Bugfix/broken pipeline v2 #832
The PR makes sensible improvements — making version optional with a fallback to the Maven revision, improving scan_mode documentation, and adding several missing Detect/BlackDuck arguments. Two issues were flagged: a shell injection risk from inlining the version input directly into the script, and a fragile mvn help:evaluate output parsing that could silently capture spurious Maven log lines instead of the revision value.
PR Bot Information
- Version: 1.20.51
- File Content Strategy: Full file content
- Correlation ID: ef4811c8-73c2-41fe-b660-155b125ab0b4
- Event Trigger: pull_request.opened
- LLM: anthropic--claude-4.6-sonnet
- Agent Instructions:
| run: | | ||
| if [ -n "${{ inputs.version }}" ]; then | ||
| VERSION="${{ inputs.version }}" |
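Review bot: The explicit-input branch at `VERSION="${{ inputs.version }}"` passes the caller's value through unchanged, so a value that is not in major.minor form (or is not a version at all) reaches --detect.project.version.name with no check. Beyond moving the value into an env var, validate it before use, e.g. `case "$INPUT_VERSION" in [0-9]*.[0-9]*) ;; *) echo "invalid version input" >&2; exit 1;; esac`, so that the explicit path and the Maven-derived path are held to the same format.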
Security: Script injection via ${{ inputs.version }} interpolated directly into shell script
inputs.version is interpolated inline into the run script at lines 45–46. A malicious value containing shell metacharacters (e.g. "; malicious_cmd #) would be executed as part of the shell script. The input value should be passed through an environment variable instead.
Consider assigning the input to an env var and referencing it in the script body:
| run: | | |
| if [ -n "${{ inputs.version }}" ]; then | |
| VERSION="${{ inputs.version }}" | |
| env: | |
| INPUT_VERSION: ${{ inputs.version }} | |
| run: | | |
| if [ -n "$INPUT_VERSION" ]; then | |
| VERSION="$INPUT_VERSION" | |
| else | |
| REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout) | |
| VERSION=$(echo "$REVISION" | cut -d. -f1,2) | |
| fi | |
| echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT" | |
| echo "Resolved BlackDuck project version: $VERSION" | |
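Review bot: The suggested script never checks that VERSION is non-empty before `echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"`, so an empty or unexpected value is published as the project version and the failure only surfaces later inside Detect. The `echo "$REVISION" | cut -d. -f1,2` line also cannot fail, whatever REVISION contains. Add an explicit guard such as `[ -n "$VERSION" ] || { echo "Unable to resolve version" >&2; exit 1; }` before the output line rather than relying on the step shell's -e/pipefail settings.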
| VERSION="${{ inputs.version }}" | ||
| else | ||
| REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout) | ||
| VERSION=$(echo "$REVISION" | cut -d. -f1,2) |
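Review bot: `cut -d. -f1,2` on the last line assumes the revision has at least two dot-separated numeric fields. If the revision property is not defined in the POM, help:evaluate prints a `null object or invalid expression` message instead of a value, and a revision such as `1-SNAPSHOT` has no second field; in both cases cut passes the text through unchanged and the step reports a bogus version. Check the captured value against a pattern (e.g. `grep -Eq '^[0-9]+\.[0-9]+'`) and fail the step otherwise.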
Bug: mvn help:evaluate can include spurious output even with -q
mvn help:evaluate -Dexpression=revision -q -DforceStdout occasionally emits warnings or download progress lines before the actual value, especially on first runs or when the local repository is cold. cut -d. -f1,2 applied to such output would silently produce an incorrect version string (e.g. [WARNING] → [WARNING]).
Consider using tail -1 to reliably take only the last output line (the evaluated value):
| VERSION=$(echo "$REVISION" | cut -d. -f1,2) | |
| VERSION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout | tail -1 | cut -d. -f1,2) | |
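Review bot: `tail -1` narrows the problem but does not remove it: if the last line is itself a warning or error message, it is still accepted silently, and because the value now comes from a three-stage pipeline, mvn's exit status is lost unless the step shell sets pipefail. Keep the capture separate from the parsing (`REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout) || exit 1`), then take the last line and validate the extracted major.minor before writing it.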
Fix BlackDuck Pipeline: Optional Version Input & Scan Improvements

Bug Fix

🐛 Resolves a broken BlackDuck security scan pipeline by making the version input optional and adding automatic version resolution from Maven, along with several scan stability improvements.

Changes

.github/actions/scan-with-blackduck/action.yml:
- Made the version input optional (previously required), defaulting to an empty string. When not provided, the version is automatically resolved from the Maven revision property, reduced to major.minor format.
- New version-resolution step using mvn help:evaluate.
- Updated --detect.project.version.name to use the dynamically resolved version from the new step.
- Added --detect.maven.excluded.scopes=test,provided to exclude test and provided dependencies from scanning.
- Added --detect.timeout=6000 to prevent scan timeouts.
- Added --blackduck.signature.scanner.memory=4096 to allocate more memory for the signature scanner.
- Added --blackduck.trust.cert=true to handle certificate trust issues.
- Updated the scan_mode input description for clarity (FULL vs. RAPID behavior).
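As an added example, not code from this PR or the repository, here is a version-resolution step that applies both review points raised above: the caller's value arrives through an env var instead of being interpolated into the script, the Maven output is reduced to its last line, and both paths are validated against a major.minor pattern before anything is written to the step output. The MAVEN_EVAL_CMD hook and the function names are assumptions of this example, introduced so the parsing logic can be exercised with a stub in place of a real Maven installation.

```shell
#!/usr/bin/env bash
# Added example, not the PR's code: hardened BlackDuck project-version resolution.
# In action.yml the input is passed through the environment, never inline:
#   env:
#     INPUT_VERSION: ${{ inputs.version }}
set -eu

# Evaluate the Maven "revision" property. MAVEN_EVAL_CMD is an assumption of this
# example: it lets a stub stand in for mvn so the parsing can be tested offline.
maven_revision() {
  "${MAVEN_EVAL_CMD:-mvn}" help:evaluate -Dexpression=revision -q -DforceStdout
}

# Reduce a version string to major.minor. Anything that does not start with two
# dot-separated numeric fields is rejected (the "null object or invalid expression"
# message, "1-SNAPSHOT", strings with spaces or shell metacharacters), so the step
# fails instead of handing junk to --detect.project.version.name.
to_major_minor() {
  case "$1" in
    *[!0-9.A-Za-z_-]*) return 1 ;;   # conservative character set
  esac
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+(\.|-|$)' || return 1
  printf '%s\n' "$1" | cut -d. -f1,2
}

# Resolve the project version: explicit input first, otherwise Maven.
#   $1 - value of INPUT_VERSION (may be empty)
resolve_version() {
  raw="${1:-}"
  if [ -z "$raw" ]; then
    # Capture separately from parsing so a failing mvn is not masked by a pipe.
    raw=$(maven_revision) || return 1
    # -q does not guarantee a clean stdout: keep only the last line, drop CRs.
    raw=$(printf '%s\n' "$raw" | tail -n 1 | tr -d '\r')
  fi
  to_major_minor "$raw"
}

# Step body: resolve, fail fast on anything unexpected, then publish the output.
main() {
  version=$(resolve_version "${INPUT_VERSION:-}") || {
    echo "Unable to resolve a major.minor project version" >&2
    exit 1
  }
  echo "VERSION=$version" >> "${GITHUB_OUTPUT:-/dev/stdout}"
  echo "Resolved BlackDuck project version: $version"
}
# main   # the run: script ends with this call; left commented so the file can be sourced
```

The explicit-input and Maven paths share one validator, so a caller-supplied value is held to the same major.minor rule as a value read from the POM; with INPUT_VERSION set to 3.4.1-SNAPSHOT the step publishes 3.4, and an undefined revision property makes the step exit non-zero instead of scanning under a nonsense version.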