fix: download grype on windows runners
Signed-off-by: Keith Zantow <kzantow@gmail.com>
kzantow committed May 17, 2024
1 parent 04171b1 commit 9ade014
Showing 2 changed files with 27 additions and 29 deletions.
29 changes: 14 additions & 15 deletions dist/index.js
@@ -19,7 +19,8 @@ const fs = __nccwpck_require__(7147);
const stream = __nccwpck_require__(2781);
const { GRYPE_VERSION } = __nccwpck_require__(6244);

const grypeBinary = "grype";
const exeSuffix = process.platform == "win32" ? ".exe" : "";
const grypeBinary = "grype" + exeSuffix;
const grypeVersion = core.getInput("grype-version") || GRYPE_VERSION;

async function downloadGrype(version) {
@@ -30,15 +31,13 @@ async function downloadGrype(version) {
// TODO: when grype starts supporting unreleased versions, support it here
// Download the installer, and run
const installPath = await cache.downloadTool(url);
// Make sure the tool's executable bit is set
await exec.exec(`chmod +x ${installPath}`);

let cmd = `${installPath} -b ${installPath}_grype ${version}`;
let cmd = `sh ${installPath} -d -b ${installPath}_grype ${version}`;
await exec.exec(cmd);
let grypePath = `${installPath}_grype/grype`;
let grypePath = `${installPath}_grype/${grypeBinary}`;

// Cache the downloaded file
return cache.cacheFile(grypePath, `grype`, `grype`, version);
return cache.cacheFile(grypePath, grypeBinary, grypeBinary, version);
}

async function installGrype(version) {
@@ -74,7 +73,7 @@ function sourceInput() {

if (multipleDefined(image, path, sbom)) {
throw new Error(
"The following options are mutually exclusive: image, path, sbom",
"The following options are mutually exclusive: image, path, sbom"
);
}

@@ -150,7 +149,7 @@ async function runScan({
env.GRYPE_REGISTRY_AUTH_PASSWORD = registryPass;
if (!registryUser || !registryPass) {
core.warning(
"WARNING: registry-username and registry-password must be specified together",
"WARNING: registry-username and registry-password must be specified together"
);
}
}
@@ -174,22 +173,22 @@ async function runScan({
!SEVERITY_LIST.some(
(item) =>
typeof severityCutoff.toLowerCase() === "string" &&
item === severityCutoff.toLowerCase(),
item === severityCutoff.toLowerCase()
)
) {
throw new Error(
`Invalid severity-cutoff value is set to ${severityCutoff} - please ensure you are choosing either negligible, low, medium, high, or critical`,
`Invalid severity-cutoff value is set to ${severityCutoff} - please ensure you are choosing either negligible, low, medium, high, or critical`
);
}
if (
!FORMAT_LIST.some(
(item) =>
typeof outputFormat.toLowerCase() === "string" &&
item === outputFormat.toLowerCase(),
item === outputFormat.toLowerCase()
)
) {
throw new Error(
`Invalid output-format value is set to ${outputFormat} - please ensure you are choosing either json or sarif`,
`Invalid output-format value is set to ${outputFormat} - please ensure you are choosing either json or sarif`
);
}

@@ -288,14 +287,14 @@ async function runScan({
core.warning("grype had a non-zero exit status when running");
} else if (failBuild === true) {
core.setFailed(
`Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`,
`Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`
);
} else {
// There is a non-zero exit status code with severity cut off, although there is still a chance this is grype
// that is broken, it will most probably be a failed severity. Using warning here will make it bubble up in the
// Actions UI
core.warning(
`Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`,
`Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`
);
}
}
@@ -885,7 +884,7 @@ class OidcClient {
.catch(error => {
throw new Error(`Failed to get ID Token. \n
Error Code : ${error.statusCode}\n
Error Message: ${error.message}`);
Error Message: ${error.result.message}`);
});
const id_token = (_a = res.result) === null || _a === void 0 ? void 0 : _a.value;
if (!id_token) {
27 changes: 13 additions & 14 deletions index.js
@@ -5,7 +5,8 @@ const fs = require("fs");
const stream = require("stream");
const { GRYPE_VERSION } = require("./GrypeVersion");

const grypeBinary = "grype";
const exeSuffix = process.platform == "win32" ? ".exe" : "";
const grypeBinary = "grype" + exeSuffix;
const grypeVersion = core.getInput("grype-version") || GRYPE_VERSION;

async function downloadGrype(version) {
@@ -16,15 +17,13 @@ async function downloadGrype(version) {
// TODO: when grype starts supporting unreleased versions, support it here
// Download the installer, and run
const installPath = await cache.downloadTool(url);
// Make sure the tool's executable bit is set
await exec.exec(`chmod +x ${installPath}`);

let cmd = `${installPath} -b ${installPath}_grype ${version}`;
let cmd = `sh ${installPath} -d -b ${installPath}_grype ${version}`;
await exec.exec(cmd);
let grypePath = `${installPath}_grype/grype`;
let grypePath = `${installPath}_grype/${grypeBinary}`;

// Cache the downloaded file
return cache.cacheFile(grypePath, `grype`, `grype`, version);
return cache.cacheFile(grypePath, grypeBinary, grypeBinary, version);
}

async function installGrype(version) {
@@ -60,7 +59,7 @@ function sourceInput() {

if (multipleDefined(image, path, sbom)) {
throw new Error(
"The following options are mutually exclusive: image, path, sbom",
"The following options are mutually exclusive: image, path, sbom"
);
}

@@ -136,7 +135,7 @@ async function runScan({
env.GRYPE_REGISTRY_AUTH_PASSWORD = registryPass;
if (!registryUser || !registryPass) {
core.warning(
"WARNING: registry-username and registry-password must be specified together",
"WARNING: registry-username and registry-password must be specified together"
);
}
}
@@ -160,22 +159,22 @@ async function runScan({
!SEVERITY_LIST.some(
(item) =>
typeof severityCutoff.toLowerCase() === "string" &&
item === severityCutoff.toLowerCase(),
item === severityCutoff.toLowerCase()
)
) {
throw new Error(
`Invalid severity-cutoff value is set to ${severityCutoff} - please ensure you are choosing either negligible, low, medium, high, or critical`,
`Invalid severity-cutoff value is set to ${severityCutoff} - please ensure you are choosing either negligible, low, medium, high, or critical`
);
}
if (
!FORMAT_LIST.some(
(item) =>
typeof outputFormat.toLowerCase() === "string" &&
item === outputFormat.toLowerCase(),
item === outputFormat.toLowerCase()
)
) {
throw new Error(
`Invalid output-format value is set to ${outputFormat} - please ensure you are choosing either json or sarif`,
`Invalid output-format value is set to ${outputFormat} - please ensure you are choosing either json or sarif`
);
}

@@ -274,14 +273,14 @@ async function runScan({
core.warning("grype had a non-zero exit status when running");
} else if (failBuild === true) {
core.setFailed(
`Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`,
`Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`
);
} else {
// There is a non-zero exit status code with severity cut off, although there is still a chance this is grype
// that is broken, it will most probably be a failed severity. Using warning here will make it bubble up in the
// Actions UI
core.warning(
`Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`,
`Failed minimum severity level. Found vulnerabilities with level '${severityCutoff}' or higher`
);
}
}
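Review bot: In downloadGrype the installer call is still built as one interpolated string, `sh ${installPath} -d -b ${installPath}_grype ${version}`, so `exec.exec` re-splits it and any whitespace or quote in the runner temp path or in `version` (presumably fed from the `grype-version` input read at the top of the file) turns into extra arguments for the install script. Passing an argument array keeps each value as exactly one argument: `await exec.exec("sh", [installPath, "-d", "-b", installPath + "_grype", version]);`. Separately, the downloaded script is handed to `sh` with no digest or signature check visible in these hunks. The `url` is built outside the hunk, so it is worth confirming that it points at a pinned release rather than a moving branch. The same lines are mirrored in the generated dist/index.js section.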
