Release: 1.1.1

This commit is contained in:
Sonatype Zion
2024-12-12 13:20:38 +00:00
parent 269484addc
commit ff2097f32b
10 changed files with 66 additions and 10 deletions


@@ -10,6 +10,8 @@
A set of [GitHub Actions](https://github.com/features/actions) for interacting with different [Sonatype](https://www.sonatype.com/) products.
Sonatype GitHub Actions also support integration with GitHub Code Scanning, part of the [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) feature, which displays detected vulnerabilities on the GitHub Security tab. You can use the `evaluate` or `run-iq-cli` actions in combination with the `upload-sarif-file` parameter to take advantage of this functionality. GitHub Advanced Security is available for GitHub Enterprise customers and public repositories.
The action set currently contains a couple of top-level actions:
- [Evaluate Action](evaluate/README.md)


@@ -44,7 +44,7 @@ runs:
steps:
- name: Evaluate
id: evaluate
uses: sonatype/actions/evaluate@v1.1.0
uses: sonatype/actions/evaluate@v1.1.1
with:
iq-server-url: ${{ inputs.iq-server-url }}
username: ${{ inputs.username }}


@@ -141,3 +141,39 @@ jobs:
> **sarif-file**\
> Name of the generated SARIF file containing all found vulnerabilities, if configured.
## GitHub Advanced Security
### Prerequisites
In order to use the GitHub Advanced Security feature, you must grant your workflow the `security-events: write`
permission.
### Usage Example with Results in GitHub Security Tab
```yaml
name: Workflow for GitHub Advanced Security
on: push
jobs:
sonatype-cli:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
# some steps are omitted...
# Check out your code
- name: Checkout
id: checkout
uses: actions/checkout@v4
# Perform an evaluation
- name: Run evaluate action
id: evaluate
uses: sonatype/actions/evaluate@v1
with:
iq-server-url: https://your.lifecycle.server
username: ${{ secrets.LIFECYCLE_USERNAME }}
password: ${{ secrets.LIFECYCLE_PASSWORD }}
application-id: lifecycle-app
scan-targets: package.json
upload-sarif-file: true
```


@@ -119,7 +119,7 @@ runs:
steps:
- name: Setup IQ CLI Action
id: setup-iq-cli
uses: sonatype/actions/setup-iq-cli@v1.1.0
uses: sonatype/actions/setup-iq-cli@v1.1.1
with:
iq-cli-version: 'latest'
@@ -130,7 +130,7 @@ runs:
- name: Run IQ CLI Action
id: run-iq-cli
uses: sonatype/actions/run-iq-cli@v1.1.0
uses: sonatype/actions/run-iq-cli@v1.1.1
with:
iq-cli-version: ${{ steps.setup-iq-cli.outputs.iq-cli-version }}
username: ${{ inputs.username }}


@@ -8,6 +8,8 @@
# Fetch SBOM Action
> **_NOTE:_** The Fetch SBOM Action is not currently supported in GitHub Enterprise Server environments.
A [GitHub Action](https://github.com/features/actions) for retrieving an SBOM (Software Bill of Materials) file
associated with a previous Lifecycle evaluation. It supports both the [CycloneDX](https://cyclonedx.org/) and
[SPDX](https://spdx.dev/) standards.


@@ -143569,7 +143569,7 @@ module.exports = index;
/***/ ((module) => {
"use strict";
module.exports = JSON.parse('{"name":"fetch-sbom","description":"GitHub Action for obtaining an SBOM","version":"1.1.0","author":"sonatype","private":true,"homepage":"https://github.com/sonatype/actions/fetch-sbom","repository":{"type":"git","url":"git+https://github.com/sonatype/actions/fetch-sbom.git"},"bugs":{"url":"https://github.com/sonatype/actions/fetch-sbom/issues"},"keywords":["actions","node","setup"],"exports":{".":"./dist/index.js"},"engines":{"node":">=20"},"scripts":{"bundle":"npm run format:write && npm run package","ci-test":"npx jest","coverage":"npx make-coverage-badge --output-path ./badges/coverage.svg","format:write":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --write .","format:check":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --check .","lint":"npx eslint . -c ../.github/linters/.eslintrc.yml --ignore-path ../.eslintignore","package":"npx ncc build src/index.ts -o dist --source-map --license licenses.txt","package:watch":"npm run package -- --watch","test":"npx jest","all":"npm run format:write && npm run lint && npm run test && npm run coverage && npm run package"},"license":"SEE LICENSE IN LICENSE","jest":{"preset":"ts-jest","verbose":true,"clearMocks":true,"testEnvironment":"node","moduleFileExtensions":["js","ts"],"testMatch":["**/*.test.ts"],"testPathIgnorePatterns":["/node_modules/","/dist/"],"transform":{"^.+\\\\.ts$":"ts-jest"},"coverageReporters":["json-summary","text","lcov"],"collectCoverage":true,"collectCoverageFrom":["./src/**"],"reporters":["default",["jest-junit",{"suiteName":"fetch-sbom unit tests","titleTemplate":"{title}","outputName":"fetch-sbom-test-results.xml","ancestorSeparator":" > "}]]},"dependencies":{"@actions/artifact":"^2.1.7","@actions/github":"^6.0.0","@actions/tool-cache":"^2.0.1","@github/dependency-submission-toolkit":"^2.0.4","axios":"^1.7.2"}}');
module.exports = JSON.parse('{"name":"fetch-sbom","description":"GitHub Action for obtaining an SBOM","version":"1.1.1","author":"sonatype","private":true,"homepage":"https://github.com/sonatype/actions/fetch-sbom","repository":{"type":"git","url":"git+https://github.com/sonatype/actions/fetch-sbom.git"},"bugs":{"url":"https://github.com/sonatype/actions/fetch-sbom/issues"},"keywords":["actions","node","setup"],"exports":{".":"./dist/index.js"},"engines":{"node":">=20"},"scripts":{"bundle":"npm run format:write && npm run package","ci-test":"npx jest","coverage":"npx make-coverage-badge --output-path ./badges/coverage.svg","format:write":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --write .","format:check":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --check .","lint":"npx eslint . -c ../.github/linters/.eslintrc.yml --ignore-path ../.eslintignore","package":"npx ncc build src/index.ts -o dist --source-map --license licenses.txt","package:watch":"npm run package -- --watch","test":"npx jest","all":"npm run format:write && npm run lint && npm run test && npm run coverage && npm run package"},"license":"SEE LICENSE IN LICENSE","jest":{"preset":"ts-jest","verbose":true,"clearMocks":true,"testEnvironment":"node","moduleFileExtensions":["js","ts"],"testMatch":["**/*.test.ts"],"testPathIgnorePatterns":["/node_modules/","/dist/"],"transform":{"^.+\\\\.ts$":"ts-jest"},"coverageReporters":["json-summary","text","lcov"],"collectCoverage":true,"collectCoverageFrom":["./src/**"],"reporters":["default",["jest-junit",{"suiteName":"fetch-sbom unit tests","titleTemplate":"{title}","outputName":"fetch-sbom-test-results.xml","ancestorSeparator":" > "}]]},"dependencies":{"@actions/artifact":"^2.1.7","@actions/github":"^6.0.0","@actions/tool-cache":"^2.0.1","@github/dependency-submission-toolkit":"^2.0.4","axios":"^1.7.2"}}');
/***/ }),


@@ -115929,9 +115929,10 @@ class CliCommandBuilder {
}
async getScanTargets() {
const patterns = this.parameters.scanTargets.trim().split(spaces);
const containerPatterns = patterns.filter(file => file.startsWith('container:'));
const globber = await glob.create(patterns.join('\n'));
const files = await globber.glob();
const filterFiles = files.filter(file => !file.endsWith(constants_1.IQ_CLI_JAR));
const filterFiles = [...files.filter(file => !file.endsWith(constants_1.IQ_CLI_JAR)), ...containerPatterns];
if (filterFiles.length === 0) {
throw new Error('Scan targets did not match any archives or directories to scan.');
}
@@ -116282,6 +116283,7 @@ const get_and_validate_parameters_1 = __nccwpck_require__(6799);
const artifact_1 = __nccwpck_require__(52101);
const fs_1 = __nccwpck_require__(57147);
const sarif_file_handler_1 = __importDefault(__nccwpck_require__(32629));
const process = __importStar(__nccwpck_require__(77282));
/**
* The main function for the action.
* @returns {Promise<void>} Resolves when the action is complete.
@@ -116292,7 +116294,13 @@ async function run() {
const cliCommandBuilder = new cli_command_builder_1.default(parameters);
const cliExecutionCmd = await cliCommandBuilder.toCommandString();
core.debug(`About to execute command: "${cliExecutionCmd}"`);
const executionOptions = { ignoreReturnCode: true, env: { SONATYPE_INTERNAL_CLIENT_NAME: 'Github_Actions' } };
const executionOptions = {
ignoreReturnCode: true,
env: {
SONATYPE_INTERNAL_CLIENT_NAME: 'Github_Actions',
...process.env
}
};
const cliExitCode = await exec.exec(cliExecutionCmd, [], executionOptions);
core.debug(`Exitcode for CLI execution was ${cliExitCode}`);
if (parameters.resultFile) {
@@ -117063,6 +117071,14 @@ module.exports = require("perf_hooks");
/***/ }),
/***/ 77282:
/***/ ((module) => {
"use strict";
module.exports = require("process");
/***/ }),
/***/ 85477:
/***/ ((module) => {
@@ -140841,7 +140857,7 @@ module.exports = JSON.parse('[[[0,44],"disallowed_STD3_valid"],[[45,46],"valid"]
/***/ ((module) => {
"use strict";
module.exports = JSON.parse('{"name":"run-iq-cli","description":"GitHub Action to run IQ cli","version":"1.1.0","author":"sonatype","private":true,"homepage":"https://github.com/sonatype/actions/run-iq-cli","repository":{"type":"git","url":"git+https://github.com/sonatype/actions/run-iq-cli.git"},"bugs":{"url":"https://github.com/sonatype/actions/run-iq-cli/issues"},"keywords":["actions","node","setup"],"exports":{".":"./dist/index.js"},"engines":{"node":">=20"},"scripts":{"bundle":"npm run format:write && npm run package","ci-test":"npx jest","coverage":"npx make-coverage-badge --output-path ./badges/coverage.svg","format:write":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --write .","format:check":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --check .","lint":"npx eslint . -c ../.github/linters/.eslintrc.yml --ignore-path ../.eslintignore","package":"npx ncc build src/index.ts -o dist --source-map --license licenses.txt","package:watch":"npm run package -- --watch","test":"npx jest","all":"npm run format:write && npm run lint && npm run test && npm run coverage && npm run package"},"license":"SEE LICENSE IN LICENSE","jest":{"preset":"ts-jest","verbose":true,"clearMocks":true,"testEnvironment":"node","moduleFileExtensions":["js","ts"],"testMatch":["**/*.test.ts"],"testPathIgnorePatterns":["/node_modules/","/dist/"],"transform":{"^.+\\\\.ts$":"ts-jest"},"coverageReporters":["json-summary","text","lcov"],"collectCoverage":true,"collectCoverageFrom":["./src/**"],"reporters":["default",["jest-junit",{"suiteName":"run-iq-cli unit tests","titleTemplate":"{title}","outputName":"run-iq-cli-test-results.xml","ancestorSeparator":" > "}]]},"dependencies":{"@actions/artifact":"^2.1.7","@actions/exec":"^1.1.1","@actions/glob":"^0.4.0","@actions/tool-cache":"^2.0.1","axios":"^1.7.7","semver":"^7.6.3"}}');
module.exports = JSON.parse('{"name":"run-iq-cli","description":"GitHub Action to run IQ cli","version":"1.1.1","author":"sonatype","private":true,"homepage":"https://github.com/sonatype/actions/run-iq-cli","repository":{"type":"git","url":"git+https://github.com/sonatype/actions/run-iq-cli.git"},"bugs":{"url":"https://github.com/sonatype/actions/run-iq-cli/issues"},"keywords":["actions","node","setup"],"exports":{".":"./dist/index.js"},"engines":{"node":">=20"},"scripts":{"bundle":"npm run format:write && npm run package","ci-test":"npx jest","coverage":"npx make-coverage-badge --output-path ./badges/coverage.svg","format:write":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --write .","format:check":"npx prettier --config ../.prettierrc.json --ignore-path ../.prettierignore --check .","lint":"npx eslint . -c ../.github/linters/.eslintrc.yml --ignore-path ../.eslintignore","package":"npx ncc build src/index.ts -o dist --source-map --license licenses.txt","package:watch":"npm run package -- --watch","test":"npx jest","all":"npm run format:write && npm run lint && npm run test && npm run coverage && npm run package"},"license":"SEE LICENSE IN LICENSE","jest":{"preset":"ts-jest","verbose":true,"clearMocks":true,"testEnvironment":"node","moduleFileExtensions":["js","ts"],"testMatch":["**/*.test.ts"],"testPathIgnorePatterns":["/node_modules/","/dist/"],"transform":{"^.+\\\\.ts$":"ts-jest"},"coverageReporters":["json-summary","text","lcov"],"collectCoverage":true,"collectCoverageFrom":["./src/**"],"reporters":["default",["jest-junit",{"suiteName":"run-iq-cli unit tests","titleTemplate":"{title}","outputName":"run-iq-cli-test-results.xml","ancestorSeparator":" > "}]]},"dependencies":{"@actions/artifact":"^2.1.7","@actions/exec":"^1.1.1","@actions/glob":"^0.4.0","@actions/tool-cache":"^2.0.1","axios":"^1.7.7","semver":"^7.6.3"}}');
/***/ })
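Review bot: In the `executionOptions` hunk the spread order lets a workflow-level environment variable silently replace the client marker, because `...process.env` comes after `SONATYPE_INTERNAL_CLIENT_NAME: 'Github_Actions'` and later keys win in an object literal. If that marker is meant to always identify GitHub Actions to the IQ server, reverse the order: `env: { ...process.env, SONATYPE_INTERNAL_CLIENT_NAME: 'Github_Actions' }`. Inheriting the runner's full environment is presumably needed so the CLI can find `PATH`/`JAVA_HOME` (the previous single-entry `env` looked deliberate), so a one-line why-comment such as `// inherit the runner environment so the CLI can locate its toolchain` would keep the next maintainer from narrowing it again. This is ncc bundle output, so the change belongs in `src/` with `dist/` regenerated rather than edited here. The enclosing `run()` starts and ends outside the hunk.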



@@ -31343,7 +31343,7 @@ exports.IQ_CLI_JAR = 'sonatype-iq-cli.jar';
exports.IQ_VERSION_TO_COMPLETE = '1.{iq-cli-version}.0-01';
exports.DOWNLOAD_URL = 'https://download.sonatype.com/clm/scanner/nexus-iq-cli-{iq-cli-version}.jar';
exports.MINIMUM_SUPPORTED_IQ_VERSION = 137;
exports.LATEST_IQ_VERSION = '1.184.0-01'; // This should be updated to the latest IQ CLI version with each release
exports.LATEST_IQ_VERSION = '1.185.0-01'; // This should be updated to the latest IQ CLI version with each release
exports.IQ_CLI_VERSION = 'iq-cli-version';
exports.IQ_CLI_DOWNLOAD_URL = 'iq-cli-download-url';
