Error: "filepath does not represent a valid path" #11

Open
dominic-oconnor opened this issue Jul 22, 2021 · 9 comments

@dominic-oconnor

I've tried many different formats for the filepath and I get the same "filepath does not represent a valid path." error every time.
The README documentation includes this snippet:

- uses: veracode/veracode-uploadandscan-action@master # Run the uploadandscan action. Inputs are described above.
  with:
    filepath: 'folder_to_upload/'

which suggests I should use a relative path with a trailing forward slash. The folder I want to upload is named "api" and is in the top level of my project. I've tried api/, api, /api, and /api/ and I get the same error.

Full output from the action is below:

Required Information
====================
appname: myapp
createprofile: true
filepath: /github/workspace/api/
version: Scan from Github job: 1056568497
vid: ***
vkey: ***

Optional Information
====================
createsandbox: 
sandboxname: 
scantimeout: 15
exclude: api/vendor/*,api/tests/*
include: 
criticality: 
pattern: 
replacement: 
sandboxid: 
scanallnonfataltoplevelmodules: 
selected: 
selectedpreviously: 
teams: 
toplevel: 
deleteincompletescan: 

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  1088  100  1088    0     0  11574      0 --:--:-- --:--:-- --:--:-- 11574
#!/bin/sh -l
java -jar VeracodeJavaAPI.jar \
        -filepath api/ \
        -version "Scan from Github job: 1056568497" \
        -action "uploadandscan" \
        -appname "myapp" \
        -vid "***" \
        -vkey "***" \
        -scantimeout "15" \
        -exclude "api/vendor/*,api/tests/*" \
        -createprofile "true"
VeracodeJavaAPI v21.6.8.0 c16.0.2

Parsing error(s):
  -filepath does not represent a valid path.

The following parameters are optional for the selected action:
  -autorecreate                    -autoscan
  -createsandbox                   -criticality
  -deleteincompletescan            -format
  -include                         -inputfilepath
  -logfilepath                     -maxretrycount
  -pattern                         -phost
  -ppassword                       -pport
  -puser                           -replacement
  -sandboxid                       -sandboxname
  -scanallnonfataltoplevelmodules  -scanpollinginterval
  -selected                        -selectedpreviously
  -teams                           -toplevel

[2021.07.22 14:52:45.368] Invalid input

@tjarrettveracode
Member

Hi @dominic-oconnor : thanks for reporting this. I think this is a documentation miss.

What we're actually looking for in -filepath is an expression representing the files to upload. So your path should include not just the directory but a filename or expression that describes the files to upload. Example: api/*.zip or api/*.war, or api/upload.zip.

You can see a sample of a Github workflow that uses this action here:

https://github.com/tjarrettveracode/.github/blob/main/workflow-templates/policyscan-java.yml

Note that this example actually performs a Maven build, which may not apply for your project, but the portion that invokes the action should help clarify how to use this parameter.

We'll work on clarifying this in the documentation, so I'll keep this ticket open until we do.

@dominic-oconnor
Author

Ahhh got it. Thanks! 🚀

@bharrison-wingstop

bharrison-wingstop commented Jul 30, 2021

Can you please explain this snippet to me:

- uses: actions/upload-artifact@v2 # Copy files from repository to docker container so the next uploadandscan action can access them.
  with:
    path: '**/*.war' # Wildcards can be used to filter the files copied into the container. See: https://github.com/actions/upload-artifact

How exactly does uploading an artifact to Github place it into the container? I'm struggling to get this working with the same error as @dominic-oconnor, and can't make heads or tails of what is happening or why it's failing.

I've tried specifying the fully-qualified path to a zip file, and it is declared invalid. I've also tried uploading an artifact and setting filepath to the name of the artifact, but it is also invalid.

My zip file is created successfully, and I can get the scans to run just fine if I manually use the JAR from https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip.

Here's my setup, any help is appreciated:

  integration_tests:
    name: Run Veracode
    needs: get_projects
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    strategy:
      max-parallel: 8
      fail-fast: false
      matrix:
        project_dir: ${{ fromJson(needs.get_projects.outputs.matrix) }}
    steps:
      - uses: actions/checkout@v2
      - name: Get Project Name
        uses: actions/github-script@v4
        id: project-name
        with:
          script: |
            const regex = /Ecomm.*/;
            const projectName = '${{ matrix.project_dir }}'.match(regex)[0];
            console.log(projectName);
            core.setOutput('projectName', projectName);
      - name: Setup dotnet 5.0.x
        uses: actions/[email protected]
        with:
          dotnet-version: 5.0.x
      - name: Run Build
        run: dotnet build --output ./output
        working-directory: ${{ matrix.project_dir }}
      - uses: actions/upload-artifact@v2
        with:
          path: |
            ${{ matrix.project_dir }}/output/${{ steps.project-name.outputs.projectName }}*.dll
            ${{ matrix.project_dir }}/output/${{ steps.project-name.outputs.projectName }}*.pdb
      - uses: veracode/veracode-uploadandscan-action@master
        with:
          appname: ${{ steps.project-name.outputs.projectName }}
          createprofile: 'true'
          filepath: '${{ matrix.project_dir }}/output/'
          vid: ${{ secrets.VERACODE_API_ID }}
          vkey: ${{ secrets.VERACODE_API_KEY }}
          createsandbox: 'true'
          sandboxname: Development Sandbox
          scantimeout: 60
          deleteIncompleteScan: 'true'
          criticality: VeryHigh

@tjarrettveracode
Member

tjarrettveracode commented Jul 30, 2021

Hi @bharrison-wingstop -- sorry for the confusion. My sample script is set up to perform building and scanning in different jobs, which is why I'm capturing the results of the build as an artifact in between. If you're doing everything in one job, you don't need upload-artifact.

In your case, I think you just need to make sure of the following:

  1. Identify the path where your build is placing the artifact.
  2. Amend the filepath argument to specify the file pattern to upload.

In your case, though, since you're uploading EXE and DLL files, I'd recommend zipping those up first and then just specifying the zip file name for the filepath argument.

Hope this is helpful.

@JohnARauchwarter

JohnARauchwarter commented Nov 9, 2021

Edit: I tried several different existing directories, creating a new directory, removing wildcards and giving a complete filename....

The only strategy that got my workflow to success was zipping both files into the working directory and passing only the filename to this action:

filepath: a205150-images.zip

Hi @tjarrettveracode
This is a vexing pattern that I can't seem to figure out.
I have tried the below filepath

  • with single quote
  • without single quote
  • with leading slash and single quote
  • with leading slash and without single quote

All receiving the same result of invalid filepath. According to the help files, tar is supported so that shouldn't be the issue.

My code:

      - uses: veracode/veracode-uploadandscan-action@master # Run the uploadandscan action. Inputs are described above.
        with:
          appname: 'ISRM-IAM-VDS-ENG' # Veracode application profile name
          filepath: tmp/*.tar

Runner performing a check for the files

Run ls -la /tmp/*.tar
  ls -la /tmp/*.tar
  shell: /usr/bin/bash -e {0}
-rw-r--r-- 1 runner docker 1213604864 Nov  9 01:01 /tmp/a205150-fid.tar
-rw-r--r-- 1 runner docker  238446592 Nov  9 01:01 /tmp/a205150-zk.tar

Inputs at the start of the Veracode job

"true" "tmp/*.tar" "Scan from Github job: 1439969900" "***" "***" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "true"
Required Information
====================
appname: ISRM-IAM-VDS-ENG
createprofile: true
filepath: tmp/*.tar

However, still receiving the not found error

Parsing error(s):
  -filepath does not represent a valid path.

@tjarrettveracode
Member

Hi @JohnARauchwarter , yes, sorry my response was delayed and thanks for posting the solution you found. The action currently can only upload from within the current working directory or a subdirectory. The filepath argument supports globbing (e.g. **/*.war) but all paths must be beneath the current working directory.
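
The constraints described in the reply above (a file or pattern rather than a bare directory, and everything beneath the working directory) can be checked in a `run:` step before the action is invoked. This is an added example, not part of the thread or of the action's code; `check_filepath` and the demo workspace are hypothetical names, absolute paths are rejected as a conservative assumption, and the shell's glob expansion may not match the action's.

```shell
#!/bin/sh
# Pre-flight check for the action's `filepath` input (added example).
# Rules taken from the maintainer's replies in this thread:
#   - the value must name files (or a pattern), not just a directory
#   - every path must sit beneath the current working directory
# Assumptions: absolute paths are always rejected; globbing is the shell's.
check_filepath() (
    pattern=$1
    case $pattern in
        '') echo "filepath is empty" >&2; exit 1 ;;
        /*) echo "absolute path, must be relative to $PWD: $pattern" >&2; exit 1 ;;
        ..|../*|*/..|*/../*)
            echo "path leaves the working directory: $pattern" >&2; exit 1 ;;
    esac
    IFS=''            # no word splitting, so names with spaces survive
    matched=0
    for f in $pattern; do   # unquoted on purpose: expand the glob from $PWD
        if [ -f "$f" ]; then
            echo "would upload: $f"
            matched=$((matched + 1))
        elif [ -d "$f" ]; then
            echo "directory, not a file: $f" >&2
        fi
    done
    if [ "$matched" -eq 0 ]; then
        echo "nothing beneath $PWD matches: $pattern" >&2
        exit 1
    fi
)

# Constructed demo workspace: one archive in a subdirectory, one at the top.
demo_workspace() {
    ws=$(mktemp -d) && mkdir -p "$ws/api/build" &&
        : > "$ws/api/build/app.war" && : > "$ws/myapp.zip" && echo "$ws"
}

ws=$(demo_workspace)
(
    cd "$ws" || exit 1
    for p in 'api/' '/tmp/*.tar' 'tmp/*.tar' 'api/build/*.war' 'myapp.zip'; do
        if check_filepath "$p" >/dev/null 2>&1; then echo "OK    $p"
        else echo "FAIL  $p"; fi
    done
)
rm -rf "$ws"
```

Only the last two patterns pass: the first three reproduce the failing values reported in this thread (a bare directory, an absolute path, and a relative pattern whose files live outside the workspace).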

@Gby56

Gby56 commented Feb 15, 2023

@tjarrettveracode Hi! I think I'm also hitting the issue a bit hard here. I can see that my runner is mounting a volume to start the action, and it should make the folder of my files available in "/github/workspace", but the filepath argument is still throwing errors. I can't find a way to make it work; I tried all the wildcards/double wildcards....

I just tried the example filepath: '**/*.[jw]ar' and it didn't work, my files are in an output/ folder, but 3-4 levels deep, maybe I need multiple **.... EDIT: **/**/*.[jw]ar didn't work either...

@Gby56

Gby56 commented Feb 15, 2023

Okay, for those who might be struggling, add another step before the action:

      - name: Find files for upload and move them
        run: pwd && find . -name '*.war' -exec mv -t . {} + && ls -lia

@PrabhdeepSingh

I ran into something similar and the only thing that worked for me was passing in the .zip file without anything else. See below

- name: Build with dotnet
  run: dotnet build --configuration debug

- name: dotnet publish
  run: dotnet publish ${{github.workspace}}/path-to-project/project.csproj -c debug -o ${{github.workspace}}/myapp

- name: Zip the published output
  run: zip -r ${{github.workspace}}/myapp.zip ${{github.workspace}}/myapp

- name: Veracode Upload And Scan
  uses: veracode/[email protected]
  with:
    appname: 'App Name'
    createprofile: false
    filepath: 'myapp.zip'
    vid: '${{ secrets.VERACODE_API_ID }}'
    vkey: '${{ secrets.VERACODE_API_SECRET }}'
