.github/workflows/security-scan.yml

name: Security Scan

on:
  workflow_dispatch:
#   push:
#     branches:
#       - main

jobs:
  snyk_scan:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      
    - name: Install Snyk CLI
      run: npm install -g snyk
        
    - name: Authenticate with Snyk
      run: snyk auth ${{ secrets.SNYK_TOKEN }}

    - name: Run Snyk scan and save JSON report
      run: |
        snyk test --json > snyk_results.json || true
        sleep 10
    
    - name: Upload Snyk results
      uses: actions/upload-artifact@v3
      with:
        name: snyk-results
        path: snyk_results.json

  code-ql-analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      packages: read
      security-events: write 

    strategy:
      fail-fast: false
      matrix:
        language: [java-kotlin]      

    steps:
    - name: Checkout repository
      uses: actions/checkout@v3

    - name: Set up JDK 17
      uses: actions/setup-java@v3
      with:
        java-version: 17
        distribution: 'temurin' 

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        queries: security-extended,security-and-quality
        
    - name: Maven Build
      run: mvn -B clean package
      env:
        JAVA_HOME: ${{ steps.setup-java.outputs.java-home }}

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"
        output: codeql-results.sarif
        
    - name: Debug - List files
      run: ls -la ./codeql-results.sarif
      
    - name: Convert SARIF to JSON
      run: |
        wget -O sarif-converter https://gitlab.com/ignis-build/sarif-converter/-/releases/permalink/latest/downloads/bin/sarif-converter-linux
        chmod +x sarif-converter
        ./sarif-converter --type codequality codeql-results.sarif/java.sarif codeql-results.json

    - name: Upload CodeQL results
      uses: actions/upload-artifact@v3
      with:
        name: codeql-results
        path: codeql-results.json

  compare_results:
    runs-on: ubuntu-latest
    needs: [snyk_scan, code-ql-analyze]  # Depends on both scans
    # env:
    #   SEMGREP_SEND_METRICS: 'on'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      
      - name: Download Artifacts
        uses: actions/download-artifact@v3

      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'

      # - name: Install Semgrep
      #   run: |
      #     pip install semgrep
      #     pip install -r Matching_scripts/requirements.txt
        
      # - name: Compare and Consolidate Results
      #   run: |
      #     semgrep --config ./Matching_scripts/semgrep.yml ./snyk-results/snyk_results.json ./codeql-results/codeql-results.json --json --output results_comparison.json
      #     # semgrep --metrics off --config Matching_scripts/semgrep.yml \
      #     #         snyk-results.json codeql-results.json \
      #     #         --json --output results_comparison.json

      - name: Process Comparison Results
        run: python ./Matching_scripts/compare_vulnerabilities.py
        
      - name: Upload Consolidated Results
        uses: actions/upload-artifact@v3
        with:
          name: consolidated-results
          path: consolidated_results.json