name: 'Evaluate'
description:
  'Evaluate action runs the latest IQ CLI (jar) with the set of parameters provided and outputs the scan id and the
  report URL'
author: 'Sonatype'

# Add your action's branding here. This will appear on the GitHub Marketplace.
branding:
  icon: 'shield'
  color: 'purple'

# Define your inputs here.
inputs:
  iq-server-url:
    description: 'Lifecycle (IQ Server) URL (e.g. http://localhost:8070).'
    required: true
  username:
    description: 'The username to authenticate with Lifecycle (IQ Server).'
    required: true
  password:
    description: 'The password to authenticate with Lifecycle (IQ Server).'
    required: true
  application-id:
    description:
      'Lifecycle (IQ Server) application ID. When Automatic Applications is enabled and the application ID has not yet
      been used, a new application will be created with the given ID.'
    required: true
  scan-targets:
    description:
      'Space-separated list of paths to specific files, directories, or docker images. Apache Ant-styled patterns are
      allowed.'
    required: true
  organization-id:
    description:
      'The ID for the Lifecycle organization to which the application belongs. When automatic application creation is
      enabled and the application does not exist, it will be created under the organization having the provided
      organization ID.'
    required: false
  stage:
    description: 'Specify the development lifecycle stage for the analysis. Defaults to the build stage.'
    required: false
    default: 'build'
  result-file:
    description:
      'If set, the analysis output (in JSON format) will be uploaded as a run artifact with the specified name.'
    required: false
  module-exclude:
    description: 'Space-separated list of module files to ignore via Apache Ant-styled patterns.'
    required: false
  fail-on-policy-warnings:
    description: 'Causes a failure of the evaluation if any warnings are encountered.'
    required: false
    default: false
  ignore-system-errors:
    description: 'Ignore system errors (e.g. IO, Network, server, etc.) to avoid unintentional build failures.'
    required: false
    default: false
  ignore-scanning-errors:
    description:
      'Ignore scanning errors (e.g. invalid files, inaccessible files, etc). It is useful when the code base contains
      invalid files for testing purposes. Scanning these files may cause unintentional build failures.'
    required: false
    default: false
  debug:
    description:
      'Enables debug logging for troubleshooting. Use with caution as this log may expose sensitive information.'
    required: false
    default: false
  keep-scan-file:
    description: 'Retains and uploads the scan file as an action artifact.'
    required: false
    default: false
  proxy:
    description:
      'Specify a proxy to use when connecting to Lifecycle (IQ Server). This property is set using the format
      host[:port], otherwise, the CLI uses the default HTTP proxy set with the JVM.'
    required: false
  proxy-user:
    description: 'Specify proxy credentials in the following format: username:password.'
    required: false
  include-sha-256:
    description: 'If set, SHA256 checksums are included in the scan file.'
    required: false
    default: false
  exclude-maven-dependency-management:
    description:
      'Enable this parameter to limit analysis to the projects dependencies section of a pom file while excluding the
      components under the dependencyManagement section.'
    required: false
    default: false
  sarif-file:
    description:
      'Generates a SARIF file with a specified name containing all identified vulnerabilities. The SARIF file extension
      must be .sarif or .json. The generated file will be uploaded as an action artifact.'
    required: false
  upload-sarif-file:
    description:
      'Enable this parameter to generate or use the generated sarif-file to update the "Code scanning" section under the
      GitHub repository''s Security tab. If sarif-file is not defined, the generated file will be named result.sarif by
      default, and it will be uploaded as an action artifact.'
    required: false
    default: false
  enable-callflow:
    description: 'Deprecated. Use enable-reachability.'
    required: false
    default: false
  callflow-namespaces:
    description: 'Deprecated. Use reachability-namespaces.'
    required: false
    default: ''
  enable-reachability:
    description:
      'Perform a reachability analysis in Java or JVM language binaries to determine the method signatures that trigger
      a security vulnerability.'
    required: false
    default: false
  reachability-namespaces:
    description:
      'Limit the reachability analysis to a specific namespace for faster, more precise results. Multiple namespaces can
      be delimited by space.'
    required: false
    default: ''
  reachability-entrypoint-strategy:
    description: 'Entrypoint strategy for Java reachability analysis.'
    required: false
  enable-reachability-js:
    description: 'Enable JavaScript reachability analysis (Default: false)'
    required: false
    default: false
  reachability-js-sources:
    description:
      'JavaScript source patterns for reachability analysis (required for JS reachability; these are app files; do not
      include tests or node_modules files here)'
    required: false
    default: ''
  reachability-js-excludes:
    description:
      'JavaScript exclude patterns for reachability analysis (e.g. tests and other source files that are not relevant
      for the analysis)'
    required: false
    default: ''
  reachability-node-path:
    description: 'Path to Node.js executable'
    required: false
  reachability-js-project-root:
    description: 'JavaScript project root directory (i.e. where the main package.json file resides)'
    required: false
  ignore-reachability-errors:
    description: 'Ignore reachability analysis errors (reachability analysis failed to run) (Default: false)'
    required: false
    default: false

# Define your outputs here.
outputs:
  scan-id:
    value: ${{ steps.run-iq-cli.outputs.scan-id }}
    description:
      'Scan id result of the run operation. It can be used to access the Lifecycle report of related artifacts.'
  report-url:
    value: ${{ steps.run-iq-cli.outputs.report-url }}
    description: 'Link to navigate directly to the analysis report in Lifecycle (IQ Server).'
  priorities-url:
    value: ${{ steps.run-iq-cli.outputs.priorities-url }}
    description: 'Link to navigate directly to the priorities report in Lifecycle (IQ Server).'
  sarif-file:
    value: ${{ steps.run-iq-cli.outputs.sarif-file }}
    description: 'Name of the generated SARIF file containing all found vulnerabilities, if configured.'

runs:
  using: 'composite'
  steps:
    - name: Setup IQ CLI Action
      id: setup-iq-cli
      uses: sonatype/actions/setup-iq-cli@v1.9.3
      with:
        iq-cli-version: 'latest'

    - uses: actions/setup-java@v4
      with:
        distribution: 'temurin'
        java-version: '17'

    - name: Run IQ CLI Action
      id: run-iq-cli
      uses: sonatype/actions/run-iq-cli@v1.9.3
      with:
        iq-cli-version: ${{ steps.setup-iq-cli.outputs.iq-cli-version }}
        username: ${{ inputs.username }}
        password: ${{ inputs.password }}
        iq-server-url: ${{ inputs.iq-server-url }}
        application-id: ${{ inputs.application-id }}
        organization-id: ${{ inputs.organization-id }}
        result-file: ${{ inputs.result-file }}
        keep-scan-file: ${{ inputs.keep-scan-file }}
        scan-targets: ${{ inputs.scan-targets }}
        stage: ${{ inputs.stage }}
        module-exclude: ${{ inputs.module-exclude }}
        fail-on-policy-warnings: ${{ inputs.fail-on-policy-warnings }}
        ignore-system-errors: ${{ inputs.ignore-system-errors }}
        debug: ${{ inputs.debug }}
        ignore-scanning-errors: ${{ inputs.ignore-scanning-errors }}
        proxy: ${{ inputs.proxy }}
        proxy-user: ${{ inputs.proxy-user }}
        include-sha-256: ${{ inputs.include-sha-256 }}
        exclude-maven-dependency-management: ${{ inputs.exclude-maven-dependency-management }}
        sarif-file: ${{ inputs.sarif-file || inputs.upload-sarif-file }}
        enable-callflow: ${{ inputs.enable-callflow }}
        callflow-namespaces: ${{ inputs.callflow-namespaces }}
        enable-reachability: ${{ inputs.enable-reachability }}
        reachability-namespaces: ${{ inputs.reachability-namespaces }}
        reachability-entrypoint-strategy: ${{ inputs.reachability-entrypoint-strategy }}
        enable-reachability-js: ${{ inputs.enable-reachability-js }}
        reachability-js-sources: ${{ inputs.reachability-js-sources }}
        reachability-js-excludes: ${{ inputs.reachability-js-excludes }}
        reachability-node-path: ${{ inputs.reachability-node-path }}
        reachability-js-project-root: ${{ inputs.reachability-js-project-root }}
        ignore-reachability-errors: ${{ inputs.ignore-reachability-errors }}

    - name: Upload result to GitHub Code Scanning
      if: ( success() || failure() ) && steps.run-iq-cli.outputs.sarif-file && inputs.upload-sarif-file == 'true'
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ steps.run-iq-cli.outputs.sarif-file }}