Add coverage junit input runid output (#45)

* Added `junit-output`, `coverage-output`
* added logic in main for junit + coverage
* added ci for the mcode action
* added test for new functionality
* Add Mayhemfile for testing
* added run output
* Create dependabot.yml

---------

Co-authored-by: Benjamin Gutierrez <ben.gutierrez@forallsecure.com>

Author: vlussenburg

.github/dependabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: 'npm'
+    # Look for `package.json` and `lock` files in the `root` directory
+    directory: '/'
+    # Check the npm registry for updates every day (weekdays)
+    schedule:
+      interval: 'daily'

.github/workflows/main.yml

@@ -0,0 +1,108 @@
+name: 'build-test'
+on:
+  push
+
+jobs:
+  build: # make sure build/ci work properly
+    runs-on: ubuntu-latest
+    env:
+      MAYHEM_TOKEN: ${{ secrets.MAYHEM_TOKEN }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # fetch entire history to compute diffs between jobs
+          fetch-depth: 0
+      - run: |
+          npm install
+      - run: |
+          npm run all
+
+  test-some-outputs: # make sure the action works on a clean machine without building
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # fetch entire history to compute diffs between jobs
+          fetch-depth: 0
+
+      - uses: ./
+        id: mcode-action
+        with:
+          mayhem-url: https://demo.forallsecure.com
+          mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          sarif-output: out/sarif/
+          args: --image forallsecure/lighttpd:vulnerable --file __tests__/Mayhemfile --duration 60
+          
+      - name: Upload SARIF file(s)
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: out/sarif
+
+      - name: Print runId (${{ steps.mcode-action.outputs.runId }}) and test it's non-empty
+        run: |
+          [ -z "${{ steps.mcode-action.outputs.runId }}" ] && echo "runId was blank!" && exit 1;
+          echo "The run id was: ${{ steps.mcode-action.outputs.runId }}"
+
+  test-all-outputs: # make sure the action works on a clean machine without building
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # fetch entire history to compute diffs between jobs
+          fetch-depth: 0
+
+      - uses: ./
+        id: mcode-action
+        with:
+          mayhem-url: https://demo.forallsecure.com
+          mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          junit-output: out/junit/
+          sarif-output: out/sarif/
+          coverage-output: out/coverage/
+          args: --image forallsecure/lighttpd:vulnerable --file __tests__/Mayhemfile --duration 60
+
+      - name: Archive Coverage report
+        uses: actions/upload-artifact@v3
+        with:
+          name: coverage-report
+          path: out/coverage/
+
+      - name: Archive JUnit results
+        uses: actions/upload-artifact@v3
+        with:
+          name: mcode-junit
+          path: out/junit/
+          
+      - name: Upload SARIF file(s)
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: out/sarif
+
+      - name: Print runId (${{ steps.mcode-action.outputs.runId }}) and test it's non-empty
+        run: |
+          [ -z "${{ steps.mcode-action.outputs.runId }}" ] && echo "runId was blank!" && exit 1;
+          echo "The run id was: ${{ steps.mcode-action.outputs.runId }}"
+
+  test-no-outputs: # make sure the action works on a clean machine without building
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # fetch entire history to compute diffs between jobs
+          fetch-depth: 0
+
+      - uses: ./
+        id: mcode-action
+        with:
+          mayhem-url: https://demo.forallsecure.com
+          mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          args: --image forallsecure/lighttpd:vulnerable --file __tests__/Mayhemfile --duration 60
+
+      - name: Print runId (${{ steps.mcode-action.outputs.runId }}) and test it's non-empty
+        run: |
+          [ -z "${{ steps.mcode-action.outputs.runId }}" ] && echo "runId was blank!" && exit 1;
+          echo "The run id was: ${{ steps.mcode-action.outputs.runId }}"

README.md

@@ -122,11 +122,30 @@ jobs:
           mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
           args: --image ${{ needs.build.outputs.image }} --file ${{ matrix.mayhemfile }} --duration 300
           sarif-output: sarif
+          junit-output: junit
+          coverage-output: coverage
 
       - name: Upload SARIF file(s)
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: sarif
+          
+      - name: Archive Coverage report
+        uses: actions/upload-artifact@v3
+        with:
+          name: coverage-report
+          path: coverage
+
+      - name: Archive JUnit results
+        uses: actions/upload-artifact@v3
+        with:
+          name: mcode-junit
+          path: junit
+          
+      - name: Upload SARIF file(s)
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif
 ```
 
 The mCode Action accepts the following inputs:
@@ -137,6 +156,14 @@ The mCode Action accepts the following inputs:
 |   | `mayhem-token` | string | Mayhem for Code account token. **Only required within** `mayhem.yml` **if overriding** `mayhem-url`. |
 |   | `args` | string | Additional CLI override [arguments](https://mayhem.forallsecure.com/docs/mayhem-cli/getting-started/mayhem-cli-commands/#run) such as specifying the `--testsuite` directory path for a seed test suite. |
 |   | `sarif-output` | string | Path for generating a SARIF report output file. |
+|   | `junit-output` | string | Path for generating a jUnit report output file. |
+|   | `coverage-output` | string | Path for generating a coverage report output files. |
+
+The mCode Action provides the following outputs:
+| Output Name | Type | Description | Default
+| --- | --- | --- | ---
+| `runId` | string | The identifier of the run that this action triggered in Mayhem. |
+
 
 📖 See the [CI/CD](https://mayhem.forallsecure.com/docs/mayhem-ci-cd/fuzzing-in-your-pipeline/) docs for more information and guides on using the mCode GitHub Action!
 
@@ -146,14 +173,7 @@ Mayhem for Code generates [SARIF reports](https://sarifweb.azurewebsites.net/#:~
 
 SARIF reports are generated using the `sarif-output` parameter, which specifies an output file path.
 
-To upload the SARIF report to GitHub, use the `github/codeql-action/upload-sarif@v2` action with the `sarif_file` parameter to specify the location of a path containing SARIF results to upload to GitHub.
-
-```yaml
-- name: Upload SARIF file(s)
-  uses: github/codeql-action/upload-sarif@v2
-  with:
-    sarif_file: sarif
-```
+To upload the SARIF report to GitHub, see the `Upload SARIF file(s)` step in the `mayhem.yml` example above.
 
 Once uploaded to GitHub, you can view test results in the `Security` tab of your repository as well as for your individual pull requests.
 

__tests__/Mayhemfile

@@ -0,0 +1,16 @@
+image: forallsecure/lighttpd:vulnerable        # fields are unnecessary
+duration: 60                                   # since they will
+project: forallsecure/lighttpd                 # be filled at
+target: lighttpd                               # run creation time
+advanced_triage: true
+tasks:
+  - name: exploitability_factors
+  - name: regression_testing
+  - name: behavior_testing
+  - name: coverage_analysis
+cmds:
+  - cmd: /usr/local/sbin/lighttpd -D -f /usr/local/etc/lighttpd.conf
+    network:
+      url: tcp://localhost:80
+      timeout: 2
+      client: false

__tests__/events.json

@@ -0,0 +1,11 @@
+{
+    "pull_request": {
+        "head": {
+            "ref": "sample-head-ref",
+            "sha": "abcdef1234567890"
+        },
+        "base": {
+            "ref": "sample-base-ref"
+        }
+    }
+}

__tests__/main.test.ts

@@ -1,38 +1,46 @@
 import * as process from "process";
 import { ExecFileSyncOptions, execFileSync } from "child_process";
 import * as path from "path";
+import fs from "fs";
 
 // shows how the runner will run a javascript action with env / stdout protocol
 test("test runs", () => {
-  process.env["GITHUB_REPOSITORY"] = "ForAllSecure/mapi-action";
+  process.env["GITHUB_REPOSITORY"] = "ForAllSecure/mcode-action";
+  process.env["GITHUB_SERVER_URL"] = "https://github.com";
+  process.env["GITHUB_RUN_ID"] = "14";
+  process.env["GITHUB_EVENT_PATH"] = "__tests__/events.json";
   process.env["RUNNER_TEMP"] = "/tmp";
   process.env["RUNNER_TOOL_CACHE"] = "/tmp";
-  process.env["INPUT_MAPI-TOKEN"] = process.env.MAPI_TOKEN;
+
+  process.env["INPUT_MAYHEM-TOKEN"] = process.env.MAYHEM_TOKEN;
   process.env["INPUT_DURATION"] = "10";
-  process.env["INPUT_API-URL"] =
-    "https://demo-api.mayhem4api.forallsecure.com/api/v3";
-  process.env["INPUT_API-SPEC"] =
-    "https://demo-api.mayhem4api.forallsecure.com/api/v3/openapi.json";
+  process.env["INPUT_GITHUB-TOKEN"] = "12123123321312";
+
+  process.env["INPUT_JUNIT-OUTPUT"] = "junit-output";
+  process.env["INPUT_SARIF-OUTPUT"] = "sarif-output";
+  process.env["INPUT_COVERAGE-OUTPUT"] = "coverage-output";
+
   const np = process.execPath;
   const ip = path.join(__dirname, "..", "lib", "main.js");
   const options: ExecFileSyncOptions = {
     env: process.env,
   };
   try {
-    execFileSync(np, [ip], options);
-    throw new Error("Actions should have failed due to finding a bug");
+    console.log(execFileSync(np, [ip], options).toString());
   } catch (error: any) {
-    if (error.stdout === undefined) {
-      throw error;
-    }
-    expect(error.stdout.toString()).toEqual(
-      expect.stringContaining("Fuzzing complete!,")
-    );
-    expect(error.stdout.toString()).toEqual(
-      expect.stringContaining("Found internal-server-error!")
-    );
-    expect(error.stdout.toString()).toEqual(
-      expect.stringContaining("The Mayhem for API scan found issues in the API")
-    );
+    // Ignore the error. We known the Mayhemfile doesn't exists right now, so the bash script fails.
+    //console.log(error);
+  }
+
+  if (!fs.existsSync("junit-output")) {
+    throw new Error("Output dir should exist but didn't");
+  }
+
+  if (!fs.existsSync("sarif-output")) {
+    throw new Error("Output dir should exist but didn't");
+  }
+
+  if (!fs.existsSync("coverage-output")) {
+    throw new Error("Output dir should exist but didn't");
   }
 });

action.yml

@@ -13,7 +13,13 @@ inputs:
     required: false
     default: ${{ github.token }}
   sarif-output:
-    description: SARIF output directory. You can upload to to GitHub using the 'github/codeql-action/upload-sarif@v1' action
+    description: SARIF output path (must be a directory, doesn't have to exist yet). You can upload to to GitHub using the 'github/codeql-action/upload-sarif@v1' action
+    required: false
+  junit-output:
+    description: jUnit output path (must be a directory, doesn't have to exist yet). You can upload the artifact to GitHub using the 'actions/upload-artifact' action
+    required: false
+  coverage-output:
+    description: coverage report output path (must be a directory, doesn't have to exist yet). You can upload the artifacts to GitHub using the 'actions/upload-artifact' action
     required: false
   verbosity:
     description: verbosity level for starting runs
@@ -24,6 +30,9 @@ inputs:
 runs:
   using: "node16"
   main: "dist/index.js"
+outputs:
+  runId:
+    description: The identifier of the run that this action triggered in Mayhem
 branding:
   icon: "shield"
   color: "red"