fix workflow: remove github dependency + duplicate scan
Some checks failed
SonarQube Code Quality Scan / scan (push) Failing after 14s
Some checks failed
SonarQube Code Quality Scan / scan (push) Failing after 14s
This commit is contained in:
ShaoHua
@@ -29,38 +29,63 @@ jobs:
|
|||||||
dotnet restore
|
dotnet restore
|
||||||
dotnet build --configuration Release
|
dotnet build --configuration Release
|
||||||
|
|
||||||
# 官方标准.NET扫描流程(替换原步骤)
|
# 步骤2:SonarQube 扫描(含代码+依赖漏洞)
|
||||||
- name: Run SonarQube Scan (Official .NET Flow)
|
- name: SonarQube Full Scan
|
||||||
run: |
|
run: |
|
||||||
dotnet tool install --global dotnet-sonarscanner
|
dotnet tool install --global dotnet-sonarscanner
|
||||||
dotnet sonarscanner begin `
|
dotnet sonarscanner begin `
|
||||||
/k:"sqp_28b681b0124003c4393fa03c0a336875539e22c2" `
|
/k:"${{ secrets.SONAR_TOKEN }}" `
|
||||||
/d:sonar.host.url="http://127.0.0.1:9000" `
|
/d:sonar.host.url="http://127.0.0.1:9000" `
|
||||||
/d:sonar.login="${{ secrets.SONAR_TOKEN }}" `
|
/d:sonar.login="${{ secrets.SONAR_TOKEN }}" `
|
||||||
/d:sonar.sources="./" `
|
/d:sonar.sources="./" `
|
||||||
/d:sonar.language="csharp" `
|
/d:sonar.language="csharp" `
|
||||||
/d:sonar.exclusions="**/obj/**,**/bin/Debug/**" `
|
/d:sonar.exclusions="**/obj/**,**/bin/Debug/**" `
|
||||||
/d:sonar.coverage.exclusions="**/Test/**,**/*.Tests.cs"
|
/d:sonar.dependencyCheck.enabled=true
|
||||||
|
|
||||||
/d:sonar.dependencyCheck.enabled=true `
|
|
||||||
/d:sonar.dependencyCheck.nuget.enabled=true `
|
|
||||||
/d:sonar.dependencyCheck.reportPath="./dependency-check-report.xml"
|
|
||||||
dotnet build --configuration Release
|
dotnet build --configuration Release
|
||||||
dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
|
dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
|
||||||
# 步骤3:OWASP Dependency-Check 专业 NuGet 漏洞扫描(不变)
|
|
||||||
- name: OWASP NuGet Dependency Vulnerability Scan
|
# 步骤3:拉取 SonarQube Blocker 级问题(PowerShell 脚本)
|
||||||
|
- name: Fetch SonarQube Blocker Issues
|
||||||
|
id: fetch_issues
|
||||||
run: |
|
run: |
|
||||||
dependency-check.bat `
|
# SonarQube API 地址(获取 Blockeer 级问题)
|
||||||
--scan "./" `
|
$sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?project=${{ secrets.SONAR_TOKEN }}&severities=BLOCKER&statuses=OPEN"
|
||||||
--format HTML `
|
# 调用 API 拉取数据
|
||||||
--format XML `
|
$response = Invoke-RestMethod -Uri $sonarApiUrl -Headers @{
|
||||||
--out "./dependency-scan-results" `
|
"Authorization" = "Bearer ${{ secrets.SONAR_API_TOKEN }}"
|
||||||
--suppression "./.dependency-check-suppression.xml" `
|
}
|
||||||
--failOnCVSS 7
|
# 输出问题数量
|
||||||
# 步骤4:上传报告到 Gitea Actions(官方工具,无 404)
|
Write-Host "发现 Blocker 级问题:$($response.total) 个"
|
||||||
- name: Upload Dependency Scan Report to Gitea Actions
|
# 将问题数据存入环境变量(供下一步使用)
|
||||||
uses: gitea.com/actions/upload-artifact@v4 # Gitea 官方维护,兼容无问题
|
$issuesJson = $response.issues | ConvertTo-Json -Compress
|
||||||
with:
|
echo "ISSUES_JSON=$issuesJson" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
|
||||||
name: dependency-scan-report # 附件名称(下载时显示)
|
|
||||||
path: ./dependency-scan-results/ # 要上传的报告目录(含 HTML/XML 报告)
|
# 步骤4:自动创建 Gitea Bug 议题
|
||||||
retention-days: 30 # 报告留存 30 天(可选,默认永久)
|
- name: Create Gitea Bug Issues
|
||||||
|
if: fromJson(env.ISSUES_JSON).Count -gt 0 # 有 Blocker 问题才执行
|
||||||
|
run: |
|
||||||
|
$issues = $env:ISSUES_JSON | ConvertFrom-Json
|
||||||
|
$giteaApiUrl = "https://git.we965.cn/api/v1/repos/learning/VectorDBDemo/issues" # Gitea 仓库 API 地址
|
||||||
|
foreach ($issue in $issues) {
|
||||||
|
# 构造 Bug 内容(包含 SonarQube 问题详情)
|
||||||
|
$issueBody = @"
|
||||||
|
## SonarQube Blocker 级问题自动创建
|
||||||
|
- **问题 ID**:$($issue.key)
|
||||||
|
- **问题类型**:$($issue.type)
|
||||||
|
- **影响文件**:$($issue.component -replace '.*:', '')
|
||||||
|
- **行号**:$($issue.line)
|
||||||
|
- **问题描述**:$($issue.message)
|
||||||
|
- **修复建议**:$($issue.actions.fixNewValue ?? '无明确修复建议,请查看 SonarQube 详情')
|
||||||
|
- **SonarQube 链接**:http://127.0.0.1:9000/project/issues?id=${{ secrets.SONAR_TOKEN }}&open=$($issue.key)
|
||||||
|
"@
|
||||||
|
# 调用 Gitea API 创建议题(标签设为 Bug)
|
||||||
|
Invoke-RestMethod -Uri $giteaApiUrl -Method Post -Headers @{
|
||||||
|
"Authorization" = "token ${{ secrets.GITEAAPITOKEN }}"
|
||||||
|
"Content-Type" = "application/json"
|
||||||
|
} -Body (@{
|
||||||
|
title = "[BUG] SonarQube Blocker: $($issue.message.Substring(0, [Math]::Min(50, $issue.message.Length)))" # 标题截取前 50 字
|
||||||
|
body = $issueBody
|
||||||
|
labels = @("Bug") # 自动添加 Bug 标签
|
||||||
|
} | ConvertTo-Json)
|
||||||
|
Write-Host "已创建 Gitea Bug:$($issue.key)"
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user