1
0
Fork 0
mirror of https://github.com/imjasonh/govulncheck-action synced 2026-07-07 00:12:55 +00:00
govulncheck-action/index.js

88 lines
3 KiB
JavaScript
Raw Permalink Normal View History

import * as core from '@actions/core';
import GovulncheckRunner from './lib/govulncheck.js';
import VulnerabilityParser from './lib/parser.js';
import AnnotationCreator from './lib/annotator.js';
import SummaryGenerator from './lib/summary.js';
import { fileURLToPath } from 'url';
async function run(dependencies = {}) {
// Allow dependency injection for testing
const coreLib = dependencies.core || core;
const govulncheck = dependencies.govulncheck || new GovulncheckRunner();
const parser = dependencies.parser || new VulnerabilityParser();
const annotator = dependencies.annotator || new AnnotationCreator(coreLib);
const summaryGenerator = dependencies.summaryGenerator || new SummaryGenerator(coreLib);
try {
const workingDirectory = coreLib.getInput('working-directory');
// Change to working directory
if (workingDirectory !== '.') {
coreLib.info(`Changing working directory to: ${workingDirectory}`);
process.chdir(workingDirectory);
}
// Install govulncheck if necessary.
await govulncheck.install();
// Run govulncheck with JSON output
coreLib.info('Running govulncheck...');
const { output, errorOutput } = await govulncheck.run();
if (errorOutput) {
coreLib.warning(`govulncheck stderr: ${errorOutput}`);
// Check for critical errors that indicate govulncheck couldn't run properly
if (
errorOutput.includes('missing go.sum entry') ||
errorOutput.includes('could not import') ||
errorOutput.includes('invalid package name')
) {
throw new Error(
`govulncheck failed due to missing dependencies. Please run 'go mod tidy' to update go.mod and go.sum files.\n\nError: ${errorOutput}`
);
}
}
// Log raw output for debugging
coreLib.info(`Raw govulncheck output length: ${output.length} characters`);
if (output.length < 5000) {
coreLib.info(`Raw output: ${output}`);
} else {
coreLib.info(`Raw output (first 1000 chars): ${output.substring(0, 1000)}...`);
}
// Parse JSON output
const vulnerabilities = parser.parse(output);
// Create annotations
Add vulnerable example and enhance action features This commit adds a comprehensive example demonstrating the govulncheck action's capabilities, along with several enhancements to improve the user experience. ## Changes ### Example Setup - Added example/main.go that uses golang.org/x/net v0.0.0-20220906165146-f3363e06e74c (vulnerable version) - Example intentionally calls html.Parse to trigger vulnerability detection - Demonstrates how the action creates annotations on vulnerable code ### Enhanced Annotations - Fixed file path handling when running in subdirectories (e.g., './example') - Added rich context to annotations including: - Vulnerability summaries and CVE numbers - Direct links to Go vulnerability database (pkg.go.dev/vuln) - Fixed version information - Clear indication of which function is vulnerable (e.g., "html.Parse" not "main") - Sorted vulnerabilities by OSV ID for consistent display ### Suggested Fixes - When vulnerable code is actually called, creates notice annotations on go.mod - Shows current vs suggested dependency versions - Lists which specific vulnerabilities have active call sites - Provides actionable upgrade recommendations ### Workflow Summary - Added comprehensive workflow summary using GitHub Actions summary API - Displays vulnerabilities in formatted tables by module - Shows vulnerable code locations organized by file - Includes links to Go vulnerability database entries - Provides clear recommendations for fixing vulnerabilities ### Bug Fixes - Fixed JSON parsing to handle both JSON lines and multi-line JSON formats - Fixed annotation file paths to be relative to repository root - Improved vulnerability function name extraction from trace data - Enhanced OSV detail parsing and storage ## Testing The example workflow demonstrates all features by intentionally using a vulnerable dependency. When run, it will: 1. Detect vulnerabilities in golang.org/x/net 2. Create warning annotations on go.mod and main.go 3. Suggest specific version updates 4. Generate a detailed workflow summary This provides a complete demonstration of the action's vulnerability detection and reporting capabilities.
2025-06-07 00:58:11 -04:00
await annotator.createAnnotations(vulnerabilities, parser, workingDirectory);
Add vulnerable example and enhance action features This commit adds a comprehensive example demonstrating the govulncheck action's capabilities, along with several enhancements to improve the user experience. ## Changes ### Example Setup - Added example/main.go that uses golang.org/x/net v0.0.0-20220906165146-f3363e06e74c (vulnerable version) - Example intentionally calls html.Parse to trigger vulnerability detection - Demonstrates how the action creates annotations on vulnerable code ### Enhanced Annotations - Fixed file path handling when running in subdirectories (e.g., './example') - Added rich context to annotations including: - Vulnerability summaries and CVE numbers - Direct links to Go vulnerability database (pkg.go.dev/vuln) - Fixed version information - Clear indication of which function is vulnerable (e.g., "html.Parse" not "main") - Sorted vulnerabilities by OSV ID for consistent display ### Suggested Fixes - When vulnerable code is actually called, creates notice annotations on go.mod - Shows current vs suggested dependency versions - Lists which specific vulnerabilities have active call sites - Provides actionable upgrade recommendations ### Workflow Summary - Added comprehensive workflow summary using GitHub Actions summary API - Displays vulnerabilities in formatted tables by module - Shows vulnerable code locations organized by file - Includes links to Go vulnerability database entries - Provides clear recommendations for fixing vulnerabilities ### Bug Fixes - Fixed JSON parsing to handle both JSON lines and multi-line JSON formats - Fixed annotation file paths to be relative to repository root - Improved vulnerability function name extraction from trace data - Enhanced OSV detail parsing and storage ## Testing The example workflow demonstrates all features by intentionally using a vulnerable dependency. When run, it will: 1. Detect vulnerabilities in golang.org/x/net 2. Create warning annotations on go.mod and main.go 3. Suggest specific version updates 4. Generate a detailed workflow summary This provides a complete demonstration of the action's vulnerability detection and reporting capabilities.
2025-06-07 00:58:11 -04:00
// Generate workflow summary
await summaryGenerator.generateSummary(vulnerabilities, parser, workingDirectory);
// Set outputs
const hasVulnerabilities = vulnerabilities.length > 0;
coreLib.setOutput('vulnerabilities-found', hasVulnerabilities.toString());
coreLib.setOutput('vulnerability-count', vulnerabilities.length.toString());
if (hasVulnerabilities) {
coreLib.warning(`Found ${vulnerabilities.length} vulnerabilities`);
} else {
coreLib.info('No vulnerabilities found');
}
return { vulnerabilities, hasVulnerabilities };
} catch (error) {
coreLib.setFailed(error.message);
throw error;
}
}
// Only run if this is the main module
if (process.argv[1] === fileURLToPath(import.meta.url)) {
run();
}
export { run };