From 5bb34a3fe0d0ac3e1d2f9e278e59e1fa56cbdf02 Mon Sep 17 00:00:00 2001
From: Typpi <20943337+Nick2bad4u@users.noreply.github.com>
Date: Wed, 27 Mar 2024 17:41:05 -0400
Subject: [PATCH] Update pysa.yml
---
 .github/workflows/pysa.yml | 221 ++++++++++++++++++++++++++++---------
 1 file changed, 170 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/pysa.yml b/.github/workflows/pysa.yml
index 178b69a..e4dfe96 100644
--- a/.github/workflows/pysa.yml
+++ b/.github/workflows/pysa.yml
@@ -1,51 +1,170 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates Python Static Analyzer (Pysa) with
-# GitHub's Code Scanning feature.
-#
-# Python Static Analyzer (Pysa) is a security-focused static
-# analysis tool that tracks flows of data from where they
-# originate to where they terminate in a dangerous location.
-#
-# See https://pyre-check.org/docs/pysa-basics/
-
-name: Pysa
-
-on:
- workflow_dispatch:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
- schedule:
- - cron: '18 12 * * 5'
-
-permissions:
- contents: read
-
-jobs:
- pysa:
- permissions:
- actions: read
- contents: read
- security-events: write
-
- runs-on: windows-latest
- steps:
- - uses: actions/checkout@v4
- with:
- submodules: true
- python-version: '3.11'
-
- - name: Run Pysa
- uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b
- with:
- # To customize these inputs:
- # See https://github.com/facebook/pysa-action#inputs
- repo-directory: './'
- requirements-path: 'requirements.txt'
- infer-types: true
- include-default-sapp-filters: true
+name: Pysa Action
+author: Meta
+description: Analyze data flows and detect security and privacy issues in Python code
+branding:
+ icon: 'search'
+ color: 'orange'
+
+inputs:
+ repo-directory:
+ description: Path to the python source code you want to analyze. If you want to analyze the root of your repo, use './'
+ required: true
+ requirements-path:
+ description: Path to requirements file, relative to `repo-directory`, to look for dependencies. Default will look for requirements.txt in the root of repo-directory
+ required: false
+ default: "requirements.txt"
+ use-nightly:
+ description: Use nightly (unstable) version of Pysa
+ required: false
+ type: boolean
+ default: false
+ pysa-version:
+ description: Version of pyre-check package to be used
+ required: false
+ default: 'latest'
+ infer-types:
+ description: Runs pyre infer in-place to add type annotations. Note that this will change your source code during analysis
+ required: false
+ type: boolean
+ default: false
+ # SAPP Inputs
+ sapp-version:
+ description: Version of fb-sapp package to be used
+ required: false
+ default: 'latest'
+ sapp-filters-directory:
+ description: Path to your custom SAPP filters
+ required: false
+ include-default-sapp-filters:
+ description: Use SAPP filters packaged with Pysa
+ required: false
+ default: true
+ type: boolean
+ use-poetry:
+ description: Use poetry to install dependencies
+ required: false
+ default: false
+ type: boolean
+
+runs:
+ using: "composite"
+ steps:
+ - name: Set up Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: '>=3.6'
+
+ - name: Validate repo-directory path
+ run: |
+ if [ ! -d "$REPO_DIR" ] || [ -ne "$(ls -A "$REPO_DIR")" ]; then
+ echo "Repository path $REPO_DIR must exist and cannot be empty"
+ exit 1
+ fi
+ shell: bash
+ env:
+ # https://github.com/actions/runner/issues/665
+ REPO_DIR: ${{inputs.repo-directory}}
+
+ - name: Install Pysa
+ # https://github.com/actions/runner/issues/1483
+ run: |
+ if [ "$USE_NIGHTLY" != 'false' ]; then
+ pip install pyre-check-nightly
+ elif [ "$PYSA_VERSION" = "latest" ]; then
+ pip install pyre-check
+ else
+ pip install pyre-check=="$PYSA_VERSION"
+ fi
+ shell: bash
+ env:
+ PYSA_VERSION: ${{inputs.pysa-version}}
+ USE_NIGHTLY: ${{inputs.use-nightly}}
+
+ - name: Install dependencies
+ working-directory: ${{inputs.repo-directory}}
+ run: |
+ if [ "$USE_POETRY" = true ]; then
+ pip install poetry
+ poetry install --no-root
+ else
+ if [ "$REQUIREMENTS_PATH" != '' ] && [ -f "$REQUIREMENTS_PATH" ]; then
+ pip install -r ${{inputs.requirements-path}}
+ else
+ echo "Path $REPO_DIR/$REQUIREMENTS_PATH does not exist"
+ exit 1
+ fi
+ fi
+ shell: bash
+ env:
+ REQUIREMENTS_PATH: ${{inputs.requirements-path}}
+ REPO_DIR: ${{inputs.repo-directory}}
+ USE_POETRY: ${{inputs.use-poetry}}
+
+ - name: Prepare SAPP filters directory
+ run: |
+ filters_path='tmp/sapp_filters'
+ mkdir -p $filters_path
+
+ if [ "$FILTERS_DIR" != '' ]; then
+ echo 'Copying custom sapp filters to temporary directory'
+ cp -r "$FILTERS_DIR"/* $filters_path
+ fi
+
+ if [ "$INCLUDE_DEFAULT_SAPP_FILTERS" == 'true' ]; then
+ echo 'Copying default sapp filters to temporary directory'
+ cp -r ${{env.LD_LIBRARY_PATH}}/pyre_check/pysa_filters/* $filters_path
+ fi
+
+ if ! [[ "$(ls -A "$filters_path")" ]]; then
+ echo 'Using neither custom sapp filters or default sapp filters'
+ echo '{
+ "name": "Pass through filter",
+ "description": "Shows all issues",
+ "paths": ["%"]
+ }' > $filters_path/empty_filter.json
+ fi
+
+ echo "SAPP_FILTERS_PATH=$filters_path" >> $GITHUB_ENV
+ shell: bash
+ env:
+ FILTERS_DIR: ${{inputs.sapp-filters-directory}}
+ INCLUDE_DEFAULT_SAPP_FILTERS: ${{inputs.include-default-sapp-filters}}
+
+ - name: Set up Pyre
+ working-directory: ${{inputs.repo-directory}}
+ run: |
+ if [ ! -f .pyre_configuration ]; then
+ echo '{
+ "source_directories": ["."],
+ "taint_models_path": "${{env.LD_LIBRARY_PATH}}"
+ }' > .pyre_configuration
+ fi
+ shell: bash
+
+ - name: Run Pyre Infer
+ working-directory: ${{inputs.repo-directory}}
+ if: ${{inputs.infer-types == 'true'}}
+ run: |
+ pyre infer
+ pyre infer -i --annotate-from-existing-stubs
+ shell: bash
+
+ - name: Run Pysa
+ working-directory: ${{inputs.repo-directory}}
+ run: |
+ pyre analyze --no-verify --save-results-to=./pysa-output
+ shell: bash
+
+ - name: Saving Pysa results for SAPP
+ uses: actions/upload-artifact@v3
+ with:
+ name: pysa-results
+ path: ${{inputs.repo-directory}}/pysa-output
+ if-no-files-found: error
+
+ - name: Postprocess Pysa results with SAPP
+ uses: facebook/sapp-action@main
+ with:
+ version: ${{inputs.sapp-version}}
+ artifact-handle: pysa-results
+ filters-directory: ${{env.SAPP_FILTERS_PATH}}
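Review bot: The new content of `.github/workflows/pysa.yml` is action metadata (`inputs:`, `runs: using: "composite"`), not a workflow — the `on:` triggers, the `jobs:` block and the `security-events: write` permission on the removed side are gone, so as far as I can tell GitHub will not run this file at all and the scheduled and pull-request Pysa scan silently stops. If an in-repo composite action is wanted, it belongs in its own directory as `action.yml`, with the workflow kept here and referencing it (or the pinned `facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b` from the removed lines) via `uses:`. Separately, `facebook/sapp-action@main` is a floating ref where the old workflow pinned a full commit SHA, and `pip install -r ${{inputs.requirements-path}}` interpolates the input directly into the shell script even though `REQUIREMENTS_PATH` is already exported for that purpose (the runner issue linked in the hunk is exactly this); `pip install -r "$REQUIREMENTS_PATH"` keeps the value out of the script text. The emptiness check `[ -ne "$(ls -A "$REPO_DIR")" ]` is also malformed — `-ne` is a binary integer comparison — so that test errors out and only the `-d` check is effective; `[ -z "$(ls -A "$REPO_DIR")" ]` is the intended form.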