Refactor and improve input options (#8)

Author: ctcampbell

.gitignore

@@ -1,3 +1,5 @@
+test-data/java-with-security-standard-tag.sarif
+
 # Dependency directory
 node_modules
 

.prettierrc.json

@@ -1,5 +1,5 @@
 {
-  "printWidth": 80,
+  "printWidth": 150,
   "tabWidth": 2,
   "useTabs": false,
   "semi": false,

.vscode/launch.json

@@ -11,10 +11,15 @@
             "skipFiles": [
                 "<node_internals>/**"
             ],
-            "preLaunchTask": "tsc: build - tsconfig.json",
+            "preLaunchTask": "Build & remove output SARIF file",
             "outFiles": ["${workspaceFolder}/lib/**/*.js"],
             "program": "${workspaceFolder}/src/main.ts",
-            "args": ["--sarifFile", "${workspaceFolder}/testdata/java.sarif", "--cweFile", "${workspaceFolder}/testdata/1344.xml"],
+            "args": [
+                "--sarifFile", "${workspaceFolder}/test-data/webgoat.sarif",
+                "--cweFile", "${workspaceFolder}/security-standards/owasp-top10-2021.xml",
+                "--securityStandardTag", "owasp-top10-2021",
+                "--outputFile", "${workspaceFolder}/test-data/webgoat-with-security-standard-tag.sarif"
+            ],
         }
     ]
 }

.vscode/tasks.json

@@ -0,0 +1,19 @@
+{
+    // See https://go.microsoft.com/fwlink/?LinkId=733558
+    // for the documentation about the tasks.json format
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Remove output SARIF file",
+            "type": "shell",
+            "command": "rm ${workspaceFolder}/test-data/java-with-security-standard-tag.sarif"
+        },
+        {
+            "label": "Build & remove output SARIF file",
+            "dependsOn": [
+                "Remove output SARIF file",
+                "tsc: build - tsconfig.json"
+            ],
+        }
+    ]
+}

README.md

@@ -1,105 +1,29 @@
-<p align="center">
-  <a href="https://github.com/actions/typescript-action/actions"><img alt="typescript-action status" src="https://github.com/actions/typescript-action/workflows/build-test/badge.svg"></a>
-</p>
+# codeql-sarif-security-standard-annotator
 
-# Create a JavaScript Action using TypeScript
+Compare a CodeQL SARIF results file to a security standard CWE list and annotate the SARIF rules with a tag to highlight results applicable to the security standard
 
-Use this template to bootstrap the creation of a TypeScript action.:rocket:
+## Usage in GitHub Actions
 
-This template includes compilation support, tests, a validation workflow, publishing, and versioning guidance.  
-
-If you are new, there's also a simpler introduction.  See the [Hello World JavaScript Action](https://github.com/actions/hello-world-javascript-action)
-
-## Create an action from this template
-
-Click the `Use this Template` and provide the new repo details for your action
-
-## Code in Main
-
-> First, you'll need to have a reasonably modern version of `node` handy. This won't work with versions older than 9, for instance.
-
-Install the dependencies  
-```bash
-$ npm install
-```
-
-Build the typescript and package it for distribution
-```bash
-$ npm run build && npm run package
-```
-
-Run the tests :heavy_check_mark:  
-```bash
-$ npm test
-
- PASS  ./index.test.js
-  ✓ throws invalid number (3ms)
-  ✓ wait 500 ms (504ms)
-  ✓ test runs (95ms)
-
-...
-```
-
-## Change action.yml
-
-The action.yml defines the inputs and output for your action.
-
-Update the action.yml with your name, description, inputs and outputs for your action.
-
-See the [documentation](https://help.github.com/en/articles/metadata-syntax-for-github-actions)
-
-## Change the Code
-
-Most toolkit and CI/CD operations involve async operations so the action is run in an async function.
-
-```javascript
-import * as core from '@actions/core';
-...
-
-async function run() {
-  try { 
-      ...
-  } 
-  catch (error) {
-    core.setFailed(error.message);
-  }
-}
-
-run()
 ```
-
-See the [toolkit documentation](https://github.com/actions/toolkit/blob/master/README.md#packages) for the various packages.
-
-## Publish to a distribution branch
-
-Actions are run from GitHub repos so we will checkin the packed dist folder. 
-
-Then run [ncc](https://github.com/zeit/ncc) and push the results:
-```bash
-$ npm run package
-$ git add dist
-$ git commit -a -m "prod dependencies"
-$ git push origin releases/v1
+- name: Annotate CodeQL SARIF with OWASP Top 10 2021 tag
+  uses: ctcampbell/codeql-sarif-security-standard-annotator@v1
 ```
 
-Note: We recommend using the `--license` option for ncc, which will create a license file for all of the production node modules used in your project.
-
-Your action is now published! :rocket: 
-
-See the [versioning documentation](https://github.com/actions/toolkit/blob/master/docs/action-versioning.md)
-
-## Validate
-
-You can now validate the action by referencing `./` in a workflow in your repo (see [test.yml](.github/workflows/test.yml))
-
-```yaml
-uses: ./
-with:
-  milliseconds: 1000
 ```
-
-See the [actions tab](https://github.com/actions/typescript-action/actions) for runs of this action! :rocket:
-
-## Usage:
-
-After testing you can [create a v1 tag](https://github.com/actions/toolkit/blob/master/docs/action-versioning.md) to reference the stable and latest V1 action
+inputs:
+  sarifFile:
+    required: true
+    description: 'The CodeQL SARIF result file'
+  cweFile:
+    required: false
+    description: 'The CWE list XML file'
+    default: '${{ github.action_path }}/security-standards/owasp-top10-2021.xml'
+  securityStandardTag:
+    required: false
+    description: 'The security standard tag to add to the SARIF file'
+    default: 'owasp-top10-2021'
+  outputFile:
+    required: false
+    description: 'The output SARIF file path, defaults to the input SARIF file path'
+    default: '${{ inputs.sarifFile }}'
+```

action.yml

@@ -1,13 +1,29 @@
-name: 'Sarif To Security Standard Report'
-description: 'Compare a SARIF results file to a security standard CWE list and produce a report'
+name: 'codeql-sarif-security-standard-annotator'
+description: 'Compare a CodeQL SARIF results file to a security standard CWE list and annotate the SARIF rules with a tag to highlight results applicable to the security standard'
 author: 'GitHub, Inc'
 inputs:
   sarifFile:
     required: true
-    description: 'The SARIF file to compare'
+    description: 'The CodeQL SARIF result file'
   cweFile:
-    required: true
-    description: 'The CWE file to compare'
+    required: false
+    description: 'The CWE list XML file'
+    default: '${{ github.action_path }}/security-standards/owasp-top10-2021.xml'
+  securityStandardTag:
+    required: false
+    description: 'The security standard tag to add to the SARIF file'
+    default: 'owasp-top10-2021'
+  outputFile:
+    required: false
+    description: 'The output SARIF file path, defaults to the input SARIF file path'
+    default: '${{ inputs.sarifFile }}'
 runs:
-  using: 'node16'
-  main: 'dist/index.js'
+  using: 'composite'
+  steps:
+    - run: |
+        node '${{ github.action_path }}/dist/index.js' \
+        --sarifFile '${{ inputs.sarifFile }}' \
+        --cweFile '${{ inputs.cweFile }}' \
+        --securityStandardTag '${{ inputs.securityStandardTag }}' \
+        --outputFile '${{ inputs.outputFile }}'
+      shell: bash