-
Notifications
You must be signed in to change notification settings - Fork 40
/
action.yml
140 lines (132 loc) · 6.34 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
name: CogniCrypt - Static Spplication Security Testing
description: CogniCrypt takes rules written in the specification language CrySL as input, and performs a static analysis based on the specification of the rules.
inputs:
basePath:
description: Path to relate paths in the analyzed jar and the source tree.
Class \"com.example\" is searched for at \"basePath/com/example\".
rulesDir:
description: Path to rules (in CrySL source code format)
default: "rules_98e04be6/JavaCryptographicArchitecture/src/"
appPath:
description: Path to the JAR of the application to be analyzed
required: true
cg:
description: Selection of call graph for analysis (possible values are CHA, SPARK, SPARKLIB)
sootPath:
description: Absolute path of the whole project
identifier:
description: Identifier for labeling output files
reportPath:
description: Directory Location for cryptoanalysis reports
reportFormat:
description: The format of the report. Possible values are CMD, TXT, SARIF, CSV and CSV_SUMMARY.
Multiple formats should be split with a comma (e.g. CMD,TXT,CSV).
Running this action will also implicitly enable the output as GitHub Annotations.
visualization :
description: Enables the visualization, but also requires reportPath option to be set
providerDetection :
description: Enables provider detection analysis
ignoreSections:
description: Names of packages, classes and methods to be ignored during the analysis.
This input expects path to a file containing one name per line.
For example, 'de.example.testClass' ignores the class 'testClass',
'de.example.exampleClass.exampleMethod ignores the method 'exampleMethod' in 'exampleClass',
and 'de.example.*' ignores all classes and methods in the package 'example'.
Using this option may increase the analysis performance.
Note that constructors are methods that can be specified with '<init>'.
sparseStrategy:
description: Strategy to sparsify Boomerang queries. Possible values are NONE, TYPE_BASED, and ALIAS_AWARE (default NONE)
timeout:
description: Timeout for seeds in milliseconds. If a seed exceeds this value, CryptoAnalysis aborts the
typestate and extract parameter analysis and continues with the results computed so far. (default 10000)
runs:
using: "composite"
steps:
- name: Set up Java
uses: actions/setup-java@v3
with:
distribution: 'adopt'
java-package: jdk
java-version: '11'
- name: Checkout rules
uses: actions/checkout@v4
with:
repository: CROSSINGTUD/Crypto-API-Rules
path: rules_98e04be6
- name: Checkout source code
uses: actions/checkout@v4
with:
repository: ${{ env.GH_ACTION_REPOSITORY }}
ref: ${{ env.GH_ACTION_REF }}
path: CryptoAnalysisBuild_98e04be6 # random string at the end to avoid any conflicts with the actual repo
env:
# workaround for https://github.com/actions/runner/issues/2473
GH_ACTION_REPOSITORY: ${{ github.action_repository }}
GH_ACTION_REF: ${{ github.action_ref }}
- name: Calculate cache key
id: cache-key
shell: bash
working-directory: CryptoAnalysisBuild_98e04be6
run: echo "cache-key=CryptoAnalysis-$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- name: Restore CryptoAnalysis Cache
id: cache
uses: actions/cache/restore@v3
with:
path: CryptoAnalysisBuild_98e04be6/CryptoAnalysis.jar
key: ${{ steps.cache-key.outputs.cache-key }}
- name: Set up Maven
if: steps.cache.outputs.cache-hit != 'true'
uses: stCarolas/setup-maven@v4.5
with:
maven-version: 3.6.3
# Fetch pre-compiled JAR from the maven repository
- name: Download pre-compiled JAR
id: download
if: steps.cache.outputs.cache-hit != 'true'
continue-on-error: true
shell: bash
run: |
echo "::group::Download"
mvn dependency:copy -Dartifact=de.fraunhofer.iem:CryptoAnalysis:${{ env.GH_ACTION_REF }}:jar:jar-with-dependencies -DoutputDirectory=CryptoAnalysis/build
echo "::endgroup::"
working-directory: CryptoAnalysisBuild_98e04be6
env:
GH_ACTION_REF: ${{ github.action_ref }}
# Compile from source when no pre-compiled JAR is available.
# This also makes the action work for non-releases,
# meaning any ref that can be resolved by https://github.com/actions/checkout.
- name: Compile CryptoAnalysis
# if: steps.cache.outputs.cache-hit != 'true' && steps.download.outcome != 'success'
shell: bash
run: |
echo "::group::Compile"
mvn clean package -DskipTests=true
echo "::endgroup::"
working-directory: CryptoAnalysisBuild_98e04be6
- name: Copy JAR to convenient path
if: steps.cache.outputs.cache-hit != 'true'
shell: bash
run: cp CryptoAnalysisBuild_98e04be6/apps/HeadlessJavaScanner-*-jar-with-dependencies.jar CryptoAnalysisBuild_98e04be6/CryptoAnalysis.jar
- name: Save CryptoAnalysis Cache
uses: actions/cache/save@v3
if: steps.cache.outputs.cache-hit != 'true'
with:
path: CryptoAnalysisBuild_98e04be6/CryptoAnalysis.jar
key: ${{ steps.cache-key.outputs.cache-key }}
- run: |
java -jar CryptoAnalysisBuild_98e04be6/CryptoAnalysis.jar \
--rulesDir ${{ inputs.rulesDir }} \
--appPath ${{ inputs.appPath }} \
--reportFormat github_annotation${{ inputs.reportFormat && format(',{0}', inputs.reportFormat) || '' }} \
${{ inputs.cg && format('{0} {1}', '--cg', inputs.cg) || '' }} \
${{ inputs.sootPath && format('{0} {1}', '--sootPath', inputs.sootPath) || '' }} \
${{ inputs.identifier && format('{0} {1}', '--identifier', inputs.identifier) || '' }} \
${{ inputs.reportPath && format('{0} {1}', '--reportPath', inputs.reportPath) || '' }} \
${{ inputs.visualization == 'true' && '--visualization ' || '' }} \
${{ inputs.ignoreSections && format('{0} {1}', '--ignoreSections', inputs.ignoreSections) || '' }} \
${{ inputs.sparseStrategy && format('{0} {1}', '--sparseStrategy', inputs.sparseStrategy) || '' }} \
${{ inputs.timeout && format('{0} {1}', '--timeout', inputs.timeout) || '' }}
shell: bash
# workaround for https://github.com/actions/runner/issues/665
env:
INPUT_BASEPATH: ${{ inputs.basePath }}