SIGINT-1763: Ability to upload and scan with Polaris (#223)

Author: maksudur-rahman-maruf

action.yml

@@ -92,6 +92,21 @@ inputs:
   polaris_upload_sarif_report:
     description: 'Flag to enable/disable uploading of Polaris SARIF report to GitHub Advanced Security'
     required: false
+  polaris_assessment_mode:
+    description: 'The test mode type of this scan'
+    required: false
+  project_directory:
+    description: 'The project source directory. Defaults to repository root directory. Set this to specify a custom folder that is other than repository root'
+    required: false
+  project_source_archive:
+    description: 'The zipped source file path. It overrides the project directory setting'
+    required: false
+  project_source_preserveSymLinks:
+    description: 'Flag indicating whether to preserve symlinks in the source zip'
+    required: false
+  project_source_excludes:
+    description: 'A list of git ignore pattern strings that indicate the files need to be excluded from the zip file'
+    required: false
   synopsys_bridge_install_directory:
     description: 'Synopsys Bridge Install Directory'
     required: false

dist/index.js

@@ -68,6 +68,11 @@ export const POLARIS_REPORTS_SARIF_SEVERITIES_KEY = 'polaris_reports_sarif_sever
 export const POLARIS_REPORTS_SARIF_GROUP_SCA_ISSUES_KEY = 'polaris_reports_sarif_groupSCAIssues'
 export const POLARIS_REPORTS_SARIF_ISSUE_TYPES_KEY = 'polaris_reports_sarif_issue_types'
 export const POLARIS_UPLOAD_SARIF_REPORT_KEY = 'polaris_upload_sarif_report'
+export const POLARIS_ASSESSMENT_MODE_KEY = 'polaris_assessment_mode'
+export const PROJECT_SOURCE_ARCHIVE_KEY = 'project_source_archive'
+export const PROJECT_SOURCE_PRESERVESYMLINKS_KEY = 'project_source_preserveSymLinks'
+export const PROJECT_SOURCE_EXCLUDES_KEY = 'project_source_excludes'
+export const PROJECT_DIRECTORY_KEY = 'project_directory'
 
 // Blackduck
 export const BLACKDUCK_URL_KEY = 'blackduck_url'

dist/index.js.map

@@ -14,6 +14,7 @@ export enum BLACKDUCK_SCAN_FAILURE_SEVERITIES {
 
 export interface Blackduck {
   blackduck: BlackduckData
+  project?: ProjectData
   github?: GithubData
   network?: NetworkAirGap
 }
@@ -28,6 +29,10 @@ export interface BlackduckData {
   reports?: Reports
 }
 
+export interface ProjectData {
+  directory?: string
+}
+
 export interface Branch {
   name: string
 }

src/application-constants.ts

@@ -10,6 +10,7 @@ export interface Coverity {
 export interface ProjectData {
   repository?: {name: string}
   branch?: {name: string}
+  directory?: string
 }
 
 export interface AutomationData {

src/synopsys-action/input-data/blackduck.ts

@@ -3,6 +3,7 @@ import {Reports} from './reports'
 
 export interface Polaris {
   polaris: PolarisData
+  project?: ProjectData
   github?: GithubData
 }
 
@@ -19,6 +20,15 @@ export interface PolarisData {
   reports?: Reports
 }
 
+export interface ProjectData {
+  directory?: string
+  source?: {
+    archive?: string
+    preserveSymLinks?: boolean
+    excludes?: string[]
+  }
+}
+
 export interface PrComment {
   enabled?: boolean
   severities?: string[]

src/synopsys-action/input-data/coverity.ts

@@ -26,6 +26,11 @@ export const POLARIS_REPORTS_SARIF_SEVERITIES = getInput(constants.POLARIS_REPOR
 export const POLARIS_REPORTS_SARIF_GROUP_SCA_ISSUES = getInput(constants.POLARIS_REPORTS_SARIF_GROUP_SCA_ISSUES_KEY)?.trim() || ''
 export const POLARIS_REPORTS_SARIF_ISSUE_TYPES = getInput(constants.POLARIS_REPORTS_SARIF_ISSUE_TYPES_KEY)?.trim() || ''
 export const POLARIS_UPLOAD_SARIF_REPORT = getInput(constants.POLARIS_UPLOAD_SARIF_REPORT_KEY)?.trim() || ''
+export const POLARIS_ASSESSMENT_MODE = getInput(constants.POLARIS_ASSESSMENT_MODE_KEY)?.trim() || ''
+export const PROJECT_DIRECTORY = getInput(constants.PROJECT_DIRECTORY_KEY)?.trim() || ''
+export const PROJECT_SOURCE_ARCHIVE = getInput(constants.PROJECT_SOURCE_ARCHIVE_KEY)?.trim() || ''
+export const PROJECT_SOURCE_PRESERVESYMLINKS = getInput(constants.PROJECT_SOURCE_PRESERVESYMLINKS_KEY)?.trim() || ''
+export const PROJECT_SOURCE_EXCLUDES = getInput(constants.PROJECT_SOURCE_EXCLUDES_KEY)?.trim() || ''
 
 // Coverity related inputs
 export const COVERITY_URL = getInput(constants.COVERITY_URL_KEY)?.trim() || ''

src/synopsys-action/input-data/polaris.ts

@@ -64,7 +64,12 @@ export class SynopsysToolsParameter {
           serverUrl: inputs.POLARIS_SERVER_URL,
           application: {name: applicationName},
           project: {name: projectName},
-          assessment: {types: assessmentTypeArray}
+          assessment: {
+            types: assessmentTypeArray,
+            ...(inputs.POLARIS_ASSESSMENT_MODE && {
+              mode: inputs.POLARIS_ASSESSMENT_MODE
+            })
+          }
         }
       }
     }
@@ -82,6 +87,32 @@ export class SynopsysToolsParameter {
         }
       }
     }
+
+    if (inputs.PROJECT_DIRECTORY || inputs.PROJECT_SOURCE_ARCHIVE || inputs.PROJECT_SOURCE_EXCLUDES || inputs.PROJECT_SOURCE_PRESERVESYMLINKS) {
+      polData.data.project = {}
+
+      if (inputs.PROJECT_DIRECTORY) {
+        polData.data.project.directory = inputs.PROJECT_DIRECTORY
+      }
+
+      if (inputs.PROJECT_SOURCE_ARCHIVE || inputs.PROJECT_SOURCE_EXCLUDES || inputs.PROJECT_SOURCE_PRESERVESYMLINKS) {
+        polData.data.project.source = {}
+
+        if (inputs.PROJECT_SOURCE_ARCHIVE) {
+          polData.data.project.source.archive = inputs.PROJECT_SOURCE_ARCHIVE
+        }
+
+        if (inputs.PROJECT_SOURCE_PRESERVESYMLINKS) {
+          polData.data.project.source.preserveSymLinks = parseToBoolean(inputs.PROJECT_SOURCE_PRESERVESYMLINKS)
+        }
+
+        if (inputs.PROJECT_SOURCE_EXCLUDES) {
+          const sourceExcludesList: string[] = inputs.PROJECT_SOURCE_EXCLUDES.split(',').map(sourceExclude => sourceExclude.trim())
+          polData.data.project.source.excludes = sourceExcludesList
+        }
+      }
+    }
+
     const isPrEvent = isPullRequestEvent()
     if (parseToBoolean(inputs.POLARIS_PRCOMMENT_ENABLED)) {
       if (isPrEvent) {
@@ -224,7 +255,7 @@ export class SynopsysToolsParameter {
       covData.data.coverity.connect.policy = {view: inputs.COVERITY_POLICY_VIEW}
     }
 
-    if (inputs.COVERITY_REPOSITORY_NAME || inputs.COVERITY_BRANCH_NAME) {
+    if (inputs.COVERITY_REPOSITORY_NAME || inputs.COVERITY_BRANCH_NAME || inputs.PROJECT_DIRECTORY) {
       covData.data.project = {
         ...(inputs.COVERITY_REPOSITORY_NAME && {
           repository: {
@@ -235,6 +266,9 @@ export class SynopsysToolsParameter {
           branch: {
             name: inputs.COVERITY_BRANCH_NAME
           }
+        }),
+        ...(inputs.PROJECT_DIRECTORY && {
+          directory: inputs.PROJECT_DIRECTORY
         })
       }
     }
@@ -330,6 +364,12 @@ export class SynopsysToolsParameter {
       }
     }
 
+    if (inputs.PROJECT_DIRECTORY) {
+      blackduckData.data.project = {
+        directory: inputs.PROJECT_DIRECTORY
+      }
+    }
+
     const isPrEvent = isPullRequestEvent()
     if (parseToBoolean(inputs.BLACKDUCK_PRCOMMENT_ENABLED)) {
       if (isPrEvent) {

src/synopsys-action/inputs.ts

@@ -722,6 +722,72 @@ test('Test getFormattedCommandForBlackduck with sarif params', () => {
   expect(resp).toContain('--stage blackduck')
 })
 
+it('should pass polaris source upload fields to bridge', () => {
+  Object.defineProperty(inputs, 'POLARIS_SERVER_URL', {value: 'server_url'})
+  Object.defineProperty(inputs, 'POLARIS_ACCESS_TOKEN', {value: 'access_token'})
+  Object.defineProperty(inputs, 'POLARIS_APPLICATION_NAME', {value: 'POLARIS_APPLICATION_NAME'})
+  Object.defineProperty(inputs, 'POLARIS_PROJECT_NAME', {value: 'POLARIS_PROJECT_NAME'})
+  Object.defineProperty(inputs, 'POLARIS_ASSESSMENT_TYPES', {value: 'SCA, SAST'})
+  Object.defineProperty(inputs, 'POLARIS_BRANCH_NAME', {value: 'feature1'})
+  Object.defineProperty(inputs, 'POLARIS_ASSESSMENT_MODE', {value: 'assessment_mode'})
+  Object.defineProperty(inputs, 'PROJECT_DIRECTORY', {value: 'polaris_project_directory'})
+  Object.defineProperty(inputs, 'PROJECT_SOURCE_ARCHIVE', {value: 'source_archive'})
+  Object.defineProperty(inputs, 'PROJECT_SOURCE_PRESERVESYMLINKS', {value: true})
+  Object.defineProperty(inputs, 'PROJECT_SOURCE_EXCLUDES', {value: 'source_exclude1,  source_exclude2'})
+  const stp: SynopsysToolsParameter = new SynopsysToolsParameter(tempPath)
+  const resp = stp.getFormattedCommandForPolaris('synopsys-action')
+
+  const jsonString = fs.readFileSync(tempPath.concat(polaris_input_file), 'utf-8')
+  const jsonData = JSON.parse(jsonString)
+  expect(resp).not.toBeNull()
+  expect(resp).toContain('--stage polaris')
+  expect(jsonData.data.polaris.serverUrl).toContain('server_url')
+  expect(jsonData.data.polaris.accesstoken).toContain('access_token')
+  expect(jsonData.data.polaris.application.name).toContain('POLARIS_APPLICATION_NAME')
+  expect(jsonData.data.polaris.project.name).toContain('POLARIS_PROJECT_NAME')
+  expect(jsonData.data.polaris.branch.name).toContain('feature1')
+  expect(jsonData.data.polaris.assessment.mode).toContain('assessment_mode')
+  expect(jsonData.data.polaris.assessment.types).toEqual(['SCA', 'SAST'])
+  expect(jsonData.data.project.directory).toContain('polaris_project_directory')
+  expect(jsonData.data.project.source.archive).toContain('source_archive')
+  expect(jsonData.data.project.source.preserveSymLinks).toBe(true)
+  expect(jsonData.data.project.source.excludes).toEqual(['source_exclude1', 'source_exclude2'])
+})
+
+it('should pass black duck fields and project directory field to bridge', () => {
+  Object.defineProperty(inputs, 'BLACKDUCK_URL', {value: 'BLACKDUCK_URL'})
+  Object.defineProperty(inputs, 'BLACKDUCK_API_TOKEN', {value: 'BLACKDUCK_API_TOKEN'})
+  Object.defineProperty(inputs, 'PROJECT_DIRECTORY', {value: 'BLACKDUCK_PROJECT_DIRECTORY'})
+
+  const stp: SynopsysToolsParameter = new SynopsysToolsParameter(tempPath)
+  const resp = stp.getFormattedCommandForBlackduck()
+
+  const jsonString = fs.readFileSync(tempPath.concat(blackduck_input_file), 'utf-8')
+  const jsonData = JSON.parse(jsonString)
+  expect(resp).not.toBeNull()
+  expect(resp).toContain('--stage blackduck')
+  expect(jsonData.data.blackduck.url).toBe('BLACKDUCK_URL')
+  expect(jsonData.data.blackduck.token).toBe('BLACKDUCK_API_TOKEN')
+  expect(jsonData.data.project.directory).toBe('BLACKDUCK_PROJECT_DIRECTORY')
+})
+
+it('should pass coverity fields and project directory field to bridge', () => {
+  Object.defineProperty(inputs, 'COVERITY_URL', {value: 'COVERITY_URL'})
+  Object.defineProperty(inputs, 'COVERITY_USER', {value: 'COVERITY_USER'})
+  Object.defineProperty(inputs, 'COVERITY_PASSPHRASE', {value: 'COVERITY_PASSPHRASE'})
+
+  const stp: SynopsysToolsParameter = new SynopsysToolsParameter(tempPath)
+  const resp = stp.getFormattedCommandForCoverity('synopsys-action')
+
+  const jsonString = fs.readFileSync(tempPath.concat(coverity_input_file), 'utf-8')
+  const jsonData = JSON.parse(jsonString)
+  expect(resp).not.toBeNull()
+  expect(resp).toContain('--stage connect')
+  expect(jsonData.data.coverity.connect.url).toBe('COVERITY_URL')
+  expect(jsonData.data.coverity.connect.user.name).toBe('COVERITY_USER')
+  expect(jsonData.data.coverity.connect.user.password).toBe('COVERITY_PASSPHRASE')
+})
+
 process.env['GITHUB_SERVER_URL'] = 'https://custom.com'
 describe('test black duck values passed correctly to bridge for workflow simplification', () => {
   it('should pass black duck pr comment fields to bridge in pr context', () => {