From f84e76f30c3e764d6ff671d8e20bb6490b7c3fe1 Mon Sep 17 00:00:00 2001 
From: Nicolas Vuillamy Date: Sat, 15 Jul 2023 11:19:12 +0200 Subject: [PATCH] Generate SBOM from Trivy (#2810) * Fix grype issue * [automation] Auto-update linters version, help and documentation * Downgrade grype * mega-liter-runner ml config * fix test cases * [MegaLinter] Apply linters fixes * trivy sbom * Trivy SBOM * trivy sbom call * trivy SBOM test classes * sbom cyclonedx * Fix call to trivy sbom * JSON output * jscpd * [MegaLinter] Apply linters fixes --------- Co-authored-by: nvuillam Co-authored-by: nvuillam --- .../generated/linter-links-previews.json | 5 + .github/linters/.jscpd.json | 1 + .github/workflows/deploy-BETA-linters.yml | 1 + .github/workflows/deploy-DEV-linters.yml | 1 + .github/workflows/deploy-RELEASE-linters.yml | 1 + Dockerfile | 4 + docs/descriptors/xml_xmllint.md | 2 +- docs/standalone-linters.md | 1 + flavors/ci_light/Dockerfile | 4 + flavors/ci_light/flavor.json | 1 + flavors/cupcake/Dockerfile | 4 + flavors/cupcake/flavor.json | 1 + flavors/documentation/Dockerfile | 4 + flavors/documentation/flavor.json | 1 + flavors/dotnet/Dockerfile | 4 + flavors/dotnet/flavor.json | 1 + flavors/dotnetweb/Dockerfile | 4 + flavors/dotnetweb/flavor.json | 1 + flavors/go/Dockerfile | 4 + flavors/go/flavor.json | 1 + flavors/java/Dockerfile | 4 + flavors/java/flavor.json | 1 + flavors/javascript/Dockerfile | 4 + flavors/javascript/flavor.json | 1 + flavors/php/Dockerfile | 4 + flavors/php/flavor.json | 1 + flavors/python/Dockerfile | 4 + flavors/python/flavor.json | 1 + flavors/ruby/Dockerfile | 4 + flavors/ruby/flavor.json | 1 + flavors/rust/Dockerfile | 4 + flavors/rust/flavor.json | 1 + flavors/salesforce/Dockerfile | 4 + flavors/salesforce/flavor.json | 1 + flavors/security/Dockerfile | 4 + flavors/security/flavor.json | 1 + flavors/swift/Dockerfile | 4 + flavors/swift/flavor.json | 1 + flavors/terraform/Dockerfile | 4 + flavors/terraform/flavor.json | 1 + linters/repository_trivy_sbom/Dockerfile | 214 ++++++++++++++++++ 
megalinter/descriptors/all_flavors.json | 16 ++ .../repository.megalinter-descriptor.yml | 39 ++++ .../megalinter-configuration.jsonschema.json | 1 + .../linters/repository_trivy_sbom_test.py | 47 ++++ 45 files changed, 412 insertions(+), 1 deletion(-) create mode 100644 linters/repository_trivy_sbom/Dockerfile create mode 100644 megalinter/tests/test_megalinter/linters/repository_trivy_sbom_test.py diff --git a/.automation/generated/linter-links-previews.json b/.automation/generated/linter-links-previews.json index c8a84fab39a..175c024a7b4 100644 --- a/.automation/generated/linter-links-previews.json +++ b/.automation/generated/linter-links-previews.json @@ -544,6 +544,11 @@ "image": null, "title": "Redirecting" }, + "trivy-sbom": { + "description": "None", + "image": null, + "title": "Redirecting" + }, "ts-standard": { "description": "English \u2022 Espan\u0303ol (Latinoame\u0301rica) \u2022 Franc\u0327ais \u2022 Bahasa Indonesia \u2022 Italiano (Italian) \u2022 \u65e5\u672c\u8a9e (Japanese) \u2022 \u1112\u1161\u11ab\u1100\u116e\u11a8\u110b\u1165 (Korean) \u2022 Portugue\u0302s (Brasil) \u2022 \u7b80\u4f53\u4e2d\u6587 (Simplified Chinese) \u2022 \u7e41\u9ad4\u4e2d\u6587 (Taiwanese Mandarin).", "image": null, diff --git a/.github/linters/.jscpd.json b/.github/linters/.jscpd.json index f88c111bd9d..8607fdfba75 100644 --- a/.github/linters/.jscpd.json +++ b/.github/linters/.jscpd.json @@ -24,6 +24,7 @@ "**/megalinter/tests/test_megalinter/mega_linter*", "**/megalinter/tests/test_megalinter/plugins_test.py*", "**/megalinter/tests/test_megalinter/config_test.py", + "**/repository_trivy_sbom_test.py", "**/megalinter/utilstest.py", "**/*.test.js", "**/CHANGELOG.md", diff --git a/.github/workflows/deploy-BETA-linters.yml b/.github/workflows/deploy-BETA-linters.yml index af8d6914a81..a7bfe2e2f99 100644 --- a/.github/workflows/deploy-BETA-linters.yml +++ b/.github/workflows/deploy-BETA-linters.yml 
@@ -155,6 +155,7 @@ jobs: "repository_semgrep", "repository_syft", "repository_trivy", + "repository_trivy_sbom", "rst_rst_lint", "rst_rstcheck", "rst_rstfmt", diff --git a/.github/workflows/deploy-DEV-linters.yml b/.github/workflows/deploy-DEV-linters.yml index a4da723ebef..b287de25b9d 100644 --- a/.github/workflows/deploy-DEV-linters.yml +++ b/.github/workflows/deploy-DEV-linters.yml @@ -144,6 +144,7 @@ jobs: "repository_semgrep", "repository_syft", "repository_trivy", + "repository_trivy_sbom", "rst_rst_lint", "rst_rstcheck", "rst_rstfmt", diff --git a/.github/workflows/deploy-RELEASE-linters.yml b/.github/workflows/deploy-RELEASE-linters.yml index 9838b7729b2..0e3f77ed8e1 100644 --- a/.github/workflows/deploy-RELEASE-linters.yml +++ b/.github/workflows/deploy-RELEASE-linters.yml @@ -131,6 +131,7 @@ jobs: "repository_semgrep", "repository_syft", "repository_trivy", + "repository_trivy_sbom", "rst_rst_lint", "rst_rstcheck", "rst_rstfmt", diff --git a/Dockerfile b/Dockerfile index 1eb8f00bfbe..85d5ed03e43 100644 --- a/Dockerfile +++ b/Dockerfile @@ -701,6 +701,10 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | # trivy installation && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \ +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # sfdx-scanner-apex installation && sfdx plugins:install @salesforce/sfdx-scanner \ && npm cache clean --force || true \ diff --git a/docs/descriptors/xml_xmllint.md b/docs/descriptors/xml_xmllint.md index d7edb3fa72b..19a4313ad2c 100644 --- a/docs/descriptors/xml_xmllint.md +++ b/docs/descriptors/xml_xmllint.md 
@@ -25,7 +25,7 @@ To apply file formatting you must set `XML_XMLLINT_CLI_LINT_MODE: file` and `XML | Variable | Description | Default value | |-----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| | XML_XMLLINT_AUTOFORMAT | If set to `true`, it will reformat and reindent the output | `false` | -| XML_XMLLINT_INDENT | The number of indentation spaces when `XML_XMLLINT_AUTOFORMAT` is `true` | ` ` | +| XML_XMLLINT_INDENT | The number of indentation spaces when `XML_XMLLINT_AUTOFORMAT` is `true` | `` | | XML_XMLLINT_ARGUMENTS | User custom arguments to add in linter CLI call
Ex: `-s --foo "bar"` | | | XML_XMLLINT_FILTER_REGEX_INCLUDE | Custom regex including filter
Ex: `(src\|lib)` | Include every file | | XML_XMLLINT_FILTER_REGEX_EXCLUDE | Custom regex excluding filter
Ex: `(test\|examples)` | Exclude no file | diff --git a/docs/standalone-linters.md b/docs/standalone-linters.md index da63a4590f6..7df789f7215 100644 --- a/docs/standalone-linters.md +++ b/docs/standalone-linters.md @@ -84,6 +84,7 @@ | REPOSITORY_SEMGREP | oxsecurity/megalinter-only-repository_semgrep:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_semgrep/beta) | | REPOSITORY_SYFT | oxsecurity/megalinter-only-repository_syft:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_syft/beta) | | REPOSITORY_TRIVY | oxsecurity/megalinter-only-repository_trivy:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_trivy/beta) | +| REPOSITORY_TRIVY_SBOM | oxsecurity/megalinter-only-repository_trivy_sbom:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-repository_trivy_sbom/beta) | | RST_RST_LINT | oxsecurity/megalinter-only-rst_rst_lint:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rst_lint/beta) | | RST_RSTCHECK | oxsecurity/megalinter-only-rst_rstcheck:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rstcheck/beta) | | RST_RSTFMT | oxsecurity/megalinter-only-rst_rstfmt:beta | ![Docker Image Size (tag)](https://img.shields.io/docker/image-size/oxsecurity/megalinter-only-rst_rstfmt/beta) | diff --git a/flavors/ci_light/Dockerfile b/flavors/ci_light/Dockerfile index c4bb14293fd..e0a9c8a3df6 100644 --- a/flavors/ci_light/Dockerfile +++ b/flavors/ci_light/Dockerfile 
@@ -201,6 +201,10 @@ RUN wget -q -O - https://raw.githubusercontent.com/dotenv-linter/dotenv-linter/m && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + #OTHER__END ################################ diff --git a/flavors/ci_light/flavor.json b/flavors/ci_light/flavor.json index b13d87f5bc4..ce34b1f7cf2 100644 --- a/flavors/ci_light/flavor.json +++ b/flavors/ci_light/flavor.json @@ -20,6 +20,7 @@ "REPOSITORY_GRYPE", "REPOSITORY_SECRETLINT", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "XML_XMLLINT", "YAML_PRETTIER", "YAML_YAMLLINT", diff --git a/flavors/cupcake/Dockerfile b/flavors/cupcake/Dockerfile index bac04f88384..35f131ed8df 100644 --- a/flavors/cupcake/Dockerfile +++ b/flavors/cupcake/Dockerfile @@ -473,6 +473,10 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # lychee installation # Managed with COPY --link --from=lychee /usr/local/bin/lychee /usr/bin/ diff --git a/flavors/cupcake/flavor.json b/flavors/cupcake/flavor.json index a16a7a22bf7..2117c222e5f 100644 --- a/flavors/cupcake/flavor.json +++ b/flavors/cupcake/flavor.json @@ -69,6 +69,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", 
diff --git a/flavors/documentation/Dockerfile b/flavors/documentation/Dockerfile index c80cea69130..4f41b751f29 100644 --- a/flavors/documentation/Dockerfile +++ b/flavors/documentation/Dockerfile @@ -282,6 +282,10 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/documentation/flavor.json b/flavors/documentation/flavor.json index 3f1bd329dbf..1e829e661a1 100644 --- a/flavors/documentation/flavor.json +++ b/flavors/documentation/flavor.json @@ -41,6 +41,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/dotnet/Dockerfile b/flavors/dotnet/Dockerfile index e6ca99e0c20..2daa3d8c0ab 100644 --- a/flavors/dotnet/Dockerfile +++ b/flavors/dotnet/Dockerfile @@ -367,6 +367,10 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \ # trivy installation && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \ +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/dotnet/flavor.json b/flavors/dotnet/flavor.json index 68f061cbc12..9aada612a4a 100644 --- a/flavors/dotnet/flavor.json +++ b/flavors/dotnet/flavor.json 
@@ -55,6 +55,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/dotnetweb/Dockerfile b/flavors/dotnetweb/Dockerfile index 63afdf56f96..8b7149b8995 100644 --- a/flavors/dotnetweb/Dockerfile +++ b/flavors/dotnetweb/Dockerfile @@ -387,6 +387,10 @@ RUN curl --retry 5 --retry-delay 5 -sLO "${ARM_TTK_URI}" \ # trivy installation && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \ +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/dotnetweb/flavor.json b/flavors/dotnetweb/flavor.json index 9e829a13211..71e02372211 100644 --- a/flavors/dotnetweb/flavor.json +++ b/flavors/dotnetweb/flavor.json @@ -61,6 +61,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/go/Dockerfile b/flavors/go/Dockerfile index 15bceff6264..58d67bd8a0d 100644 --- a/flavors/go/Dockerfile +++ b/flavors/go/Dockerfile @@ -297,6 +297,10 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale 
diff --git a/flavors/go/flavor.json b/flavors/go/flavor.json index 5ccfa717fb1..64b640a71ff 100644 --- a/flavors/go/flavor.json +++ b/flavors/go/flavor.json @@ -43,6 +43,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/java/Dockerfile b/flavors/java/Dockerfile index ff55aea56a8..d293109a680 100644 --- a/flavors/java/Dockerfile +++ b/flavors/java/Dockerfile @@ -358,6 +358,10 @@ RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${P && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/java/flavor.json b/flavors/java/flavor.json index 40dd3d126c5..6fc62ba83b6 100644 --- a/flavors/java/flavor.json +++ b/flavors/java/flavor.json @@ -47,6 +47,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/javascript/Dockerfile b/flavors/javascript/Dockerfile index 79df96b8b4d..70751e36d34 100644 --- a/flavors/javascript/Dockerfile +++ b/flavors/javascript/Dockerfile 
@@ -299,6 +299,10 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/javascript/flavor.json b/flavors/javascript/flavor.json index e677dddd1af..c8a3a9019c2 100644 --- a/flavors/javascript/flavor.json +++ b/flavors/javascript/flavor.json @@ -47,6 +47,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/php/Dockerfile b/flavors/php/Dockerfile index 939f5ff7be1..0203a4b2b9a 100644 --- a/flavors/php/Dockerfile +++ b/flavors/php/Dockerfile @@ -324,6 +324,10 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/php/flavor.json b/flavors/php/flavor.json index d755e963cc2..852021dd109 100644 --- a/flavors/php/flavor.json +++ b/flavors/php/flavor.json @@ -45,6 +45,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", 
diff --git a/flavors/python/Dockerfile b/flavors/python/Dockerfile index eaa074e8b2d..7039a304eb1 100644 --- a/flavors/python/Dockerfile +++ b/flavors/python/Dockerfile @@ -297,6 +297,10 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/python/flavor.json b/flavors/python/flavor.json index 6e8a803e3cf..96b61bfda2f 100644 --- a/flavors/python/flavor.json +++ b/flavors/python/flavor.json @@ -49,6 +49,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", diff --git a/flavors/ruby/Dockerfile b/flavors/ruby/Dockerfile index d223cedd310..7ed36409bc6 100644 --- a/flavors/ruby/Dockerfile +++ b/flavors/ruby/Dockerfile @@ -283,6 +283,10 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/ruby/flavor.json b/flavors/ruby/flavor.json index 34dcf82a3db..05c2966acac 100644 --- a/flavors/ruby/flavor.json +++ b/flavors/ruby/flavor.json 
@@ -40,6 +40,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "RUBY_RUBOCOP", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", diff --git a/flavors/rust/Dockerfile b/flavors/rust/Dockerfile index 9ffc914331c..fb03d6e7291 100644 --- a/flavors/rust/Dockerfile +++ b/flavors/rust/Dockerfile @@ -277,6 +277,10 @@ RUN printf '#!/bin/bash \n\nif [[ -x "$1" ]]; then exit 0; else echo "Error: Fil && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/rust/flavor.json b/flavors/rust/flavor.json index 5488c5c315f..d71766b88fa 100644 --- a/flavors/rust/flavor.json +++ b/flavors/rust/flavor.json @@ -40,6 +40,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "RUST_CLIPPY", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", diff --git a/flavors/salesforce/Dockerfile b/flavors/salesforce/Dockerfile index e5a6a96d806..eb0d990cb6e 100644 --- a/flavors/salesforce/Dockerfile +++ b/flavors/salesforce/Dockerfile @@ -286,6 +286,10 @@ RUN echo y|sfdx plugins:install sfdx-hardis \ # trivy installation && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \ +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # sfdx-scanner-apex installation && sfdx plugins:install @salesforce/sfdx-scanner \ && npm cache clean --force || true \ 
diff --git a/flavors/salesforce/flavor.json b/flavors/salesforce/flavor.json index 4a75e4753ee..f6c4cbdfb7b 100644 --- a/flavors/salesforce/flavor.json +++ b/flavors/salesforce/flavor.json @@ -42,6 +42,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SALESFORCE_SFDX_SCANNER_APEX", "SALESFORCE_SFDX_SCANNER_AURA", "SALESFORCE_SFDX_SCANNER_LWC", diff --git a/flavors/security/Dockerfile b/flavors/security/Dockerfile index 7b111b51405..fa3505ec64a 100644 --- a/flavors/security/Dockerfile +++ b/flavors/security/Dockerfile @@ -235,6 +235,10 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # tflint installation # Managed with COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/ diff --git a/flavors/security/flavor.json b/flavors/security/flavor.json index f3fa2d86349..675eb08aac7 100644 --- a/flavors/security/flavor.json +++ b/flavors/security/flavor.json @@ -21,6 +21,7 @@ "REPOSITORY_SEMGREP", "REPOSITORY_SYFT", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "TERRAFORM_TFLINT", "TERRAFORM_TERRASCAN", "TERRAFORM_TERRAGRUNT" diff --git a/flavors/swift/Dockerfile b/flavors/swift/Dockerfile index a25d5b6a402..4b3dd2f6900 100644 --- a/flavors/swift/Dockerfile +++ b/flavors/swift/Dockerfile 
@@ -280,6 +280,10 @@ RUN rc-update add docker boot && rc-service docker start || true \ && wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/swift/flavor.json b/flavors/swift/flavor.json index abbaa77818f..bc9d9d0baf9 100644 --- a/flavors/swift/flavor.json +++ b/flavors/swift/flavor.json @@ -40,6 +40,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", diff --git a/flavors/terraform/Dockerfile b/flavors/terraform/Dockerfile index 79da6bcc06b..7d927e26ba7 100644 --- a/flavors/terraform/Dockerfile +++ b/flavors/terraform/Dockerfile @@ -295,6 +295,10 @@ ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/ass RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin +# trivy-sbom installation +# Next line commented because already managed by another linter +# RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + # vale installation # Managed with COPY --link --from=vale /bin/vale /bin/vale diff --git a/flavors/terraform/flavor.json b/flavors/terraform/flavor.json index b52cf024b2a..8409edcac8f 100644 --- a/flavors/terraform/flavor.json +++ b/flavors/terraform/flavor.json @@ -41,6 +41,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", 
diff --git a/linters/repository_trivy_sbom/Dockerfile b/linters/repository_trivy_sbom/Dockerfile new file mode 100644 index 00000000000..a8360d56f28 --- /dev/null +++ b/linters/repository_trivy_sbom/Dockerfile 
@@ -0,0 +1,214 @@ +# syntax=docker/dockerfile:1 +########################################### +########################################### +## Dockerfile to run MegaLinter ## +########################################### +########################################### + +# @not-generated + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#FROM__START + +#FROM__END + +################## +# Get base image # +################## +FROM python:3.11.4-alpine3.17 +ARG GITHUB_TOKEN + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#ARG__START + +#ARG__END + +#################### +# Run APK installs # +#################### + +WORKDIR / + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#APK__START +RUN apk add --no-cache \ + bash \ + ca-certificates \ + curl \ + gcc \ + git \ + git-lfs \ + libffi-dev \ + make \ + musl-dev \ + openssh \ + && git config --global core.autocrlf true +#APK__END + +# PATH for golang & python +ENV GOROOT=/usr/lib/go \ + GOPATH=/go + # PYTHONPYCACHEPREFIX="$HOME/.cache/cpython/" NV: not working for all packages :/ +# hadolint ignore=DL3044 +ENV PATH="$PATH":"$GOROOT"/bin:"$GOPATH"/bin +RUN mkdir -p ${GOPATH}/src ${GOPATH}/bin || true && \ + # Ignore npm package issues + yarn config set ignore-engines true || true + 
+############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#PIP__START + +#PIP__END + +#PIPVENV__START + +#PIPVENV__END + +############################ +# Install NPM dependencies # +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# + +ENV NODE_OPTIONS="--max-old-space-size=8192" \ + NODE_ENV=production +#NPM__START + +#NPM__END + +# Add node packages to path # +ENV PATH="/node-deps/node_modules/.bin:${PATH}" \ + NODE_PATH="/node-deps/node_modules" + +############################## +# Installs ruby dependencies # +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# + +#GEM__START + +#GEM__END + +############################## +# Installs rust dependencies # +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# + +#CARGO__START + +#CARGO__END + +############################## +# COPY instructions # +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## 
+############################################################################################# + +#COPY__START + +#COPY__END + +############################################################################################# +## @generated by .automation/build.py using descriptor files, please do not update manually ## +############################################################################################# +#OTHER__START +# trivy-sbom installation +RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + + +#OTHER__END + +################################ +# Installs python dependencies # +################################ +COPY megalinter /megalinter +RUN PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py install \ + && PYTHONDONTWRITEBYTECODE=1 python /megalinter/setup.py clean --all \ + && rm -rf /var/cache/apk/* \ + && find . | grep -E "(/__pycache__$|\.pyc$|\.pyo$)" | xargs rm -rf + +####################################### +# Copy scripts and rules to container # +####################################### +COPY megalinter/descriptors /megalinter-descriptors +COPY TEMPLATES /action/lib/.automation + +# Copy server scripts +COPY server /server + +########################### +# Get the build arguments # +########################### +ARG BUILD_DATE +ARG BUILD_REVISION +ARG BUILD_VERSION + +################################################# +# Set ENV values used for debugging the version # +################################################# +ENV BUILD_DATE=$BUILD_DATE \ + BUILD_REVISION=$BUILD_REVISION \ + BUILD_VERSION=$BUILD_VERSION + +#FLAVOR__START +ENV MEGALINTER_FLAVOR=none +#FLAVOR__END + +######################################### +# Label the instance and set maintainer # +######################################### +LABEL com.github.actions.name="MegaLinter" \ + com.github.actions.description="The ultimate linters aggregator to make sure your projects are clean" \ + 
com.github.actions.icon="code" \ + com.github.actions.color="red" \ + maintainer="Nicolas Vuillamy " \ + org.opencontainers.image.created=$BUILD_DATE \ + org.opencontainers.image.revision=$BUILD_REVISION \ + org.opencontainers.image.version=$BUILD_VERSION \ + org.opencontainers.image.authors="Nicolas Vuillamy " \ + org.opencontainers.image.url="https://megalinter.io" \ + org.opencontainers.image.source="https://github.com/oxsecurity/megalinter" \ + org.opencontainers.image.documentation="https://megalinter.io" \ + org.opencontainers.image.vendor="Nicolas Vuillamy" \ + org.opencontainers.image.description="Lint your code base with GitHub Actions" + +#EXTRA_DOCKERFILE_LINES__START +ENV ENABLE_LINTERS=REPOSITORY_TRIVY_SBOM \ + FLAVOR_SUGGESTIONS=false \ + SINGLE_LINTER=REPOSITORY_TRIVY_SBOM \ + PRINT_ALPACA=false \ + LOG_FILE=none \ + SARIF_REPORTER=true \ + TEXT_REPORTER=false \ + UPDATED_SOURCES_REPORTER=false \ + GITHUB_STATUS_REPORTER=false \ + GITHUB_COMMENT_REPORTER=false \ + EMAIL_REPORTER=false \ + FILEIO_REPORTER=false \ + CONFIG_REPORTER=false \ + SARIF_TO_HUMAN=false +RUN mkdir /root/docker_ssh && mkdir /usr/bin/megalinter-sh +EXPOSE 22 +COPY entrypoint.sh /entrypoint.sh +COPY sh /usr/bin/megalinter-sh +COPY sh/megalinter_exec /usr/bin/megalinter_exec +COPY sh/motd /etc/motd +RUN find /usr/bin/megalinter-sh/ -type f -iname "*.sh" -exec chmod +x {} \; && \ + chmod +x entrypoint.sh && \ + chmod +x /usr/bin/megalinter_exec && \ + echo "alias megalinter='python -m megalinter.run'" >> ~/.bashrc && source ~/.bashrc && \ + echo "alias megalinter_exec='/usr/bin/megalinter_exec'" >> ~/.bashrc && source ~/.bashrc +RUN export STANDALONE_LINTER_VERSION="$(python -m megalinter.run --input /tmp --linterversion)" && \ + echo $STANDALONE_LINTER_VERSION +ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] +#EXTRA_DOCKERFILE_LINES__END diff --git a/megalinter/descriptors/all_flavors.json b/megalinter/descriptors/all_flavors.json index 2cbd4f73fb7..725cf06c229 100644 
--- a/megalinter/descriptors/all_flavors.json +++ b/megalinter/descriptors/all_flavors.json @@ -21,6 +21,7 @@ "REPOSITORY_GRYPE", "REPOSITORY_SECRETLINT", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "XML_XMLLINT", "YAML_PRETTIER", "YAML_YAMLLINT", @@ -98,6 +99,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", @@ -166,6 +168,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -238,6 +241,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -318,6 +322,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -384,6 +389,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -448,6 +454,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -512,6 +519,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -578,6 +586,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", "SPELL_CSPELL", @@ -644,6 +653,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "RST_RST_LINT", "RST_RSTCHECK", "RST_RSTFMT", @@ -704,6 +714,7 @@ "REPOSITORY_SECRETLINT", "REPOSITORY_SEMGREP", "REPOSITORY_TRIVY", + "REPOSITORY_TRIVY_SBOM", "RUBY_RUBOCOP", "SNAKEMAKE_LINT", "SNAKEMAKE_SNAKEFMT", 
@@ -762,6 +773,7 @@
 "REPOSITORY_SECRETLINT",
 "REPOSITORY_SEMGREP",
 "REPOSITORY_TRIVY",
+ "REPOSITORY_TRIVY_SBOM",
 "RUST_CLIPPY",
 "SNAKEMAKE_LINT",
 "SNAKEMAKE_SNAKEFMT",
@@ -822,6 +834,7 @@
 "REPOSITORY_SECRETLINT",
 "REPOSITORY_SEMGREP",
 "REPOSITORY_TRIVY",
+ "REPOSITORY_TRIVY_SBOM",
 "SALESFORCE_SFDX_SCANNER_APEX",
 "SALESFORCE_SFDX_SCANNER_AURA",
 "SALESFORCE_SFDX_SCANNER_LWC",
@@ -863,6 +876,7 @@
 "REPOSITORY_SEMGREP",
 "REPOSITORY_SYFT",
 "REPOSITORY_TRIVY",
+ "REPOSITORY_TRIVY_SBOM",
 "TERRAFORM_TFLINT",
 "TERRAFORM_TERRASCAN",
 "TERRAFORM_TERRAGRUNT"
@@ -910,6 +924,7 @@
 "REPOSITORY_SECRETLINT",
 "REPOSITORY_SEMGREP",
 "REPOSITORY_TRIVY",
+ "REPOSITORY_TRIVY_SBOM",
 "SNAKEMAKE_LINT",
 "SNAKEMAKE_SNAKEFMT",
 "SPELL_CSPELL",
@@ -969,6 +984,7 @@
 "REPOSITORY_SECRETLINT",
 "REPOSITORY_SEMGREP",
 "REPOSITORY_TRIVY",
+ "REPOSITORY_TRIVY_SBOM",
 "SNAKEMAKE_LINT",
 "SNAKEMAKE_SNAKEFMT",
 "SPELL_CSPELL",
diff --git a/megalinter/descriptors/repository.megalinter-descriptor.yml b/megalinter/descriptors/repository.megalinter-descriptor.yml
index 719459aefa5..d583cb2fb52 100644
--- a/megalinter/descriptors/repository.megalinter-descriptor.yml
+++ b/megalinter/descriptors/repository.megalinter-descriptor.yml
@@ -495,3 +495,42 @@ linters:
 vscode:
 - name: VSCode Trivy
 url: https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner
+
+ # TRIVY
+ - linter_name: trivy-sbom
+ name: REPOSITORY_TRIVY_SBOM
+ cli_executable: trivy
+ descriptor_flavors:
+ - all_flavors # Applicable to CI in any language project
+ - ci_light
+ - cupcake
+ - security
+ linter_text: |
+ Generates SBOM (Software Bill Of Material) using Trivy
+ linter_url: https://aquasecurity.github.io/trivy/
+ linter_repo: https://github.com/aquasecurity/trivy
+ linter_speed: 2
+ linter_banner_image_url: https://github.com/aquasecurity/trivy/raw/main/docs/imgs/logo.png
+ linter_rules_configuration_url: https://aquasecurity.github.io/trivy/latest/docs/configuration/
+ linter_rules_ignore_config_url: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-inline-comments
+ cli_lint_mode: project
+ config_file_name: trivy-sbom.yaml
+ cli_config_arg_name: --config
+ cli_lint_extra_args:
+ - fs
+ - --format
+ - spdx-json
+ cli_lint_extra_args_after:
+ - "."
+ test_folder: trivy
+ examples:
+ - "trivy fs --format spdx-json ."
+ - "trivy fs --config trivy-sbom.yaml --format spdx-json ."
+ install:
+ dockerfile:
+ - |
+ RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+ ide:
+ vscode:
+ - name: VSCode Trivy
+ url: https://marketplace.visualstudio.com/items?itemName=AquaSecurityOfficial.trivy-vulnerability-scanner
diff --git a/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json b/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
index 1c70283a5ee..c65f78b3e90 100644
--- a/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
+++ b/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json
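Review bot: The `install.dockerfile` line fetches `contrib/install.sh` from the `main` branch and pipes it straight into `sh` with no version argument, so the tool that produces the SBOM is itself unpinned and unverified at image build time — every rebuild picks up whatever the latest Trivy release is, which makes the generated SBOM non-reproducible across builds and leaves the image dependent on an unverified remote script. The installer accepts a release tag as its positional argument, so pinning is a one-token change: `RUN wget --tries=5 -q -O - https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v<PINNED_TRIVY_VERSION>`; the REPOSITORY_TRIVY entry above presumably carries the same install line and should pin the same tag so both linters share one binary. Two smaller things in the same block: the section comment `# TRIVY` is copied from the preceding entry and should read `# TRIVY SBOM`, and `linter_text` should say "Software Bill Of Materials".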
@@ -192,6 +192,7 @@
 "REPOSITORY_SEMGREP",
 "REPOSITORY_SYFT",
 "REPOSITORY_TRIVY",
+ "REPOSITORY_TRIVY_SBOM",
 "RST_RST_LINT",
 "RST_RSTCHECK",
 "RST_RSTFMT",
diff --git a/megalinter/tests/test_megalinter/linters/repository_trivy_sbom_test.py b/megalinter/tests/test_megalinter/linters/repository_trivy_sbom_test.py
new file mode 100644
index 00000000000..9f1418e7aa2
--- /dev/null
+++ b/megalinter/tests/test_megalinter/linters/repository_trivy_sbom_test.py
@@ -0,0 +1,47 @@
+# !/usr/bin/env python3
+"""
+Unit tests for REPOSITORY linter trivy-sbom
+This class has been automatically @generated by .automation/build.py, please don't update it manually
+"""
+
+import os
+import unittest
+from unittest import TestCase
+
+from megalinter.tests.test_megalinter.LinterTestRoot import LinterTestRoot
+
+
+class repository_trivy_sbom_test(TestCase, LinterTestRoot):
+ descriptor_id = "REPOSITORY"
+ linter_name = "trivy-sbom"
+
+ def test_success(self):
+ self.check_if_another_test_suite()
+ super().test_success()
+
+ def test_failure(self):
+ raise unittest.SkipTest("Skipped because SBOM generation can not fail")
+
+ def test_get_linter_version(self):
+ self.check_if_another_test_suite()
+ super().test_get_linter_version()
+
+ def test_get_linter_help(self):
+ self.check_if_another_test_suite()
+ super().test_get_linter_help()
+
+ def test_report_tap(self):
+ self.check_if_another_test_suite()
+ super().test_report_tap()
+
+ def test_report_sarif(self):
+ self.check_if_another_test_suite()
+ super().test_report_sarif()
+
+ def test_format_fix(self):
+ self.check_if_another_test_suite()
+ super().test_format_fix()
+
+ def check_if_another_test_suite(self):
+ if os.environ.get("SINGLE_LINTER", "") == "REPOSITORY_TRIVY":
+ raise unittest.SkipTest("Skipped because unrelated test suite")
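Review bot: The first line of the new test file, `# !/usr/bin/env python3`, has a space after `#`, so it is an ordinary comment rather than a shebang and the file cannot be executed directly; since the header says the file is generated by `.automation/build.py`, the fix (`#!/usr/bin/env python3`) belongs in that template rather than in this file. Separately, `check_if_another_test_suite` skips every test only when `SINGLE_LINTER` is `REPOSITORY_TRIVY`, which looks like a guard for the `test_folder: trivy` this linter shares with the REPOSITORY_TRIVY descriptor, but nothing in the method says so; a one-line comment such as `# REPOSITORY_TRIVY shares the trivy test folder; skip when running inside its standalone image` would spare the next reader the guess, and the helper itself would sit better in `LinterTestRoot` than duplicated into each generated test class.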