From 00d55ee24f4741467db792d0eaf96103ee2ded0c Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Mon, 29 Jan 2024 17:30:11 +0000 Subject: [PATCH 01/44] add debian e2e --- .github/workflows/go-e2e-debian.yaml | 106 +++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 .github/workflows/go-e2e-debian.yaml diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml new file mode 100644 index 00000000000..6fa8a3751d7 --- /dev/null +++ b/.github/workflows/go-e2e-debian.yaml @@ -0,0 +1,106 @@ +name: go-e2e + +on: + pull_request: + branches: [master] + +jobs: + e2e-debian-tests: + name: e2e-debian-tests + strategy: + fail-fast: false + matrix: + go-version: [1.21.x] + os: [ubuntu-latest] + runs-on: ${{ matrix.os }} + steps: + - name: Cancel Previous Runs + uses: styfle/cancel-workflow-action@0.11.0 + with: + access_token: ${{ github.token }} + - name: Check out code + uses: actions/checkout@v3 + with: + persist-credentials: false + - name: Set up Go 1.20.x + uses: actions/setup-go@v4 + with: + go-version: ${{ matrix.go-version }} + - name: Print go env + run: go env + - name: Get Modules + run: go mod vendor + - name: Set up Node v14 + uses: actions/setup-node@v3 + with: + node-version: "14" + - name: Install mock server + run: npm ci + working-directory: .github/scripts/server-mock + - name: Start mock server + run: (npm run start&) + working-directory: .github/scripts/server-mock + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v2 + - name: Cache Docker layers + uses: actions/cache@v3 + with: + path: /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-${{ github.ref }} + restore-keys: | + ${{ runner.os }}-buildx-${{ github.ref }} + - name: Append Entrypoint in dockerfile + run: | + echo "ENTRYPOINT [\"/app/bin/kics\"]" >> docker/Dockerfile.debian + - name: Get short SHA + run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-8)" >> $GITHUB_ENV + - name: Build + id: docker_build + uses: docker/build-push-action@v4.0.0 + with: + load: true + context: ./ + file: ./docker/Dockerfile.debian + builder: ${{ steps.buildx.outputs.name }} + push: false + tags: kics:e2e-debian-tests-${{ github.sha }} + build-args: | + VERSION=development + COMMIT=${{ github.sha }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache + - name: Image digest + run: echo ${{ steps.docker_build.outputs.digest }} + - name: Display PWD / Files + run: | + pwd + ls + - name: Set Output Permissions + run: | + sudo chmod -R 777 ./e2e + - name: Run E2E Tests + env: + E2E_KICS_DOCKER: kics:e2e-debiantests-${{ github.sha }} + E2E_KICS_QUERIES_PATH: ${{ steps.getbin.outputs.queries }} + run: | + go test -tags dev "github.com/Checkmarx/kics/e2e" -timeout 1500s -json > results.json + - name: Generate E2E Report + if: always() + env: + E2E_KICS_DOCKERFILE: docker/Dockerfile.debian + run: | + CWD=$(pwd) + cd .github/scripts/report + go mod tidy + go build + ./e2e-report -test-path ${CWD} -test-name results.json -report-path ${CWD} -report-name e2e-report.html + - name: Get docker name + run: | + DOCKER_NAME=$(echo docker/Dockerfile.debian | sed 's/\//-/') + - name: Archive test report + if: always() + uses: actions/upload-artifact@v3 + with: + name: e2e-tests-report-$DOCKER_NAME + path: e2e-report.html From 6b3f3699f9cdb6edfa094c8cae3672af3d4b8a17 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Mon, 29 Jan 2024 17:40:23 +0000 Subject: [PATCH 02/44] fix typo --- .github/workflows/go-e2e-debian.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml index 6fa8a3751d7..a41f51e20b1 100644 --- a/.github/workflows/go-e2e-debian.yaml +++ b/.github/workflows/go-e2e-debian.yaml @@ -81,7 +81,7 @@ jobs: sudo chmod -R 777 ./e2e - name: Run E2E Tests env: - E2E_KICS_DOCKER: kics:e2e-debiantests-${{ github.sha }} + E2E_KICS_DOCKER: kics:e2e-debian+tests-${{ github.sha }} E2E_KICS_QUERIES_PATH: ${{ steps.getbin.outputs.queries }} run: | go test -tags dev "github.com/Checkmarx/kics/e2e" -timeout 1500s -json > results.json From 86035ebf24a7106b7464d530f6473a23a958594e Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Mon, 29 Jan 2024 17:45:59 +0000 Subject: [PATCH 03/44] fix typo --- .github/workflows/go-e2e-debian.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml index a41f51e20b1..d45adb34dc1 100644 --- a/.github/workflows/go-e2e-debian.yaml +++ b/.github/workflows/go-e2e-debian.yaml @@ -81,7 +81,7 @@ jobs: sudo chmod -R 777 ./e2e - name: Run E2E Tests env: - E2E_KICS_DOCKER: kics:e2e-debian+tests-${{ github.sha }} + E2E_KICS_DOCKER: kics:e2e-debian-tests-${{ github.sha }} E2E_KICS_QUERIES_PATH: ${{ steps.getbin.outputs.queries }} run: | go test -tags dev "github.com/Checkmarx/kics/e2e" -timeout 1500s -json > results.json From 96585551d50ec797d2369a8384c1fabc9b1e4d92 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Mon, 29 Jan 2024 17:48:37 +0000 Subject: [PATCH 04/44] dummy commit --- .github/workflows/go-e2e-debian.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml index d45adb34dc1..61ae3260c37 100644 --- a/.github/workflows/go-e2e-debian.yaml +++ b/.github/workflows/go-e2e-debian.yaml @@ -104,3 +104,4 @@ jobs: with: name: e2e-tests-report-$DOCKER_NAME path: e2e-report.html + # dummy From 3804a9f0b6694590c1ae7d1b06d3eccd6e3202c5 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 09:07:34 +0000 Subject: [PATCH 05/44] add sec action --- .github/workflows/sec-checks.yaml | 53 +++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/sec-checks.yaml diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml new file mode 100644 index 00000000000..a65e00a7d74 --- /dev/null +++ b/.github/workflows/sec-checks.yaml @@ -0,0 +1,53 @@ +name: build +on: + push: + branches: + - main + pull_request: +jobs: + trivy: + name: Build + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + grype: + runs-on: ubuntu-20.04 + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - name: Build + id: docker_build + uses: docker/build-push-action@v4.0.0 + with: + load: true + context: ./ + file: ./Dockerfile + builder: ${{ steps.buildx.outputs.name }} + push: false + tags: kics:test-${{ github.sha }} + build-args: | + VERSION=development + COMMIT=${{ github.sha }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache + - name: Scan image + uses: anchore/scan-action@v3 + with: + image: kics:test-${{ github.sha }} + fail-build: true + severity-cutoff: critical From dce4af3d5d889a0cc73c58ed563d48305b937d35 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 09:28:50 +0000 Subject: [PATCH 06/44] update sec action --- .github/workflows/sec-checks.yaml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index a65e00a7d74..a166f48317e 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -6,7 +6,7 @@ on: pull_request: jobs: trivy: - name: Build + name: Trivy Scan runs-on: ubuntu-20.04 steps: - name: Checkout code @@ -26,7 +26,12 @@ jobs: with: sarif_file: 'trivy-results.sarif' grype: + name: Grype Scan runs-on: ubuntu-20.04 + strategy: + fail-fast: false + matrix: + kics-docker: [ "Dockerfile"] steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 @@ -36,10 +41,10 @@ jobs: with: load: true context: ./ - file: ./Dockerfile + file: ./${{ matrix.kics-docker }} builder: ${{ steps.buildx.outputs.name }} push: false - tags: kics:test-${{ github.sha }} + tags: kics:sec-tests-${{ github.sha }} build-args: | VERSION=development COMMIT=${{ github.sha }} @@ -48,6 +53,6 @@ jobs: - name: Scan image uses: anchore/scan-action@v3 with: - image: kics:test-${{ github.sha }} + image: kics:sec-tests-${{ github.sha }} fail-build: true severity-cutoff: critical From 13232c3b627eb9243319496d46736fd60ca18edc Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 09:31:23 +0000 Subject: [PATCH 07/44] fix sec action --- .github/workflows/sec-checks.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index a166f48317e..a124375f61c 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -33,6 +33,10 @@ jobs: matrix: kics-docker: [ "Dockerfile"] steps: + - name: Check out code + uses: actions/checkout@v3 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Build From a0b0d3e68663a6fbe42a377981fc9c40bed0e75c Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 09:36:52 +0000 Subject: [PATCH 08/44] add action output --- .github/workflows/sec-checks.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index a124375f61c..cd84659a426 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -60,3 +60,9 @@ jobs: image: kics:sec-tests-${{ github.sha }} fail-build: true severity-cutoff: critical + - name: upload Anchore scan SARIF report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Inspect action SARIF report + run: cat ${{ steps.scan.outputs.sarif }} From 5b1113cbd21528d58b27b93a07ec349859d1bb19 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 09:49:18 +0000 Subject: [PATCH 09/44] fix sec checks --- .github/workflows/go-ci.yml | 2 +- .github/workflows/go-e2e-debian.yaml | 4 ++-- .github/workflows/go-e2e.yaml | 4 ++-- .github/workflows/sec-checks.yaml | 4 ++-- .github/workflows/validate-arm-samples.yaml | 4 ++-- .github/workflows/validate-openapi-samples.yaml | 4 ++-- docs/integrations_ghactions.md | 6 +++--- examples/github/kics-docker-runner-sarif.yaml | 2 +- 8 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index f155fc5207f..6244c8b521a 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -119,6 +119,6 @@ jobs: with: args: "-no-fail -fmt sarif -out results.sarif ./..." - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml index 61ae3260c37..761d99e938f 100644 --- a/.github/workflows/go-e2e-debian.yaml +++ b/.github/workflows/go-e2e-debian.yaml @@ -31,9 +31,9 @@ jobs: - name: Get Modules run: go mod vendor - name: Set up Node v14 - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: "14" + node-version: "20" - name: Install mock server run: npm ci working-directory: .github/scripts/server-mock diff --git a/.github/workflows/go-e2e.yaml b/.github/workflows/go-e2e.yaml index 0a29f9bfd03..aa5ff0aee45 100644 --- a/.github/workflows/go-e2e.yaml +++ b/.github/workflows/go-e2e.yaml @@ -32,9 +32,9 @@ jobs: - name: Get Modules run: go mod vendor - name: Set up Node v14 - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: "14" + node-version: "20" - name: Install mock server run: npm ci working-directory: .github/scripts/server-mock diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index cd84659a426..9fe3fa27a0a 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -22,7 +22,7 @@ jobs: severity: 'CRITICAL' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' grype: @@ -61,7 +61,7 @@ jobs: fail-build: true severity-cutoff: critical - name: upload Anchore scan SARIF report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Inspect action SARIF report diff --git a/.github/workflows/validate-arm-samples.yaml b/.github/workflows/validate-arm-samples.yaml index b9c3e0baae4..57ec7c4eee2 100644 --- a/.github/workflows/validate-arm-samples.yaml +++ b/.github/workflows/validate-arm-samples.yaml @@ -12,9 +12,9 @@ jobs: - uses: actions/checkout@v3 with: persist-credentials: false - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: "14" + node-version: "20" - name: Installing jsonlint run: | npm install -g jsonlint diff --git a/.github/workflows/validate-openapi-samples.yaml b/.github/workflows/validate-openapi-samples.yaml index e50a2a76b6b..e9647a523e9 100644 --- a/.github/workflows/validate-openapi-samples.yaml +++ b/.github/workflows/validate-openapi-samples.yaml @@ -25,9 +25,9 @@ jobs: - uses: actions/checkout@v3 with: persist-credentials: false - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: - node-version: '14' + node-version: '20' - name: Installing jsonlint run: | npm install -g jsonlint diff --git a/docs/integrations_ghactions.md b/docs/integrations_ghactions.md index f09829cb62c..201ced8a670 100644 --- a/docs/integrations_ghactions.md +++ b/docs/integrations_ghactions.md @@ -50,7 +50,7 @@ steps: path: 'terraform' output_path: results-dir - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results-dir/results.sarif ``` @@ -202,7 +202,7 @@ jobs: cat results-dir/results.sarif cat results-dir/results.json - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results-dir/results.sarif ``` @@ -253,7 +253,7 @@ jobs: path: 'terraform' config_path: ./kics.config - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results-dir/results.sarif ``` diff --git a/examples/github/kics-docker-runner-sarif.yaml b/examples/github/kics-docker-runner-sarif.yaml index ed9cf49dc7f..01137730332 100644 --- a/examples/github/kics-docker-runner-sarif.yaml +++ b/examples/github/kics-docker-runner-sarif.yaml @@ -37,6 +37,6 @@ jobs: cat results-dir/results.sarif cat results-dir/results.json - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results-dir/results.sarif From 6281e1f1e807557751ce8cbf304d2a96cf772a41 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 10:00:19 +0000 Subject: [PATCH 10/44] update actions used --- .github/workflows/alert-update-flags.yaml | 2 +- .../workflows/alert-update-terraform-modules.yaml | 2 +- .github/workflows/check-apache-license.yaml | 6 +++--- .github/workflows/check-go-coverage.yaml | 4 ++-- .github/workflows/go-ci-coverage.yaml | 4 ++-- .github/workflows/go-ci-metrics.yaml | 4 ++-- .github/workflows/go-e2e-debian.yaml | 6 +++--- .github/workflows/go-e2e.yaml | 6 +++--- .github/workflows/go-generate-antlr-parser.yaml | 6 +++--- .github/workflows/kics-gh-action.yaml | 2 +- .github/workflows/prepare-release.yaml | 2 +- .github/workflows/release-commits.yaml | 2 +- .../workflows/release-docker-github-actions.yaml | 10 +++++----- .github/workflows/release-extract-info.yaml | 2 +- .../release-kics-queries-repo-branch.yaml | 2 +- .github/workflows/sec-checks.yaml | 11 ++++++----- .github/workflows/statistics.yaml | 2 +- .github/workflows/update-docs-queries.yaml | 2 +- .github/workflows/update-docs-release.yaml | 2 +- .github/workflows/update-infra-version.yaml | 2 +- .github/workflows/update-install-script.yaml | 2 +- .github/workflows/validate-arm-samples.yaml | 2 +- .github/workflows/validate-issues.yaml | 14 +++++++------- .github/workflows/validate-openapi-samples.yaml | 4 ++-- .github/workflows/validate-prs.yaml | 12 ++++++------ .../github/run_block_injection/test/negative.yaml | 4 ++-- .../github/run_block_injection/test/positive1.yaml | 4 ++-- .../script_block_injection/test/negative1.yaml | 4 ++-- .../script_block_injection/test/negative2.yaml | 4 ++-- .../script_block_injection/test/negative3.yaml | 4 ++-- .../script_block_injection/test/negative4.yaml | 4 ++-- .../script_block_injection/test/negative5.yaml | 4 ++-- .../script_block_injection/test/negative6.yaml | 4 ++-- .../script_block_injection/test/negative7.yaml | 4 ++-- .../script_block_injection/test/positive1.yaml | 4 ++-- .../script_block_injection/test/positive2.yaml | 4 ++-- .../script_block_injection/test/positive3.yaml | 4 ++-- .../script_block_injection/test/positive4.yaml | 4 ++-- .../script_block_injection/test/positive5.yaml | 4 ++-- .../script_block_injection/test/positive6.yaml | 4 ++-- .../script_block_injection/test/positive7.yaml | 4 ++-- .../test/negative2.yaml | 6 +++--- .../passwords_and_secrets/test/negative39.yaml | 6 +++--- examples/github/kics-docker-runner-sarif.yaml | 2 +- test/fixtures/analyzer_test/github.yaml | 4 ++-- 45 files changed, 98 insertions(+), 97 deletions(-) diff --git a/.github/workflows/alert-update-flags.yaml b/.github/workflows/alert-update-flags.yaml index 8fc90ef4403..295bafe2b2e 100644 --- a/.github/workflows/alert-update-flags.yaml +++ b/.github/workflows/alert-update-flags.yaml @@ -14,7 +14,7 @@ jobs: steps: - name: Checkout project - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 2 - name: Execute diff and send email diff --git a/.github/workflows/alert-update-terraform-modules.yaml b/.github/workflows/alert-update-terraform-modules.yaml index 4c6bd1423b6..0747726e211 100644 --- a/.github/workflows/alert-update-terraform-modules.yaml +++ b/.github/workflows/alert-update-terraform-modules.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Execute diff and send email diff --git a/.github/workflows/check-apache-license.yaml b/.github/workflows/check-apache-license.yaml index 7cbe6c99dee..5b35f5bd4d3 100644 --- a/.github/workflows/check-apache-license.yaml +++ b/.github/workflows/check-apache-license.yaml @@ -2,7 +2,7 @@ name: check-apache-license on: pull_request_target: types: [opened, synchronize, edited, reopened] - branches: + branches: - master jobs: check-license: @@ -12,7 +12,7 @@ jobs: USERNAME: ${{ github.event.pull_request.user.login }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false sparse-checkout: | @@ -51,4 +51,4 @@ jobs: GITHUB_TOKEN: ${{ secrets.KICS_BOT_PAT }} - name: Workflow failed if: env.CHECK_FAILED == 'true' - run: exit 1 \ No newline at end of file + run: exit 1 diff --git a/.github/workflows/check-go-coverage.yaml b/.github/workflows/check-go-coverage.yaml index 03a31cec0f5..38a48c65088 100644 --- a/.github/workflows/check-go-coverage.yaml +++ b/.github/workflows/check-go-coverage.yaml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Go 1.20.x @@ -26,4 +26,4 @@ jobs: if: env.coverage < 80 run: | echo "Go coverage is lower than 80%: ${{ env.coverage }}%" - exit 1 \ No newline at end of file + exit 1 diff --git a/.github/workflows/go-ci-coverage.yaml b/.github/workflows/go-ci-coverage.yaml index a2741bbfdbe..bbfdb91fa90 100644 --- a/.github/workflows/go-ci-coverage.yaml +++ b/.github/workflows/go-ci-coverage.yaml @@ -14,7 +14,7 @@ jobs: color: ${{ steps.testcov.outputs.color }} steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Go 1.20.x @@ -47,7 +47,7 @@ jobs: needs: coverage steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: gh-pages - name: Configure git commit author diff --git a/.github/workflows/go-ci-metrics.yaml b/.github/workflows/go-ci-metrics.yaml index 4ed671b3d57..aa7031040e3 100644 --- a/.github/workflows/go-ci-metrics.yaml +++ b/.github/workflows/go-ci-metrics.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: "3.x" @@ -36,7 +36,7 @@ jobs: needs: metrics steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: gh-pages - name: Configure git commit author diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml index 761d99e938f..341b517b318 100644 --- a/.github/workflows/go-e2e-debian.yaml +++ b/.github/workflows/go-e2e-debian.yaml @@ -19,7 +19,7 @@ jobs: with: access_token: ${{ github.token }} - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false - name: Set up Go 1.20.x @@ -42,7 +42,7 @@ jobs: working-directory: .github/scripts/server-mock - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Cache Docker layers uses: actions/cache@v3 with: @@ -57,7 +57,7 @@ jobs: run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-8)" >> $GITHUB_ENV - name: Build id: docker_build - uses: docker/build-push-action@v4.0.0 + uses: docker/build-push-action@v5.0.0 with: load: true context: ./ diff --git a/.github/workflows/go-e2e.yaml b/.github/workflows/go-e2e.yaml index aa5ff0aee45..1f9887ede3d 100644 --- a/.github/workflows/go-e2e.yaml +++ b/.github/workflows/go-e2e.yaml @@ -20,7 +20,7 @@ jobs: with: access_token: ${{ github.token }} - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false - name: Set up Go 1.20.x @@ -43,7 +43,7 @@ jobs: working-directory: .github/scripts/server-mock - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Cache Docker layers uses: actions/cache@v3 with: @@ -55,7 +55,7 @@ jobs: run: echo "GITHUB_SHA_SHORT=$(echo $GITHUB_SHA | cut -c 1-8)" >> $GITHUB_ENV - name: Build id: docker_build - uses: docker/build-push-action@v4.0.0 + uses: docker/build-push-action@v5.0.0 with: load: true context: ./ diff --git a/.github/workflows/go-generate-antlr-parser.yaml b/.github/workflows/go-generate-antlr-parser.yaml index d7db463efe0..b83a1ccc32b 100644 --- a/.github/workflows/go-generate-antlr-parser.yaml +++ b/.github/workflows/go-generate-antlr-parser.yaml @@ -12,11 +12,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Build ANTLR image - uses: docker/build-push-action@v4.0.0 + uses: docker/build-push-action@v5.0.0 id: build_antlr_image with: context: . diff --git a/.github/workflows/kics-gh-action.yaml b/.github/workflows/kics-gh-action.yaml index 327701264af..718f876c942 100644 --- a/.github/workflows/kics-gh-action.yaml +++ b/.github/workflows/kics-gh-action.yaml @@ -9,7 +9,7 @@ jobs: kics-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Run KICS Scan uses: checkmarx/kics-github-action@v1.7.0 with: diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index 1f964e75629..7d9a20b9c47 100644 --- a/.github/workflows/prepare-release.yaml +++ b/.github/workflows/prepare-release.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout project - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Get current date diff --git a/.github/workflows/release-commits.yaml b/.github/workflows/release-commits.yaml index f97905777fb..e9bab496188 100644 --- a/.github/workflows/release-commits.yaml +++ b/.github/workflows/release-commits.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Go 1.20.x uses: actions/setup-go@v4 with: diff --git a/.github/workflows/release-docker-github-actions.yaml b/.github/workflows/release-docker-github-actions.yaml index dcfecc282fa..bd05723a01f 100644 --- a/.github/workflows/release-docker-github-actions.yaml +++ b/.github/workflows/release-docker-github-actions.yaml @@ -13,11 +13,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Check out the tag - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.inputs.version }} - name: Set up QEMU @@ -26,14 +26,14 @@ jobs: image: tonistiigi/binfmt:latest platforms: linux/amd64,linux/arm64 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v2.1.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Push Github Action Image to Docker Hub - uses: docker/build-push-action@v4.0.0 + uses: docker/build-push-action@v5.0.0 id: build_gh_action with: context: . @@ -46,7 +46,7 @@ jobs: SENTRY_DSN=${{ secrets.SENTRY_DSN }} DESCRIPTIONS_URL=${{ secrets.DESCRIPTIONS_URL }} - name: Check out the repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Export Image Digests diff --git a/.github/workflows/release-extract-info.yaml b/.github/workflows/release-extract-info.yaml index 3452ba0bfb7..92c1c7e770b 100644 --- a/.github/workflows/release-extract-info.yaml +++ b/.github/workflows/release-extract-info.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: "3.x" diff --git a/.github/workflows/release-kics-queries-repo-branch.yaml b/.github/workflows/release-kics-queries-repo-branch.yaml index 56fae4ca90c..37da0145971 100644 --- a/.github/workflows/release-kics-queries-repo-branch.yaml +++ b/.github/workflows/release-kics-queries-repo-branch.yaml @@ -10,7 +10,7 @@ jobs: REPO_NAME: "kics-queries-repo" steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Set up Git credentials run: | diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 9fe3fa27a0a..d361368d647 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@master @@ -19,7 +19,8 @@ jobs: ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL' + severity: 'MEDIUM,HIGH,CRITICAL' + exit-code: '1' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 @@ -34,14 +35,14 @@ jobs: kics-docker: [ "Dockerfile"] steps: - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Build id: docker_build - uses: docker/build-push-action@v4.0.0 + uses: docker/build-push-action@v5.0.0 with: load: true context: ./ diff --git a/.github/workflows/statistics.yaml b/.github/workflows/statistics.yaml index 422532a177d..579d2952637 100644 --- a/.github/workflows/statistics.yaml +++ b/.github/workflows/statistics.yaml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Go 1.20.x uses: actions/setup-go@v4 with: diff --git a/.github/workflows/update-docs-queries.yaml b/.github/workflows/update-docs-queries.yaml index 1a5bd7955e4..493ea08345a 100644 --- a/.github/workflows/update-docs-queries.yaml +++ b/.github/workflows/update-docs-queries.yaml @@ -16,7 +16,7 @@ jobs: uses: styfle/cancel-workflow-action@0.11.0 with: access_token: ${{ github.token }} - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - uses: actions/setup-python@v4 diff --git a/.github/workflows/update-docs-release.yaml b/.github/workflows/update-docs-release.yaml index ca868237a28..6e4233e7e00 100644 --- a/.github/workflows/update-docs-release.yaml +++ b/.github/workflows/update-docs-release.yaml @@ -16,7 +16,7 @@ jobs: with: access_token: ${{ github.token }} - name: Checkout project - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Get release version diff --git a/.github/workflows/update-infra-version.yaml b/.github/workflows/update-infra-version.yaml index 68f446666c4..19037ac9407 100644 --- a/.github/workflows/update-infra-version.yaml +++ b/.github/workflows/update-infra-version.yaml @@ -12,7 +12,7 @@ jobs: if: "!github.event.release.prerelease" steps: - name: Checkout project - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Update Terraform Cloud Integration diff --git a/.github/workflows/update-install-script.yaml b/.github/workflows/update-install-script.yaml index d8532171d72..472ca9ab9d7 100644 --- a/.github/workflows/update-install-script.yaml +++ b/.github/workflows/update-install-script.yaml @@ -13,7 +13,7 @@ jobs: with: access_token: ${{ github.token }} - name: Checkout project - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Get Godownloader diff --git a/.github/workflows/validate-arm-samples.yaml b/.github/workflows/validate-arm-samples.yaml index 57ec7c4eee2..ca579eb48cc 100644 --- a/.github/workflows/validate-arm-samples.yaml +++ b/.github/workflows/validate-arm-samples.yaml @@ -9,7 +9,7 @@ jobs: lint-json-samples: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: persist-credentials: false - uses: actions/setup-node@v4 diff --git a/.github/workflows/validate-issues.yaml b/.github/workflows/validate-issues.yaml index 26aac0ff695..944eeb53bce 100644 --- a/.github/workflows/validate-issues.yaml +++ b/.github/workflows/validate-issues.yaml @@ -10,20 +10,20 @@ jobs: TITLE: ${{ github.event.issue.title }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false sparse-checkout: | .github/scripts/pr-issue-info/issue-fail.md .github/scripts/pr-issue-info/get_title_types.py .github/issue-title-types.yaml - - name: Set up Python + - name: Set up Python uses: actions/setup-python@v4 with: python-version: "3.x" - name: Install dependencies run: python3 -m pip install --upgrade pip pyyaml - - name: Check issue title + - name: Check issue title env: FILE_PATH: .github/issue-title-types.yaml run: | @@ -69,7 +69,7 @@ jobs: TITLE: ${{ github.event.issue.title }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false sparse-checkout: | @@ -120,7 +120,7 @@ jobs: if echo "$TITLE $BODY" | grep -iqP "(\\b|_)bugs?(\\b|_)" || echo "$BODY" | grep -iqP "steps to reproduce" || echo "$BODY" | grep -iqP "actual behavior" || echo "$BODY" | grep -iqP "expected behavior"; then echo "Adding 'bug' label..." curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["bug"]}' - else + else if echo "$LABELS" | grep -q "bug"; then echo "Removing 'bug' label..." curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/bug @@ -131,13 +131,13 @@ jobs: if echo "$TITLE $BODY" | grep -iqP "(\\b|_)quer(y|ies)(\\b|_)" || echo "$BODY" | grep -iqP "### Platform" || echo "$BODY" | grep -iqP "### Provider"; then echo "Adding 'query' label... " curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels -d '{"labels": ["query"]}' - else + else if echo "$LABELS" | grep -q "query"; then echo "Removing 'query' label..." curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.issue.number }}/labels/query fi fi - - name: Set up Python + - name: Set up Python uses: actions/setup-python@v4 with: python-version: "3.x" diff --git a/.github/workflows/validate-openapi-samples.yaml b/.github/workflows/validate-openapi-samples.yaml index e9647a523e9..9abc2d66d50 100644 --- a/.github/workflows/validate-openapi-samples.yaml +++ b/.github/workflows/validate-openapi-samples.yaml @@ -10,7 +10,7 @@ jobs: lint-yaml-samples: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: persist-credentials: false - name: yaml-lint @@ -22,7 +22,7 @@ jobs: lint-json-samples: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: persist-credentials: false - uses: actions/setup-node@v4 diff --git a/.github/workflows/validate-prs.yaml b/.github/workflows/validate-prs.yaml index 58b47421707..a3c198f2836 100644 --- a/.github/workflows/validate-prs.yaml +++ b/.github/workflows/validate-prs.yaml @@ -2,7 +2,7 @@ name: validate-prs on: pull_request_target: types: [opened, synchronize, edited, reopened] - branches: + branches: - master jobs: title-check: @@ -12,7 +12,7 @@ jobs: TITLE: ${{ github.event.pull_request.title }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false sparse-checkout: | @@ -21,7 +21,7 @@ jobs: .github/scripts/pr-issue-info/title-fail.md - name: Print PR Title run: echo "$TITLE" - - name: Set up Python + - name: Set up Python uses: actions/setup-python@v4 with: python-version: "3.x" @@ -73,7 +73,7 @@ jobs: TITLE: ${{ github.event.pull_request.title }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false sparse-checkout: | @@ -122,7 +122,7 @@ jobs: - name: Add documentation label run: | if [[ "$TITLE" == docs* ]]; then - echo "Adding 'documentation' label..." + echo "Adding 'documentation' label..." curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X POST -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels -d '{"labels": ["documentation"]}' else if echo "$LABELS" | grep -q "documentation"; then @@ -152,7 +152,7 @@ jobs: curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -X DELETE -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/query fi fi - - name: Set up Python + - name: Set up Python uses: actions/setup-python@v4 with: python-version: "3.x" diff --git a/assets/queries/cicd/github/run_block_injection/test/negative.yaml b/assets/queries/cicd/github/run_block_injection/test/negative.yaml index 5f9d4a2dfd5..f2008737977 100644 --- a/assets/queries/cicd/github/run_block_injection/test/negative.yaml +++ b/assets/queries/cicd/github/run_block_injection/test/negative.yaml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up Go 1.20.x @@ -26,4 +26,4 @@ jobs: if: env.coverage < 80 run: | echo "Go coverage is lower than 80%: ${{ env.coverage }}%" - exit 1 \ No newline at end of file + exit 1 diff --git a/assets/queries/cicd/github/run_block_injection/test/positive1.yaml b/assets/queries/cicd/github/run_block_injection/test/positive1.yaml index 6ee6d54c544..4570aa3cbc8 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive1.yaml +++ b/assets/queries/cicd/github/run_block_injection/test/positive1.yaml @@ -21,7 +21,7 @@ jobs: fi; shell: bash - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} - name: Crawl pages and generate Markdown files @@ -36,4 +36,4 @@ jobs: commit_message: '${{ github.event.issue.title }}' file_pattern: chinese/articles/*.md commit_user_name: PageToMarkdown Bot - commit_user_email: PageToMarkdown-bot@freeCodeCamp.org \ No newline at end of file + commit_user_email: PageToMarkdown-bot@freeCodeCamp.org diff --git a/assets/queries/cicd/github/script_block_injection/test/negative1.yaml b/assets/queries/cicd/github/script_block_injection/test/negative1.yaml index ce78396074b..a5cd1c419c6 100644 --- a/assets/queries/cicd/github/script_block_injection/test/negative1.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/negative1.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -22,4 +22,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/negative2.yaml b/assets/queries/cicd/github/script_block_injection/test/negative2.yaml index 3e54df1aa88..6511b16547d 100644 --- a/assets/queries/cicd/github/script_block_injection/test/negative2.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/negative2.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -22,4 +22,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/negative3.yaml b/assets/queries/cicd/github/script_block_injection/test/negative3.yaml index 7b96d141772..646e37b5da8 100644 --- a/assets/queries/cicd/github/script_block_injection/test/negative3.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/negative3.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -22,4 +22,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/negative4.yaml b/assets/queries/cicd/github/script_block_injection/test/negative4.yaml index 2462010831e..72dd432fa16 100644 --- a/assets/queries/cicd/github/script_block_injection/test/negative4.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/negative4.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -22,4 +22,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/negative5.yaml b/assets/queries/cicd/github/script_block_injection/test/negative5.yaml index 62bfdf19ce1..4b2336afade 100644 --- a/assets/queries/cicd/github/script_block_injection/test/negative5.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/negative5.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -22,4 +22,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/negative6.yaml b/assets/queries/cicd/github/script_block_injection/test/negative6.yaml index 140066046da..41e7fbacf86 100644 --- a/assets/queries/cicd/github/script_block_injection/test/negative6.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/negative6.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -22,4 +22,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/negative7.yaml b/assets/queries/cicd/github/script_block_injection/test/negative7.yaml index 697454dad60..0d4a7743040 100644 --- a/assets/queries/cicd/github/script_block_injection/test/negative7.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/negative7.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -22,4 +22,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/positive1.yaml b/assets/queries/cicd/github/script_block_injection/test/positive1.yaml index 16e13af74c5..c0228e654e1 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive1.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive1.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -25,4 +25,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/positive2.yaml b/assets/queries/cicd/github/script_block_injection/test/positive2.yaml index 7e983291659..8de9a095b8a 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive2.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive2.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -25,4 +25,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/positive3.yaml b/assets/queries/cicd/github/script_block_injection/test/positive3.yaml index 8ca2da2066f..3faa8b64f2d 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive3.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive3.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -25,4 +25,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/positive4.yaml b/assets/queries/cicd/github/script_block_injection/test/positive4.yaml index 2436c3b6b56..19ea13093bb 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive4.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive4.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -25,4 +25,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/positive5.yaml b/assets/queries/cicd/github/script_block_injection/test/positive5.yaml index b1aef74842a..caca0b0593e 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive5.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive5.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -25,4 +25,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/positive6.yaml b/assets/queries/cicd/github/script_block_injection/test/positive6.yaml index f48f86268fb..ff012681b2e 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive6.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive6.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -25,4 +25,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/script_block_injection/test/positive7.yaml b/assets/queries/cicd/github/script_block_injection/test/positive7.yaml index 0085761558e..a875e0e871a 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive7.yaml +++ b/assets/queries/cicd/github/script_block_injection/test/positive7.yaml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run script uses: actions/github-script@latest @@ -25,4 +25,4 @@ jobs: body: 'Thanks for reporting!' }) - return true; \ No newline at end of file + return true; diff --git a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/negative2.yaml b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/negative2.yaml index 708984ed717..f684dc86ebd 100644 --- a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/negative2.yaml +++ b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/negative2.yaml @@ -2,13 +2,13 @@ name: test-positive on: pull_request: types: [opened, synchronize, edited, reopened] - branches: + branches: - master jobs: test-positive: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: - persist-credentials: false \ No newline at end of file + persist-credentials: false diff --git a/assets/queries/common/passwords_and_secrets/test/negative39.yaml b/assets/queries/common/passwords_and_secrets/test/negative39.yaml index c4297b9de8a..c51ed1df46d 100644 --- a/assets/queries/common/passwords_and_secrets/test/negative39.yaml +++ b/assets/queries/common/passwords_and_secrets/test/negative39.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 --- @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 --- @@ -48,4 +48,4 @@ jobs: runs-on: ubuntu steps: - - uses: actions/checkout@v3 \ No newline at end of file + - uses: actions/checkout@v4 diff --git a/examples/github/kics-docker-runner-sarif.yaml b/examples/github/kics-docker-runner-sarif.yaml index 01137730332..4fce9719184 100644 --- a/examples/github/kics-docker-runner-sarif.yaml +++ b/examples/github/kics-docker-runner-sarif.yaml @@ -10,7 +10,7 @@ jobs: name: kics-github-action steps: - name: Checkout repo - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Mkdir results-dir # make sure results dir is created run: mkdir -p results-dir diff --git a/test/fixtures/analyzer_test/github.yaml b/test/fixtures/analyzer_test/github.yaml index 4d563be1d53..b0b65a272d5 100644 --- a/test/fixtures/analyzer_test/github.yaml +++ b/test/fixtures/analyzer_test/github.yaml @@ -2,7 +2,7 @@ name: check-apache-license on: pull_request_target: types: [opened, synchronize, edited, reopened] - branches: + branches: - master jobs: check-license: @@ -11,7 +11,7 @@ jobs: BODY: ${{ github.event.pull_request.body }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false sparse-checkout: | From 455006bb1b9cf67e1340f0818d0780d0caf28ffa Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 10:19:51 +0000 Subject: [PATCH 11/44] fix action --- .github/workflows/sec-checks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index d361368d647..80ee2ec7c6f 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -24,6 +24,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 + if: always() with: sarif_file: 'trivy-results.sarif' grype: From c1a691d33da7f94f88a4e18379993e8e1927a553 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 11:10:38 +0000 Subject: [PATCH 12/44] fix trivy output --- .github/workflows/sec-checks.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 80ee2ec7c6f..4a2b09bd575 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -17,16 +17,10 @@ jobs: with: scan-type: 'fs' ignore-unfixed: true - format: 'sarif' + format: 'table' output: 'trivy-results.sarif' severity: 'MEDIUM,HIGH,CRITICAL' exit-code: '1' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' grype: name: Grype Scan runs-on: ubuntu-20.04 From 2cf365a0340b7bbbf983bf4ce56270a2e893b5d8 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 11:28:25 +0000 Subject: [PATCH 13/44] fix trivy output --- .github/workflows/sec-checks.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 4a2b09bd575..6ab061dd852 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -17,10 +17,14 @@ jobs: with: scan-type: 'fs' ignore-unfixed: true - format: 'table' - output: 'trivy-results.sarif' - severity: 'MEDIUM,HIGH,CRITICAL' + format: 'json' + output: './trivy-results.json' + severity: 'CRITICAL.HIGH,MEDIUM' exit-code: '1' + + - name: Inspect action SARIF report + shell: bash + run: cat ./trivy-results.json grype: name: Grype Scan runs-on: ubuntu-20.04 From b4c780ee5c90c5c6cebb01ca4bdc9665fd013946 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 11:38:17 +0000 Subject: [PATCH 14/44] fix trivy output --- .github/workflows/sec-checks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 6ab061dd852..a6d9a4d37a5 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -19,7 +19,7 @@ jobs: ignore-unfixed: true format: 'json' output: './trivy-results.json' - severity: 'CRITICAL.HIGH,MEDIUM' + severity: 'CRITICAL,HIGH,MEDIUM' exit-code: '1' - name: Inspect action SARIF report From 729b0fb3b2e98cdafe607191c8e39fcb972aacd3 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 11:40:17 +0000 Subject: [PATCH 15/44] fix trivy output --- .github/workflows/sec-checks.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index a6d9a4d37a5..76499a5f4c0 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -22,7 +22,8 @@ jobs: severity: 'CRITICAL,HIGH,MEDIUM' exit-code: '1' - - name: Inspect action SARIF report + - name: Inspect action report + if: always() shell: bash run: cat ./trivy-results.json grype: From b9f91b25c558571f3976e1d2af88f3ab66efdbdd Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 12:09:01 +0000 Subject: [PATCH 16/44] fix trivy vulns --- .github/scripts/report/go.mod | 14 ++++++++++++-- go.mod | 16 +++++++++------- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/.github/scripts/report/go.mod b/.github/scripts/report/go.mod index 2da931cf663..3dd36b7f876 100644 --- a/.github/scripts/report/go.mod +++ b/.github/scripts/report/go.mod @@ -1,5 +1,15 @@ module github.com/Checkmarx/e2e-report -go 1.16 +go 1.21 -require github.com/tdewolff/minify/v2 v2.9.21 +require ( + github.com/rs/zerolog v1.31.0 + github.com/tdewolff/minify/v2 v2.9.21 +) + +require ( + github.com/mattn/go-colorable v0.1.13 // indirect + github.com/mattn/go-isatty v0.0.19 // indirect + github.com/tdewolff/parse/v2 v2.5.19 // indirect + golang.org/x/sys v0.12.0 // indirect +) diff --git a/go.mod b/go.mod index eb8d30a4fb8..7ccb46be147 100644 --- a/go.mod +++ b/go.mod @@ -41,7 +41,7 @@ require ( github.com/yargevad/filepathx v1.0.0 github.com/zclconf/go-cty v1.13.1 golang.org/x/net v0.17.0 - golang.org/x/text v0.13.0 + golang.org/x/text v0.14.0 golang.org/x/tools v0.8.0 gopkg.in/yaml.v3 v3.0.1 helm.sh/helm/v3 v3.13.1 @@ -50,7 +50,8 @@ require ( require ( cloud.google.com/go/compute/metadata v0.2.3 // indirect - github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/Microsoft/hcsshim v0.11.1 // indirect + github.com/containerd/log v0.1.0 // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -139,7 +140,6 @@ require ( github.com/json-iterator/go v1.1.12 // indirect github.com/jung-kurt/gofpdf v1.16.2 // indirect github.com/klauspost/compress v1.16.0 // indirect - github.com/kylelemons/godebug v1.1.0 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect @@ -198,8 +198,8 @@ require ( golang.org/x/crypto v0.14.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.13.0 // indirect - golang.org/x/term v0.13.0 // indirect + golang.org/x/sys v0.15.0 // indirect + golang.org/x/term v0.15.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/api v0.126.0 // indirect @@ -231,11 +231,13 @@ require ( ) replace ( - github.com/containerd/containerd => github.com/containerd/containerd v1.6.18 + github.com/containerd/containerd => github.com/containerd/containerd v1.6.26 github.com/docker/cli => github.com/docker/cli v20.10.12+incompatible + github.com/docker/docker => github.com/docker/docker v24.0.7+incompatible github.com/gin-gonic/gin => github.com/gin-gonic/gin v1.9.1 - github.com/moby/buildkit => github.com/moby/buildkit v0.10.4 + github.com/moby/buildkit => github.com/moby/buildkit v0.11.4 github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2 github.com/spf13/afero => github.com/spf13/afero v1.2.2 go.etcd.io/etcd/pkg/v3 => go.etcd.io/etcd/pkg/v3 v3.5.10 + golang.org/x/crypto => golang.org/x/crypto v0.17.0 // indirect ) From cab3e4000fc7a46984ce0812d3717e69f27e5159 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 12:18:27 +0000 Subject: [PATCH 17/44] bump go version --- .github/scripts/report/go.sum | 15 +++ .github/workflows/check-go-coverage.yaml | 4 +- .github/workflows/go-ci-coverage.yaml | 4 +- .github/workflows/go-ci.yml | 12 +- .github/workflows/go-e2e-debian.yaml | 2 +- .github/workflows/go-e2e.yaml | 4 +- .github/workflows/release-commits.yaml | 4 +- .github/workflows/statistics.yaml | 4 +- .../run_block_injection/test/negative.yaml | 4 +- go.mod | 2 +- go.sum | 124 +++++++++++++----- 11 files changed, 127 insertions(+), 52 deletions(-) diff --git a/.github/scripts/report/go.sum b/.github/scripts/report/go.sum index c54b0a490ca..e83fb29040d 100644 --- a/.github/scripts/report/go.sum +++ b/.github/scripts/report/go.sum @@ -1,7 +1,18 @@ github.com/cheekybits/is v0.0.0-20150225183255-68e9c0620927/go.mod h1:h/aW8ynjgkuj+NQRlZcDbAbM1ORAbXjXX77sX7T289U= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/matryer/try v0.0.0-20161228173917-9ac251b645a2/go.mod h1:0KeJpeMD6o+O4hW7qJOT7vyQPKrWmj26uf5wMc/IiIs= +github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= +github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA= +github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= +github.com/rs/zerolog v1.31.0 h1:FcTR3NnLWW+NnTwwhFWiJSZr4ECLpqCm6QsEnyvbV4A= +github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/tdewolff/minify/v2 v2.9.21 h1:nO4s1PEMy7aRjlIlbr3Jgr+bJby8QYuifa2Vs2f9lh4= github.com/tdewolff/minify/v2 v2.9.21/go.mod h1:PoDBts2L7sCwUT28vTAlozGeD6qxjrrihtin4bR/RMM= @@ -11,3 +22,7 @@ github.com/tdewolff/test v1.0.6 h1:76mzYJQ83Op284kMT+63iCNCI7NEERsIN8dLM+RiKr4= github.com/tdewolff/test v1.0.6/go.mod h1:6DAvZliBAAnD7rhVgwaM7DE5/d9NMOAJ09SqYqeK4QE= golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/.github/workflows/check-go-coverage.yaml b/.github/workflows/check-go-coverage.yaml index 38a48c65088..03e0f0c0d40 100644 --- a/.github/workflows/check-go-coverage.yaml +++ b/.github/workflows/check-go-coverage.yaml @@ -13,10 +13,10 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x - name: Run test metrics script id: testcov run: | diff --git a/.github/workflows/go-ci-coverage.yaml b/.github/workflows/go-ci-coverage.yaml index bbfdb91fa90..5bc8f1e1874 100644 --- a/.github/workflows/go-ci-coverage.yaml +++ b/.github/workflows/go-ci-coverage.yaml @@ -17,10 +17,10 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x - name: Run test metrics script id: testcov run: | diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 6244c8b521a..cad06ef4821 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -10,10 +10,10 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x cache: false - name: golangci-lint uses: golangci/golangci-lint-action@v3.5.0 @@ -24,10 +24,10 @@ jobs: name: go-generate runs-on: ubuntu-latest steps: - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x - name: Check out code uses: actions/checkout@v3 with: @@ -39,11 +39,11 @@ jobs: name: unit-tests strategy: matrix: - go-version: [1.20.x] + go-version: [1.21.x] os: [ubuntu-latest, windows-latest, macos-latest] runs-on: ${{ matrix.os }} steps: - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: go-version: ${{ matrix.go-version }} diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml index 341b517b318..8e6597d3a0b 100644 --- a/.github/workflows/go-e2e-debian.yaml +++ b/.github/workflows/go-e2e-debian.yaml @@ -22,7 +22,7 @@ jobs: uses: actions/checkout@v4 with: persist-credentials: false - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: go-version: ${{ matrix.go-version }} diff --git a/.github/workflows/go-e2e.yaml b/.github/workflows/go-e2e.yaml index 1f9887ede3d..24291b12a6c 100644 --- a/.github/workflows/go-e2e.yaml +++ b/.github/workflows/go-e2e.yaml @@ -10,7 +10,7 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.20.x] + go-version: [1.21.x] os: [ubuntu-latest] kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8"] runs-on: ${{ matrix.os }} @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@v4 with: persist-credentials: false - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: go-version: ${{ matrix.go-version }} diff --git a/.github/workflows/release-commits.yaml b/.github/workflows/release-commits.yaml index e9bab496188..e13736c309d 100644 --- a/.github/workflows/release-commits.yaml +++ b/.github/workflows/release-commits.yaml @@ -12,10 +12,10 @@ jobs: steps: - name: Checkout Source uses: actions/checkout@v4 - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x - uses: actions/setup-python@v4 with: python-version: "3.x" diff --git a/.github/workflows/statistics.yaml b/.github/workflows/statistics.yaml index 579d2952637..910effff483 100644 --- a/.github/workflows/statistics.yaml +++ b/.github/workflows/statistics.yaml @@ -11,10 +11,10 @@ jobs: steps: - name: Checkout Source uses: actions/checkout@v4 - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x - name: Run test metrics script id: testcoverage run: | diff --git a/assets/queries/cicd/github/run_block_injection/test/negative.yaml b/assets/queries/cicd/github/run_block_injection/test/negative.yaml index f2008737977..5547483494f 100644 --- a/assets/queries/cicd/github/run_block_injection/test/negative.yaml +++ b/assets/queries/cicd/github/run_block_injection/test/negative.yaml @@ -13,10 +13,10 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Set up Go 1.20.x + - name: Set up Go 1.21.x uses: actions/setup-go@v4 with: - go-version: 1.20.x + go-version: 1.21.x - name: Run test metrics script id: testcov run: | diff --git a/go.mod b/go.mod index 7ccb46be147..a1aa442f54e 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/Checkmarx/kics -go 1.20 +go 1.21 require ( code.cloudfoundry.org/bytefmt v0.0.0-20211005130812-5bb3c17173e5 diff --git a/go.sum b/go.sum index 0f39d62cf9e..512480d50da 100644 --- a/go.sum +++ b/go.sum @@ -194,6 +194,7 @@ github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60= +github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= @@ -208,10 +209,12 @@ github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA4 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/Microsoft/hcsshim v0.11.1 h1:hJ3s7GbWlGK4YVV92sO88BQSyF4ZLVy7/awqOlPxFbA= +github.com/Microsoft/hcsshim v0.11.1/go.mod h1:nFJmaO4Zr5Y7eADdFOpYswDDlNVbvcIJJNJLECr5JQg= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= +github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow= github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= @@ -232,6 +235,7 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkE github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef h1:46PFijGLmAjMPwCCCo7Jf0W6f9slllCkkv7vyc1yOSg= github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= @@ -249,11 +253,17 @@ github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs= github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= +github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng= +github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ= +github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o= +github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= @@ -279,42 +289,51 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA= -github.com/containerd/containerd v1.6.18 h1:qZbsLvmyu+Vlty0/Ex5xc0z2YtKpIsb5n45mAMI+2Ns= -github.com/containerd/containerd v1.6.18/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw= +github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= +github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= +github.com/containerd/containerd v1.6.26 h1:VVfrE6ZpyisvB1fzoY8Vkiq4sy+i5oF4uk7zu03RaHs= +github.com/containerd/containerd v1.6.26/go.mod h1:I4TRdsdoo5MlKob5khDJS2EPT1l1oMNaE2MBm6FrwxM= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY= github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= +github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= +github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc= +github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/djherbis/atime v1.1.0/go.mod h1:28OF6Y8s3NQWwacXc5eZTsEsiMzp7LF8MbXE+XJPdBE= github.com/docker/cli v20.10.12+incompatible h1:lZlz0uzG+GH+c0plStMUdF/qk3ppmgnswpR5EbqzVGA= github.com/docker/cli v20.10.12+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE= -github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM= +github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 h1:ZClxb8laGDf5arXfYcAtECDFgAgHklGI8CxgjHnXKJ4= +github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/emicklei/go-restful/v3 v3.10.1 h1:rc42Y5YTp7Am7CS630D7JmhRjq4UlEUuEKfrDac4bSQ= @@ -341,9 +360,13 @@ github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5Kwzbycv github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w= github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg= github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= +github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= +github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= @@ -371,6 +394,7 @@ github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbV github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= +github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= @@ -382,10 +406,15 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU= +github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs= github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0= +github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY= github.com/gobuffalo/packr/v2 v2.8.3 h1:xE1yzvnO56cUC0sTpKR3DIbxZgB54AftTFMhB2XEWlY= +github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gocarina/gocsv v0.0.0-20220310154401-d4df709ca055 h1:UfcDMw41lSx3XM7UvD1i7Fsu3rMgD55OU5LYwLoR/Yk= @@ -396,6 +425,7 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= +github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -432,12 +462,15 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k= +github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= +github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -466,6 +499,7 @@ github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIG github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= @@ -511,6 +545,7 @@ github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+ github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0= github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= +github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= @@ -521,6 +556,7 @@ github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:Fecb github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -537,6 +573,7 @@ github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/hcl/v2 v2.16.2 h1:mpkHZh/Tv+xet3sy3F9Ld4FyI2tUpWe9x3XtPx9f1a0= @@ -576,6 +613,7 @@ github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+ github.com/jung-kurt/gofpdf v1.16.2 h1:jgbatWHfRlPYiK85qgevsZTHviWXKwB1TTiKdz5PtRc= github.com/jung-kurt/gofpdf v1.16.2/go.mod h1:1hl7y57EsiPAkLbOwzpzqgx1A30nQCk/YmFV8S2vmK0= github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw= +github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= @@ -586,6 +624,7 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -608,8 +647,11 @@ github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3v github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI= +github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc= github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY= +github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI= github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI= +github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/matryer/try v0.0.0-20161228173917-9ac251b645a2/go.mod h1:0KeJpeMD6o+O4hW7qJOT7vyQPKrWmj26uf5wMc/IiIs= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= @@ -625,10 +667,12 @@ github.com/mattn/go-runewidth v0.0.12 h1:Y41i/hVW3Pgwr8gV+J23B9YEY0zxjptBuCWEaxm github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= +github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= +github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= @@ -643,13 +687,14 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/moby/buildkit v0.10.4 h1:FvC+buO8isGpUFZ1abdSLdGHZVqg9sqI4BbFL8tlzP4= -github.com/moby/buildkit v0.10.4/go.mod h1:Yajz9vt1Zw5q9Pp4pdb3TCSUXJBIroIQGQ3TTs/sLug= +github.com/moby/buildkit v0.11.4 h1:mleVHr+n7HUD65QNUkgkT3d8muTzhYUoHE9FM3Ej05s= +github.com/moby/buildkit v0.11.4/go.mod h1:P5Qi041LvCfhkfYBHry+Rwoo3Wi6H971J2ggE+PcIoo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= -github.com/moby/sys/mountinfo v0.6.0 h1:gUDhXQx58YNrpHlK4nSL+7y2pxFZkUcXqzFDKWdC0Oo= +github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78= +github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -674,10 +719,12 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= +github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= +github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= github.com/open-policy-agent/opa v0.58.0 h1:S5qvevW8JoFizU7Hp66R/Y1SOXol0aCdFYVkzIqIpUo= github.com/open-policy-agent/opa v0.58.0/go.mod h1:EGWBwvmyt50YURNvL8X4W5hXdlKeNhAHn3QXsetmYcc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= @@ -689,10 +736,12 @@ github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= +github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY= github.com/phpdave11/gofpdi v1.0.7/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI= github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4= +github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -700,6 +749,7 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= +github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= @@ -729,6 +779,7 @@ github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w= github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0= @@ -825,8 +876,11 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI= +github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE= +github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY= +github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= github.com/zclconf/go-cty v1.13.1 h1:0a6bRwuiSHtAmqCqNOE+c2oHgepv0ctoxU4FUe43kwc= github.com/zclconf/go-cty v1.13.1/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= @@ -839,10 +893,13 @@ go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q= go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 h1:3d+S281UTjM+AbF31XSOYn1qXn3BgIdWl8HNEpx08Jk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I= go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= @@ -851,23 +908,17 @@ go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1 go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca h1:VdD38733bfYv5tUZwEIskMM93VanwNIi5bIKnDrJdEY= go.starlark.net v0.0.0-20230525235612-a134d8f9ddca/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds= go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= +go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181112202954-3d3f9f413869/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -907,7 +958,9 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU= +golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -915,7 +968,6 @@ golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= @@ -948,7 +1000,6 @@ golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLd golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= @@ -961,7 +1012,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -1005,6 +1057,7 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -1082,16 +1135,18 @@ golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1103,8 +1158,10 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1165,6 +1222,7 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y= golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1177,6 +1235,7 @@ golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNq golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= +gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= @@ -1424,7 +1483,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= +gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY= +gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= helm.sh/helm/v3 v3.13.1 h1:DG+XLGzBJeZvMLlMbm6bPDLV1dGaVW9eZsDoUd1/LM0= helm.sh/helm/v3 v3.13.1/go.mod h1:TdQRMiq46CSWcc68Hb0uVhvAWusaN90YwAV54cz6JzU= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 7f6a7f6cc31e5c59383baf26223f89bd1f9418fc Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 14:05:04 +0000 Subject: [PATCH 18/44] bump lint version --- .github/workflows/go-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index cad06ef4821..c1f9d5677bb 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -18,7 +18,7 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@v3.5.0 with: - version: v1.51.2 + version: v1.55.2 args: -c .golangci.yml --timeout 20m go-generate: name: go-generate From 1510b4ea33f57a1c9c48df7ee118806209dbecc4 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 15:14:07 +0000 Subject: [PATCH 19/44] ad trivy for images --- .github/workflows/sec-checks.yaml | 39 ++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 76499a5f4c0..6f6526fdd16 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -5,7 +5,7 @@ on: - main pull_request: jobs: - trivy: + trivy-file-system: name: Trivy Scan runs-on: ubuntu-20.04 steps: @@ -26,6 +26,43 @@ jobs: if: always() shell: bash run: cat ./trivy-results.json + trivy-docker-image: + name: Build + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Build + id: docker_build + uses: docker/build-push-action@v5.0.0 + with: + load: true + context: ./ + file: ./${{ matrix.kics-docker }} + builder: ${{ steps.buildx.outputs.name }} + push: false + tags: kics:sec-trivy-tests-${{ github.sha }} + build-args: | + VERSION=development + COMMIT=${{ github.sha }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: kics:sec-trivy-tests-${{ github.sha }} + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + output: './trivy-image-results.json' + severity: 'CRITICAL,HIGH,MEDIUM' + - name: Inspect action report + if: always() + shell: bash + run: cat ./trivy-image-results.json grype: name: Grype Scan runs-on: ubuntu-20.04 From fc7f5ebfb5bc1aca8bc9119b9e9bae29fd17351a Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 15:50:03 +0000 Subject: [PATCH 20/44] fix yaml error --- .github/workflows/sec-checks.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 6f6526fdd16..a8d98d42229 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -59,10 +59,10 @@ jobs: vuln-type: 'os,library' output: './trivy-image-results.json' severity: 'CRITICAL,HIGH,MEDIUM' - - name: Inspect action report - if: always() - shell: bash - run: cat ./trivy-image-results.json + - name: Inspect action report + if: always() + shell: bash + run: cat ./trivy-image-results.json grype: name: Grype Scan runs-on: ubuntu-20.04 From 89e4d028094eca05af0e40148daa1303d960c891 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Tue, 30 Jan 2024 16:18:56 +0000 Subject: [PATCH 21/44] fix yaml error --- .github/workflows/sec-checks.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index a8d98d42229..c018aeacc8a 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -27,8 +27,12 @@ jobs: shell: bash run: cat ./trivy-results.json trivy-docker-image: - name: Build + name: Trivy docker image scan runs-on: ubuntu-20.04 + strategy: + fail-fast: false + matrix: + kics-docker: [ "Dockerfile" ] steps: - name: Checkout code uses: actions/checkout@v4 From 3ce3f79d5ebf86bf910f817834b190616652f041 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 12:17:31 +0000 Subject: [PATCH 22/44] add ignore policy --- .github/workflows/sec-checks.yaml | 1 + trivy-ignore.rego | 44 +++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 trivy-ignore.rego diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index c018aeacc8a..582843b697d 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -63,6 +63,7 @@ jobs: vuln-type: 'os,library' output: './trivy-image-results.json' severity: 'CRITICAL,HIGH,MEDIUM' + ignore-policy: './trivy-ignore.rego' - name: Inspect action report if: always() shell: bash diff --git a/trivy-ignore.rego b/trivy-ignore.rego new file mode 100644 index 00000000000..b26d0498254 --- /dev/null +++ b/trivy-ignore.rego @@ -0,0 +1,44 @@ +package trivy + +default ignore = false + +ignore_cve := { + "terraform-provider-aws" : { + "golang.org/x/crypto" : ["CVE-2021-43565", "CVE-2022-27191", "CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2022-27664", "CVE-2022-41723", "CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "golang.org/x/sys" : ["CVE-2022-29526"], + "golang.org/x/text" : ["CVE-2021-38561", "CVE-2022-32149"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], + }, + "terraform-provider-azurerm" : { + "golang.org/x/crypto" : ["CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], + }, + "terraform-provider-google" : { + "golang.org/x/crypto" : ["CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2022-27664", "CVE-2022-41721", "CVE-2022-41723", "CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "golang.org/x/text" : ["CVE-2022-32149"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], + }, + "terraform" : { + "golang.org/x/crypto" : ["CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], + }, + "terraformer" : { + "github.com/crewjam/saml" : ["CVE-2023-45683"], + "github.com/hashicorp/vault" : ["CVE-2020-16250", "CVE-2021-32923", "CVE-2023-24999", "CVE-2023-5077", "CVE-2023-5954", "CVE-2021-38554", "CVE-2022-41316", "CVE-2023-0620", "CVE-2023-0665", "CVE-2023-2121", "CVE-2023-25000", "CVE-2023-3462"], + "golang.org/x/crypto" : ["CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], + }, +} + +ignore { + packageUse := ignore_cve[_] + packageValue := packageUse[input.PkgName] + input.VulnerabilityID == packageValue[_] +} + + From b778ed56ae2952c41ff77a33e23371581a64adc2 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 13:02:52 +0000 Subject: [PATCH 23/44] fix lint --- .golangci.yml | 15 +++++----- pkg/parser/grpc/converter/converter.go | 34 ++++++++++++----------- pkg/parser/terraform/converter/default.go | 8 ++++-- 3 files changed, 31 insertions(+), 26 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 258c8b29160..a062ac63ada 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,12 +1,13 @@ linters-settings: depguard: - list-type: blacklist - packages: - # logging is allowed only by logutils.Log, logrus - # is allowed to use only in logutils package - - github.com/sirupsen/logrus - packages-with-error-message: - - github.com/sirupsen/logrus: "logging is allowed only by logutils.Log" + rules: + prevent_bad_packages: + list-mode: lax + deny: + - pkg: github.com/sirupsen/logrus + desc: "logging is allowed only by logutils.Log" + # logging is allowed only by logutils.Log, logrus + # is allowed to use only in logutils package dupl: threshold: 100 funlen: diff --git a/pkg/parser/grpc/converter/converter.go b/pkg/parser/grpc/converter/converter.go index e90a7ce1869..5c03d6a35b0 100644 --- a/pkg/parser/grpc/converter/converter.go +++ b/pkg/parser/grpc/converter/converter.go @@ -140,6 +140,8 @@ func newJSONProto() *JSONProto { } } +const kicsLinesKey = "_kics_" + // Convert converts a proto file to a JSONProto struct func Convert(nodes *proto.Proto) (file *JSONProto, linesIgnore []int) { jproto := newJSONProto() @@ -162,14 +164,14 @@ func Convert(nodes *proto.Proto) (file *JSONProto, linesIgnore []int) { case *proto.Message: jproto.processCommentProto(element.Comment, element.Position.Line, element) jproto.Messages[element.Name] = jproto.convertMessage(element) - messageLines["_kics_"+element.Name] = model.LineObject{ + messageLines[kicsLinesKey+element.Name] = model.LineObject{ Line: element.Position.Line, Arr: make([]map[string]*model.LineObject, 0), } case *proto.Service: jproto.processCommentProto(element.Comment, element.Position.Line, element) jproto.convertService(element) - serviceLines["_kics_"+element.Name] = model.LineObject{ + serviceLines[kicsLinesKey+element.Name] = model.LineObject{ Line: element.Position.Line, Arr: make([]map[string]*model.LineObject, 0), } @@ -184,7 +186,7 @@ func Convert(nodes *proto.Proto) (file *JSONProto, linesIgnore []int) { jproto.Imports[element.Filename] = Import{ Kind: element.Kind, } - importLines["_kics_"+element.Filename] = model.LineObject{ + importLines[kicsLinesKey+element.Filename] = model.LineObject{ Line: element.Position.Line, Arr: make([]map[string]*model.LineObject, 0), } @@ -199,7 +201,7 @@ func Convert(nodes *proto.Proto) (file *JSONProto, linesIgnore []int) { case *proto.Enum: jproto.processCommentProto(element.Comment, element.Position.Line, element) jproto.Enum[element.Name] = jproto.convertEnum(element) - enumLines["_kics_"+element.Name] = model.LineObject{ + enumLines[kicsLinesKey+element.Name] = model.LineObject{ Line: element.Position.Line, Arr: make([]map[string]*model.LineObject, 0), } @@ -245,7 +247,7 @@ func (j *JSONProto) convertMessage(n *proto.Message) Message { switch field := field.(type) { case *proto.NormalField: j.processCommentProto(field.Comment, field.Position.Line, field) - message.Lines["_kics_"+field.Name] = model.LineObject{ + message.Lines[kicsLinesKey+field.Name] = model.LineObject{ Line: field.Position.Line, } message.Field[field.Name] = &Field{ @@ -269,13 +271,13 @@ func (j *JSONProto) convertMessage(n *proto.Message) Message { case *proto.Oneof: j.processCommentProto(field.Comment, field.Position.Line, field) message.OneOf[field.Name] = j.convertOneOf(field) - message.Lines["_kics_"+field.Name] = model.LineObject{ + message.Lines[kicsLinesKey+field.Name] = model.LineObject{ Line: field.Position.Line, } case *proto.Enum: j.processCommentProto(field.Comment, field.Position.Line, field) message.Enum[field.Name] = j.convertEnum(field) - message.Lines["_kics_"+field.Name] = model.LineObject{ + message.Lines[kicsLinesKey+field.Name] = model.LineObject{ Line: field.Position.Line, } case *proto.MapField: @@ -290,19 +292,19 @@ func (j *JSONProto) convertMessage(n *proto.Message) Message { }, KeyType: field.KeyType, } - message.Lines["_kics_"+field.Name] = model.LineObject{ + message.Lines[kicsLinesKey+field.Name] = model.LineObject{ Line: field.Position.Line, } case *proto.Message: j.processCommentProto(field.Comment, field.Position.Line, field) message.InnerMessage[field.Name] = j.convertMessage(field) - message.Lines["_kics_"+field.Name] = model.LineObject{ + message.Lines[kicsLinesKey+field.Name] = model.LineObject{ Line: field.Position.Line, } case *proto.Option: j.processCommentProto(field.Comment, field.Position.Line, field) message.Options[field.Name] = j.convertSingleOption(field) - message.Lines["_kics_"+field.Name] = model.LineObject{ + message.Lines[kicsLinesKey+field.Name] = model.LineObject{ Line: field.Position.Line, } } @@ -339,7 +341,7 @@ func (j *JSONProto) convertEnum(n *proto.Enum) Enum { "_kics__default": {Line: elem.Position.Line}, }, } - enum.Lines["_kics_"+elem.Name] = model.LineObject{ + enum.Lines[kicsLinesKey+elem.Name] = model.LineObject{ Line: elem.Position.Line, } case *proto.Reserved: @@ -353,7 +355,7 @@ func (j *JSONProto) convertEnum(n *proto.Enum) Enum { case *proto.Option: j.processCommentProto(elem.Comment, elem.Position.Line, elem) enum.Options[elem.Name] = j.convertSingleOption(elem) - enum.Lines["_kics_"+elem.Name] = model.LineObject{ + enum.Lines[kicsLinesKey+elem.Name] = model.LineObject{ Line: elem.Position.Line, } } @@ -391,13 +393,13 @@ func (j *JSONProto) convertOneOf(n *proto.Oneof) OneOf { "_kics__default": {Line: elem.Position.Line}, }, } - oneof.Lines["_kics_"+elem.Name] = model.LineObject{ + oneof.Lines[kicsLinesKey+elem.Name] = model.LineObject{ Line: elem.Position.Line, } case *proto.Option: j.processCommentProto(elem.Comment, elem.Position.Line, elem) oneof.Options[elem.Name] = j.convertSingleOption(elem) - oneof.Lines["_kics_"+elem.Name] = model.LineObject{ + oneof.Lines[kicsLinesKey+elem.Name] = model.LineObject{ Line: elem.Position.Line, } } @@ -435,13 +437,13 @@ func (j *JSONProto) convertService(n *proto.Service) { case *proto.RPC: j.processCommentProto(rpc.Comment, rpc.Position.Line, rpc) service.RPC[rpc.Name] = j.convertRPC(rpc) - service.Lines["_kics_"+rpc.Name] = model.LineObject{ + service.Lines[kicsLinesKey+rpc.Name] = model.LineObject{ Line: rpc.Position.Line, } case *proto.Option: j.processCommentProto(rpc.Comment, rpc.Position.Line, rpc) service.Options[rpc.Name] = j.convertSingleOption(rpc) - service.Lines["_kics_"+rpc.Name] = model.LineObject{ + service.Lines[kicsLinesKey+rpc.Name] = model.LineObject{ Line: rpc.Position.Line, } } diff --git a/pkg/parser/terraform/converter/default.go b/pkg/parser/terraform/converter/default.go index 3be15cdd0d1..dc9a36fe95d 100644 --- a/pkg/parser/terraform/converter/default.go +++ b/pkg/parser/terraform/converter/default.go @@ -52,6 +52,8 @@ type converter struct { bytes []byte } +const kicsLinesKey = "_kics_" + func (c *converter) rangeSource(r hcl.Range) string { return string(c.bytes[r.Start.Byte:r.End.Byte]) } @@ -94,7 +96,7 @@ func (c *converter) convertBody(body *hclsyntax.Body, defLine int) (model.Docume for key, value := range body.Attributes { out[key], err = c.convertExpression(value.Expr) // set kics line for the body value - kicsS["_kics_"+key] = model.LineObject{ + kicsS[kicsLinesKey+key] = model.LineObject{ Line: value.SrcRange.Start.Line, Arr: c.getArrLines(value.Expr), } @@ -112,7 +114,7 @@ func (c *converter) convertBody(body *hclsyntax.Body, defLine int) (model.Docume for _, block := range body.Blocks { // set kics line for block - kicsS["_kics_"+block.Type] = model.LineObject{ + kicsS[kicsLinesKey+block.Type] = model.LineObject{ Line: block.TypeRange.Start.Line, } err = c.convertBlock(block, out, block.TypeRange.Start.Line) @@ -159,7 +161,7 @@ func (c *converter) getArrLines(expr hclsyntax.Expression) []map[string]*model.L }, false) return nil } - arrEx["_kics_"+key] = &model.LineObject{ + arrEx[kicsLinesKey+key] = &model.LineObject{ Line: item.KeyExpr.Range().Start.Line, } } From c202521d8204feb197e3c61019060230e16ad23e Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 14:45:10 +0000 Subject: [PATCH 24/44] update grype action --- .github/workflows/sec-checks.yaml | 1 + .grype.yaml | 1 + 2 files changed, 2 insertions(+) create mode 100644 .grype.yaml diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 582843b697d..3fb4136a5ad 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -108,4 +108,5 @@ jobs: with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Inspect action SARIF report + if: always() run: cat ${{ steps.scan.outputs.sarif }} diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 00000000000..3993f68197e --- /dev/null +++ b/.grype.yaml @@ -0,0 +1 @@ +ignore: From 906fa297d627795b211d709428197a57532f063d Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 14:49:37 +0000 Subject: [PATCH 25/44] update grype action --- .github/workflows/sec-checks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 3fb4136a5ad..e7f017a95d3 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -104,6 +104,7 @@ jobs: fail-build: true severity-cutoff: critical - name: upload Anchore scan SARIF report + if: always() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }} From a886d292d344612676452b3e9b1a6b0cfe9656c6 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 15:07:53 +0000 Subject: [PATCH 26/44] try grype ignore --- .github/workflows/sec-checks.yaml | 4 +--- .grype.yaml | 2 ++ 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index e7f017a95d3..c71c39b9f26 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -102,12 +102,10 @@ jobs: with: image: kics:sec-tests-${{ github.sha }} fail-build: true - severity-cutoff: critical + severity-cutoff: medium - name: upload Anchore scan SARIF report - if: always() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Inspect action SARIF report - if: always() run: cat ${{ steps.scan.outputs.sarif }} diff --git a/.grype.yaml b/.grype.yaml index 3993f68197e..9f47f201523 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1 +1,3 @@ ignore: + - package: + name: anchore/scan-action From 61b1530ff667d516a365378feb4b2de0358bda54 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 15:14:18 +0000 Subject: [PATCH 27/44] update grype action --- .github/workflows/sec-checks.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index c71c39b9f26..e91a0f480ac 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -103,9 +103,12 @@ jobs: image: kics:sec-tests-${{ github.sha }} fail-build: true severity-cutoff: medium + output-format: sarif - name: upload Anchore scan SARIF report uses: github/codeql-action/upload-sarif@v3 + if: always() with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Inspect action SARIF report + if: always() run: cat ${{ steps.scan.outputs.sarif }} From 498dc82e1fb0871289dff136f9e298e3aec59ca2 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 15:44:06 +0000 Subject: [PATCH 28/44] update action name --- .github/workflows/sec-checks.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index e91a0f480ac..b90ed782da6 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -1,4 +1,4 @@ -name: build +name: security-checks on: push: branches: @@ -104,6 +104,11 @@ jobs: fail-build: true severity-cutoff: medium output-format: sarif + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: AnchoreReports + path: ./anchore-reports/ - name: upload Anchore scan SARIF report uses: github/codeql-action/upload-sarif@v3 if: always() From 1a48225a4003b0bacaa1b0e102a07f47b682ea49 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 15:44:23 +0000 Subject: [PATCH 29/44] update action name --- .github/workflows/sec-checks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index b90ed782da6..fc28718d54d 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -106,6 +106,7 @@ jobs: output-format: sarif - name: Upload artifact uses: actions/upload-artifact@v4 + if: always() with: name: AnchoreReports path: ./anchore-reports/ From 27de89530496f1a062c20ec32d05dd3ce9f2731f Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 15:55:05 +0000 Subject: [PATCH 30/44] fix grype scan --- .github/workflows/sec-checks.yaml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index fc28718d54d..d045ef60147 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -98,23 +98,18 @@ jobs: cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache - name: Scan image + id: grype-scan uses: anchore/scan-action@v3 with: image: kics:sec-tests-${{ github.sha }} fail-build: true severity-cutoff: medium output-format: sarif - - name: Upload artifact - uses: actions/upload-artifact@v4 - if: always() - with: - name: AnchoreReports - path: ./anchore-reports/ - name: upload Anchore scan SARIF report uses: github/codeql-action/upload-sarif@v3 if: always() with: - sarif_file: ${{ steps.scan.outputs.sarif }} + sarif_file: ${{ steps.grype-scan.outputs.sarif }} - name: Inspect action SARIF report if: always() - run: cat ${{ steps.scan.outputs.sarif }} + run: cat ${{ steps.grype-scan.outputs.sarif }} From c6189a5fb4baf5376019d1e85a61cf5efc887b16 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 17:15:51 +0000 Subject: [PATCH 31/44] upload grype results --- .github/workflows/sec-checks.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index d045ef60147..9561877afe5 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -110,6 +110,12 @@ jobs: if: always() with: sarif_file: ${{ steps.grype-scan.outputs.sarif }} + - name: upload artifact + uses: actions/upload-artifact@v4 + if: always() + with: + name: grype-scan-results + path: ${{ steps.grype-scan.outputs.sarif }} - name: Inspect action SARIF report if: always() run: cat ${{ steps.grype-scan.outputs.sarif }} From d792673fdfeca807e861a3cb9a1a2de12b5ddfaa Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 17:40:33 +0000 Subject: [PATCH 32/44] update grype --- .grype.yaml | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++ Dockerfile | 4 ++-- 2 files changed, 66 insertions(+), 2 deletions(-) diff --git a/.grype.yaml b/.grype.yaml index 9f47f201523..e4cd3389cca 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1,3 +1,67 @@ ignore: - package: name: anchore/scan-action + - package: + name: stdlib + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: goloang.org/x/crypto + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: goloang.org/x/net + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: goloang.org/x/text + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: google.golang.org/grpc + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: github.com/x/sys + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: github.com/crewjam/saml + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: github.com/hashicorp/vault + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: github.com/dgrijalva/jwt-go + location: "/root/.terraform.d/plugins/linux_amd64/**" + - package: + name: github.com/hashicorp/terraform + location: "/root/.terraform.d/plugins/linux_amd64/**" + + + ignore_cve := { +"terraform-provider-aws" : { + "golang.org/x/crypto" : ["CVE-2021-43565", "CVE-2022-27191", "CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2022-27664", "CVE-2022-41723", "CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "golang.org/x/sys" : ["CVE-2022-29526"], + "golang.org/x/text" : ["CVE-2021-38561", "CVE-2022-32149"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], +}, +"terraform-provider-azurerm" : { + "golang.org/x/crypto" : ["CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], +}, +"terraform-provider-google" : { + "golang.org/x/crypto" : ["CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2022-27664", "CVE-2022-41721", "CVE-2022-41723", "CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "golang.org/x/text" : ["CVE-2022-32149"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], +}, +"terraform" : { + "golang.org/x/crypto" : ["CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], +}, +"terraformer" : { + "github.com/crewjam/saml" : ["CVE-2023-45683"], + "github.com/hashicorp/vault" : ["CVE-2020-16250", "CVE-2021-32923", "CVE-2023-24999", "CVE-2023-5077", "CVE-2023-5954", "CVE-2021-38554", "CVE-2022-41316", "CVE-2023-0620", "CVE-2023-0665", "CVE-2023-2121", "CVE-2023-25000", "CVE-2023-3462"], + "golang.org/x/crypto" : ["CVE-2023-48795"], + "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], + "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], +}, +} diff --git a/Dockerfile b/Dockerfile index 38975235202..cfe4e022492 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.21.5-alpine as build_env +FROM golang:1.21.6-alpine as build_env # Copy the source from the current directory to the Working Directory inside the container WORKDIR /app @@ -33,7 +33,7 @@ HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt # Runtime image # Ignore no User Cmd since KICS container is stopped afer scan # kics-scan ignore-line -FROM alpine:3.18 +FROM alpine:3.19 ENV TERM xterm-256color From 3f73db5dffb286064abe56fc7d75d4592519d022 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 17:53:35 +0000 Subject: [PATCH 33/44] fix dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cfe4e022492..83a01eaff00 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,7 +41,7 @@ ENV TERM xterm-256color Run apk update --no-cache \ && apk add --no-cache \ gcompat~=1.1.0 \ - git~=2.40 + git~=2.43 # Install Terraform and Terraform plugins RUN wget https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_amd64.zip \ From 897d85d24ba463cc62d4018900ff97ce17040a33 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 18:01:47 +0000 Subject: [PATCH 34/44] fix grype --- .grype.yaml | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/.grype.yaml b/.grype.yaml index e4cd3389cca..3ec87af8eeb 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -31,37 +31,3 @@ ignore: - package: name: github.com/hashicorp/terraform location: "/root/.terraform.d/plugins/linux_amd64/**" - - - ignore_cve := { -"terraform-provider-aws" : { - "golang.org/x/crypto" : ["CVE-2021-43565", "CVE-2022-27191", "CVE-2023-48795"], - "golang.org/x/net" : ["CVE-2022-27664", "CVE-2022-41723", "CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], - "golang.org/x/sys" : ["CVE-2022-29526"], - "golang.org/x/text" : ["CVE-2021-38561", "CVE-2022-32149"], - "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], -}, -"terraform-provider-azurerm" : { - "golang.org/x/crypto" : ["CVE-2023-48795"], - "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], - "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], -}, -"terraform-provider-google" : { - "golang.org/x/crypto" : ["CVE-2023-48795"], - "golang.org/x/net" : ["CVE-2022-27664", "CVE-2022-41721", "CVE-2022-41723", "CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], - "golang.org/x/text" : ["CVE-2022-32149"], - "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], -}, -"terraform" : { - "golang.org/x/crypto" : ["CVE-2023-48795"], - "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], - "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], -}, -"terraformer" : { - "github.com/crewjam/saml" : ["CVE-2023-45683"], - "github.com/hashicorp/vault" : ["CVE-2020-16250", "CVE-2021-32923", "CVE-2023-24999", "CVE-2023-5077", "CVE-2023-5954", "CVE-2021-38554", "CVE-2022-41316", "CVE-2023-0620", "CVE-2023-0665", "CVE-2023-2121", "CVE-2023-25000", "CVE-2023-3462"], - "golang.org/x/crypto" : ["CVE-2023-48795"], - "golang.org/x/net" : ["CVE-2023-39325", "CVE-2023-3978", "CVE-2023-44487"], - "google.golang.org/grpc" : ["GHSA-m425-mq94-257g", "CVE-2023-44487"], -}, -} From bf7474f5a82f0263e2d2ae16d0313a3fe117a065 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 18:29:54 +0000 Subject: [PATCH 35/44] fix grype --- .grype.yaml | 30 ++++-------------------------- 1 file changed, 4 insertions(+), 26 deletions(-) diff --git a/.grype.yaml b/.grype.yaml index 3ec87af8eeb..879d6971f3c 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -2,32 +2,10 @@ ignore: - package: name: anchore/scan-action - package: - name: stdlib - location: "/root/.terraform.d/plugins/linux_amd64/**" + location: "/root/.terraform.d/plugins/linux_amd64/terraform-provider-**" - package: - name: goloang.org/x/crypto - location: "/root/.terraform.d/plugins/linux_amd64/**" + location: "/usr/bin/terraformer" - package: - name: goloang.org/x/net - location: "/root/.terraform.d/plugins/linux_amd64/**" + location: "/usr/bin/terraform" - package: - name: goloang.org/x/text - location: "/root/.terraform.d/plugins/linux_amd64/**" - - package: - name: google.golang.org/grpc - location: "/root/.terraform.d/plugins/linux_amd64/**" - - package: - name: github.com/x/sys - location: "/root/.terraform.d/plugins/linux_amd64/**" - - package: - name: github.com/crewjam/saml - location: "/root/.terraform.d/plugins/linux_amd64/**" - - package: - name: github.com/hashicorp/vault - location: "/root/.terraform.d/plugins/linux_amd64/**" - - package: - name: github.com/dgrijalva/jwt-go - location: "/root/.terraform.d/plugins/linux_amd64/**" - - package: - name: github.com/hashicorp/terraform - location: "/root/.terraform.d/plugins/linux_amd64/**" + location: "/usr/local/bin/terraform" From 100609a27ccbff92364dabf9d0d7771371420b1e Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 18:48:26 +0000 Subject: [PATCH 36/44] test e2e debian --- docker/Dockerfile.debian | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian index f4617ba4c66..5d74b984b11 100644 --- a/docker/Dockerfile.debian +++ b/docker/Dockerfile.debian @@ -68,7 +68,6 @@ RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries -COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ WORKDIR /app/bin From 8da372214cc23b2bcdff5d1b84c0921efc9e4e71 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Wed, 31 Jan 2024 19:06:34 +0000 Subject: [PATCH 37/44] test normal dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 83a01eaff00..8f825a474e0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -66,7 +66,7 @@ RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0. # kics-scan ignore-line COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries -COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ +#COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ WORKDIR /app/bin From 6e4dfeec4b28ec111cc7ff3d166b75d4f6e6b8e3 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Thu, 1 Feb 2024 09:19:20 +0000 Subject: [PATCH 38/44] revert dockerfiles --- Dockerfile | 2 +- docker/Dockerfile.debian | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8f825a474e0..83a01eaff00 100644 --- a/Dockerfile +++ b/Dockerfile @@ -66,7 +66,7 @@ RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0. # kics-scan ignore-line COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries -#COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ +COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ WORKDIR /app/bin diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian index 5d74b984b11..f4617ba4c66 100644 --- a/docker/Dockerfile.debian +++ b/docker/Dockerfile.debian @@ -68,6 +68,7 @@ RUN mkdir ~/.terraform.d && mkdir ~/.terraform.d/plugins && mkdir ~/.terraform.d COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries +COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ WORKDIR /app/bin From 2476868fb075743b0030d69d9159ce460501358b Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Thu, 1 Feb 2024 09:43:58 +0000 Subject: [PATCH 39/44] add test file for docker e2e --- .github/workflows/sec-checks.yaml | 102 +++++++++++++++--------------- Dockerfile | 1 + assets/test/test_file.txt | 1 + pkg/scan/scan.go | 12 ++++ 4 files changed, 65 insertions(+), 51 deletions(-) create mode 100644 assets/test/test_file.txt diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml index 9561877afe5..49b8c9c067f 100644 --- a/.github/workflows/sec-checks.yaml +++ b/.github/workflows/sec-checks.yaml @@ -68,54 +68,54 @@ jobs: if: always() shell: bash run: cat ./trivy-image-results.json - grype: - name: Grype Scan - runs-on: ubuntu-20.04 - strategy: - fail-fast: false - matrix: - kics-docker: [ "Dockerfile"] - steps: - - name: Check out code - uses: actions/checkout@v4 - with: - persist-credentials: false - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Build - id: docker_build - uses: docker/build-push-action@v5.0.0 - with: - load: true - context: ./ - file: ./${{ matrix.kics-docker }} - builder: ${{ steps.buildx.outputs.name }} - push: false - tags: kics:sec-tests-${{ github.sha }} - build-args: | - VERSION=development - COMMIT=${{ github.sha }} - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache - - name: Scan image - id: grype-scan - uses: anchore/scan-action@v3 - with: - image: kics:sec-tests-${{ github.sha }} - fail-build: true - severity-cutoff: medium - output-format: sarif - - name: upload Anchore scan SARIF report - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: ${{ steps.grype-scan.outputs.sarif }} - - name: upload artifact - uses: actions/upload-artifact@v4 - if: always() - with: - name: grype-scan-results - path: ${{ steps.grype-scan.outputs.sarif }} - - name: Inspect action SARIF report - if: always() - run: cat ${{ steps.grype-scan.outputs.sarif }} + #grype: + # name: Grype Scan + # runs-on: ubuntu-20.04 + # strategy: + # fail-fast: false + # matrix: + # kics-docker: [ "Dockerfile"] + # steps: + # - name: Check out code + # uses: actions/checkout@v4 + # with: + # persist-credentials: false + # - name: Set up Docker Buildx + # uses: docker/setup-buildx-action@v3 + # - name: Build + # id: docker_build + # uses: docker/build-push-action@v5.0.0 + # with: + # load: true + # context: ./ + # file: ./${{ matrix.kics-docker }} + # builder: ${{ steps.buildx.outputs.name }} + # push: false + # tags: kics:sec-tests-${{ github.sha }} + # build-args: | + # VERSION=development + # COMMIT=${{ github.sha }} + # cache-from: type=local,src=/tmp/.buildx-cache + # cache-to: type=local,dest=/tmp/.buildx-cache + # - name: Scan image + # id: grype-scan + # uses: anchore/scan-action@v3 + # with: + # image: kics:sec-tests-${{ github.sha }} + # fail-build: true + # severity-cutoff: medium + # output-format: sarif + # - name: upload Anchore scan SARIF report + # uses: github/codeql-action/upload-sarif@v3 + # if: always() + # with: + # sarif_file: ${{ steps.grype-scan.outputs.sarif }} + # - name: upload artifact + # uses: actions/upload-artifact@v4 + # if: always() + # with: + # name: grype-scan-results + # path: ${{ steps.grype-scan.outputs.sarif }} + # - name: Inspect action SARIF report + # if: always() + # run: cat ${{ steps.grype-scan.outputs.sarif }} diff --git a/Dockerfile b/Dockerfile index 83a01eaff00..fd30e9159d5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -67,6 +67,7 @@ RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0. COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ +COPY --from=build_env /app/assets/test/* /app/bin/assets/test/ WORKDIR /app/bin diff --git a/assets/test/test_file.txt b/assets/test/test_file.txt new file mode 100644 index 00000000000..ddaa7509bc8 --- /dev/null +++ b/assets/test/test_file.txt @@ -0,0 +1 @@ +Hello, this is a test message from a text file diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index 168c72361fa..857a9228f7b 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -41,6 +41,8 @@ type executeScanParameters struct { extractedPaths provider.ExtractedPath } +const testFilePath = "./assets/test/test_file.txt" + func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { progressBar := c.ProBarBuilder.BuildCircle("Preparing Scan Assets: ") go progressBar.Start() @@ -55,6 +57,16 @@ func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { return nil, nil } + //load a file and log its content + file, err := os.Open(testFilePath) + if err != nil { + log.Err(err) + return nil, err + } + defer file.Close() + + log.Info().Msgf("File content: %s", file) + querySource := source.NewFilesystemSource( c.ScanParams.QueriesPath, c.ScanParams.Platform, From 4213e14262b5b62b757e6a429f5aadf4f03da069 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Thu, 1 Feb 2024 11:13:49 +0000 Subject: [PATCH 40/44] revert 2e2 debian test --- assets/test/test_file.txt | 1 - 1 file changed, 1 deletion(-) delete mode 100644 assets/test/test_file.txt diff --git a/assets/test/test_file.txt b/assets/test/test_file.txt deleted file mode 100644 index ddaa7509bc8..00000000000 --- a/assets/test/test_file.txt +++ /dev/null @@ -1 +0,0 @@ -Hello, this is a test message from a text file From 490cfc6a400dd4b073e21b05c536bbd582b849fd Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Thu, 1 Feb 2024 11:17:53 +0000 Subject: [PATCH 41/44] revert 2e2 debian test --- Dockerfile | 1 - go.mod | 6 +++--- pkg/scan/scan.go | 12 ------------ 3 files changed, 3 insertions(+), 16 deletions(-) diff --git a/Dockerfile b/Dockerfile index fd30e9159d5..83a01eaff00 100644 --- a/Dockerfile +++ b/Dockerfile @@ -67,7 +67,6 @@ RUN wget https://github.com/GoogleCloudPlatform/terraformer/releases/download/0. COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/queries /app/bin/assets/queries COPY --from=build_env /app/assets/libraries/* /app/bin/assets/libraries/ -COPY --from=build_env /app/assets/test/* /app/bin/assets/test/ WORKDIR /app/bin diff --git a/go.mod b/go.mod index a1aa442f54e..d070f58152a 100644 --- a/go.mod +++ b/go.mod @@ -52,6 +52,7 @@ require ( cloud.google.com/go/compute/metadata v0.2.3 // indirect github.com/Microsoft/hcsshim v0.11.1 // indirect github.com/containerd/log v0.1.0 // indirect + github.com/containerd/typeurl/v2 v2.1.1 // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect github.com/go-ini/ini v1.67.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -95,7 +96,6 @@ require ( github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect github.com/containerd/containerd v1.7.7 // indirect - github.com/containerd/typeurl v1.0.2 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/docker/cli v24.0.6+incompatible // indirect @@ -139,7 +139,7 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/jung-kurt/gofpdf v1.16.2 // indirect - github.com/klauspost/compress v1.16.0 // indirect + github.com/klauspost/compress v1.17.2 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect @@ -235,7 +235,7 @@ replace ( github.com/docker/cli => github.com/docker/cli v20.10.12+incompatible github.com/docker/docker => github.com/docker/docker v24.0.7+incompatible github.com/gin-gonic/gin => github.com/gin-gonic/gin v1.9.1 - github.com/moby/buildkit => github.com/moby/buildkit v0.11.4 + github.com/moby/buildkit => github.com/moby/buildkit v0.12.5 github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2 github.com/spf13/afero => github.com/spf13/afero v1.2.2 go.etcd.io/etcd/pkg/v3 => go.etcd.io/etcd/pkg/v3 v3.5.10 diff --git a/pkg/scan/scan.go b/pkg/scan/scan.go index 857a9228f7b..168c72361fa 100644 --- a/pkg/scan/scan.go +++ b/pkg/scan/scan.go @@ -41,8 +41,6 @@ type executeScanParameters struct { extractedPaths provider.ExtractedPath } -const testFilePath = "./assets/test/test_file.txt" - func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { progressBar := c.ProBarBuilder.BuildCircle("Preparing Scan Assets: ") go progressBar.Start() @@ -57,16 +55,6 @@ func (c *Client) initScan(ctx context.Context) (*executeScanParameters, error) { return nil, nil } - //load a file and log its content - file, err := os.Open(testFilePath) - if err != nil { - log.Err(err) - return nil, err - } - defer file.Close() - - log.Info().Msgf("File content: %s", file) - querySource := source.NewFilesystemSource( c.ScanParams.QueriesPath, c.ScanParams.Platform, From eb037e2a87738b4f07de9a80cb425e5047daf386 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Thu, 1 Feb 2024 11:53:45 +0000 Subject: [PATCH 42/44] update --- go.sum | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/go.sum b/go.sum index 512480d50da..da9bc0a7eb6 100644 --- a/go.sum +++ b/go.sum @@ -295,8 +295,8 @@ github.com/containerd/containerd v1.6.26 h1:VVfrE6ZpyisvB1fzoY8Vkiq4sy+i5oF4uk7z github.com/containerd/containerd v1.6.26/go.mod h1:I4TRdsdoo5MlKob5khDJS2EPT1l1oMNaE2MBm6FrwxM= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= -github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY= -github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= +github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4= +github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0= github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= @@ -617,8 +617,8 @@ github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1q github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= -github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= -github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/klauspost/compress v1.17.2 h1:RlWWUY/Dr4fL8qk9YG7DTZ7PDgME2V4csBXA8L/ixi4= +github.com/klauspost/compress v1.17.2/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= @@ -687,8 +687,8 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/moby/buildkit v0.11.4 h1:mleVHr+n7HUD65QNUkgkT3d8muTzhYUoHE9FM3Ej05s= -github.com/moby/buildkit v0.11.4/go.mod h1:P5Qi041LvCfhkfYBHry+Rwoo3Wi6H971J2ggE+PcIoo= +github.com/moby/buildkit v0.12.5 h1:RNHH1l3HDhYyZafr5EgstEu8aGNCwyfvMtrQDtjH9T0= +github.com/moby/buildkit v0.12.5/go.mod h1:YGwjA2loqyiYfZeEo8FtI7z4x5XponAaIWsWcSjWwso= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= From 1bc1c4ff6c269be374977abc08d5fdf3153b74d0 Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Thu, 1 Feb 2024 15:48:49 +0000 Subject: [PATCH 43/44] change workflow name --- .github/workflows/go-e2e-debian.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-e2e-debian.yaml b/.github/workflows/go-e2e-debian.yaml index 8e6597d3a0b..e0b91fb0a15 100644 --- a/.github/workflows/go-e2e-debian.yaml +++ b/.github/workflows/go-e2e-debian.yaml @@ -1,4 +1,4 @@ -name: go-e2e +name: go-e2e-debian on: pull_request: From ffbf6dce4198436a38b05f9088808be762b9d72b Mon Sep 17 00:00:00 2001 From: cxMiguelSilva Date: Fri, 2 Feb 2024 12:06:22 +0000 Subject: [PATCH 44/44] fix typo --- assets/queries/dockerCompose/networks_not_set/metadata.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/dockerCompose/networks_not_set/metadata.json b/assets/queries/dockerCompose/networks_not_set/metadata.json index f0bdb445523..5bad451ab89 100644 --- a/assets/queries/dockerCompose/networks_not_set/metadata.json +++ b/assets/queries/dockerCompose/networks_not_set/metadata.json @@ -3,9 +3,9 @@ "queryName": "Networks Not Set", "severity": "MEDIUM", "category": "Networking and Firewall", - "descriptionText": "Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.", + "descriptionText": "Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic between all containers.", "descriptionUrl": "https://docs.docker.com/compose/compose-file/compose-file-v3/#networks", "platform": "DockerCompose", "descriptionID": "3743a217", "cwe": "" -} \ No newline at end of file +}