add report download

README.md

@@ -103,7 +103,8 @@ If the proxy requires authentication, the proxy credentials for authentication c
 | `rl-portal-server`  | **Yes** | Name of the secure.software Portal instance to use for the scan. The Portal instance name usually matches the subdirectory of `my.secure.software` in your Portal URL. For example, if your portal URL is `my.secure.software/demo`, the instance name to use with this parameter is `demo`. |
 | `rl-portal-org`     | **Yes** | The name of a secure.software Portal organization to use for the scan. The organization must exist on the Portal instance specified with `rl-portal-server`. The user account authenticated with the token must be a member of the specified organization and have the appropriate permissions to upload and scan a file. Organization names are case-sensitive. |
 | `rl-portal-group`   | **Yes** | The name of a secure.software Portal group to use for the scan. The group must exist in the Portal organization specified with `rl-portal-org`. Group names are case-sensitive. |
-| `rl-package-url`    | **Yes**  | The package URL (PURL) used to associate the build artifact with a project and package on the Portal. PURLs are unique identifiers in the format `<project></package><@version>`. When scanning a build artifact, you must assign a PURL to it, so that it can be placed into the specified project and package as a version. If the project and package you specified don't exist in the Portal, they will be automatically created.  |
+| `rl-package-url`    | **Yes** | The package URL (PURL) used to associate the build artifact with a project and package on the Portal. PURLs are unique identifiers in the format `<project></package><@version>`. When scanning a build artifact, you must assign a PURL to it, so that it can be placed into the specified project and package as a version. If the project and package you specified don't exist in the Portal, they will be automatically created.  |
+| `report-path`       | No  | The directory where the action will store analysis reports for the build artifact. The directory must be empty. Provide the directory path relative to the `github.workspace`. Default value is `MyReportDir`. If you specify an empty string ("") as the value, report downloads will be disabled and no reports will be downloaded.|
 | `rl-diff-with`      | No  | This optional parameter lets you specify a previous version against which you want to compare (diff) the artifact version you're scanning. The specified version must exist in the same project and package as the artifact you're scanning. |
 | `rl-timeout`        | No  | This optional parameter lets you specify how long to wait for analysis to complete before failing (in minutes). The parameter accepts any integer from 10 to 1440. The default timeout is 20 minutes. |
 | `rl-submit-only`    | No  | Set to `true` to skip waiting for the analysis result. The default is `false`. |
@@ -130,7 +131,7 @@ The workflow checks out your repository, builds an artifact, uses the `rl-scanne
 
 
     name: ReversingLabs rl-scanner-cloud only
-    run-name: test scanner-cloud only
+    run-name: rl-scanner-cloud-only
 
     on:
       push:
@@ -139,54 +140,48 @@ The workflow checks out your repository, builds an artifact, uses the `rl-scanne
         branches: [ "main" ]
 
     jobs:
-      checkout-build-scan-simple:
-        # runs-on: self-hosted
+      checkout-build-scan-only:
         runs-on: ubuntu-latest
         permissions:
           statuses: write
           pull-requests: write
 
         steps:
-          # -------------------------------------
-          # we will have to checkout data before we can do anything
+          # Need to check out data before we can do anything
           - uses: actions/checkout@v3
 
-          # -------------------------------------
-          # build someting, replace this with your build process
-          # produces one filename as output in scanfile=<relative file path>
-          - name: Build
+          # Replace this with your build process
+          # Produces one file as the build artifact in scanfile=<relative file path>
+          - name: Create build artifact
             id: build
 
             shell: bash
 
             run: |
-              # prepare the build process
+              # Prepare the build process
               python3 -m pip install --upgrade pip
               pip install hatchling
               python3 -m pip install --upgrade build
-              # make the actual build
+              # Run the build
               python3 -m build
-              # produce a single artifact to scan and set the scanfile output variable
+              # Produce a single artifact to scan and set the scanfile output variable
               echo "scanfile=$( ls dist/*.whl )" >> $GITHUB_OUTPUT
 
-          # -------------------------------------
-          - name: ReversingLabs apply rl-scanner to the build artifact
+          # Use the rl-scanner-cloud-only action
+          - name: Scan build artifact on the Portal
             id: rl-scan
 
             env:
               RLPORTAL_ACCESS_TOKEN: ${{ secrets.RLPORTAL_ACCESS_TOKEN }}
 
             uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1
             with:
-              rl-verbose: true
-              rl-portal-server: guidedTour
-              rl-portal-org: ReversingLabs
-              rl-portal-group: Demo
-              rl-timeout: 1
-              rl-submit-only: false
               artifact-to-scan: ${{ steps.build.outputs.scanfile }}
-              rl-package-url: project/package@v1.1.0
-              rl-diff-with: v1.0.0
+              rl-verbose: true
+              rl-portal-server: demo
+              rl-portal-org: ExampleOrg
+              rl-portal-group: demo-group
+              rl-package-url: my-project/my-package@1.0
 
           - name: report the scan status
             if: success() || failure()
@@ -211,5 +206,5 @@ Read more about [storing workflow data as artifacts](https://docs.github.com/en/
 
 - The official `reversinglabs/rl-scanner-cloud` Docker image [on Docker Hub](https://hub.docker.com/r/reversinglabs/rl-scanner-cloud)
 - The official [secure.software Portal documentation](https://docs.secure.software/portal/)
-- The [rl-scanner-composite](https://github.com/reversinglabs/gh-action-rl-scanner-composite) GitHub Action
+- The [rl-scanner-cloud-composite](https://github.com/reversinglabs/gh-action-rl-scanner-cloud-composite) GitHub Action
 - Introduction to [secure software release processes](https://www.reversinglabs.com/solutions/secure-software-release-processes) with ReversingLabs

action.yml

@@ -20,6 +20,11 @@ inputs:
     description: 'Path to the package file (artifact) you want to scan'
     required: true
     # type: string
+  report-path:
+    description: 'Path to a directory where the reports will be saved (must be a new directory, with a path relative to the github.workspace)'
+    required: false
+    default: MyReportDir
+    # type: string
 
   rl-portal-server:
     description: 'the server namespace used for your company'
@@ -98,6 +103,7 @@ runs:
       env: # we expect RLPORTAL_ACCESS_TOKEN to be set in the environment
         RL_VERBOSE: ${{ inputs.rl-verbose }}
         MY_ARTIFACT_TO_SCAN_PATH: ${{ inputs.artifact-to-scan }}
+        REPORT_PATH: ${{ inputs.report-path }}
         RL_PORTAL_SERVER: ${{ inputs.rl-portal-server }}
         RL_PORTAL_ORG: ${{ inputs.rl-portal-org }}
         RL_PORTAL_GROUP: ${{ inputs.rl-portal-group }}

run-scanner-cloud.sh

@@ -72,6 +72,7 @@ RL_DIFF_WITH:             O ${RL_DIFF_WITH:-No diff with was requested}
 
 RL_SUBMIT_ONLY:           O ${RL_SUBMIT_ONLY:-No submit-only flag was provided}
 RL_TIMEOUT:               O ${RL_TIMEOUT:-No timeout was provided}
+REPORT_PATH:              O ${REPORT_PATH:-No report path specified}
 
 RLSECURE_PROXY_SERVER:    O ${RLSECURE_PROXY_SERVER:-No proxy server was provided}
 RLSECURE_PROXY_PORT:      O ${RLSECURE_PROXY_PORT:-No proxy port was provided}
@@ -99,11 +100,13 @@ validate_mandatory_params()
         echo "::error FATAL: no 'RL_PORTAL_SERVER' provided"
         exit 101
     fi
+
     if [ -z "${RL_PORTAL_ORG}" ]
     then
         echo "::error FATAL: no 'RL_PORTAL_ORG' provided"
         exit 101
     fi
+
     if [ -z "${RL_PORTAL_GROUP}" ]
     then
         echo "::error FATAL: no 'RL_PORTAL_GROUP' provided"
@@ -117,11 +120,44 @@ validate_mandatory_params()
     fi
 }
 
+prep_report()
+{
+    if [ -z "${REPORT_PATH}" ]
+    then
+        return 0
+    fi
+
+    if [ -d "${REPORT_PATH}" ]
+    then
+        if rmdir "${REPORT_PATH}"
+        then
+            :
+        else
+            echo "::error FATAL: your current REPORT_PATH is not empty"
+            exit 101
+        fi
+    fi
+
+    mkdir -p "${REPORT_PATH}"
+
+    if [ "${RL_VERBOSE}" != "false" ]
+    then
+        ls -l "${REPORT_PATH}"
+    fi
+}
+
 prep_paths()
 {
     A_PATH=$( realpath "${MY_ARTIFACT_TO_SCAN_PATH}" )
     A_DIR=$( dirname "${A_PATH}" )
     A_FILE=$( basename "${A_PATH}" )
+
+    R_PATH=""
+    if [ ! -z "${REPORT_PATH}" ]
+    then
+        prep_report
+        R_PATH=$( realpath "${REPORT_PATH}" )
+    fi
 }
 
 makeDiffWith()
@@ -204,10 +240,19 @@ scan_with_portal()
     set +e # we do our own error handling in this func
     set -x
 
+    REPORT_VOLUME=""
+    WITH_REPORT=""
+
+    if [ "$R_PATH" != "" ]
+    then
+        REPORT_VOLUME="-v ${R_PATH}/:/reports"
+        WITH_REPORT="--report-path=/reports --report-format=all "
+    fi
+
     docker run --rm -u $(id -u):$(id -g) \
         -e "RLPORTAL_ACCESS_TOKEN=${RLPORTAL_ACCESS_TOKEN}" \
         ${PROXY_DATA} \
-        -v "${A_DIR}/:/packages:ro" \
+        -v "${A_DIR}/:/packages:ro" ${REPORT_VOLUME} \
         reversinglabs/rl-scanner-cloud:latest \
             rl-scan \
                 --rl-portal-server "${RL_PORTAL_SERVER}" \
@@ -216,7 +261,8 @@ scan_with_portal()
                 --purl=${RL_PACKAGE_URL} \
                 --file-path="/packages/${A_FILE}" \
                 --replace \
-                ${OPTIONAL_TS} ${DIFF_WITH} 1>1 2>2
+                --force \
+                ${OPTIONAL_TS} ${DIFF_WITH} ${WITH_REPORT} 1>1 2>2
     RR=$?
 
     # TODO: is there a 'Scan result' string ?
@@ -263,7 +309,6 @@ set_status_PassFail()
         echo "status=success" >> $GITHUB_OUTPUT
         echo "::notice::$STATUS"
     fi
-
 }
 
 main()