advanced-security
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 17 additions & 6 deletions b/‎README.md‎
Lines changed: 17 additions & 6 deletions
diff --git a/‎action.yml‎
Lines changed: 11 additions & 3 deletions b/‎action.yml‎
Lines changed: 11 additions & 3 deletions
diff --git a/‎component-detection‎
68.7 MB b/‎component-detection‎
68.7 MB
diff --git a/‎componentDetection.test.ts‎
Lines changed: 17 additions & 0 deletions b/‎componentDetection.test.ts‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎componentDetection.ts‎
Lines changed: 173 additions & 0 deletions b/‎componentDetection.ts‎
Lines changed: 173 additions & 0 deletions
@@ -65,3 +65,6 @@ typings/
 
 # next.js build output
 .next
+
+# Output from scanning 
+output.json
@@ -1,13 +1,12 @@
-# Conda dependency submission action
-
-This repository scans Conda environment.yaml files and uploads the results to the dependency graph. While GitHub does not support alerting on OS-level dependencies, it will alert on any PyPI dependencies that are defined in the environment.yaml. 
+# Component detection action
 
+This GitHub Action runs the [microsoft/component-detection](https://github.com/microsoft/component-detection) library to automate dependency extraction at build time. It uses a combination of static and dynamic scanning to build a dependency tree and then uploads that to GitHub's dependency graph via the dependency submission API. This gives you more accurate Dependabot alerts, and support for a bunch of additional ecosystems. 
 
 ### Example workflow
 
 ```yaml
 
-name: Conda dependency submission
+name: Component Detection
 
 on:
   workflow_dispatch:
@@ -22,6 +21,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - name: Conda dependency scanning
-        uses: jhutchings1/conda-dependency-submission-action@v0.0.2
+      - name: Component detection 
+        uses: jhutchings1/component-detection-action@v0.0.1
 ```        
+
+### Configuration options
+
+| Parameter | Description | Example | 
+| --- | --- | 
+filePath | The path to the directory containing the environment files to upload. Defaults to Actions working directory. | `'.'`
+directoryExclusionList | Filters out specific directories following a minimatch pattern. | `test`
+detectorArgs | Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff. | `Pip=EnableIfDefaultOff`
+dockerImagesToScan |Comma separated list of docker image names or hashes to execute container scanning on |  ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab | 
+detectorsFilter | A comma separated list with the identifiers of the specific detectors to be used. | `Pip, RustCrateDetector`
+
+For more information: https://github.com/microsoft/component-detection
@@ -9,10 +9,18 @@ inputs:
     description: 'The path to the directory containing the environment files to upload. Defaults to Actions working directory.'
     required: false
     default: '.'
-  filePattern:
-    description: 'The file name pattern for environment files to upload'
+  directoryExclusionList:
+    description: 'Filters out specific directories following a minimatch pattern.'
+    required: false
+  detectorArgs:
+    description: 'Comma separated list of properties that can affect the detectors execution, like EnableIfDefaultOff that allows a specific detector that is in beta to run, the format for this property is DetectorId=EnableIfDefaultOff, for example Pip=EnableIfDefaultOff.'
+    required: false
+  dockerImagesToScan:
+    description: 'Comma separated list of docker image names or hashes to execute container scanning on, ex: ubuntu:16.04,56bab49eef2ef07505f6a1b0d5bd3a601dfc3c76ad4460f24c91d6fa298369ab'
+    required: false
+  detectorsFilter: 
+    description: 'A comma separated list with the identifiers of the specific detectors to be used. This is meant to be used for testing purposes only.'
     required: false
-    default: 'environment.yaml'
 runs:
   using: 'node16'
   main: 'dist/index.js'
 
@@ -0,0 +1,17 @@
+import ComponentDetection from './componentDetection';
+import fs from 'fs';
+
+test('Downloads CLI', async () => {
+  ComponentDetection.downloadLatestRelease();
+  expect(fs.existsSync(ComponentDetection.componentDetectionPath));
+});
+
+test('Runs CLI', async () => {
+   await ComponentDetection.runComponentDetection('./test');
+   expect(fs.existsSync(ComponentDetection.outputPath));
+});
+
+test('Parses CLI output', async () => {
+  var manifests = await ComponentDetection.getManifestsFromResults();
+  expect(manifests?.length == 2);
+});
@@ -0,0 +1,173 @@
+import * as github from '@actions/github'
+import * as core from '@actions/core'
+import {
+  PackageCache,
+  BuildTarget,
+  Package,
+  Snapshot,
+  Manifest,
+  submitSnapshot
+} from '@github/dependency-submission-toolkit'
+import fetch from 'cross-fetch'
+import tar from 'tar'
+import fs from 'fs'
+import * as exec from '@actions/exec';
+import dotenv from 'dotenv'
+import { Context } from '@actions/github/lib/context'
+import { unmockedModulePathPatterns } from './jest.config'
+dotenv.config();
+
+export default class ComponentDetection {
+  public static componentDetectionPath = './component-detection';
+  public static outputPath = './output.json';
+
+  // This is the default entry point for this class. 
+  static async scanAndGetManifests(path: string): Promise<Manifest[] | undefined> {
+    await this.downloadLatestRelease();
+    await this.runComponentDetection(path);
+    return await this.getManifestsFromResults();
+  }
+  // Get the latest release from the component-detection repo, download the tarball, and extract it
+  public static async downloadLatestRelease() {
+    try {
+      core.debug("Downloading latest release");
+      const downloadURL = await this.getLatestReleaseURL();
+      const blob = await (await fetch(new URL(downloadURL))).blob();
+      const arrayBuffer = await blob.arrayBuffer();
+      const buffer = Buffer.from(arrayBuffer);
+
+      // Write the blob to a file
+      core.debug("Writing binary to file");
+      await fs.writeFileSync(this.componentDetectionPath, buffer, {mode: 0o777, flag: 'w'});
+    } catch (error: any) {
+      core.error(error);
+    } 
+  }
+
+  // Run the component-detection CLI on the path specified
+  public static async runComponentDetection(path: string) {
+    core.info("Running component-detection");
+
+    try {
+      await exec.exec(`${this.componentDetectionPath} scan --SourceDirectory ${path} --ManifestFile ${this.outputPath} ${this.getComponentDetectionParameters()}`);
+    } catch (error: any) {
+      core.error(error);
+    }
+  }
+
+  private static getComponentDetectionParameters(): string {
+    var parameters = "";
+    parameters += (core.getInput('directoryExclusionList')) ? ` --DirectoryExclusionList ${core.getInput('directoryExclusionList')}` : "";
+    parameters += (core.getInput('detectorArgs')) ? ` --DetectorArgs ${core.getInput('detectorArgs')}` : "";
+    parameters += (core.getInput('detectorsFilter')) ? ` --DetectorsFilter ${core.getInput('detectorsFilter')}` : "";
+    parameters += (core.getInput('dockerImagesToScan')) ? ` --DockerImagesToScan ${core.getInput('dockerImagesToScan')}` : "";
+    return parameters;
+  }
+
+  public static async getManifestsFromResults(): Promise<Manifest[]| undefined> {
+    core.info("Getting manifests from results");
+    // Parse the result file and add the packages to the package cache
+    const packageCache = new PackageCache();
+    const packages: Array<ComponentDetectionPackage>= [];
+    
+    const results = await fs.readFileSync(this.outputPath, 'utf8');
+    
+    var json: any = JSON.parse(results);
+    json.componentsFound.forEach(async (component: any) => {
+      const packageUrl = ComponentDetection.makePackageUrl(component.component.packageUrl);
+      
+      if (!packageCache.hasPackage(packageUrl)) {
+          const pkg = new ComponentDetectionPackage(packageUrl, component.component.id, 
+          component.isDevelopmentDependency,component.topLevelReferrers,component.locationsFoundAt, component.containerDetailIds, component.containerLayerIds);
+        packageCache.addPackage(pkg);
+        packages.push(pkg);
+      }
+    });
+
+    // Set the transitive dependencies
+    core.debug("Sorting out transitive dependencies");
+    packages.forEach(async (pkg: ComponentDetectionPackage) => {
+      pkg.topLevelReferrers.forEach(async (referrer: any) => {
+        const referrerPackage = packageCache.lookupPackage(ComponentDetection.makePackageUrl(referrer.packageUrl));
+        if (referrerPackage) {
+          referrerPackage.dependsOn(pkg);
+        }
+      });
+    });
+
+    // Create manifests
+    const manifests: Array<Manifest> = [];
+
+    // Check the locationsFoundAt for every package and add each as a manifest
+    packages.forEach(async (pkg: ComponentDetectionPackage) => {
+      pkg.locationsFoundAt.forEach(async (location: any) => {
+        if (!manifests.find((manifest: Manifest) => manifest.name == location)) {
+          const manifest = new Manifest(location, location);
+          manifests.push(manifest);
+        }
+        if (pkg.topLevelReferrers.length == 0) {
+          manifests.find((manifest: Manifest) => manifest.name == location)?.addDirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
+        } else {
+          manifests.find((manifest: Manifest) => manifest.name == location)?.addIndirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));        }
+      });
+    });
+    return manifests;
+  }
+
+  private static getDependencyScope(pkg: ComponentDetectionPackage) {
+    return pkg.isDevelopmentDependency ? 'development' : 'runtime'
+  }
+
+  private static makePackageUrl(packageUrlJson: any): string {
+    var packageUrl = `${packageUrlJson.Scheme}:${packageUrlJson.Type}/`;
+    if (packageUrlJson.Namespace) {
+      packageUrl += `${packageUrlJson.Namespace.replaceAll("@", "%40")}/`;
+    }
+    packageUrl += `${packageUrlJson.Name.replaceAll("@", "%40")}`;
+    if (packageUrlJson.Version) {
+      packageUrl += `@${packageUrlJson.Version}`;
+    }
+    if (packageUrlJson.Qualifiers) {
+      packageUrl += `?${packageUrlJson.Qualifiers}`;
+    }
+    return packageUrl;
+  }
+
+  private static async getLatestReleaseURL(): Promise<string> {
+    const githubToken  = core.getInput('token') || process.env.GITHUB_TOKEN2 || "";  
+    const octokit = github.getOctokit(githubToken);
+    const owner = "microsoft";
+    const repo = "component-detection";
+
+    const latestRelease = await octokit.rest.repos.getLatestRelease({
+      owner, repo
+    });
+
+    var downloadURL: string = "";
+    latestRelease.data.assets.forEach((asset: any) => {
+      if (asset.name === "component-detection-linux-x64") {
+        downloadURL = asset.browser_download_url;
+      }
+    });
+
+    return downloadURL;
+  }
+}
+
+class ComponentDetectionPackage extends Package {
+  
+  constructor(packageUrl: string, public id: string, public isDevelopmentDependency:boolean, public topLevelReferrers: [], 
+    public locationsFoundAt: [], public containerDetailIds: [], public containerLayerIds: []) {
+    super(packageUrl);
+  }
+}
+
+
+
+
+
+
+
+
+
+