Merge branch 'main' into feature/gitleaks

rtrofimenkov-ssdlc · web-flow · commit a088db3a32a4 · 2025-10-17T23:46:37.000+05:00
Signed-off-by: rtrofimenkov-ssdlc &lt;roman.trofimenkov@flant.com&gt;
diff --git a/cve_scan/action.yml b/cve_scan/action.yml
@@ -123,7 +123,6 @@ runs:
             --retry-all-errors \
             ${DD_URL}/api/v2/reimport-scan/ \
             -H "accept: application/json" \
-            -H "Content-Type: multipart/form-data"  \
             -H "Authorization: Token ${DD_TOKEN}" \
             -F "auto_create_context=True" \
             -F "minimum_severity=Info" \
diff --git a/gitleaks/action.yml b/gitleaks/action.yml
@@ -5,7 +5,7 @@ inputs:
   scan_mode:
     description: "Scan mode: full | diff"
     required: false
-    default: "full"
+    default: "diff"
   gitleaks_version:
     description: "Gitleaks version to install"
     required: false
@@ -93,7 +93,7 @@ runs:
           exit 0
         fi
 
-        mapfile -t FILES < <(git diff --name-only --diff-filter=AMR "${BASE_SHA}...${HEAD_SHA}")
+        mapfile -t FILES < <(git diff --name-only --diff-filter=AMR "${BASE_SHA}" "${HEAD_SHA}")
         if (( ${#FILES[@]} == 0 )); then
           echo "No changed files."
           echo "src_dir=" >> "$GITHUB_OUTPUT"
@@ -112,7 +112,7 @@ runs:
         echo '{}' > "$PATCH_JSON"
 
         while IFS= read -r file; do
-          HUNKS="$(git diff --unified=0 "${BASE_SHA}...${HEAD_SHA}" -- "$file" \
+          HUNKS="$(git diff --unified=0 "${BASE_SHA}" "${HEAD_SHA}" -- "$file" \
             | awk '/^@@/ {print}' \
             | sed -n 's/.*+\([0-9]\+\),\([0-9]\+\).*/\1 \2/p')"
 
@@ -163,8 +163,6 @@ runs:
     - name: Filter findings by added lines (patch)
       if: ${{ inputs.scan_mode == 'diff' }}
       shell: bash
-      env:
-        SRC_DIR: ${{ steps.prpatch.outputs.src_dir }}
       run: |
         set -euo pipefail
         PATCH_MAP_PATH="${{ steps.prpatch.outputs.patch_map }}"
@@ -176,19 +174,16 @@ runs:
         fi
 
         MAP_JSON="$(cat "${PATCH_MAP_PATH}")"
-        SRC_PREFIX="${SRC_DIR%/}/"
 
-        jq --argjson map "${MAP_JSON}" --arg src "${SRC_PREFIX}" '
+        jq --argjson map "${MAP_JSON}" '
           def arr: if type=="object" and has("findings") then .findings
                    elif type=="array" then . else [] end;
-          def strip($p; s): if s|startswith($p) then s[($p|length):] else s end;
-
           arr
           | map(
               . as $f
-              | (strip($src; ($f.File // $f.file // $f.Target // $f.Location.File // ""))) as $rel
+              | ($f.File // $f.file // $f.Target // $f.Location.File // "") as $file
               | ($f.StartLine // $f.Line // $f.Location.StartLine // 0) as $line
-              | if ($map[$rel] // []) as $ranges
+              | if ($map[$file] // empty) as $ranges
                 | any($ranges[]; $line >= .[0] and $line <= .[1])
                 then $f else empty end
             )
diff --git a/svace_analyze/action.yml b/svace_analyze/action.yml
@@ -294,8 +294,21 @@ runs:
             fi
         }
 
+        get_svace_bin() {
+            proj="${1}"
+            svace_version=$(send "cat ${proj}/.svace-dir/svace-dir.version | awk 'FNR==3{print}'")
+
+            svace_bin="/opt/svace-${svace_version}/bin/svace"
+            if [[ $(send "[[ -x ${svace_bin} ]] && echo true || echo false") == true ]]; then
+                echo "${svace_bin}"
+            else
+                echo "svace"
+                error "\"${svace_bin}\" is not executable on analyze server. Using default."
+            fi
+        }
+
         if [[ $(send "[[ -d /${SVACE_ANALYZE_DIR}/${CI_COMMIT_HASH} ]] && echo true || echo false") == false ]]; then
-          echo "::warning file=$(realpath "$0")::Specified commit directory doesn't exists on analyze server." && exit 0
+          echo "::warning file=$(realpath "$0")::Specified commit directory doesn't exists on analyze server." && exit 1
         fi
 
         projects=$(send "find /${SVACE_ANALYZE_DIR}/${CI_COMMIT_HASH} \\( -type d -iname .svace-dir -o -iname *.tar.gz \\) -exec dirname {} \\;")
@@ -312,10 +325,12 @@ runs:
 
             if [[ $(send "[[ -d ${proj}/.svace-dir ]] && echo true || echo false") == true ]]; then
                 define_import_params import_project import_branch
+                svace_bin=$(get_svace_bin "${proj}")
+                info "Using svace binary: $svace_bin"
 
                 info "Start analyzing project \"${svacer_proj}\" ..."
-                send "svace config --svace-dir ${proj} THREAD_NUMBER auto"
-                send "svace analyze --set-config SKIP_UNREACHABLE_PROCEDURE_ANALYSIS=${SKIP_UNREACHABLE_PROCEDURE_ANALYSIS} --quiet --svace-dir ${proj}"
+                send "${svace_bin} config --svace-dir ${proj} THREAD_NUMBER auto"
+                send "${svace_bin} analyze --set-config SKIP_UNREACHABLE_PROCEDURE_ANALYSIS=${SKIP_UNREACHABLE_PROCEDURE_ANALYSIS} --quiet --svace-dir ${proj}"
                 success "Analysis completed successfully!"
 
                 info "Start archiving project \"${svacer_proj}\" ..."
