I get this error when the action runs. I am attaching all the logs here.

2_Run [email protected] 3_Install SFDX CLI and Scanner.txt 8_Post Run [email protected] 9_Complete job.txt 1_Set up job.txt

I get the feeling that it doesn't like my PMD rules. Eslint seems to dislike them too, but this is a tool that I'd expect to get it. I don't know what the diffBetweenCurrentAndParentBranch.txt file is - are you able to support incremental vs full scans?

Is it hurting because I have no Apex code and basically no metadata? It's a base project template so I have all the things I like set up the way I like them for new projects.

This is my workflow job:

pmd-spano-scanner:
    runs-on: ubuntu-latest
    needs: format-lint-lwc-tests
    if: ${{ github.actor != 'dependabot[bot]' }}
    steps:
      # Checkout the source code
      - name: 'Checkout source code'
        uses: actions/checkout@v3

      - name: Install SFDX CLI and Scanner
        run: |
          npm install sfdx-cli
          node_modules/sfdx-cli/bin/run plugins:install @salesforce/sfdx-scanner
      - name: Run SFDX Scanner - Report findings as comments
        uses: mitchspano/[email protected]
        with:
          pmdconfig: 'pmd/deployRules.xml'
          severity-threshold: 1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Error message:

Run mitchspano/[email protected]
  with:
    pmdconfig: pmd/deployRules.xml
    severity-threshold: 1
  env:
    GITHUB_TOKEN: ***
  
Getting difference within the pull request...
fatal: ambiguous argument 'origin/undefined...origin/undefined': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
node:child_process:8[2](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:2)6
    err = new Error(msg);
          ^

Error: Command failed: git diff origin/undefined...origin/undefined > diffBetweenCurrentAndParentBranch.txt
fatal: ambiguous argument 'origin/undefined...origin/undefined': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'

    at checkExecSyncError (node:child_process:826:11)
    at execSync (node:child_process:900:15)
    at getDiffInPullRequest (/home/runner/work/_actions/mitchspano/sfdx-scan-pull-request/v0.1.[3](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:3)/index.js:78:3)
    at main (/home/runner/work/_actions/mitchspano/sfdx-scan-pull-request/v0.1.3/index.js:280:3)
    at Object.<anonymous> (/home/runner/work/_actions/mitchspano/sfdx-scan-pull-request/v0.1.3/index.js:287:1)
    at Module._compile (node:internal/modules/cjs/loader:1101:1[4](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:4))
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:11[5](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:5)3:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12) {
  status: 128,
  signal: null,
  output: [
    null,
    Buffer(0) [Uint8Array] [],
    Buffer(21[6](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:6)) [Uint8Array] [
      102,  9[7](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:7), 116,  9[7](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:8), 10[8](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:9),  58,  32,  [9](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:10)7, [10](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:11)9,  98, 105, 103,
      [11](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:12)7, 111, 117, 115,  32,  97, 114, 103, 117, 109, 101, 110,
      116,  32,  39, 111, 114, 105, 103, 105, 110,  47, 117, 110,
      100, 101, 102, 105, 110, 101, 100,  46,  46,  46, 111, 114,
      105, 103, 105, 110,  47, 117, 110, 100, 101, 102, 105, 110,
      101, 100,  39,  58,  32, 117, 110, 107, 110, 111, 119, 110,
       32, 114, 101, 118, 105, 115, 105, 111, 110,  32, 111, 114,
       32, 1[12](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:13),  97, 116, 104,  32, 110, 111, 116,  32, 105, 110,
       32, 116, 104, 101,
      ... 116 more items
    ]
  ],
  pid: 1949,
  stdout: Buffer(0) [Uint8Array] [],
  stderr: Buffer(216) [Uint8Array] [
    102,  97, 116,  97, 108,  58,  32,  97, 109,  98, 105, 103,
    117, 111, 117, 115,  32,  97, 1[14](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:15), 103, 117, 109, 101, 110,
    116,  32,  39, 111, 114, 105, 103, 105, 110,  47, 117, 110,
    100, 101, 102, 105, 110, 101, 100,  46,  46,  46, 111, 114,
    105, 103, 105, 110,  47, 117, 110, 100, 101, 102, 105, 110,
    101, 100,  39,  58,  32, 117, 110, 107, 110, 111, 119, 110,
     32, 114, 101, 118, 105, 1[15](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:16), 105, 111, 110,  32, 111, 114,
     32, 112,  97, 1[16](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:17), 104,  [32](https://github.com/dschach/BaseSFDXProject/actions/runs/3454017819/jobs/5765037153#step:4:33), 110, 111, 116,  32, 105, 110,
     32, 116, 104, 101,
    ... 116 more items
  ]
}

Scanner tries to comment the lines which are not part of the diff, and the action fails:

data: {
     message: 'Validation Failed',
     errors: [
       {
         resource: 'PullRequestReviewComment',
         code: 'custom',
         field: 'pull_request_review_thread.line',
         message: 'pull_request_review_thread.line must be part of the diff'
       },
       {
         resource: 'PullRequestReviewComment',
         code: 'custom',
         field: 'pull_request_review_thread.start_line',
         message: 'pull_request_review_thread.start_line must be part of the same hunk as the line.'
       },
       {
         resource: 'PullRequestReviewComment',
         code: 'missing_field',
         field: 'pull_request_review_thread.diff_hunk'
       }
     ],
     documentation_url: 'https://docs.github.com/rest'
   }
 },

Scanner actions:

          - name: 'Install Salesforce CLI and Scanner'
             run: |
                 npm install sfdx-cli
                 node_modules/sfdx-cli/bin/run plugins:install @salesforce/sfdx-scanner
                 
           - name: SFDX Scan Pull Request
             uses: mitchspano/[email protected]
             with:
               severity-threshold: 4
               strictly-enforced-rules: '[{ "engine": "pmd", "category": "Design,Best Practices,Performance"}]'
             env:
               GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

For example:

1. there is a long class in a main branch, let's say 50 lines of the code, which was added to this branch before using scanner in a pipeline
2. you add a small change in a middle of the class, let's say in a line 30
3. scanner tries to add a comment to line 2, but it is not part of the diff, so it fails.

When the scan is initiated on a fork of the repository, the scan will fail with the following error:

fatal: ambiguous argument 'origin/master...origin/fork-branch-name': unknown revision or path not in the working tree.

Enable Diffs on Fork PRs - Fixes #23

Enables the git diff to be calculated when the pull request is initiated from a forked repository by defining a new remote for the destination repository.

Validate Pull Request Context

• Fixes issue #20
• Throws an error and prematurely exits if the action was not invoked from the context of a pull request.

Using any of the scanner command line arguments which specify a path to a file seem to break the scan.

I believe this is an issue with the relative path of the supplied filename, or perhaps missing quotes.

WARNING: No rules found. Maybe you misspelled a rule name? (ruleset.xml)

node:child_process:826
    err = new Error(msg);
          ^

Error: Command failed: node_modules/sfdx-cli/bin/run scanner:run     --pmdconfig=ruleset.xml      --format json     --target "temporary"     --outfile "sfdx-scanner-findings.json"
WARNING: We're constantly improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA.

Fixes the following error when findings only span one line:

"message":"pull_request_review_thread.start_line must precede the end line."

• Rename getDiffSinceLastCommit to getDiffInPullRequest#2
• Support additional attributes passed into the scan command #3
• Gracefully exit is there are no applicable files found in the git difference between the branches in the pull request #5
• Get rid of vercel created dist folder - use node_modules instead

If the scope of the pull request does not generate any files to be moved into the temporary folder, the scan crashes.

This can happen if the PR only contains modifications to the .github folder, and potentially other scenarios as well.

The system should gracefully exit if there is nothing in temporary.

Getting difference since Last commit...
Recursively moving all files to the temp folder...
(node:1[8](https://github.com/rsoesemann/salesforce-recipes/runs/7617039009?check_suite_focus=true#step:4:9)31) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
Performing static code analysis on all of the files in the difference...
WARNING: We're constantly improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA.
WARNING: In September 2022, v3.x of the Salesforce Code Analyzer will become the default version,
         and older versions, including your currently installed version, will no longer be supported.
         You can manually update to v3.x earlier for a smoother transition.
WARNING: As of April 27, 2022, v3.x of the Salesforce Code Analyzer is available as an open pilot.
         To update to v3.x and try out our pilot features, run these commands:
         > sfdx plugins:uninstall @salesforce/sfdx-scanner
         > sfdx plugins:install @salesforce/sfdx-scanner@latest-pilot
WARNING: Target: 'temporary' was not processed by any engines.
node:fs:585
  handleErrorFromBinding(ctx);
  ^

Error: ENOENT: no such file or directory, open '/home/runner/work/salesforce-recipes/salesforce-recipes/sfdx-scanner-findings.json'
    at Object.openSync (node:fs:585:3)
    at Object.readFileSync (node:fs:453:35)
    at performStaticCodeAnalysisOnFilesInDiff (/home/runner/work/_actions/mitchspano/sfdx-scan-pull-request/v0.1/dist/index.js:7[15](https://github.com/rsoesemann/salesforce-recipes/runs/7617039009?check_suite_focus=true#step:4:16)64:33)
    at main (/home/runner/work/_actions/mitchspano/sfdx-scan-pull-request/v0.1/dist/index.js:717[16](https://github.com/rsoesemann/salesforce-recipes/runs/7617039009?check_suite_focus=true#step:4:17):3) {
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/home/runner/work/salesforce-recipes/salesforce-recipes/sfdx-scanner-findings.json'
}

The getDiffSinceLastCommit function in index.js should be called getDiffInPullRequest - that's a more accurate representation of what it's actually performing.

Hey @mitchspano - This is a cool ci action. Would you be open to converting this to a Docker action and adding support for GitLab? If so, I'm happy to do it.

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

When using a PMD ruleset file which contains a custom rule, sfdx scanner requires the registration of the rules before they can be picked up by the scan. For each file, we need to call sfdx scanner:rule:add with the appropriate --language and --path arguments.

The sfdx-scan-pull-request action should enable users to define the languages and paths that they want to register before scan execution.

For additional context, see this comment.

SARIF is an acronym for the Static Analysis Results Interchange Format, which is a standard, JSON-based format for the output of static analysis tools.

Instead of using the GitHub REST API to publish the findings as comments, we should use the SARIF format to standardize the way findings are reported.

Here is some documentation for usage of the SARIF format within GitHub.

If running the scan on every commit to a Pull Request, you may create many duplicative comments.

It would be great if the system could accept a boolean input parameter to determine if previously generated auto-comments should be deleted of resolve.

I am still not certain if Delete or Resolve would make more sense.

The scan has no protection against blowing through the GitHub REST API rate limit when many many comments are to be generated.

Writing comments using GitHub REST API...
WARNING: In September 2022, v3.x of the Salesforce Code Analyzer will become the default version,
         and older versions, including your currently installed version, will no longer be supported.
         You can manually update to v3.x earlier for a smoother transition.
WARNING: As of April 27, 2022, v3.x of the Salesforce Code Analyzer is available as an open pilot.
         To update to v3.x and try out our pilot features, run these commands:
         > sfdx plugins:uninstall @salesforce/sfdx-scanner
         > sfdx plugins:install @salesforce/sfdx-scanner@latest-pilot
/home/runner/work/_actions/mitchspano/sfdx-scan-pull-request/v0.1/dist/index.js:6544
      const error = new requestError.RequestError(toErrorMessage(data), status, {
                    ^

RequestError [HttpError]: Validation Failed: {"resource":"PullRequestReviewComment","code":"abuse","field":"base"}
    at /home/runner/work/_actions/mitchspano/sfdx-scan-pull-request/v0.1/dist/index.js:6544:21
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async writeComments (/home/runner/work/_actions/mitchspano/sfdx-scan-pull-request/v0.1/dist/index.js:7[17](https://github.com/rsoesemann/salesforce-recipes/runs/7617457933?check_suite_focus=true#step:4:18)01:7) {
  status: 4[22](https://github.com/rsoesemann/salesforce-recipes/runs/7617457933?check_suite_focus=true#step:4:23),
  response: {
    url: 'https://api.github.com/repos/rsoesemann/salesforce-recipes/pulls/2/comments',
    status: 422,
    
    ...
    
    data: {
      message: 'Validation Failed',
      errors: [
        {
          resource: 'PullRequestReviewComment',
          code: 'abuse',
          field: 'base'
        }
      ],
      documentation_url: 'https://docs.github.com/rest'
    }
  },
  request: {
    method: 'POST',
    url: 'https://api.github.com/repos/rsoesemann/salesforce-recipes/pulls/2/comments',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'octokit-action.js/4.0.4 octokit-core.js/4.0.4 Node.js/16.13.0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: `{"commit_id":"7e02f10a68b649d3de0042b5e328[59](https://github.com/rsoesemann/salesforce-recipes/runs/7617457933?check_suite_focus=true#step:4:60)315ee38c33","path":"force-app/main/apex-domainbuilder/classes/Voldemort.cls","start_line":80,"start_side":"RIGHT","side":"RIGHT","line":81,"body":"| Engine | Category | Rule | Severity | Type |\\n| --- | --- | --- | --- | --- |\\n| pmd | Best Practices | UnusedLocalVariable | 5 | Error |\\n\\n[\\nVariable 'space' defined but not used\\n](https://pmd.github.io/pmd-6.47.0/pmd_rules_apex_bestpractices.html#unusedlocalvariable)"}`,
    request: {
      agent: ProxyAgent { promisifiedCallback: [Function (anonymous)] },
      hook: [Function: bound bound register]
    }
  }
}

https://docs.github.com/en/rest/rate-limit