          to-scan: .
+        continue-on-error: true
+      - name: "Run osv-diff"
+        uses: another-rex/osv-scanner/actions/diff@markdown-output
+        with:
+          results-format: sarif
+          output-file: final-results.sarif
+          old-results: old-results.json
+          new-results: new-results.json
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        if: '!cancelled()'
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: final-results.sarif
+          retention-days: 5
+      - name: "Upload old scan json results"
+        if: '!cancelled()'
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: old-json-results
+          path: old-results.json
+          retention-days: 5
+      - name: "Upload new scan json results"
+        if: '!cancelled()'
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: new-json-results
+          path: new-results.json
+          retention-days: 5
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        if: '!cancelled()'
+        uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
+        with:
+          sarif_file: final-results.sarif
+

.github/workflows/osv-scanner-reusable-scheduled.yml

@@ -0,0 +1,47 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: OSV-Scanner PR scanning
+
+on:
+  workflow_call:
+
+jobs:
+  scan-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: "Run scanner"
+        uses: another-rex/osv-scanner/actions/scanner@markdown-output
+        with:
+          results-format: sarif
+          results-file: results.sarif
+          to-scan: .
+          recursive-scan: true
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        if: '!cancelled()'
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        if: '!cancelled()'
+        uses: github/codeql-action/upload-sarif@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e # v2.20.0
+        with:
+          sarif_file: results.sarif
+

.github/workflows/osv-scanner-scheduled.yml

@@ -0,0 +1,28 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: osv-scanner
+
+on:
+  schedule:
+    - cron: '12 12 * * 1'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  scan-pr-attempt:
+    uses: "./.github/workflows/osv-scanner-reusable-scheduled.yml"

action.dockerfile

@@ -0,0 +1,44 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:alpine@sha256:fd9d9d7194ec40a9a6ae89fcaef3e47c47de7746dd5848ab5343695dbbd09f8c
+
+RUN mkdir /src
+WORKDIR /src
+
+COPY ./go.mod /src/go.mod
+COPY ./go.sum /src/go.sum
+RUN go mod download
+
+COPY ./ /src/
+RUN go build -o osv-scanner ./cmd/osv-scanner/
+RUN go build -o osv-diff ./cmd/osv-diff/
+
+FROM alpine:3.17@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
+RUN apk --no-cache add \
+    ca-certificates \
+    git \
+    bash
+
+# Allow git to run on mounted directories
+RUN git config --global --add safe.directory '*'
+
+WORKDIR /root/
+COPY --from=0 /src/osv-scanner ./
+COPY --from=0 /src/osv-diff ./
+COPY ./exit_code_redirect.sh ./
+
+ENV PATH="${PATH}:/root"
+
+ENTRYPOINT ["bash", "/root/exit_code_redirect.sh"]

actions/diff/action.yml

@@ -0,0 +1,25 @@
+# Currently experimental.
+name: 'osv-scanner-diff'
+description: 'Finds the difference between two osv-scanner json results'
+inputs:
+  output-file:
+    description: 'Output path'
+    required: true
+  results-format:
+    description: 'Output result format'
+    default: 'sarif'
+  old-results:
+    description: 'Old results to get the difference against'
+    required: true
+  new-results:
+    description: 'New results to get the difference against'
+    required: true
+runs:
+  using: 'docker'
+  image: '../../action.dockerfile'
+  entrypoint: /root/osv-diff
+  args:
+    - '--output=${{ inputs.output-file }}'
+    - '--format=${{ inputs.results-format }}'
+    - '--old=${{ inputs.old-results }}'
+    - '--new=${{ inputs.new-results }}'

actions/scanner/action.yml

@@ -0,0 +1,26 @@
+# Currently experimental.
+name: 'osv-scanner'
+description: 'Scans your directory against the OSV database (Experimental)'
+inputs:
+  to-scan:
+    description: 'Directories to scan'
+    default: "./"
+  results-file:
+    description: 'Output path'
+    required: true
+  results-format:
+    description: 'Output result format'
+    default: 'sarif'
+  recursive-scan:
+    description: 'Recursively scan though subdirectories'
+    required: false
+    default: true
+runs:
+  using: 'docker'
+  image: '../../action.dockerfile'
+  args:
+    - '--skip-git'
+    - '--output=${{ inputs.results-file }}'
+    - '--format=${{ inputs.results-format }}'
+    - '--recursive=${{ inputs.recursive-scan }}'
+    - ${{ inputs.to-scan }}