Merged
26 changes: 22 additions & 4 deletions .github/actions/scan-with-blackduck/action.yml
Expand Up @@ -16,10 +16,11 @@ inputs:
description: The Maven version the build shall run with.
required: true
version:
description: The project version to report to Black Duck (e.g. release tag).
required: true
description: The project version to report to Black Duck (e.g. release tag). If empty, falls back to the Maven `revision` reduced to major-minor.
required: false
default: ''
scan_mode:
description: The scan mode to use (FULL or RAPID)
description: The scan mode to use (FULL uploads a report to the Black Duck server; RAPID is a fast policy gate without server upload).
default: 'FULL'
required: false
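Review bot: The new `version` description documents the fallback but not its consequence: with `revision` reduced to major-minor, every patch release of a line reports under the same Black Duck project version, so later scans update that one version entry rather than keeping per-release history. If that is intended, say so in the description; if per-release history matters, fall back to the full `revision` instead. Minor: the `scan_mode` description lists FULL and RAPID but nothing states what happens for any other value; consider noting that only those two are supported.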

Expand All @@ -38,6 +39,19 @@ runs:
with:
maven-version: ${{ inputs.maven-version }}

- name: Resolve Project Version
id: resolve-version
run: |
if [ -n "${{ inputs.version }}" ]; then
VERSION="${{ inputs.version }}"
Comment on lines +44 to +46

Security: Script injection via ${{ inputs.version }} interpolated directly into shell script

inputs.version is interpolated inline into the run script at lines 45–46. A malicious value containing shell metacharacters (e.g. "; malicious_cmd #) would be executed as part of the shell script. The input value should be passed through an environment variable instead.

Consider assigning the input to an env var and referencing it in the script body:

Suggested change
run: |
if [ -n "${{ inputs.version }}" ]; then
VERSION="${{ inputs.version }}"
env:
INPUT_VERSION: ${{ inputs.version }}
run: |
if [ -n "$INPUT_VERSION" ]; then
VERSION="$INPUT_VERSION"
else
REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)
VERSION=$(echo "$REVISION" | cut -d. -f1,2)
fi
echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
echo "Resolved BlackDuck project version: $VERSION"


else
REVISION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout)
VERSION=$(echo "$REVISION" | cut -d. -f1,2)

Bug: mvn help:evaluate can include spurious output even with -q

mvn help:evaluate -Dexpression=revision -q -DforceStdout occasionally emits warnings or download progress lines before the actual value, especially on first runs or when the local repository is cold. cut -d. -f1,2 applied to such output would silently produce an incorrect version string (e.g. [WARNING][WARNING]).

Consider using tail -1 to reliably take only the last output line (the evaluated value):

Suggested change
VERSION=$(echo "$REVISION" | cut -d. -f1,2)
VERSION=$(mvn help:evaluate -Dexpression=revision -q -DforceStdout | tail -1 | cut -d. -f1,2)


fi
echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
echo "Resolved BlackDuck project version: $VERSION"
shell: bash

- name: BlackDuck Security Scan
uses: blackduck-inc/black-duck-security-scan@659a0742e793a093377fab3117b0d90f23b04bfa # v2.9.0
with:
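Review bot: The `else` branch writes whatever `mvn help:evaluate` returned into `$GITHUB_OUTPUT` without checking it, so a project that does not define the `revision` property ends up with the plugin's `null object or invalid expression` text as the Black Duck project version (the plugin exits 0 in that case, so the shell's `-e` does not catch it, and `cut -d. -f1,2` passes a dot-free line through unchanged). Suggest validating the resolved value just before `echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"`, for example `case "$VERSION" in [0-9]*.[0-9]*) ;; *) echo "::error::unresolvable project version: $VERSION"; exit 1 ;; esac`, which also rejects the `[WARNING]` leakage raised above and any odd caller-supplied value once `inputs.version` is read from an environment variable as suggested above.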
Expand All @@ -47,11 +61,15 @@ runs:
github_token: ${{ inputs.github_token }}
detect_args: >
--detect.project.name=com.sap.cds.feature.attachments
--detect.project.version.name=${{ inputs.version }}
--detect.project.version.name=${{ steps.resolve-version.outputs.VERSION }}
--detect.project.group.name=CDSJAVA-OPEN-SOURCE
--detect.included.detector.types=MAVEN
--detect.excluded.directories=**/*test*,**/samples/**
--detect.maven.included.modules=cds-feature-attachments,cds-feature-attachments-oss,cds-feature-attachments-fs
--detect.maven.excluded.scopes=test,provided
--detect.tools=DETECTOR,BINARY_SCAN
--detect.timeout=6000
--detect.risk.report.pdf=false
--blackduck.signature.scanner.memory=4096
--blackduck.trust.cert=true
--logging.level.detect=INFO
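Review bot: `--detect.project.version.name=${{ steps.resolve-version.outputs.VERSION }}` sits inside a folded (`>`) block scalar, so if the resolved value contains whitespace it is split into additional Detect arguments instead of failing loudly, and the project version recorded in Black Duck would be silently truncated; since the value is now computed from `mvn` output or caller input rather than taken from a release tag, either quote it here or reject anything but a `major.minor`-style string in the `resolve-version` step. Unrelated to this change but visible in the same block: `--blackduck.trust.cert=true` makes Detect trust the Black Duck server certificate without validation; worth a follow-up to trust the CA explicitly instead.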