Updates to Code Dx GitHub Action (#3)

* Added support for specifying branch during analysis

* Naming changes: Renamed "Code Dx" -> "SRM"

* Test: Update main.yml

* Test: Update upload name in main.yml

* Update README.md and revert test commit

* Addressing review comments

* Added `project-name` config support

Also addressing previous review comments

* Minor update to README and error log message

* Added `dist` folder changes

* Minor update to log message and dist files

Author: bkundu929

.github/workflows/main.yml

@@ -30,7 +30,7 @@ jobs:
           unzip pmd-bin-6.38.0.zip
           ./pmd-bin-6.38.0/bin/run.sh pmd -d webgoat -f sarif -R rulesets/java/quickstart.xml -r pmd-sarif.json -failOnViolation false
       
-      - name: Code Dx Upload
+      - name: SRM Upload
         uses: './codedx-action'
         with:
           server-url: ${{ secrets.CDX_SERVER_URL }}

README.md

@@ -1,6 +1,6 @@
-# GitHub Action for Code Dx
+# GitHub Action for SRM
 
-This GitHub action can be used to push source code, binaries, and scan results to a [Code Dx](https://codedx.com) instance from within a GitHub workflow; source and binaries are automatically scanned by Code Dx using its built-in analysis tools.
+This GitHub action can be used to push source code, binaries, and scan results to an [SRM](https://www.synopsys.com/software-integrity/software-risk-manager.html) instance from within a GitHub workflow; source and binaries are automatically scanned by SRM using its built-in analysis tools.
 
 ## Features and Behavior
 
@@ -11,28 +11,35 @@ The Action can optionally wait for analysis completion, writing the final status
 The workflow will be set to fail if:
 
 - The source/binaries glob(s) fail to match any files
-- There are any errors when contacting your Code Dx server
+- There are any errors when contacting your SRM server
 - The analysis ends in failure
 
 ## Requirements
 
-- A deployed, licensed instance of Code Dx (any license)
-- Access from GitHub to Code Dx via HTTP, or via HTTPS with a recognizable certificate (use the `ca-cert` param if not using a public CA)
-- A Project in Code Dx to store results
+- A deployed, licensed instance of SRM (any license)
+- Access from GitHub to SRM via HTTP, or via HTTPS with a recognizable certificate (use the `ca-cert` param if not using a public CA)
+- A Project in SRM to store results
 - An API Key or Personal Access Token with "Create" permissions for the Project
 
 ## Action Inputs
 
-| Input Name                 | Description                                                                                              | Default Value | Required |
-|----------------------------|----------------------------------------------------------------------------------------------------------|---------------|----------|
-| `server-url`               | The URL for the Code Dx server (typically ends with `/codedx`)                                           |               | Yes      |
-| `api-key`                  | An API Key or Personal Access Token to use when connecting to Code Dx                                    |               | Yes      |
-| `project-id`               | The ID of a project (an integer) created in Code Dx                                                      |               | Yes      |
-| `source-and-binaries-glob` | A comma-separated-list of file globs matching source and binary files to be packaged and sent to Code Dx | `undefined`   | No       |
-| `tool-outputs-glob`        | A comma-separated list of file globs matching tool output/scan result files                              | `undefined`   | No       |
-| `wait-for-completion`      | Whether to wait for the analysis to complete before exiting                                              | `false`       | No       |
-| `ca-cert`                  | A custom CA cert to use for HTTPS connections to Code Dx                                                 | `undefined`   | No       |
-| `dry-run`                  | Whether to submit an analysis (false/undefined) or only test the connection and credentials (true)       | `undefined`   | No       |
+| Input Name                 | Description                                                                                                                                                                                       | Default Value | Required        |
+|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------------|
+| `server-url`               | The URL for the SRM server (typically ends with `/srm`)                                                                                                                                           |               | Yes             |
+| `api-key`                  | An API Key or Personal Access Token to use when connecting to SRM                                                                                                                                 |               | Yes             |
+| `project-id`               | The ID of a project (an integer) created in SRM                                                                                                                                                               | `undefined`   | Yes<sup>1</sup> |
+| `project-name`             | The name of a project created in SRM                                                                                                                                                              | `undefined`   | Yes<sup>1</sup> |
+| `base-branch-name`         | The parent branch name of a project created in SRM                                                                                                                                                | `undefined`   | No<sup>2</sup>  |
+| `target-branch-name`       | The target branch name of a project created in SRM. <br/>SRM automatically creates the branch if it does not exist yet in the project, and the new branch will be created from `base-branch-name` | `undefined`   | No              |
+| `source-and-binaries-glob` | A comma-separated-list of file globs matching source and binary files to be packaged and sent to SRM                                                                                              | `undefined`   | No              |
+| `tool-outputs-glob`        | A comma-separated list of file globs matching tool output/scan result files                                                                                                                       | `undefined`   | No              |
+| `wait-for-completion`      | Whether to wait for the analysis to complete before exiting                                                                                                                                       | `false`       | No              |
+| `ca-cert`                  | A custom CA cert to use for HTTPS connections to SRM                                                                                                                                              | `undefined`   | No              |
+| `dry-run`                  | Whether to submit an analysis (false/undefined) or only test the connection and credentials (true)                                                                                                | `undefined`   | No              |
+
+**Notes**
+1. Either `project-id` or `project-name` is required. An error will be thrown if neither is specified or both are specified.
+2. `base-branch-name` is required if `target-branch-name` is specified and doesn't exist yet in the project.
 
 ## Sample Workflow
 
@@ -45,7 +52,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - name: Code Dx Upload
+      - name: SRM Upload
         uses: 'codedx/codedx-github-action@v1.1'
         with:
           server-url: ${{ secrets.CDX_SERVER_URL }}

action.yml

@@ -1,18 +1,27 @@
-name: 'Code Dx Analysis'
-description: 'Analyze your source code and binaries with Code Dx'
+name: 'SRM Analysis'
+description: 'Analyze your source code and binaries with SRM'
 inputs:
   # main config options
   server-url:
-    description: 'the URL for the Code Dx server (typically ends with `/codedx`)'
+    description: 'the URL for the SRM server (typically ends with `/srm`)'
     required: true
   api-key:
-    description: 'an API key or Personal Access Token (PAT) to use when connecting to Code Dx'
+    description: 'an API key or Personal Access Token (PAT) to use when connecting to SRM'
     required: true
   project-id:
-    description: 'the ID of a project (an integer) created in Code Dx'
-    required: true
+    description: 'the ID of a project (an integer) created in SRM. This is required if `project-name` is not specified.'
+    required: false
+  project-name:
+    description: 'the name of a project created in SRM. This is required if `project-id` is not specified.'
+    required: false
+  base-branch-name:
+    description: 'the parent branch name of a project created in SRM'
+    required: false
+  target-branch-name:
+    description: 'the target branch name of a project created in SRM. SRM automatically creates the branch if it does not exist yet in the project, and the new branch will be created from `base-branch-name`'
+    required: false
   source-and-binaries-glob:
-    description: 'a file glob matching source and binary files (accepts multiple comma-separated globs). if not set, no source/binary files will be sent to Code Dx'
+    description: 'a file glob matching source and binary files (accepts multiple comma-separated globs). if not set, no source/binary files will be sent to SRM'
     required: true
   tool-outputs-glob:
     description: 'a file glob matching output files (ie scan results) from an analysis tool (accepts multiple comma-separated globs)'  
@@ -24,7 +33,7 @@ inputs:
     required: false
     default: false
   ca-cert:
-    description: 'a custom CA cert to use for HTTPS requests to Code Dx'
+    description: 'a custom CA cert to use for HTTPS requests to SRM'
     required: false
   dry-run:
     description: 'whether to submit an analysis (false/undefined), or only test the connection and credentials (true). an error in validation will fail the build.'

analyze.js

@@ -4,7 +4,7 @@ const _ = require('underscore')
 const archiver = require('archiver')
 const fs = require('fs')
 const FormData = require('form-data')
-const CodeDxApiClient = require('./codedx')
+const { SrmApiClient, checkIfBranchPresent } = require('./srm')
 const path = require('path')
 
 const getConfig = require('./config').get
@@ -74,7 +74,7 @@ async function prepareInputsZip(inputsGlob, targetFile) {
 }
 
 async function attachInputsZip(inputGlobs, formData, tmpDir) {
-  const zipTarget = path.join(tmpDir, "codedx-inputfiles.zip")
+  const zipTarget = path.join(tmpDir, "srm-inputfiles.zip")
   const numFiles = await prepareInputsZip(inputGlobs, zipTarget)
   if (numFiles == 0) {
     core.warning("No files were matched by the 'source-and-binaries-glob' values, skipping source/binaries ZIP attachment")
@@ -104,19 +104,100 @@ async function attachScanFiles(scanGlobs, formData) {
   }
 }
 
+async function validateBranches(branches, config) {
+  const baseBranchPresent = checkIfBranchPresent(branches, config.baseBranchName)
+  const targetBranchPresent = checkIfBranchPresent(branches, config.targetBranchName)
+
+  if (targetBranchPresent) {
+    core.info("Using existing SRM branch: " + config.targetBranchName);
+    // Not necessary, base branch is currently ignored in the backend if the target
+    // branch already exists. just setting to null to safeguard in case of future changes
+    config.baseBranchName = null
+  } else {
+    // Base branch is not defined; throw error
+    if (!config.baseBranchName) {
+      throw new Error("A parent branch must be specified when using a new target branch");
+    }
+
+    // Base branch is defined but is not present; cannot create target branch, so throw error
+    if (!baseBranchPresent) {
+      throw new Error("The specified parent branch does not exist: " + config.baseBranchName);
+    }
+
+    // If base branch is defined and present, create the target branch off the base
+    core.info(`Analysis will create a new branch named '${config.targetBranchName}' based on the branch '${config.baseBranchName}'`);
+  }
+}
+
+async function getProjectId(config, client) {
+  // If projectId is defined and not name, simply return the id
+  if (config.projectId && !config.projectName) {
+    return config.projectId
+  } else if (!config.projectId && config.projectName) {
+    // If project name is defined, retrieve the corresponding project id first.
+    // If multiple projects with the same name exist, throw an error since it is ambiguous which project the user wants.
+    const projects = await client.getSrmProjects()
+    const matchedProjectIds = projects.filter(project => project.name == config.projectName).map(project => project.id)
+
+    if (matchedProjectIds.length == 1) {
+      return matchedProjectIds[0]
+    } else if (matchedProjectIds.length == 0) {
+      throw new Error(`No projects with the name '${config.projectName}'.`)
+    } else {
+      throw new Error(`Multiple projects with the name '${config.projectName}'. Unable to determine which project to use. Try specifying with 'project-id' instead.`)
+    }
+  } else if (!config.projectId && !config.projectName) {
+    // If neither is defined, throw error
+    throw new Error(`No projects specified. Make sure to specify either 'project-id' or 'project-name'.`)
+  } else {
+    // If both are defined, throw error
+    throw new Error(`Both 'project-id' and 'project-name' are specified. Unable to determine which project to use. Make sure to specify either 'project-id' or 'project-name'.`)
+  }
+}
+
 // most @actions toolkit packages have async methods
 module.exports = async function run() {
   const config = getConfig()
+  const MinimumVersionForBranching = '2022.4.3'
+
+  const client = new SrmApiClient(config.serverUrl, config.apiKey, config.caCert)
+  core.info("Checking connection to SRM...")
 
-  const client = new CodeDxApiClient(config.serverUrl, config.apiKey, config.caCert)
-  core.info("Checking connection to Code Dx...")
+  const srmVersion = await client.testConnection()
+  core.info("Confirmed - using SRM " + srmVersion)
 
-  const codedxVersion = await client.testConnection()
-  core.info("Confirmed - using Code Dx " + codedxVersion)
+  const projectId = await getProjectId(config, client)
 
   core.info("Checking API key permissions...")
-  await client.validatePermissions(config.projectId)
-  core.info("Connection to Code Dx server is OK.")
+  await client.validatePermissions(projectId)
+  core.info("Connection to SRM server is OK.")
+
+  const branches = await client.getProjectBranches(projectId)
+  if (config.targetBranchName) {
+    core.info("Validating branch selection...")
+    // First check if the SRM version being used supports branching
+    if (srmVersion.localeCompare(MinimumVersionForBranching, undefined, { numeric: true }) < 0) {
+      core.info(
+          "The connected SRM server with version " + srmVersion + " does not support project branches. " +
+          "The minimum required version is " + MinimumVersionForBranching + ". The target branch and base " +
+          "branch options will be ignored."
+      )
+      // Set both branch configs to null since we will be ignoring them
+      config.baseBranchName = null
+      config.targetBranchName = null
+    } else {
+      await validateBranches(branches, config)
+      core.info("Branch selection is OK.")
+    }
+  } else {
+    // If target branch is not defined, use the default branch. This also ensures even if
+    // base branch is defined, the default branch is not created as a child of the base branch
+    const defaultBranch = branches.filter(branch => branch.isDefault)[0].name
+
+    core.info(`No target branch was defined. Using default target branch '${defaultBranch}'`)
+    config.targetBranchName = defaultBranch
+    config.baseBranchName = null
+  }
 
   if (config.dryRun) {
     core.info("dry-run is enabled, exiting without analysis")
@@ -139,8 +220,8 @@ module.exports = async function run() {
     core.info("Scan files glob not specified, skipping scan file attachment")
   }
 
-  core.info("Uploading to Code Dx...")
-  const { analysisId, jobId } = await client.runAnalysis(config.projectId, formData)
+  core.info("Uploading to SRM...")
+  const { analysisId, jobId } = await client.runAnalysis(projectId, config.baseBranchName, config.targetBranchName, formData)
 
   core.info("Started analysis #" + analysisId)
 
@@ -155,7 +236,7 @@ module.exports = async function run() {
     if (lastStatus == JobStatus.COMPLETED) {
       core.info("Analysis finished! Completed with status: " + lastStatus)
     } else {
-      throw new Error(`Analysis finished with non-complete status: ${lastStatus}. See Code Dx server logs/visual log for more details.`)
+      throw new Error(`Analysis finished with non-complete status: ${lastStatus}. See SRM server logs/visual log for more details.`)
     }
   }
 }

config.js

@@ -16,7 +16,10 @@ class Config {
     constructor() {
         this.serverUrl = core.getInput('server-url', { required: true })
         this.apiKey = core.getInput('api-key', { required: true })
-        this.projectId = core.getInput('project-id', { required: true })
+        this.projectId = core.getInput('project-id')
+        this.projectName = core.getInput('project-name')
+        this.baseBranchName = core.getInput('base-branch-name')
+        this.targetBranchName = core.getInput('target-branch-name')
         this.inputGlobs = core.getInput('source-and-binaries-glob')
         this.scanGlobs = core.getInput('tool-outputs-glob')
 
@@ -42,6 +45,8 @@ class Config {
                 throw new Error("Invalid value for projectId, expected a number but got a " + (typeof this.projectId))
             }
         }
+
+        this.projectName = this.projectName.trim()
     }
 }