Add GitHub Enterprise Server support #42

Closed
aegilops opened this issue Apr 19, 2024 · 24 comments · Fixed by #70

@aegilops

The Action uses Octokit to download `microsoft/component-detection` but does not specify that it should be from github.com. This means use on GitHub Enterprise Server leads to trying to resolve that org/repo on the local server, which fails with a 404.

You can work around this by manually downloading the appropriate release binary in the Actions workflow before running this Action, e.g. with `wget`.

It then attempts to submit using the Dependency Submission Toolkit. I haven't worked out precisely why, but this fails with a `Cannot read properties of null (reading 'toString')` error in the toolkit.
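
The routing problem in the report above, as an added sketch that is not the Action's own code: the upstream release lookup has to be pinned to github.com, while the snapshot submission stays on the runner's own API. `planRequests`, `DOTCOM_API`, the sample hostname and the sample repository are hypothetical; `GITHUB_API_URL` and `GITHUB_REPOSITORY` are the variables the Actions runner sets.

```javascript
// Added illustration. planRequests, apiBase, isGhes and DOTCOM_API are
// hypothetical names, not identifiers from the Action or from Octokit.
const DOTCOM_API = "https://api.github.com";

// GITHUB_API_URL is set by the runner; on GHES it looks like
// https://HOSTNAME/api/v3, on github.com it is https://api.github.com.
function apiBase(env) {
  return (env.GITHUB_API_URL || DOTCOM_API).replace(/\/+$/, "");
}

function isGhes(env) {
  return new URL(apiBase(env)).hostname !== new URL(DOTCOM_API).hostname;
}

// Describes the two REST calls the workflow needs.
// pinUpstream=false reproduces the reported behaviour: the release lookup
// inherits the runner's base URL and is sent to the local server.
function planRequests(env, token, { pinUpstream = true } = {}) {
  const local = apiBase(env);
  const auth = { authorization: `Bearer ${token}` };
  const upstreamBase = pinUpstream ? DOTCOM_API : local;
  // The runner token was issued by the local server, so attach it only
  // when the request goes to that same host.
  const sameHost =
    new URL(upstreamBase).hostname === new URL(local).hostname;
  return {
    release: {
      method: "GET",
      url: `${upstreamBase}/repos/microsoft/component-detection/releases/latest`,
      headers: sameHost ? auth : {},
    },
    snapshot: {
      method: "POST",
      url: `${local}/repos/${env.GITHUB_REPOSITORY}/dependency-graph/snapshots`,
      headers: auth,
    },
  };
}

// Constructed sample environment for a GHES runner (placeholder values).
const ghesEnv = {
  GITHUB_API_URL: "https://ghes.example.com/api/v3",
  GITHUB_REPOSITORY: "acme/widgets",
};

const broken = planRequests(ghesEnv, "sample-token", { pinUpstream: false });
const pinned = planRequests(ghesEnv, "sample-token");
console.log("unpinned lookup:", broken.release.url);
console.log("pinned lookup:  ", pinned.release.url);
console.log("submission:     ", pinned.snapshot.url);
```

With the lookup pinned, the request to github.com carries no `authorization` header, so it is subject to the unauthenticated rate limit there.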

@jhutchings1
Contributor

@advanced-security/advanced-security-dependency-graph Can you have a look?

@jonjanego
Member

jonjanego commented May 7, 2024

@jhutchings1 afaict the dependency graph team has never contributed to this project but i've asked FR to take a look

jovel added the bug label May 17, 2024
@nihalraghuraj-assent

nihalraghuraj-assent commented Aug 26, 2024

Getting the same error: Cannot read properties of null (reading 'toString') on GHE version: 3.13.3
Any updates on this issue?

@jhutchings1
Contributor

I opened #67 to fix this. Need to get it reviewed and merged.

@nihalraghuraj-assent

@jhutchings1 Thank you for your prompt response! Will test it once it's merged.

@nihalraghuraj-assent

@jhutchings1, any updates on the GHE support? Apologies for being persistent, but this is quite urgent.

@jhutchings1
Contributor

Still waiting on the PR to be approved and merged. In the interim, you're welcome to use it by referencing that action with @ghes-fix as the version. Let me know if that works for you.

@nihalraghuraj-assent

nihalraghuraj-assent commented Aug 29, 2024

I tested it with @ghes-fix:
Resulted in:

Error: HttpError: Must authenticate to access this API. - https://docs.github.com/[email protected]/rest
Error: Error: Failed to download latest release

Error: Cannot read properties of null (reading 'toString')
Error: TypeError: Cannot read properties of null (reading 'toString')

Pls find my script below, I am still manually downloading the binary:

```yaml
name: Dependency Submission

on:
  push:
    branches: [ master, develop ]
  pull_request:
    branches: [ develop ]
  workflow_dispatch:

jobs:
  Component-Detection-Dependency:
    runs-on: windows-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Execute restore
        run: dotnet restore ./Assent.Party.Api.sln

      - name: Download component-detection.exe
        run: |
          $output = "${env:GITHUB_WORKSPACE}\component-detection.exe"
          if (Test-Path $output) {
            Write-Output "Component Detection file already exists at $output"
          } else {
            $url = "https://github.com/microsoft/component-detection/releases/download/v4.9.5/component-detection-win-x64.exe"
            Invoke-WebRequest -Uri $url -OutFile $output
            Write-Output "Component Detection file downloaded to $output"
          }
      - name: List files in the current directory and check if component-detection.exe exists
        run: |
          Get-ChildItem -Path "${env:GITHUB_WORKSPACE}" | Format-Table Name, Length, LastWriteTime
          $filePath = "${env:GITHUB_WORKSPACE}\component-detection.exe"
          if (Test-Path -Path $filePath) {
              Write-Output "Component Detection file exists"
          } else {
              Write-Output "Component Detection file does not exist"
              exit 1
          }

      - name: Component Detection dependency submission action
        uses: advanced-security/component-detection-dependency-submission-action@ghes-fix
```

Am I missing something here?

@jhutchings1
Contributor

@nihalraghuraj-assent Interesting. I didn't see that error on my test instance. I'll spin up a new instance and have a look. Your workaround is a good one, though, and definitely something folks should look at to unblock themselves in the interim.

@jhutchings1
Contributor

FYI, I am currently blocked on validating additional changes here while I figure out an issue with my GHES test instance. I should be able to loop back in the coming days.

@nihalraghuraj-assent

Any updates on the issue @jhutchings1 ?

@jhutchings1
Contributor

jhutchings1 commented Sep 9, 2024 via email

@nihalraghuraj-assent

@jhutchings1 even with this workaround, I get the errors as mentioned here: Error-http

Any advice on how to get around this?

@jhutchings1
Contributor

```yaml
name: Dependency Submission

on:
  push:
    branches: [ master, develop ]
  pull_request:
    branches: [ develop ]
  workflow_dispatch:

jobs:
  Component-Detection-Dependency:
    runs-on: windows-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Execute restore
        run: dotnet restore ./Assent.Party.Api.sln

      - name: Download component-detection.exe
        run: |
          $output = "${env:GITHUB_WORKSPACE}\component-detection.exe"
          if (Test-Path $output) {
            Write-Output "Component Detection file already exists at $output"
          } else {
            $url = "https://github.com/microsoft/component-detection/releases/download/v4.9.5/component-detection-win-x64.exe"
            Invoke-WebRequest -Uri $url -OutFile $output
            Write-Output "Component Detection file downloaded to $output"
          }
      - name: List files in the current directory and check if component-detection.exe exists
        run: |
          Get-ChildItem -Path "${env:GITHUB_WORKSPACE}" | Format-Table Name, Length, LastWriteTime
          $filePath = "${env:GITHUB_WORKSPACE}\component-detection.exe"
          if (Test-Path -Path $filePath) {
              Write-Output "Component Detection file exists"
          } else {
              Write-Output "Component Detection file does not exist"
              exit 1
          }

      - name: Component Detection dependency submission action
        uses: advanced-security/component-detection-dependency-submission-action@v0.0.2
```

The workaround was still listing the @ghes-fix step, so my guess is that it was failing in the same place. Does it work if you do this? If not, can you provide more details about where specifically you're seeing that error? I assumed it was in the new code that tries to connect to download the component-detection binary.

@nihalraghuraj-assent

I did try the same workaround pointing to v0.0.2
But get the same error in the last step after the binary is downloaded and when the detection-submission-action is run. Please find the complete error log below:

Run advanced-security/component-detection-dependency-submission-action@v0.0.2
  with:
    token: ***
    filePath: .
  
Error: HttpError: Not Found
Running component-detection
C:\actions-runner-3\_work\usvc-party\usvc-party\component-detection.exe scan --SourceDirectory . --ManifestFile ./output.json
[17:56:02 INF] Finding components...
[17:56:03 INF] No instructions received to scan docker images.
[17:56:03 INF] Starting enumeration of C:\actions-runner-3\_work\usvc-party\usvc-party
[17:56:03 INF] PipReport: No pip found on system. Pip installation report detection will not run.
[17:56:03 INF] Enumerated 454 files and 62 directories in 00:00:00.1047655
                               Detection Summary                                
┌───────────────────┬───────────────────┬───────────────────┬──────────────────┐
│ Component         │ Detection Time    │ # Components      │ # Explicitly     │
│ Detector Id       │                   │ Found             │ Referenced       │
├───────────────────┼───────────────────┼───────────────────┼──────────────────┤
│ CocoaPods         │ 0.37 seconds      │ 0                 │ 0                │
│ Go                │ 0.37 seconds      │ 0                 │ 0                │
│ GoWithReplace     │ 0.37 seconds      │ 0                 │ 0                │
│ (Beta)            │                   │                   │                  │
│ Gradle            │ 0.36 seconds      │ 0                 │ 0                │
│ Ivy (Beta)        │ 0.37 seconds      │ 0                 │ 0                │
│ Linux             │ 0.24 seconds      │ 0                 │ 0                │
│ MvnCli            │ 0.36 seconds      │ 0                 │ 0                │
│ Npm               │ 0.36 seconds      │ 0                 │ 0                │
│ NpmLockfile3      │ 0.36 seconds      │ 0                 │ 0                │
│ NpmWithRoots      │ 0.36 seconds      │ 0                 │ 0                │
│ NuGet             │ 0.36 seconds      │ 0                 │ 0                │
│ NuGetPackagesConf │ 0.36 seconds      │ 0                 │ 0                │
│ ig                │                   │                   │                  │
│ NuGetProjectCentr │ 0.58 seconds      │ 192               │ 36               │
│ ic                │                   │                   │                  │
│ PipReport         │ 0.36 seconds      │ 0                 │ 0                │
│ Pnpm              │ 0.36 seconds      │ 0                 │ 0                │
│ Poetry (Beta)     │ 0.37 seconds      │ 0                 │ 0                │
│ Ruby              │ 0.36 seconds      │ 0                 │ 0                │
│ RustCli           │ 0.36 seconds      │ 0                 │ 0                │
│ RustCrateDetector │ 0.36 seconds      │ 0                 │ 0                │
│ Vcpkg             │ 0.36 seconds      │ 0                 │ 0                │
│ Yarn              │ 0.36 seconds      │ 0                 │ 0                │
│ ───────────────── │ ───────────────── │ ───────────────── │ ──────────────── │
│ Total             │ 0.69 seconds      │ 192               │ 36               │
└───────────────────┴───────────────────┴───────────────────┴──────────────────┘
[17:56:03 INF] 
[17:56:03 INF] 
[17:56:03 INF] Detection time: 0.6855745 seconds.
[17:56:03 INF] Scan Manifest file: C:\actions-runner-3\_work\usvc-party\usvc-party\output.json
Getting manifests from results
Notice: Submitting snapshot...
Notice: {
    "detector": {
        "name": "Component Detection",
        "version": "0.0.1",
        "url": "https://github.com/advanced-security/component-detection-dependency-submission-action"
    },
    "version": 0,
    "job": {
        "correlator": "Component-Detection-Dependency",
        "id": "10195"
    },
    "sha": "8d5d5a9b62b05ba383ad8de722e5908a6006b53e",
    "ref": "refs/pull/478/merge",
    "scanned": "2024-09-09T17:56:04.209Z",
    "manifests": {
        "/src/Assent.Party.Api/Assent.Party.Api.csproj": {
            "resolved": {
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": [
                        "pkg:nuget/[email protected]"
                    ]
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": []
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": []
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": []
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": []
                },
                "pkg:nuget/[email protected]11": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": [
                        "pkg:nuget/Newtonsoft.Json@13.0.1",
                        "pkg:nuget/[email protected]",
                        "pkg:nuget/[email protected]"
                    ]
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": []
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": []
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": []
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "pkg:nuget/[email protected]",
                    "relationship": "indirect",
                    "scope": "runtime",
                    "dependencies": []
                },
                "pkg:nuget/[email protected]": {
                    "package_url": "p
Error: Cannot read properties of null (reading 'toString')
Error: TypeError: Cannot read properties of null (reading 'toString')
    at C:\actions-runner-3\_work\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.2\webpack:\component-detection-action\node_modules\@github\dependency-submission-toolkit\dist\index.js:506:1
    at Generator.next (<anonymous>)
    at fulfilled (C:\actions-runner-3\_work\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.2\webpack:\component-detection-action\node_modules\@github\dependency-submission-toolkit\dist\index.js:395:1)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

C:\actions-runner-3\_work\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.2\webpack:\component-detection-action\node_modules\@github\dependency-submission-toolkit\dist\index.js:395
        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
^
Error: Failed to submit snapshot: TypeError: Cannot read properties of null (reading 'toString')
    at C:\actions-runner-3\_work\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.2\webpack:\component-detection-action\node_modules\@github\dependency-submission-toolkit\dist\index.js:520:1
    at Generator.next (<anonymous>)
    at fulfilled (C:\actions-runner-3\_work\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.2\webpack:\component-detection-action\node_modules\@github\dependency-submission-toolkit\dist\index.js:395:1)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

Let me know if you need further information.

@jhutchings1
Contributor

@nihalraghuraj-assent Thanks for sharing the detailed logs. You're actually failing much further down than I expected. That error is getting thrown when submitting the snapshot. Can you confirm that the dependency graph is enabled in your server and on the repository you're running this against?

@nihalraghuraj-assent

@jhutchings1 I can confirm that dependency graph is enabled both in repository and the server as well

@jhutchings1
Contributor

@nihalraghuraj-assent Can you also confirm your version of GHES? I do not have a repro of what's happening on my end, so I'm kind of guessing at causes for why that API call isn't working when it submits the snapshot. We may need to have you escalate with GitHub Support to get a better idea of what's happening.

@nihalraghuraj-assent

GitHub Enterprise Server 3.13.3

@jhutchings1
Contributor

Ok, 3.13.3 should work appropriately. I think my test environment issue should be fixed in the next day or so, but I'll keep you posted when I'm able to have another look.

@nihalraghuraj-assent

Sure, thank you for your prompt response!

@jhutchings1
Contributor

@nihalraghuraj-assent Can you actually proactively open a support ticket for this one? I'm leaving GitHub for a new opportunity next week, and I don't want to see the ball drop if I run out of time, particularly since I won't have a GHES instance to help you out once my access is cut. You can mention that I asked you to do so, and that should get it escalated to the team very quickly.

@nihalraghuraj-assent

@jhutchings1 do you want me to open a github support ticket?

@jhutchings1
Contributor

Yes please
