Leaves behind artifacts as root user #22

@ron-spree

Scenario:

Invoked as a GitHub Action, running on self-hosted runners.
The runners use runner.runner for their UID/GID.

Running with:

  depcheck:
    runs-on: self-hosted
    name: OWASP DepCheck
    steps: 
      - name: Depcheck
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: ${{ github.event.repository.name }}
          path: '.'
          format: 'HTML'
          args: >
            --failOnCVSS 7
            --enableRetired

      - name: Upload OWASP Test results
        uses: actions/upload-artifact@master
        with:
          name: Depcheck report
          path: ${{github.workspace}}/reports

This leaves behind artifacts (in the workspace's reports folder) as root.root, and subsequent steps or jobs run on the same machine will fail.

For example, running this (after a scan)

    steps:
      - name: Checkout Reset for next validations
        uses: actions/checkout@v2

fails with this error (with GitHub Actions debugging enabled):

Cleaning the repository
  /usr/bin/git clean -ffdx
  warning: failed to remove reports/dependency-check-report.html: Permission denied
  Removing node_modules/
  ##[debug]The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '/runner/_work/test-demo/test-demo'.
  ::endgroup::
Warning: Unable to clean or reset the repository. The repository will be recreated instead.
Deleting the contents of '/runner/_work/test-demo/test-demo'
##[debug]Unsetting HOME override
::remove-matcher owner=checkout-git::
##[debug]Removed matchers: 'checkout-git'
Error: Command failed: rm -rf /runner/_work/test-demo/test-demo/reports
rm: cannot remove '/runner/_work/test-demo/test-demo/reports/dependency-check-report.html': Permission denied

That location on the runners now has:
drwxr-xr-x 4 runner runner 34 Jun 29 00:23 .
drwxr-xr-x 3 runner runner 26 Jun 5 14:10 ..
drwxr-xr-x 2 root root 42 Jun 29 00:14 reports

I would guess it might be because of this:
https://github.com/dependency-check/Dependency-Check_Action/blob/main/Dockerfile#L11

(Sets USER root )

Since packages are no longer being installed (cd2308e), is the root user still needed?
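The failure above is a side effect of any Docker container action that runs as root and writes into the mounted workspace: the runner user cannot remove what root left behind, so the next `actions/checkout` cannot clean the directory. The following is an added example, not code from the issue author or from Dependency-Check_Action. It shows how to detect such leftovers before they break a later job, and a workaround that works on self-hosted runners that have Docker but no sudo. It assumes POSIX sh with `find`, `id` and `docker` on PATH; the script name `fix-ownership.sh` used in the usage note is hypothetical.

```sh
#!/bin/sh
# Added example, not part of Dependency-Check_Action or the original issue.
# Assumes POSIX sh, find(1) supporting -user (numeric uid allowed), id(1),
# and, for reclaim_ownership, a working docker CLI on the runner.

# Print every path under $1 that is not owned by $2 (default: the invoking
# user's uid). Root-owned leftovers from a container action are exactly what
# make actions/checkout's `git clean -ffdx` and `rm -rf` fail on the next run.
list_foreign_owned() {
    ws=$1
    owner=${2:-$(id -u)}
    find "$ws" ! -user "$owner" 2>/dev/null | sort
}

# Number of such paths; 0 means the next checkout's cleanup will succeed.
count_foreign_owned() {
    list_foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Give the leftovers back to the runner user. Self-hosted runners often lack
# sudo, but they do have Docker (the scanning action itself is a container),
# so run chown from a throwaway container that mounts the affected directory.
# Assumes docker is on PATH and the alpine:3 image can be pulled.
reclaim_ownership() {
    ws=$1
    docker run --rm -v "$ws:/ws" alpine:3 \
        chown -R "$(id -u):$(id -g)" /ws
}
```

To use this as a workaround until the action drops `USER root`, add a step in the same job, after the scan, with `if: always()` and `run: sh fix-ownership.sh "$GITHUB_WORKSPACE/reports"` (script name assumed), where the script calls `reclaim_ownership "$1"` and then `count_foreign_owned "$1"` to confirm the result is 0 before the job ends.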

Labels: help wanted