Merge pull request #29 from crytic/dev-new-exit-code-behavior

elopez · web-flow · commit 35510b34cfdf · 2022-09-07T11:50:10.000-03:00
Add support for new `--fail-*` behavior
diff --git a/README.md b/README.md
@@ -32,6 +32,7 @@ jobs:
 | Key              | Description
 |------------------|------------
 | `ignore-compile` | If set to true, the Slither action will not attempt to compile the project. False by default. See [Advanced compilation](#advanced-compilation).
+| `fail-on`        | Cause the action to fail if Slither finds any issue of this severity or higher. See [action fail behavior](#action-fail-behavior).
 | `node-version`   | The version of `node` to use. If this field is not set, the latest version will be used.
 | `sarif`          | If provided, the path of the SARIF file to produce, relative to the repo root (see [Github Code Scanning integration](#github-code-scanning-integration)).
 | `slither-args`   | Extra arguments to pass to Slither.
@@ -47,6 +48,24 @@ If the project requires advanced compilation settings or steps, set
 Slither. You can find an example workflow that uses this option in the
 [examples](#examples) section.
 
+### Action fail behavior
+
+The Slither action supports a `fail-on` option, based on the `--fail-*` flags
+added in Slither 0.8.4. To maintain the current action behavior, this option
+defaults to `all`. The following table summarizes the action behavior across
+different Slither versions. You may adjust this option as needed for your
+workflows. If you are setting these options on your config file, set `fail-on:
+config` to prevent the action from overriding your settings.
+
+| `fail-on`          | Slither <= 0.8.3          | Slither > 0.8.3
+|--------------------|---------------------------|----------------
+| `all` / `pedantic` | Fail on any finding       | Fail on any finding
+| `low`              | Fail on any finding       | Fail on any finding >= low
+| `medium`           | Fail on any finding       | Fail on any finding >= medium
+| `high`             | Fail on any finding       | Fail on any finding >= high
+| `none`             | Do not fail on findings   | Do not fail on findings
+| `config`           | Determined by config file | Determined by config file
+
 ### Using a different Slither version
 
 If the latest Slither release has a bug that does not let you analyze your
@@ -99,9 +118,9 @@ jobs:
       - name: Run Slither
         uses: crytic/slither-action@v0.1.1
         id: slither
-        continue-on-error: true
         with:
           sarif: results.sarif
+          fail-on: none
 
       - name: Upload SARIF file
         uses: github/codeql-action/upload-sarif@v2
@@ -111,7 +130,7 @@ jobs:
 
 Here:
 
-- `continue-on-error: true` is required to let the SARIF upload step run if Slither finds issues
+- `fail-on: none` is required to let the SARIF upload step run if Slither finds issues
 - `id: slither` is the name used to reference the step later on (e.g., in `steps.slither.outputs.sarif`)
 
 ## Examples
@@ -146,8 +165,8 @@ NodeJS 16.x and install project dependencies before running Slither on the
 project. Slither will output findings in SARIF format, and those will get
 uploaded to GitHub.
 
-We include `continue-on-error: true` on the Slither action to avoid failing the
-run if findings are found.
+We include `fail-on: none` on the Slither action to avoid failing the run if
+findings are found.
 
 ```yaml
 name: Slither Analysis
@@ -170,11 +189,11 @@ jobs:
 
     - name: Run Slither
       uses: crytic/slither-action@v0.1.1
-      continue-on-error: true
       id: slither
       with:
         node-version: 16
         sarif: results.sarif
+        fail-on: none
 
     - name: Upload SARIF file
       uses: github/codeql-action/upload-sarif@v2
@@ -191,8 +210,8 @@ virtual environment and install project dependencies before running Slither on
 the project. Slither will output findings in SARIF format, and those will get
 uploaded to GitHub.
 
-We also include `continue-on-error: true` on the Slither action to avoid
-failing the run if findings are found.
+We also include `fail-on: none` on the Slither action to avoid failing the run
+if findings are found.
 
 ```yaml
 name: Slither Analysis
@@ -215,10 +234,10 @@ jobs:
 
     - name: Run Slither
       uses: crytic/slither-action@v0.1.1
-      continue-on-error: true
       id: slither
       with:
         sarif: results.sarif
+        fail-on: none
 
     - name: Upload SARIF file
       uses: github/codeql-action/upload-sarif@v2
diff --git a/action.yml b/action.yml
@@ -21,6 +21,10 @@ inputs:
     description: 'Whether to ignore the compilation step when running crytic-compile and Slither.'
     default: false
     type: boolean
+  fail-on:
+    description: 'Cause the action to fail if Slither finds any findings of this severity or higher. By default it will fail if any finding is found'
+    default: all
+    type: string
   internal-github-workspace:
     # Do not set manually. This is a hacky way to pass the host workspace path to inside the action
     # This is used to improve compatibility when using `ignore-compile`.
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -6,6 +6,10 @@ get() {
     env | sed -n "s/^$1=\(.*\)/\1/;T;p"
 }
 
+version_lte() {
+    printf '%s\n%s\n' "$1" "$2" | sort -C -V
+}
+
 TARGET="$1"
 SOLCVER="$2"
 NODEVER="$3"
@@ -30,6 +34,55 @@ compatibility_link()
     fi
 }
 
+fail_on_flags()
+{
+    INSTALLED_VERSION="$(slither --version)"
+    FAIL_ON_LEVEL="$(get INPUT_FAIL-ON)"
+
+    if [ "$FAIL_ON_LEVEL" = "config" ]; then
+       return
+    fi
+
+    if version_lte "$INSTALLED_VERSION" "0.8.3"; then
+        # older behavior - fail on findings by default
+        case "$FAIL_ON_LEVEL" in
+            low|medium|high|pedantic|all)
+                echo "[!] Requested fail-on $FAIL_ON_LEVEL but it is unsupported on Slither $INSTALLED_VERSION, ignoring" >&2
+                ;;
+            none)
+                echo "--ignore-return-value"
+                ;;
+            *)
+                echo "[!] Unknown fail-on value $FAIL_ON_LEVEL, ignoring" >&2
+                ;;
+        esac
+    else
+        # newer behavior - does not fail on findings by default
+        case "$FAIL_ON_LEVEL" in
+            all|pedantic)
+                # default behavior on slither >= 0.8.4
+                echo "--fail-pedantic"
+                ;;
+            low)
+                echo "--fail-low"
+                ;;
+            medium)
+                echo "--fail-medium"
+                ;;
+            high)
+                echo "--fail-high"
+                ;;
+            none)
+                echo "--no-fail-pedantic"
+                ;;
+            *)
+                echo "[!] Unknown fail-on value $FAIL_ON_LEVEL, ignoring" >&2
+                ;;
+        esac
+
+    fi
+}
+
 install_solc()
 {
     if [[ -z "$SOLCVER" ]]; then
@@ -202,9 +255,11 @@ if [[ -n "$SLITHERCONF" ]]; then
     CONFIGFLAG="--config-file=$SLITHERCONF"
 fi
 
+FAILONFLAG="$(fail_on_flags)"
+
 if [[ -z "$SLITHERARGS" ]]; then
-    slither "$TARGET" $SARIFFLAG $IGNORECOMPILEFLAG $CONFIGFLAG
+    slither "$TARGET" $SARIFFLAG $IGNORECOMPILEFLAG $FAILONFLAG $CONFIGFLAG
 else
     echo "[-] SLITHERARGS provided. Running slither with extra arguments"
-    printf "%s\n" "$SLITHERARGS" | xargs slither "$TARGET" $SARIFFLAG $IGNORECOMPILEFLAG $CONFIGFLAG
+    printf "%s\n" "$SLITHERARGS" | xargs slither "$TARGET" $SARIFFLAG $IGNORECOMPILEFLAG $FAILONFLAG $CONFIGFLAG
 fi
