From 438cd293cc29c4977cf67aa7f62a314fa9b15b57 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Thu, 29 Aug 2024 12:25:45 +0100 Subject: [PATCH 01/37] add podman commands to makefile --- Makefile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/Makefile b/Makefile index c5f169685cb..54a2ceb5d9f 100644 --- a/Makefile +++ b/Makefile @@ -123,16 +123,31 @@ docker: ## build docker image $(call print-target) @docker build --build-arg VERSION=${VERSION} --build-arg COMMIT=${COMMIT} -t "kics:${IMAGE_TAG}" . +.PHONY: podman +podman: ## build podman image + $(call print-target) + @podman build --build-arg VERSION=${VERSION} --build-arg COMMIT=${COMMIT} -t "kics:${IMAGE_TAG}" . + .PHONY: docker-compose dkr-compose: ## build docker image and runs docker-compose up $(call print-target) VERSION=${VERSION} COMMIT=${COMMIT} IMAGE_TAG=${IMAGE_TAG} docker-compose up --build +.PHONY: podman-compose +podman-compose: ## build podman image and runs podman-compose up + $(call print-target) + VERSION=${VERSION} COMMIT=${COMMIT} IMAGE_TAG=${IMAGE_TAG} podman-compose up --build + .PHONY: dkr-build-antlr dkr-build-antlr: ## build ANTLRv4 docker image and generate parser based on given grammar @docker build -t antlr4-generator:dev -f ./docker/Dockerfile.antlr . @docker run --rm -u $(id -u ${USER}):$(id -g ${USER}) -v $(pwd)/pkg/parser:/work -it antlr4-generator:dev +.PHONY: podman-build-antlr +podman-build-antlr: ## build ANTLRv4 podman image and generate parser based on given grammar + @podman build -t antlr4-generator:dev -f ./docker/Dockerfile.antlr . + @podman run --rm -u $(id -u ${USER}):$(id -g ${USER}) -v $(pwd)/pkg/parser:/work -it antlr4-generator:dev + .PHONY: release release: ## goreleaser --rm-dist release: install 
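Review bot: The new `podman-build-antlr` recipe copies `-u $(id -u ${USER}):$(id -g ${USER})` and `-v $(pwd)/pkg/parser:/work` from the docker target, but inside a Makefile recipe `$(id -u ${USER})` and `$(pwd)` are expanded by make as (undefined, empty) make variables rather than by the shell, so podman is invoked with `-u :` and `-v /pkg/parser:/work` instead of the caller's uid:gid and working tree. The shell substitutions need make-escaping, `-u $$(id -u):$$(id -g) -v $$(pwd)/pkg/parser:/work`, and the same fix applies to the `dkr-build-antlr` recipe this was copied from. How rootless podman then maps that uid inside the container depends on the host's subuid configuration, which the hunk cannot show.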
@@ -178,3 +193,7 @@ endef .PHONY: lint-docker-image lint-docker-image: docker run -t --rm -v ./:/app -w /app golangci/golangci-lint:v1.57.2 golangci-lint run -v -c /app/.golangci.yml --timeout 20m + +.PHONY: lint-podman-image +lint-podman-image: + podman run -t --rm -v ./:/app -w /app golangci/golangci-lint:v1.57.2 golangci-lint run -v -c /app/.golangci.yml --timeout 20m \ No newline at end of file From cd0d3cb0b140f9bae3a49156d6924af020260c09 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Mon, 9 Sep 2024 17:40:15 +0100 Subject: [PATCH 02/37] update go version to 1.22.7 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index f6b4af2ad22..38d31a3c875 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/Checkmarx/kics/v2 -go 1.22.5 +go 1.22.7 replace ( github.com/containerd/containerd => github.com/containerd/containerd v1.6.26 From d23c95e0f3b99af2984b49518d0179dcc508fe93 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro <153724638+ArturRibeiro-CX@users.noreply.github.com> Date: Mon, 9 Sep 2024 18:37:36 +0100 Subject: [PATCH 03/37] update go version on dockerfiles --- docker/Dockerfile.debian | 2 +- docker/Dockerfile.ubi8 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian index a738737d769..0803a0a461c 100644 --- a/docker/Dockerfile.debian +++ b/docker/Dockerfile.debian @@ -3,7 +3,7 @@ # it does not define an ENTRYPOINT as this is a requirement described here: # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers # -FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.22.5-bookworm as build_env +FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.22.7-bookworm as build_env # Create a group and user RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx USER checkmarx 
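Review bot: `lint-podman-image` bind-mounts the checkout with `-v ./:/app`, and unlike the docker variant a rootless podman run on an SELinux-enforcing host is normally denied access to that mount unless it is relabelled, `-v ./:/app:Z`; worth confirming on the hosts this target is meant for. The image reference `golangci/golangci-lint:v1.57.2` is a mutable tag, whereas the Dockerfiles in this series pin by digest, so the linter could be pinned the same way. The added recipe also ends without a trailing newline (`\ No newline at end of file`), which the next append to the Makefile will have to repair.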
diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8 index af172789f33..b7c39bf6220 100644 --- a/docker/Dockerfile.ubi8 +++ b/docker/Dockerfile.ubi8 @@ -6,8 +6,8 @@ ENV PATH=$PATH:/usr/local/go/bin ADD https://golang.org/dl/go1.22.4.linux-amd64.tar.gz . RUN yum install git gcc -y \ - && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.4.linux-amd64.tar.gz \ - && rm -f go1.22.4.linux-amd64.tar.gz + && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.7.linux-amd64.tar.gz \ + && rm -f go1.22.7.linux-amd64.tar.gz ENV GOPRIVATE=github.com/Checkmarx/* ARG VERSION="development" From 6fa16bd87dc1a324fcde2f4ea5ce67e7041f5d5e Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 11:38:01 +0100 Subject: [PATCH 04/37] pin gosec to latest version instead of master --- .github/workflows/go-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 0fbbf450379..e572cb084e6 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -99,7 +99,7 @@ jobs: - name: Checkout Source uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run Gosec Security Scanner - uses: securego/gosec@master + uses: securego/gosec@abfe8cfd6d5687c96abf31f8e7f57982df2a6e4f with: args: "-no-fail -fmt sarif -out results.sarif ./..." - name: Upload SARIF file From bcb60fc6cce0aacd248a26a9149a8b8f5af2a9da Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 15:12:29 +0100 Subject: [PATCH 05/37] update chainguard images --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4253f2152eb..16622a15510 100644 --- a/Dockerfile +++ b/Dockerfile 
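Review bot: The changed `RUN` line now extracts and deletes `go1.22.7.linux-amd64.tar.gz`, but the unchanged context line above still does `ADD https://golang.org/dl/go1.22.4.linux-amd64.tar.gz .`, so the 1.22.7 tarball never exists in the image and `tar -C /usr/local -xzf go1.22.7.linux-amd64.tar.gz` fails; the `ADD` has to move to the same version (the later commit `change sha codes and go version` in this series does that). Independently of the version, the toolchain is fetched over the network with no integrity check before it is installed system-wide; a Dockerfile-frontend `ADD --checksum=sha256:<expected-digest> https://golang.org/dl/go1.22.7.linux-amd64.tar.gz .` (or a `sha256sum -c` step) would pin what gets installed, in line with the digest-pinned base images used in the main Dockerfile.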
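Review bot: The pin to a bare commit SHA is the right move, but it drops the release it corresponds to, while the `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` line two lines above shows the file's convention of annotating pins; `uses: securego/gosec@abfe8cfd6d5687c96abf31f8e7f57982df2a6e4f # <release tag>` keeps the pin reviewable and lets dependency tooling recognise the version. The same applies to the `upload-sarif` SHA pin added later in this series in `examples/github/kics-docker-runner-sarif.yaml`. Note also that the unchanged `args: "-no-fail ..."` context means gosec findings are reported but never fail the job; that may be intentional, but it is worth stating in the step name or a comment.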
@@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/go@sha256:4f11a0dfbd73832405bc3f611e53b4dbd61a1d1d23d205f2665cabfbd295a109 as build_env +FROM cgr.dev/chainguard/go@sha256:27d8b84203a3acb1bdeb128874d2b89749a6fb3582535e7703680a9f46e08422 as build_env # Copy the source from the current directory to the Working Directory inside the container WORKDIR /app @@ -31,7 +31,7 @@ USER nonroot # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM cgr.dev/chainguard/git@sha256:51620806588a4738b536e1f328206b17ae2a988b2a424a6a37c419041eb2b9a9 +FROM cgr.dev/chainguard/busybox@sha256:464c46b551bb3187f893f48d29556a944720d4680d35dfd9ece956493b15c33b ENV TERM xterm-256color From 889a14fd31382ef4d14975825ca1aa0089d1c94a Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 15:17:12 +0100 Subject: [PATCH 06/37] change sha codes and go version --- .github/workflows/go-ci.yml | 2 +- Dockerfile | 2 +- docker/Dockerfile.ubi8 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index e572cb084e6..0fbbf450379 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -99,7 +99,7 @@ jobs: - name: Checkout Source uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run Gosec Security Scanner - uses: securego/gosec@abfe8cfd6d5687c96abf31f8e7f57982df2a6e4f + uses: securego/gosec@master with: args: "-no-fail -fmt sarif -out results.sarif ./..." - name: Upload SARIF file diff --git a/Dockerfile b/Dockerfile index 16622a15510..748cafbc753 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/go@sha256:27d8b84203a3acb1bdeb128874d2b89749a6fb3582535e7703680a9f46e08422 as build_env +FROM cgr.dev/chainguard/go@sha256:4f11a0dfbd73832405bc3f611e53b4dbd61a1d1d23d205f2665cabfbd295a109 as build_env # Copy the source from the current directory to the Working Directory inside the container WORKDIR /app 
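Review bot: The runtime stage moves from `cgr.dev/chainguard/git` to `cgr.dev/chainguard/busybox`, which removes git from the final image; if the scanner needs git at runtime (later commits in this series move back to a git image, which suggests it does), this base swap breaks that path. The hunk shows no `USER` directive for the runtime stage — the `USER nonroot` context line belongs to the preceding build stage — so whether the scan still runs unprivileged after the swap is decided by lines outside the hunk and should be checked. The digest pin is good; pairing it with a comment naming the tag and date it was resolved from, e.g. `# busybox:<tag>, resolved <date>`, makes the next bump reviewable.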
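Review bot: `uses: securego/gosec@master` reinstates a floating branch reference, undoing the SHA pin made two commits earlier; a workflow that executes third-party action code from a mutable ref runs whatever lands on that branch, which is precisely the supply-chain exposure the pin removed. The commit message mentions only sha codes and the go version, so if this revert is unintentional the hunk should be dropped; if the pinned commit did not work, pinning to the SHA of a tagged release, `uses: securego/gosec@<release-sha> # v<version>`, keeps both properties. Later commits in this series re-pin it, so the net effect is a window of commits without a pin rather than a permanent regression.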
diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8 index b7c39bf6220..499a1fdb5b5 100644 --- a/docker/Dockerfile.ubi8 +++ b/docker/Dockerfile.ubi8 @@ -4,7 +4,7 @@ WORKDIR /build ENV PATH=$PATH:/usr/local/go/bin -ADD https://golang.org/dl/go1.22.4.linux-amd64.tar.gz . +ADD https://golang.org/dl/go1.22.7.linux-amd64.tar.gz . RUN yum install git gcc -y \ && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.7.linux-amd64.tar.gz \ && rm -f go1.22.7.linux-amd64.tar.gz From e2941e636cef2ec5996b37f7448e1a9f724145b0 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 15:21:11 +0100 Subject: [PATCH 07/37] test new sha code --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 748cafbc753..36f4815622c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/go@sha256:4f11a0dfbd73832405bc3f611e53b4dbd61a1d1d23d205f2665cabfbd295a109 as build_env +FROM cgr.dev/chainguard/go@sha256:1b27d8f2f9bb49434e38fbb7456cb8b72b6652235bb07e2ee002d06f44821c29 as build_env # Copy the source from the current directory to the Working Directory inside the container WORKDIR /app @@ -31,7 +31,7 @@ USER nonroot # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM cgr.dev/chainguard/busybox@sha256:464c46b551bb3187f893f48d29556a944720d4680d35dfd9ece956493b15c33b +FROM cgr.dev/chainguard/busybox@sha256:02e248d0c2ad1cb8c110f550a0a9d881699e09879de2b8fed91ef03b3abef05c ENV TERM xterm-256color From 4b2b49186f7f5e61b43fbb15944961a88ca1b0e2 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 15:26:17 +0100 Subject: [PATCH 08/37] update package-lock versions --- .github/scripts/server-mock/package-lock.json | 134 ++++++++++++++---- 1 file changed, 103 insertions(+), 31 deletions(-) diff --git a/.github/scripts/server-mock/package-lock.json b/.github/scripts/server-mock/package-lock.json index cd6bf63be3e..04773c43850 100644 
--- a/.github/scripts/server-mock/package-lock.json +++ b/.github/scripts/server-mock/package-lock.json @@ -30,9 +30,9 @@ "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==" }, "node_modules/body-parser": { - "version": "1.20.2", - "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz", - "integrity": "sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==", + "version": "1.20.3", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz", + "integrity": "sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==", "dependencies": { "bytes": "3.1.2", "content-type": "~1.0.5", @@ -42,7 +42,7 @@ "http-errors": "2.0.0", "iconv-lite": "0.4.24", "on-finished": "2.4.1", - "qs": "6.11.0", + "qs": "6.13.0", "raw-body": "2.5.2", "type-is": "~1.6.18", "unpipe": "1.0.0" @@ -52,6 +52,20 @@ "npm": "1.2.8000 || >= 1.4.16" } }, + "node_modules/body-parser/node_modules/qs": { + "version": "6.13.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz", + "integrity": "sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==", + "dependencies": { + "side-channel": "^1.0.6" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/bytes": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", 
@@ -157,9 +171,9 @@ "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" }, "node_modules/encodeurl": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", - "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", "engines": { "node": ">= 0.8" } @@ -197,36 +211,36 @@ } }, "node_modules/express": { - "version": "4.19.2", - "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz", - "integrity": "sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==", + "version": "4.20.0", + "resolved": "https://registry.npmjs.org/express/-/express-4.20.0.tgz", + "integrity": "sha512-pLdae7I6QqShF5PnNTCVn4hI91Dx0Grkn2+IAsMTgMIKuQVte2dN9PeGSSAME2FR8anOhVA62QDIUaWVfEXVLw==", "dependencies": { "accepts": "~1.3.8", "array-flatten": "1.1.1", - "body-parser": "1.20.2", + "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", "cookie": "0.6.0", "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", - "encodeurl": "~1.0.2", + "encodeurl": "~2.0.0", "escape-html": "~1.0.3", "etag": "~1.8.1", "finalhandler": "1.2.0", "fresh": "0.5.2", "http-errors": "2.0.0", - "merge-descriptors": "1.0.1", + "merge-descriptors": "1.0.3", "methods": "~1.1.2", "on-finished": "2.4.1", "parseurl": "~1.3.3", - "path-to-regexp": "0.1.7", + "path-to-regexp": "0.1.10", "proxy-addr": "~2.0.7", "qs": "6.11.0", "range-parser": "~1.2.1", "safe-buffer": "5.2.1", - "send": "0.18.0", - "serve-static": "1.15.0", + "send": "0.19.0", + "serve-static": "1.16.0", "setprototypeof": "1.2.0", "statuses": "2.0.1", "type-is": "~1.6.18", 
@@ -254,6 +268,14 @@ "node": ">= 0.8" } }, + "node_modules/finalhandler/node_modules/encodeurl": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", + "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/forwarded": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", @@ -399,9 +421,12 @@ } }, "node_modules/merge-descriptors": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.1.tgz", - "integrity": "sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w==" + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz", + "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==", + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } }, "node_modules/methods": { "version": "1.1.2", @@ -455,9 +480,12 @@ } }, "node_modules/object-inspect": { - "version": "1.13.1", - "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.1.tgz", - "integrity": "sha512-5qoj1RUiKOMsCCNLV1CBiPYE10sziTsnmNxkAI/rZhiD63CF7IqdFGC/XzjWjpSgLf0LxXX3bDFIh0E18f6UhQ==", + "version": "1.13.2", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.2.tgz", + "integrity": "sha512-IRZSRuzJiynemAXPYtPe5BoI/RESNYR7TYm50MC5Mqbd3Jmw5y790sErYw3V6SryFJD64b74qQQs9wn5Bg/k3g==", + "engines": { + "node": ">= 0.4" + }, "funding": { "url": "https://github.com/sponsors/ljharb" } 
@@ -482,9 +510,9 @@ } }, "node_modules/path-to-regexp": { - "version": "0.1.7", - "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz", - "integrity": "sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==" + "version": "0.1.10", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.10.tgz", + "integrity": "sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==" }, "node_modules/proxy-addr": { "version": "2.0.7", @@ -559,9 +587,9 @@ "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/send": { - "version": "0.18.0", - "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz", - "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==", + "version": "0.19.0", + "resolved": "https://registry.npmjs.org/send/-/send-0.19.0.tgz", + "integrity": "sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==", "dependencies": { "debug": "2.6.9", "depd": "2.0.0", 
@@ -581,15 +609,23 @@ "node": ">= 0.8.0" } }, + "node_modules/send/node_modules/encodeurl": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", + "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==", + "engines": { + "node": ">= 0.8" + } + }, "node_modules/send/node_modules/ms": { "version": "2.1.3", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" }, "node_modules/serve-static": { - "version": "1.15.0", - "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.15.0.tgz", - "integrity": "sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==", + "version": "1.16.0", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.0.tgz", + "integrity": "sha512-pDLK8zwl2eKaYrs8mrPZBJua4hMplRWJ1tIFksVC3FtBEBnl8dxgeHtsaMS8DhS9i4fLObaon6ABoc4/hQGdPA==", "dependencies": { "encodeurl": "~1.0.2", "escape-html": "~1.0.3", 
@@ -600,6 +636,42 @@ "node": ">= 0.8.0" } }, + "node_modules/serve-static/node_modules/encodeurl": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-1.0.2.tgz", + "integrity": "sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/serve-static/node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" + }, + "node_modules/serve-static/node_modules/send": { + "version": "0.18.0", + "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz", + "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==", + "dependencies": { + "debug": "2.6.9", + "depd": "2.0.0", + "destroy": "1.2.0", + "encodeurl": "~1.0.2", + "escape-html": "~1.0.3", + "etag": "~1.8.1", + "fresh": "0.5.2", + "http-errors": "2.0.0", + "mime": "1.6.0", + "ms": "2.1.3", + "on-finished": "2.4.1", + "range-parser": "~1.2.1", + "statuses": "2.0.1" + }, + "engines": { + "node": ">= 0.8.0" + } + }, "node_modules/set-function-length": { "version": "1.2.2", "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.2.tgz", From 15eda62dc79d6c4becd5ec244571617ac838c7fc Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 15:35:51 +0100 Subject: [PATCH 09/37] add permission for assets/queries path --- .github/workflows/go-ci-integration.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml index 328fc24c2f6..7df694b0c7a 100644 --- a/.github/workflows/go-ci-integration.yml +++ b/.github/workflows/go-ci-integration.yml 
@@ -45,6 +45,9 @@ jobs: COMMIT=${GITHUB_SHA} cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache + - name: Set Output Permissions + run: | + sudo chmod -R 777 ${PWD}/assets/queries - name: Image digest run: echo ${{ steps.docker_build.outputs.digest }} - name: Run docker image and generate results.json From 0caef56d23ad646fb4adee048c6cebb04ad4999f Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 15:46:17 +0100 Subject: [PATCH 10/37] update version for upload-sarif and integration test naming --- examples/github/kics-docker-runner-sarif.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/github/kics-docker-runner-sarif.yaml b/examples/github/kics-docker-runner-sarif.yaml index 4fce9719184..d7c920c6fe3 100644 --- a/examples/github/kics-docker-runner-sarif.yaml +++ b/examples/github/kics-docker-runner-sarif.yaml @@ -37,6 +37,6 @@ jobs: cat results-dir/results.sarif cat results-dir/results.json - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 with: sarif_file: results-dir/results.sarif From 4437bc8da22ebbaa1784e108c333d8dcd282a828 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 15:59:51 +0100 Subject: [PATCH 11/37] update actions --- .github/workflows/go-ci-integration.yml | 2 +- .github/workflows/go-ci.yml | 4 ++++ examples/github/kics-docker-runner-sarif.yaml | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml index 7df694b0c7a..0dd0bdb4667 100644 --- a/.github/workflows/go-ci-integration.yml +++ b/.github/workflows/go-ci-integration.yml 
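Review bot: `sudo chmod -R 777 ${PWD}/assets/queries` makes the entire query tree world-writable on the runner, presumably so the non-root user inside the scanner container can write under it; the same goal is reached more narrowly with `sudo chown -R <container-uid>:<container-gid> assets/queries` or a group-writable mode plus the matching group, without granting write to every uid. If only results need to be written, mounting a dedicated output directory instead of the queries directory would avoid loosening the inputs the scan depends on at all. Later commits in this series tighten this to `770` and then revert to `777` (the two `go-ci-integration.yml` hunks around the gosec re-pin), which suggests the `770` attempt failed on ownership rather than mode — that is the part worth fixing rather than widening the mode again.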
@@ -45,7 +45,7 @@ jobs: COMMIT=${GITHUB_SHA} cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache - - name: Set Output Permissions + - name: Set Permissions run: | sudo chmod -R 777 ${PWD}/assets/queries - name: Image digest diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 0fbbf450379..792aac0fc6c 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -102,6 +102,10 @@ jobs: uses: securego/gosec@master with: args: "-no-fail -fmt sarif -out results.sarif ./..." + - name: Show results + run: | + cat results-dir/results.sarif + cat results-dir/results.json - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: diff --git a/examples/github/kics-docker-runner-sarif.yaml b/examples/github/kics-docker-runner-sarif.yaml index d7c920c6fe3..4fce9719184 100644 --- a/examples/github/kics-docker-runner-sarif.yaml +++ b/examples/github/kics-docker-runner-sarif.yaml @@ -37,6 +37,6 @@ jobs: cat results-dir/results.sarif cat results-dir/results.json - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results-dir/results.sarif From 1b0c9cbcd69c65f1123962f5a5da4c413bd1538c Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 16:26:44 +0100 Subject: [PATCH 12/37] change kics docker runner sarif to show results --- examples/github/kics-docker-runner-sarif.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/github/kics-docker-runner-sarif.yaml b/examples/github/kics-docker-runner-sarif.yaml index 4fce9719184..0cccd4b23d5 100644 --- a/examples/github/kics-docker-runner-sarif.yaml +++ b/examples/github/kics-docker-runner-sarif.yaml 
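Review bot: The new `Show results` step in `go-ci.yml` runs `cat results-dir/results.sarif` and `cat results-dir/results.json`, but the gosec step directly above writes `-out results.sarif` in the working directory and produces no JSON file, so the step fails on a missing path (a later commit in this series changes it to `cat results.sarif`). It looks copied from the docker-runner example, where those paths belong to that workflow. In the same commit, `examples/github/kics-docker-runner-sarif.yaml` goes back from a pinned SHA to `upload-sarif@v3`, a mutable tag; if dropping the pin was deliberate it deserves a mention in the message.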
@@ -32,7 +32,6 @@ jobs: exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # look for the queries' ID in its metadata.json exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e - - name: Show results run: | cat results-dir/results.sarif cat results-dir/results.json From ef67258a0a251b11c3dd4e64f4e38ae2161f934d Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 16:35:15 +0100 Subject: [PATCH 13/37] sarif runner changes on go-ci --- .github/workflows/go-ci.yml | 3 +-- examples/github/kics-docker-runner-sarif.yaml | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 792aac0fc6c..eea5036448d 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -104,8 +104,7 @@ jobs: args: "-no-fail -fmt sarif -out results.sarif ./..." - name: Show results run: | - cat results-dir/results.sarif - cat results-dir/results.json + cat results.sarif - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: diff --git a/examples/github/kics-docker-runner-sarif.yaml b/examples/github/kics-docker-runner-sarif.yaml index 0cccd4b23d5..4fce9719184 100644 --- a/examples/github/kics-docker-runner-sarif.yaml +++ b/examples/github/kics-docker-runner-sarif.yaml @@ -32,6 +32,7 @@ jobs: exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # look for the queries' ID in its metadata.json exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e + - name: Show results run: | cat results-dir/results.sarif cat results-dir/results.json From fdaec97f305d37e40a1cec05ebebb7262b4d7b6f Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 17:08:30 +0100 Subject: [PATCH 14/37] change go-ci workflow permission and pin sha code for securego/gosec --- .github/workflows/go-ci-integration.yml | 2 +- .github/workflows/go-ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
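Review bot: Removing only the `- name: Show results` line leaves the following `run: |` block indented at the key level of the previous step, which already has `uses:` and `with:`; a step cannot carry both `uses` and `run`, so the example workflow no longer validates. The next commit in this series adds the line back, so the net effect is nil, but as a standalone commit this leaves the example broken. If the intent was to drop the step, the `run:` block and its two `cat` lines should be removed together with the name.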
diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml index 0dd0bdb4667..1e6c94935e8 100644 --- a/.github/workflows/go-ci-integration.yml +++ b/.github/workflows/go-ci-integration.yml @@ -47,7 +47,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache - name: Set Permissions run: | - sudo chmod -R 777 ${PWD}/assets/queries + sudo chmod -R 770 ${PWD}/assets/queries - name: Image digest run: echo ${{ steps.docker_build.outputs.digest }} - name: Run docker image and generate results.json diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index eea5036448d..598996d780d 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -99,7 +99,7 @@ jobs: - name: Checkout Source uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run Gosec Security Scanner - uses: securego/gosec@master + uses: securego/gosec@abfe8cfd6d5687c96abf31f8e7f57982df2a6e4f with: args: "-no-fail -fmt sarif -out results.sarif ./..." - name: Show results From 16497c2375f9b4041270a1fddb5da999e8501368 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 17:12:56 +0100 Subject: [PATCH 15/37] pin to another version for securego/gosec --- .github/workflows/go-ci-integration.yml | 2 +- .github/workflows/go-ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml index 1e6c94935e8..0dd0bdb4667 100644 --- a/.github/workflows/go-ci-integration.yml +++ b/.github/workflows/go-ci-integration.yml @@ -47,7 +47,7 @@ jobs: cache-to: type=local,dest=/tmp/.buildx-cache - name: Set Permissions run: | - sudo chmod -R 770 ${PWD}/assets/queries + sudo chmod -R 777 ${PWD}/assets/queries - name: Image digest run: echo ${{ steps.docker_build.outputs.digest }} - name: Run docker image and generate results.json 
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 598996d780d..290e97cb3e9 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -99,7 +99,7 @@ jobs: - name: Checkout Source uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run Gosec Security Scanner - uses: securego/gosec@abfe8cfd6d5687c96abf31f8e7f57982df2a6e4f + uses: securego/gosec@0ce4453ddd8cca1291d2056cf903b545baad95a0 with: args: "-no-fail -fmt sarif -out results.sarif ./..." - name: Show results From 7bc9b2cacb3f4f170d5d73041bd01bf24e65e4de Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 17:17:14 +0100 Subject: [PATCH 16/37] pin gosec to version v2.20 --- .github/workflows/go-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 290e97cb3e9..ce44391e975 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -99,7 +99,7 @@ jobs: - name: Checkout Source uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run Gosec Security Scanner - uses: securego/gosec@0ce4453ddd8cca1291d2056cf903b545baad95a0 + uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 with: args: "-no-fail -fmt sarif -out results.sarif ./..." - name: Show results From be5e907c98a9dd36aa7c74a9b9423999cbfd2942 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Tue, 10 Sep 2024 17:57:16 +0100 Subject: [PATCH 17/37] install git and pin version of upload-sarif --- .github/workflows/go-ci.yml | 4 ++-- Dockerfile | 9 ++++++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index ce44391e975..62ecc431d52 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml 
@@ -99,13 +99,13 @@ jobs: - name: Checkout Source uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run Gosec Security Scanner - uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 + uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 # v2.20.0 with: args: "-no-fail -fmt sarif -out results.sarif ./..." - name: Show results run: | cat results.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 with: sarif_file: results.sarif diff --git a/Dockerfile b/Dockerfile index 36f4815622c..f39ee48613a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,7 @@ FROM cgr.dev/chainguard/go@sha256:1b27d8f2f9bb49434e38fbb7456cb8b72b6652235bb07e WORKDIR /app ENV GOPRIVATE=github.com/Checkmarx/* +ENV GIT_VERSION=2.46.0 ARG VERSION="development" ARG COMMIT="NOCOMMIT" ARG SENTRY_DSN="" @@ -31,7 +32,13 @@ USER nonroot # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM cgr.dev/chainguard/busybox@sha256:02e248d0c2ad1cb8c110f550a0a9d881699e09879de2b8fed91ef03b3abef05c +FROM cgr.dev/chainguard/bash@sha256:2faccc3e8ab049d82dec0e4d2dd8b45718c71ce640608584d95a39092b5006b5 + +RUN curl -LO https://github.com/git/git/archive/refs/tags/v${GIT_VERSION}.tar.gz && \ + tar -zxf v${GIT_VERSION}.tar.gz && \ + mv git-${GIT_VERSION}/bin/git /usr/local/bin/git && \ + chmod +x /usr/local/bin/git && \ + rm -rf git-${GIT_VERSION} v${GIT_VERSION}.tar.gz ENV TERM xterm-256color From 428b582b31e7efce252a15717b87a8056ba7f933 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Wed, 11 Sep 2024 08:42:16 +0100 Subject: [PATCH 18/37] add new image to dockerfile and pin sha version --- Dockerfile | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index f39ee48613a..36f4815622c 100644 --- a/Dockerfile +++ b/Dockerfile 
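Review bot: Within the same hunk the gosec line gains a `# v2.20.0` annotation while the new `upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33` pin gets none, so the file now mixes annotated and bare SHA pins; `uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # <release tag>` keeps the convention consistent and lets a reader verify the SHA against a release. Without the annotation a reviewer cannot tell from the diff whether the pin points at a tagged release or an arbitrary commit of the action.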
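Review bot: The new runtime-stage `RUN` relies on `${GIT_VERSION}`, but that variable is set with `ENV` in the build stage (the first `Dockerfile` hunk of this commit) and `ENV` values do not cross a `FROM` boundary, so in this stage it expands to empty and the URL becomes `.../tags/v.tar.gz`. Even with the value in scope, `https://github.com/git/git/archive/refs/tags/v${GIT_VERSION}.tar.gz` is a source archive, so `git-${GIT_VERSION}/bin/git` is not a file it contains and nothing in the hunk builds git. The download is also unverified — no checksum or signature is checked before the file is placed in `/usr/local/bin` — and the stage runs as root after the new `FROM`, since the `USER nonroot` context line belongs to the build stage. The next commit reverts this whole block, so it may have been an experiment, but it should not land as-is.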
@@ -4,7 +4,6 @@ FROM cgr.dev/chainguard/go@sha256:1b27d8f2f9bb49434e38fbb7456cb8b72b6652235bb07e WORKDIR /app ENV GOPRIVATE=github.com/Checkmarx/* -ENV GIT_VERSION=2.46.0 ARG VERSION="development" ARG COMMIT="NOCOMMIT" ARG SENTRY_DSN="" @@ -32,13 +31,7 @@ USER nonroot # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM cgr.dev/chainguard/bash@sha256:2faccc3e8ab049d82dec0e4d2dd8b45718c71ce640608584d95a39092b5006b5 - -RUN curl -LO https://github.com/git/git/archive/refs/tags/v${GIT_VERSION}.tar.gz && \ - tar -zxf v${GIT_VERSION}.tar.gz && \ - mv git-${GIT_VERSION}/bin/git /usr/local/bin/git && \ - chmod +x /usr/local/bin/git && \ - rm -rf git-${GIT_VERSION} v${GIT_VERSION}.tar.gz +FROM cgr.dev/chainguard/busybox@sha256:02e248d0c2ad1cb8c110f550a0a9d881699e09879de2b8fed91ef03b3abef05c ENV TERM xterm-256color From a3e5b660fc92f383478d1d91d5f9e80bc3566627 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Wed, 11 Sep 2024 08:50:00 +0100 Subject: [PATCH 19/37] update send package on package-lock via npm --- .github/scripts/server-mock/package-lock.json | 30 +------------------ 1 file changed, 1 insertion(+), 29 deletions(-) diff --git a/.github/scripts/server-mock/package-lock.json b/.github/scripts/server-mock/package-lock.json index 04773c43850..4666f2252ff 100644 --- a/.github/scripts/server-mock/package-lock.json +++ b/.github/scripts/server-mock/package-lock.json @@ -630,7 +630,7 @@ "encodeurl": "~1.0.2", "escape-html": "~1.0.3", "parseurl": "~1.3.3", - "send": "0.18.0" + "send": "0.19.0" }, "engines": { "node": ">= 0.8.0" 
@@ -644,34 +644,6 @@ "node": ">= 0.8" } }, - "node_modules/serve-static/node_modules/ms": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", - "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" - }, - "node_modules/serve-static/node_modules/send": { - "version": "0.18.0", - "resolved": "https://registry.npmjs.org/send/-/send-0.18.0.tgz", - "integrity": "sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==", - "dependencies": { - "debug": "2.6.9", - "depd": "2.0.0", - "destroy": "1.2.0", - "encodeurl": "~1.0.2", - "escape-html": "~1.0.3", - "etag": "~1.8.1", - "fresh": "0.5.2", - "http-errors": "2.0.0", - "mime": "1.6.0", - "ms": "2.1.3", - "on-finished": "2.4.1", - "range-parser": "~1.2.1", - "statuses": "2.0.1" - }, - "engines": { - "node": ">= 0.8.0" - } - }, "node_modules/set-function-length": { "version": "1.2.2", "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.2.tgz", From f8f70e3e34a6c8703284af2c0c42c11ee0048732 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Wed, 11 Sep 2024 12:49:06 +0100 Subject: [PATCH 20/37] change image for latest-glibc --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 36f4815622c..002cfdfc3ba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,7 @@ FROM cgr.dev/chainguard/go@sha256:1b27d8f2f9bb49434e38fbb7456cb8b72b6652235bb07e WORKDIR /app ENV GOPRIVATE=github.com/Checkmarx/* +ENV GIT_VERSION=2.46.0 ARG VERSION="development" ARG COMMIT="NOCOMMIT" ARG SENTRY_DSN="" 
@@ -25,13 +26,13 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \ -ldflags "-s -w -X github.com/Checkmarx/kics/v2/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/v2/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/v2/internal/constants.SentryDSN=${SENTRY_DSN} -X github.com/Checkmarx/kics/v2/internal/constants.BaseURL=${DESCRIPTIONS_URL}" \ -a -installsuffix cgo \ -o bin/kics cmd/console/main.go - + USER nonroot # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM cgr.dev/chainguard/busybox@sha256:02e248d0c2ad1cb8c110f550a0a9d881699e09879de2b8fed91ef03b3abef05c +FROM cgr.dev/chainguard/git:latest-glibc@sha256:6234bec5d1a6a3d46ae11117b5d803846366b728297503e00396d4203b8a0cc5 ENV TERM xterm-256color From a9ec7e4b6d2f808f940c4ec61154a99172c59ca2 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Wed, 11 Sep 2024 12:52:07 +0100 Subject: [PATCH 21/37] remove unnecessary arguments and evironment variables --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 002cfdfc3ba..aa7185b15fa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,6 @@ FROM cgr.dev/chainguard/go@sha256:1b27d8f2f9bb49434e38fbb7456cb8b72b6652235bb07e WORKDIR /app ENV GOPRIVATE=github.com/Checkmarx/* -ENV GIT_VERSION=2.46.0 ARG VERSION="development" ARG COMMIT="NOCOMMIT" ARG SENTRY_DSN="" @@ -26,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \ -ldflags "-s -w -X github.com/Checkmarx/kics/v2/internal/constants.Version=${VERSION} -X github.com/Checkmarx/kics/v2/internal/constants.SCMCommit=${COMMIT} -X github.com/Checkmarx/kics/v2/internal/constants.SentryDSN=${SENTRY_DSN} -X github.com/Checkmarx/kics/v2/internal/constants.BaseURL=${DESCRIPTIONS_URL}" \ -a -installsuffix cgo \ -o bin/kics cmd/console/main.go - + USER nonroot # Runtime image 
From c63a6c646d969b15c77e9d833d66f1cd00905cfb Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Wed, 11 Sep 2024 14:41:26 +0100
Subject: [PATCH 22/37] change image to git latest
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index aa7185b15fa..de26878914a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,7 @@ USER nonroot
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM cgr.dev/chainguard/git:latest-glibc@sha256:6234bec5d1a6a3d46ae11117b5d803846366b728297503e00396d4203b8a0cc5
+FROM cgr.dev/chainguard/git:latest@sha256:6234bec5d1a6a3d46ae11117b5d803846366b728297503e00396d4203b8a0cc5
 ENV TERM xterm-256color
From cdc8354f83b5ec1c04dba1cf3ee64ee1f3d97664 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Wed, 11 Sep 2024 14:58:07 +0100
Subject: [PATCH 23/37] update image latest-root-dev
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index de26878914a..a67a9d91cce 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,7 @@ USER nonroot
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM cgr.dev/chainguard/git:latest@sha256:6234bec5d1a6a3d46ae11117b5d803846366b728297503e00396d4203b8a0cc5
+FROM cgr.dev/chainguard/git@sha256:02660563e96b553d6aeb4093e3fcc3e91b2ad3a86e05c65b233f37f035e5044e
 ENV TERM xterm-256color
From f1715c8d1e7d515ce8f9591ba53da1243e63fca6 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Wed, 11 Sep 2024 15:38:42 +0100
Subject: [PATCH 24/37] test new image with sed
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index a67a9d91cce..56b49b98529 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,7 @@ USER nonroot
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM cgr.dev/chainguard/git@sha256:02660563e96b553d6aeb4093e3fcc3e91b2ad3a86e05c65b233f37f035e5044e
+FROM docker.io/ruigomes99/git-sed:golden-amd64@sha256:66f75ea8d23050cc261f7d72add62cdbb40869c8bc3c8fbbeede4fe18db12c30
 ENV TERM xterm-256color
From e134871c6d83410e97fb315a4ea228cb4efc1e6b Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Wed, 11 Sep 2024 16:19:33 +0100
Subject: [PATCH 25/37] update dockerfile run time image to latest root dev
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 56b49b98529..a67a9d91cce 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,7 +31,7 @@ USER nonroot
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM docker.io/ruigomes99/git-sed:golden-amd64@sha256:66f75ea8d23050cc261f7d72add62cdbb40869c8bc3c8fbbeede4fe18db12c30
+FROM cgr.dev/chainguard/git@sha256:02660563e96b553d6aeb4093e3fcc3e91b2ad3a86e05c65b233f37f035e5044e
 ENV TERM xterm-256color
From 7d789eae1a703efeac93cbcffcc4e4a9ee149f3d Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Wed, 11 Sep 2024 17:42:32 +0100
Subject: [PATCH 26/37] update go to version 1.23.1
---
 .github/workflows/go-ci-integration.yml | 3 ---
 docker/Dockerfile.debian | 2 +-
 docker/Dockerfile.ubi8 | 6 +++---
 go.mod | 2 +-
 4 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml
index 0dd0bdb4667..328fc24c2f6 100644
--- a/.github/workflows/go-ci-integration.yml
+++ b/.github/workflows/go-ci-integration.yml
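Review bot: The runtime stage that this FROM starts still has no `USER` instruction, and the commit subjects in this series describe the pinned digest as the `latest-root-dev` image, which in Chainguard's naming runs as root and ships a shell and package manager — so the scanner container would run as root with more tooling than a scan needs, and the `# kics-scan ignore-line` above only hides the finding. Because the reference is digest-only, nothing in the Dockerfile shows which variant was chosen; record it on the line, `FROM cgr.dev/chainguard/git@sha256:02660563e96b553d6aeb4093e3fcc3e91b2ad3a86e05c65b233f37f035e5044e # git:latest-root-dev`, so the next bump can tell whether a root/dev image is still intended. Then add `USER nonroot` (or a numeric UID) to this stage unless a scan genuinely needs root, and if git is all that is needed at runtime the non-dev `git` image would be the smaller surface; whether anything downstream relies on the shell is not visible from the hunk.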
@@ -45,9 +45,6 @@ jobs: COMMIT=${GITHUB_SHA} cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache - - name: Set Permissions - run: | - sudo chmod -R 777 ${PWD}/assets/queries - name: Image digest run: echo ${{ steps.docker_build.outputs.digest }} - name: Run docker image and generate results.json diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian index 0803a0a461c..b73bfbbff1a 100644 --- a/docker/Dockerfile.debian +++ b/docker/Dockerfile.debian @@ -3,7 +3,7 @@ # it does not define an ENTRYPOINT as this is a requirement described here: # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers # -FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.22.7-bookworm as build_env +FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23.1-bookworm as build_env # Create a group and user RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx USER checkmarx diff --git a/docker/Dockerfile.ubi8 b/docker/Dockerfile.ubi8 index 499a1fdb5b5..d49727fd3a3 100644 --- a/docker/Dockerfile.ubi8 +++ b/docker/Dockerfile.ubi8 @@ -4,10 +4,10 @@ WORKDIR /build ENV PATH=$PATH:/usr/local/go/bin -ADD https://golang.org/dl/go1.22.7.linux-amd64.tar.gz . +ADD https://golang.org/dl/go1.23.1.linux-amd64.tar.gz . RUN yum install git gcc -y \ - && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.7.linux-amd64.tar.gz \ - && rm -f go1.22.7.linux-amd64.tar.gz + && rm -rf /usr/local/go && tar -C /usr/local -xzf go1.23.1.linux-amd64.tar.gz \ + && rm -f go1.23.1.linux-amd64.tar.gz ENV GOPRIVATE=github.com/Checkmarx/* ARG VERSION="development" diff --git a/go.mod b/go.mod index 38d31a3c875..43c799d2f0b 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/Checkmarx/kics/v2 -go 1.22.7 +go 1.23.1 replace ( github.com/containerd/containerd => github.com/containerd/containerd v1.6.26 From 5af59c60912393eef2e722bb098c70f1ddc6454f Mon Sep 17 00:00:00 2001 
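Review bot: `ADD https://golang.org/dl/go1.23.1.linux-amd64.tar.gz .` in Dockerfile.ubi8 still fetches the toolchain without any integrity check, so the ubi8 build trusts whatever the download host (or any redirect) serves, and the bump to 1.23.1 is the moment to close that. Pin the published SHA-256 either with BuildKit's `ADD --checksum=sha256:<digest> https://golang.org/dl/go1.23.1.linux-amd64.tar.gz .` or, if the builder predates that flag, by verifying in the RUN before extracting: `echo "<digest>  go1.23.1.linux-amd64.tar.gz" | sha256sum -c -`. The digest is listed next to the archive on the Go downloads page; I have not looked it up, so it must be copied from there rather than from this note. Every future Go bump then has to update the digest too, which is the intended friction.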
From: Artur Ribeiro Date: Wed, 11 Sep 2024 17:59:50 +0100 Subject: [PATCH 27/37] update go version on report and dockerfile sha code --- .github/scripts/report/go.mod | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/scripts/report/go.mod b/.github/scripts/report/go.mod index 3dd36b7f876..2245154eb8f 100644 --- a/.github/scripts/report/go.mod +++ b/.github/scripts/report/go.mod @@ -1,6 +1,6 @@ module github.com/Checkmarx/e2e-report -go 1.21 +go 1.23.1 require ( github.com/rs/zerolog v1.31.0 diff --git a/Dockerfile b/Dockerfile index a67a9d91cce..641bb5630ea 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM cgr.dev/chainguard/go@sha256:1b27d8f2f9bb49434e38fbb7456cb8b72b6652235bb07e2ee002d06f44821c29 as build_env +FROM cgr.dev/chainguard/go@sha256:1e17e06119fc26b78a9a2208aeab6209f9ef90b6a19f3fc69d4cc581e70d09bf as build_env # Copy the source from the current directory to the Working Directory inside the container WORKDIR /app From 8c0e597a1558c1d43ebc7a794a5134fdd68a37d7 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Thu, 12 Sep 2024 00:39:45 +0100 Subject: [PATCH 28/37] test pin sha for golangci lint and action --- .github/workflows/go-ci.yml | 2 +- .golangci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 62ecc431d52..e909af50803 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -16,7 +16,7 @@ jobs: go-version-file: go.mod cache: false - name: golangci-lint - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 + uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: version: v1.57.2 args: -c .golangci.yml --timeout 20m diff --git a/.golangci.yml b/.golangci.yml index 51266a830a3..b653726cc42 100644 --- a/.golangci.yml +++ b/.golangci.yml 
@@ -32,7 +32,7 @@ linters-settings: gocyclo: min-complexity: 15 goimports: - local-prefixes: github.com/golangci/golangci-lint + local-prefixes: github.com/golangci/golangci-lint@a1d6c560de1a193a0c68ffed68cd5928ef39e884 gomnd: # don't include the "operation" and "assign" checks: From 48b5cb4e3f0c832b9a6f752706e1e98d481ba87a Mon Sep 17 00:00:00 2001 From: ArturRibeiro-CX Date: Thu, 12 Sep 2024 00:53:03 +0100 Subject: [PATCH 29/37] test ubuntu-20.04 instead of ubuntu-latest for first job of go-ci --- .github/workflows/go-ci.yml | 2 +- .golangci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index e909af50803..aca3633074a 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -7,7 +7,7 @@ on: jobs: lint: name: lint - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Go diff --git a/.golangci.yml b/.golangci.yml index b653726cc42..51266a830a3 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -32,7 +32,7 @@ linters-settings: gocyclo: min-complexity: 15 goimports: - local-prefixes: github.com/golangci/golangci-lint@a1d6c560de1a193a0c68ffed68cd5928ef39e884 + local-prefixes: github.com/golangci/golangci-lint gomnd: # don't include the "operation" and "assign" checks: From ae356e8c0d7ffa25aa68efcfb0c316cb4a323ccb Mon Sep 17 00:00:00 2001 From: ArturRibeiro-CX Date: Thu, 12 Sep 2024 01:00:10 +0100 Subject: [PATCH 30/37] revert golangci-lint-action version --- .github/workflows/go-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index aca3633074a..3ccd646d609 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml 
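Review bot: The restored value `local-prefixes: github.com/golangci/golangci-lint` looks like the example from golangci-lint's own configuration rather than this module's path: goimports' local-prefixes only groups imports that start with the given prefix after third-party ones, so with this value no KICS package is ever treated as local. The go.mod hunks earlier in this series give the module as `github.com/Checkmarx/kics/v2`, so the setting should be `local-prefixes: github.com/Checkmarx/kics`. Reverting the previous commit's `@<sha>` suffix is right — local-prefixes is a string prefix, not a pinnable reference, and the suffixed value would have matched nothing.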
@@ -16,7 +16,7 @@ jobs: go-version-file: go.mod cache: false - name: golangci-lint - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 + uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 with: version: v1.57.2 args: -c .golangci.yml --timeout 20m From 88fa9507a522c3eacda44a6009f26a9d477222b3 Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Thu, 12 Sep 2024 09:28:48 +0100 Subject: [PATCH 31/37] pin sha golangci lint action on go-ci workflow and upload-sarif on kics docker runner sarif --- .github/workflows/go-ci.yml | 2 +- examples/github/kics-docker-runner-sarif.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 62ecc431d52..e909af50803 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -16,7 +16,7 @@ jobs: go-version-file: go.mod cache: false - name: golangci-lint - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 + uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: version: v1.57.2 args: -c .golangci.yml --timeout 20m diff --git a/examples/github/kics-docker-runner-sarif.yaml b/examples/github/kics-docker-runner-sarif.yaml index 4fce9719184..d9e8c8d1432 100644 --- a/examples/github/kics-docker-runner-sarif.yaml +++ b/examples/github/kics-docker-runner-sarif.yaml @@ -37,6 +37,6 @@ jobs: cat results-dir/results.sarif cat results-dir/results.json - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 with: sarif_file: results-dir/results.sarif From 77b537af9876dee7ced18a15ddcc0a73a1b7c9c0 Mon Sep 17 00:00:00 2001 
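Review bot: The new `uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33` pins a SHA without saying which release it is, whereas the golangci-lint-action pin in the same commit carries `# v6.1.0`; without that trailing comment readers of this example cannot tell what they are running, and Dependabot/Renovate use it to propose updates. Add the tag the SHA was taken from, `uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # vX.Y.Z` — I have not resolved which tag that commit belongs to, so check it against the codeql-action releases. A SHA pin is only as good as its provenance, so the SHA should also be confirmed to come from the upstream `github/codeql-action` repository rather than a fork.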
From: Artur Ribeiro Date: Thu, 12 Sep 2024 09:46:48 +0100 Subject: [PATCH 32/37] update go version to 1.23 and lint version on go-ci --- .github/workflows/go-ci.yml | 4 ++-- .github/workflows/go-e2e-debian.yaml | 2 +- .github/workflows/go-e2e.yaml | 2 +- .github/workflows/release-apispec.yml | 2 +- .github/workflows/release-nightly.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index aca3633074a..283ccd97dc1 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -18,7 +18,7 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: - version: v1.57.2 + version: v1.61.0 args: -c .golangci.yml --timeout 20m go-generate: name: go-generate @@ -39,7 +39,7 @@ jobs: name: unit-tests strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest, windows-latest, macos-latest] runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml index 130ba3e54ed..caeb9b1369b 100644 --- a/.github/workflows/go-e2e-debian.yaml +++ b/.github/workflows/go-e2e-debian.yaml @@ -10,7 +10,7 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: diff --git a/.github/workflows/go-e2e.yaml b/.github/workflows/go-e2e.yaml index 70b129f0fb6..873b85d2b02 100644 --- a/.github/workflows/go-e2e.yaml +++ b/.github/workflows/go-e2e.yaml @@ -10,7 +10,7 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8"] runs-on: ${{ matrix.os }} diff --git a/.github/workflows/release-apispec.yml b/.github/workflows/release-apispec.yml index d7c384dd5fe..d41daa8d666 100644 --- a/.github/workflows/release-apispec.yml +++ b/.github/workflows/release-apispec.yml 
@@ -34,7 +34,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.22.x + go-version: 1.23.x - name: Run GoReleaser uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 #v5.1.0 with: diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 4cc8e90d6c1..013fdab20a7 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -51,7 +51,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.22.x + go-version: 1.23.x - name: Run GoReleaser uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 with: From 108c6b35ad097db7d861b5a6489c06fe58833e5a Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Thu, 12 Sep 2024 10:23:30 +0100 Subject: [PATCH 33/37] fix lint problems and add new go version to docs --- .../20f14e1a-a899-4e79-9f09-b6a84cd4649b.md | 4 ++-- internal/console/analyze.go | 2 +- pkg/engine/secrets/inspector.go | 10 +++++----- pkg/printer/printer.go | 10 +++++----- pkg/scan/preview_secrets_mask.go | 10 +++++----- pkg/scan/utils.go | 2 +- pkg/utils/random.go | 2 +- 7 files changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/queries/cicd-queries/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md b/docs/queries/cicd-queries/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md index ef3f681e084..9dea0defeb5 100644 --- a/docs/queries/cicd-queries/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md +++ b/docs/queries/cicd-queries/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md @@ -205,10 +205,10 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up Go 1.22.x + - name: Set up Go 1.23.x uses: actions/setup-go@v5 with: - go-version: 1.22.x + go-version: 1.23.x - name: Run test metrics script id: testcov run: | diff --git a/internal/console/analyze.go b/internal/console/analyze.go index ecd9e2ec8ee..2069b871923 100644 --- a/internal/console/analyze.go +++ b/internal/console/analyze.go 
@@ -77,7 +77,7 @@ func executeAnalyze(analyzeParams *analyzer.Parameters) error {
 log.Debug().Msg("console.scan()")
 for _, warn := range warnings {
- log.Warn().Msgf(warn)
+ log.Warn().Msgf("%s", warn)
 }
 console := newConsole()
diff --git a/pkg/engine/secrets/inspector.go b/pkg/engine/secrets/inspector.go
index e01191f3f82..3ee708190b8 100644
--- a/pkg/engine/secrets/inspector.go
+++ b/pkg/engine/secrets/inspector.go
@@ -316,18 +316,18 @@ func (c *Inspector) isSecret(s string, query *RegexQuery) (isSecretRet bool, gro
 for _, group := range groups {
 splitedText := strings.Split(s, "\n")
- max := -1
+ maxSplit := -1
 for i, splited := range splitedText {
 if len(groups) < query.Multiline.DetectLineGroup {
- if strings.Contains(splited, group[query.Multiline.DetectLineGroup]) && i > max {
- max = i
+ if strings.Contains(splited, group[query.Multiline.DetectLineGroup]) && i > maxSplit {
+ maxSplit = i
 }
 }
 }
- if max == -1 {
+ if maxSplit == -1 {
 continue
 }
- secret, newGroups := c.isSecret(strings.Join(append(splitedText[:max], splitedText[max+1:]...), "\n"), query)
+ secret, newGroups := c.isSecret(strings.Join(append(splitedText[:maxSplit], splitedText[maxSplit+1:]...), "\n"), query)
 if !secret {
 continue
 }
diff --git a/pkg/printer/printer.go b/pkg/printer/printer.go
index 0ca05454280..96ef66e9104 100644
--- a/pkg/printer/printer.go
+++ b/pkg/printer/printer.go
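Review bot: `log.Warn().Msgf("%s", warn)` removes the non-constant format string but keeps a formatting round-trip for a value that is already a string; zerolog's `Msg` takes it directly, `log.Warn().Msg(warn)`, the same form as the `log.Debug().Msg("console.scan()")` line just above. The other `Msgf("%s", …)` rewrites in this commit and the next (pre_scan.go, sentry.go, utils.go) can use `Msg` the same way. executeAnalyze continues outside the hunk.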
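Review bot: The guard that survives the rename, `if len(groups) < query.Multiline.DetectLineGroup {`, tests the length of the outer `groups` collection, but the following line indexes the inner match, `group[query.Multiline.DetectLineGroup]`, so it does not protect that access: a match with fewer captures than DetectLineGroup would panic, and any input with at least DetectLineGroup matches skips the multiline check entirely. If the intent is a bounds check on the capture index it should read `if len(group) > query.Multiline.DetectLineGroup {`; `groups` is defined before the hunk, so confirm its shape before changing the condition. The loop is duplicated verbatim in pkg/scan/preview_secrets_mask.go (also renamed in this commit), which would need the same fix or, better, a shared helper. isSecret starts before the hunk and continues after it.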
@@ -280,15 +280,15 @@ func NewPrinter(minimal bool) *Printer {
 func (p *Printer) PrintBySev(content, sev string) string {
 switch strings.ToUpper(sev) {
 case model.SeverityCritical:
- return p.Critical.Sprintf(content)
+ return p.Critical.Sprintf("%s", content)
 case model.SeverityHigh:
- return p.High.Sprintf(content)
+ return p.High.Sprintf("%s", content)
 case model.SeverityMedium:
- return p.Medium.Sprintf(content)
+ return p.Medium.Sprintf("%s", content)
 case model.SeverityLow:
- return p.Low.Sprintf(content)
+ return p.Low.Sprintf("%s", content)
 case model.SeverityInfo:
- return p.Info.Sprintf(content)
+ return p.Info.Sprintf("%s", content)
 }
 return content
 }
diff --git a/pkg/scan/preview_secrets_mask.go b/pkg/scan/preview_secrets_mask.go
index 417d8d3e7b6..6a9f9851727 100644
--- a/pkg/scan/preview_secrets_mask.go
+++ b/pkg/scan/preview_secrets_mask.go
@@ -126,18 +126,18 @@ func isSecret(line string, rule *secrets.RegexQuery, allowRules *[]secrets.Allow
 for _, group := range groups {
 splitedText := strings.Split(line, "\n")
- max := -1
+ maxSplit := -1
 for i, splited := range splitedText {
 if len(groups) < rule.Multiline.DetectLineGroup {
- if strings.Contains(splited, group[rule.Multiline.DetectLineGroup]) && i > max {
- max = i
+ if strings.Contains(splited, group[rule.Multiline.DetectLineGroup]) && i > maxSplit {
+ maxSplit = i
 }
 }
 }
- if max == -1 {
+ if maxSplit == -1 {
 continue
 }
- secret, newGroups := isSecret(strings.Join(append(splitedText[:max], splitedText[max+1:]...), "\n"), rule, allowRules)
+ secret, newGroups := isSecret(strings.Join(append(splitedText[:maxSplit], splitedText[maxSplit+1:]...), "\n"), rule, allowRules)
 if !secret {
 continue
 }
diff --git a/pkg/scan/utils.go b/pkg/scan/utils.go
index 59aab45644f..16a470512b1 100644
--- a/pkg/scan/utils.go
+++ b/pkg/scan/utils.go
@@ -241,7 +241,7 @@ func printVersionCheck(customPrint *consolePrinter.Printer, s *model.Summary) {
 message := fmt.Sprintf("A new version 'v%s' of KICS is available, please consider updating", s.LatestVersion.LatestVersionTag)
 fmt.Println(customPrint.VersionMessage.Sprintf(message))
- log.Warn().Msgf(message)
+ log.Warn().Msgf("%s", message)
 }
 }
diff --git a/pkg/utils/random.go b/pkg/utils/random.go
index fb524a38a6d..d9a45a1e425 100644
--- a/pkg/utils/random.go
+++ b/pkg/utils/random.go
@@ -14,7 +14,7 @@ var randmu sync.Mutex
 const tempDirFormat = 1e9
 func reseed() uint32 {
- return uint32(time.Now().UnixNano() + int64(os.Getpid()))
+ return uint32(int32(time.Now().UnixNano()) + int32(os.Getpid()))
 }
 // NextRandom returns a random number
From e22dd59b5567a6148768ffc8d670dea6c49ef6af Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Thu, 12 Sep 2024 10:45:54 +0100
Subject: [PATCH 34/37] fix linting problems and ignore gosec vuln with uint conversion
---
 internal/console/pre_scan.go | 2 +-
 internal/sentry/sentry.go | 2 +-
 pkg/parser/buildah/comments.go | 6 +++---
 pkg/printer/printer.go | 2 +-
 pkg/remediation/remediation.go | 2 +-
 pkg/scan/utils.go | 2 +-
 pkg/utils/random.go | 2 +-
 7 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/internal/console/pre_scan.go b/internal/console/pre_scan.go
index 7cde3657850..9fba76f7f52 100644
--- a/internal/console/pre_scan.go
+++ b/internal/console/pre_scan.go
@@ -135,7 +135,7 @@ func newConsole() *console {
 func (console *console) preScan() {
 log.Debug().Msg("console.scan()")
 for _, warn := range warnings {
- log.Warn().Msgf(warn)
+ log.Warn().Msgf("%s", warn)
 }
 printer := internalPrinter.NewPrinter(flags.GetBoolFlag(flags.MinimalUIFlag))
diff --git a/internal/sentry/sentry.go b/internal/sentry/sentry.go
index adcdb9b7c4a..66b8bd3db7f 100644
--- a/internal/sentry/sentry.go
+++ b/internal/sentry/sentry.go
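Review bot: `uint32(int32(time.Now().UnixNano()) + int32(os.Getpid()))` only moves the 32-bit truncation earlier to satisfy gosec's G115; modulo 2^32 it yields the same value as the old `uint32(time.Now().UnixNano() + int64(os.Getpid()))`, so the seed is unchanged, which is fine, but a comment would stop a reader from suspecting a behaviour change: `// truncating to 32 bits is intentional; the seed only needs to vary per call`. Independently of this change, a time+pid seed is predictable, and the neighbouring `tempDirFormat` constant suggests this mirrors the standard library's temp-name generator — acceptable for uniqueness, but it must not be relied on anywhere an attacker could race the generated name. If NextRandom feeds temporary file or directory names, `os.CreateTemp`/`os.MkdirTemp` already reseed and retry on collision with exclusive-create semantics and would let this helper go; reseed's caller is outside the hunk, so that is an inference to confirm.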
@@ -35,7 +35,7 @@ func ReportSentry(report *Report, shouldLog bool) {
 })
 if shouldLog {
- log.Err(report.Err).Msgf(report.Message)
+ log.Err(report.Err).Msgf("%s", report.Message)
 log.Debug().Msgf("Error Report: \n%+v\n", report.string())
 }
 }
diff --git a/pkg/parser/buildah/comments.go b/pkg/parser/buildah/comments.go
index d306b643da3..30acc0c6ba4 100644
--- a/pkg/parser/buildah/comments.go
+++ b/pkg/parser/buildah/comments.go
@@ -17,7 +17,7 @@ func getKicsIgnore(comment string) string {
 func (i *Info) getIgnoreLines(comment *syntax.Comment) {
 // get normal comments
- i.IgnoreLines = append(i.IgnoreLines, int(comment.Hash.Line()))
+ i.IgnoreLines = append(i.IgnoreLines, int(comment.Hash.Line())) //nolint:gosec
 if model.KICSCommentRgxp.MatchString(comment.Text) {
 kicsIgnore := getKicsIgnore(comment.Text)
@@ -25,10 +25,10 @@ func (i *Info) getIgnoreLines(comment *syntax.Comment) {
 switch model.CommentCommand(kicsIgnore) {
 case model.IgnoreLine:
 // get kics-scan ignore-line
- i.IgnoreLines = append(i.IgnoreLines, int(comment.Hash.Line())+1)
+ i.IgnoreLines = append(i.IgnoreLines, int(comment.Hash.Line())+1) //nolint:gosec
 case model.IgnoreBlock:
 // get kics-scan ignore-block for ignoreFromBlock
- i.IgnoreBlockLines = append(i.IgnoreBlockLines, int(comment.Pos().Line()))
+ i.IgnoreBlockLines = append(i.IgnoreBlockLines, int(comment.Pos().Line())) //nolint:gosec
 }
 }
 }
diff --git a/pkg/printer/printer.go b/pkg/printer/printer.go
index 96ef66e9104..66c22cfa71a 100644
--- a/pkg/printer/printer.go
+++ b/pkg/printer/printer.go
@@ -295,7 +295,7 @@ func (p *Printer) PrintBySev(content, sev string) string {
 // Bold returns the output in a bold format
 func (p *Printer) Bold(content string) string {
- return color.Bold.Sprintf(content)
+ return color.Bold.Sprintf("%s", content)
 }
 func validQueryID(queryID string) bool {
diff --git a/pkg/remediation/remediation.go b/pkg/remediation/remediation.go
index 6d621c12e7f..e8f33a6802e 100644
--- a/pkg/remediation/remediation.go
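Review bot: The bare `//nolint:gosec` appended to each `int(comment.Hash.Line())` conversion in comments.go silences every gosec rule on that line, not only the G115 integer-conversion finding the commit is reacting to, and records no reason a later reader can check. golangci-lint's convention is to name the rule and justify it, e.g. `//nolint:gosec // G115: Line() is an unsigned line number that fits in int`, and with nolintlint enabled an explanation can be enforced. The same bare directive is added to pkg/parser/buildah/parser.go and pkg/utils/random.go later in this series and should take the same form; that `Line()` returns an unsigned type is implied by the finding rather than visible here.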
+++ b/pkg/remediation/remediation.go
@@ -156,7 +156,7 @@ func addition(r *Remediation, lines *[]string) []string {
 func (s *Summary) writeRemediation(remediatedLines, lines []string, filePath, similarityID string) []string {
 remediated := []byte(strings.Join(remediatedLines, "\n"))
- if err := os.WriteFile(filePath, remediated, os.ModePerm); err != nil {
+ if err := os.WriteFile(filePath, remediated, 0600); err != nil {
 log.Error().Msgf("failed to write file: %s", err)
 return lines
 }
diff --git a/pkg/scan/utils.go b/pkg/scan/utils.go
index 16a470512b1..8d31f30585a 100644
--- a/pkg/scan/utils.go
+++ b/pkg/scan/utils.go
@@ -240,7 +240,7 @@ func printVersionCheck(customPrint *consolePrinter.Printer, s *model.Summary) {
 if !s.LatestVersion.Latest {
 message := fmt.Sprintf("A new version 'v%s' of KICS is available, please consider updating", s.LatestVersion.LatestVersionTag)
- fmt.Println(customPrint.VersionMessage.Sprintf(message))
+ fmt.Println(customPrint.VersionMessage.Sprintf("%s", message))
 log.Warn().Msgf("%s", message)
 }
 }
diff --git a/pkg/utils/random.go b/pkg/utils/random.go
index d9a45a1e425..d8bd4875706 100644
--- a/pkg/utils/random.go
+++ b/pkg/utils/random.go
@@ -14,7 +14,7 @@ var randmu sync.Mutex
 const tempDirFormat = 1e9
 func reseed() uint32 {
- return uint32(int32(time.Now().UnixNano()) + int32(os.Getpid()))
+ return uint32(int32(time.Now().UnixNano()) + int32(os.Getpid())) //nolint:gosec
 }
 // NextRandom returns a random number
From 168825a1b2bc55fd5ca9f462622688b0c7752b5d Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Thu, 12 Sep 2024 12:20:13 +0100
Subject: [PATCH 35/37] tackle lint issues and ignore gosec lint warning
---
 internal/console/pre_scan.go | 2 +-
 pkg/parser/buildah/comments.go | 2 +-
 pkg/parser/buildah/parser.go | 4 ++--
 pkg/remediation/remediation.go | 4 +++-
 pkg/scan/utils.go | 2 +-
 5 files changed, 8 insertions(+), 6 deletions(-)
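Review bot: `os.WriteFile(filePath, remediated, 0600)` is an improvement over `os.ModePerm`, but the permission argument only applies when the file is created; writeRemediation rewrites an existing IaC file in place, so its current mode is preserved and nothing is tightened on the normal path — worth a comment such as `// 0600 only applies if the file is created; an existing file keeps its mode`. The larger risk on this line is that `os.WriteFile` truncates and rewrites the user's file non-atomically: a crash or write error part-way leaves a truncated source file while the function logs and returns `lines` as if nothing had happened. Writing to a temporary file in the same directory (`os.CreateTemp(filepath.Dir(filePath), …)`), syncing it and then `os.Rename` over the original keeps the file intact on failure; the rest of writeRemediation is outside the hunk.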
diff --git a/internal/console/pre_scan.go b/internal/console/pre_scan.go
index 9fba76f7f52..db0a1b090f4 100644
--- a/internal/console/pre_scan.go
+++ b/internal/console/pre_scan.go
@@ -143,7 +143,7 @@ func (console *console) preScan() {
 versionMsg := fmt.Sprintf("\nScanning with %s\n\n", constants.GetVersion())
 fmt.Println(versionMsg)
- log.Info().Msgf(strings.ReplaceAll(versionMsg, "\n", ""))
+ log.Info().Msgf("%s", strings.ReplaceAll(versionMsg, "\n", ""))
 log.Info().Msgf("Operating system: %s", runtime.GOOS)
diff --git a/pkg/parser/buildah/comments.go b/pkg/parser/buildah/comments.go
index 30acc0c6ba4..ef296ce9ddc 100644
--- a/pkg/parser/buildah/comments.go
+++ b/pkg/parser/buildah/comments.go
@@ -42,7 +42,7 @@ func (i *Info) getIgnoreBlockLines(comments []syntax.Comment, start, end int) {
 kicsIgnore := getKicsIgnore(comment.Text)
 if model.CommentCommand(kicsIgnore) == model.IgnoreBlock {
- if int(comment.Hash.Line()) == start-1 {
+ if int(comment.Hash.Line()) == start-1 { //nolint:gosec
 i.IgnoreLines = append(i.IgnoreLines, model.Range(start, end)...)
 i.IgnoreBlockLines = append(i.IgnoreBlockLines, model.Range(start, end)...)
 }
diff --git a/pkg/parser/buildah/parser.go b/pkg/parser/buildah/parser.go
index 90ad02fd067..d5d08370493 100644
--- a/pkg/parser/buildah/parser.go
+++ b/pkg/parser/buildah/parser.go
@@ -134,8 +134,8 @@ func (i *Info) getStmtInfo(stmt *syntax.Stmt, args []*syntax.Word) Command {
 cmd := "buildah " + strings.TrimSpace(getWordValue(args[1]))
 fullCmd := strings.TrimSpace(getFullCommand(args))
 value := strings.TrimPrefix(fullCmd, cmd)
- start := int(args[0].Pos().Line())
- end := int(args[len(args)-1].End().Line())
+ start := int(args[0].Pos().Line()) //nolint:gosec
+ end := int(args[len(args)-1].End().Line()) //nolint:gosec
 command = Command{
 Cmd: cmd,
diff --git a/pkg/remediation/remediation.go b/pkg/remediation/remediation.go
index e8f33a6802e..8c2746ecb46 100644
--- a/pkg/remediation/remediation.go
+++ b/pkg/remediation/remediation.go
@@ -156,7 +156,9 @@ func addition(r *Remediation, lines *[]string) []string {
 func (s *Summary) writeRemediation(remediatedLines, lines []string, filePath, similarityID string) []string {
 remediated := []byte(strings.Join(remediatedLines, "\n"))
- if err := os.WriteFile(filePath, remediated, 0600); err != nil {
+ mode := os.FileMode(0600)
+
+ if err := os.WriteFile(filePath, remediated, mode); err != nil {
 log.Error().Msgf("failed to write file: %s", err)
 return lines
 }
diff --git a/pkg/scan/utils.go b/pkg/scan/utils.go
index 8d31f30585a..56daec54b09 100644
--- a/pkg/scan/utils.go
+++ b/pkg/scan/utils.go
@@ -226,7 +226,7 @@ func contributionAppeal(customPrint *consolePrinter.Printer, queriesPath []strin
 msg := "\nAre you using a custom query? If so, feel free to contribute to KICS!\n"
 contributionPage := "Check out how to do it: https://github.com/Checkmarx/kics/blob/master/docs/CONTRIBUTING.md\n"
- output := customPrint.ContributionMessage.Sprintf(msg + contributionPage)
+ output := customPrint.ContributionMessage.Sprintf("%s", msg+contributionPage)
 fmt.Println(output)
 }
 }
From 78644c6271776d077cb51c4f4731201b537d35a4 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Thu, 12 Sep 2024 12:30:51 +0100
Subject: [PATCH 36/37] replace magic number with constant for writefile perms
---
 pkg/remediation/remediation.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/remediation/remediation.go b/pkg/remediation/remediation.go
index 8c2746ecb46..2ab555c9fe8 100644
--- a/pkg/remediation/remediation.go
+++ b/pkg/remediation/remediation.go
@@ -153,10 +153,14 @@ func addition(r *Remediation, lines *[]string) []string {
 return remediation
 }
+const (
+ FilePermMode = 0600 // File permissions mode with read and write only
+)
+
 func (s *Summary) writeRemediation(remediatedLines, lines []string, filePath, similarityID string) []string {
 remediated := []byte(strings.Join(remediatedLines, "\n"))
- mode := os.FileMode(0600)
+ mode := os.FileMode(FilePermMode)
 if err := os.WriteFile(filePath, remediated, mode); err != nil {
 log.Error().Msgf("failed to write file: %s", err)
From 23de6dabad3bffae65ab2c078ec60bcacf41aa43 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Thu, 12 Sep 2024 17:51:57 +0100
Subject: [PATCH 37/37] dummypr for gh pipeline
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 45722c64675..f4c8d52664a 100644
--- a/README.md
+++ b/README.md
@@ -264,7 +264,7 @@ KICS is used by various companies and organizations, some are listed below. If y - [Keptn](https://github.com/keptn) / [Keptn Lifecycle Toolkit](https://keptn.sh) **Keeping Infrastructure as Code Secure!** - + --- © 2024 Checkmarx Ltd. All Rights Reserved.
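Review bot: `FilePermMode` is exported and so becomes package API, but its comment is not in doc-comment form (it should start with the name) and the constant is untyped, which is why the `os.FileMode(FilePermMode)` conversion below is needed; declare it typed and documented, `// FilePermMode is the mode used if a remediated file has to be created: owner read/write only.` followed by `const FilePermMode os.FileMode = 0o600`, and pass it straight to `os.WriteFile`. If nothing outside the package needs it, keep it unexported as `filePermMode`. The comment should also not promise that remediated files end up 0600: `os.WriteFile` applies the mode only when creating the file, and writeRemediation rewrites an existing file, which keeps its current permissions.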