From 7d50e84722feefaf7057266a2a948e53bf057c57 Mon Sep 17 00:00:00 2001
From: chgl
Date: Tue, 3 Oct 2023 20:10:09 +0200
Subject: [PATCH] chore(deps): updated megalinter to latest to fix trivy
---
.config/dotnet-tools.json | 10 +++-------
.github/workflows/ci.yaml | 4 ++--
.github/workflows/mega-linter.yml | 14 +++++++-------
.kics.yaml | 3 +++
.markdownlintignore | 1 +
.mega-linter.yml | 18 +++++++++++++++++-
.trivy.yaml | 3 +++
.trivyignore | 5 +++++
Dockerfile | 3 +++
README.md | 30 +++++++++++++++---------------
docker-compose.yaml | 4 +++-
grpc-utils.Dockerfile | 6 +++---
12 files changed, 65 insertions(+), 36 deletions(-)
create mode 100644 .kics.yaml
create mode 100644 .markdownlintignore
create mode 100644 .trivy.yaml
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
index 20fa420..8d66078 100644
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@@ -4,15 +4,11 @@
"tools": {
"dotnet-outdated-tool": {
"version": "4.5.3",
- "commands": [
- "dotnet-outdated"
- ]
+ "commands": ["dotnet-outdated"]
},
"csharpier": {
"version": "0.25.0",
- "commands": [
- "dotnet-csharpier"
- ]
+ "commands": ["dotnet-csharpier"]
}
}
-}
\ No newline at end of file
+}
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 40fa50f..2b6035f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -288,7 +288,7 @@ jobs:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- - uses: iter8-tools/iter8@bf13530586a447220caccf71fae506350b47fd75 # v0.18.4
+ - uses: iter8-tools/iter8@9b867240dcaa77858d2458f52a3845e47ea2c657 # v0.13.17
- name: Create KinD cluster
uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
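Review bot: The iter8 pin's version comment goes from `# v0.18.4` to `# v0.13.17` in a commit described as a dependency update, so either the new SHA is a downgrade or the comment no longer matches the commit it sits next to. A SHA pin is only as reviewable as its annotation: please confirm that `9b867240dcaa77858d2458f52a3845e47ea2c657` is the commit tagged with the version written in the comment, and that the move from 0.18 to 0.13 is intended rather than a tooling mix-up. If the higher version was never real, say so in the commit message so the next bump does not "fix" it back.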
@@ -419,7 +419,7 @@ jobs:
- test-api-container
permissions:
actions: read # for detecting the Github Actions environment.
- id-token: write # for creating OIDC tokens for signing.
+ id-token: write
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index 8b939e5..4fa52c2 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -6,9 +6,8 @@ name: MegaLinter
on:
# Trigger mega-linter at every push. Action will also be visible from Pull Requests to master
pull_request:
- branches: [master, main]
+ branches: [master]
-# Declare default permissions as read only.
permissions: read-all
env: # Comment env block if you do not want to apply fixes
@@ -31,8 +30,9 @@ jobs:
steps:
# Git Checkout
- name: Checkout Code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
+ token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances
# MegaLinter
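Review bot: The added `token: ${{ secrets.GITHUB_TOKEN }}` on the checkout step is the action's default and changes nothing, while the workflow keeps `permissions: read-all`, so the token that checkout persists into `.git/config` is read-only and the apply-fixes push mode the retained `env:` comment refers to cannot push anyway. Either drop the redundant `token:` line, or if fixes are meant to be pushed, grant `contents: write` (and `pull-requests: write`) on this job alone rather than loosening the workflow-level default. If the token is only needed for MegaLinter's API calls it is already passed through MegaLinter's own `GITHUB_TOKEN` env, in which case `persist-credentials: false` on the checkout keeps it out of the workspace that every later step can read. The `env:` block and the job's remaining steps continue outside this hunk.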
@@ -40,18 +40,18 @@ jobs:
id: ml
# You can override MegaLinter flavor used to have faster performances
# More info at https://oxsecurity.github.io/megalinter/flavors/
- uses: oxsecurity/megalinter@93700f8c21c59ea784a32abe23896e49e54463b8 # v6.22.2
+ uses: oxsecurity/megalinter@a87b2872713c6bdde46d2473c5d7ed23e5752dc2 # v7.4.0
env:
# All available variables are described in documentation
# https://oxsecurity.github.io/megalinter/configuration/
- VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+ VALIDATE_ALL_CODEBASE: "true"
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
# Upload MegaLinter artifacts
- name: Archive production artifacts
- if: ${{ success() }} || ${{ failure() }}
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # tag=v2
+ if: ${{ always() }}
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: MegaLinter reports
path: |
diff --git a/.kics.yaml b/.kics.yaml
new file mode 100644
index 0000000..7ee390d
--- /dev/null
+++ b/.kics.yaml
@@ -0,0 +1,3 @@
+exclude-paths:
+ - "tests/"
+ - "src/Vfps/Protos/vfps/api/v1/*.proto"
diff --git a/.markdownlintignore b/.markdownlintignore
new file mode 100644
index 0000000..1b763b1
--- /dev/null
+++ b/.markdownlintignore
@@ -0,0 +1 @@
+CHANGELOG.md
diff --git a/.mega-linter.yml b/.mega-linter.yml
index c32fc89..6d2097e 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
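Review bot: With `VALIDATE_ALL_CODEBASE: "true"` now hard-coded, the checkout step's `fetch-depth: 0` (whose own inline comment says it can be removed once this is true) fetches full history on every pull request for no benefit; either drop it or replace that comment with the reason a full clone is still needed. The old `${{ success() }} || ${{ failure() }}` was never evaluated as one expression, so `if: ${{ always() }}` is the right fix, but note it also uploads reports for cancelled runs, which is presumably wanted for triage. A one-line comment such as `# full scan on every PR so new linters (trivy, kics) see the whole tree` above the `VALIDATE_ALL_CODEBASE` line would tell the next reader why the push-to-master gate was removed.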
@@ -10,10 +10,26 @@ DISABLE:
DISABLE_LINTERS:
- REPOSITORY_DEVSKIM
+ - SPELL_LYCHEE
SHOW_ELAPSED_TIME: true
FILEIO_REPORTER: false
# DISABLE_ERRORS: true # Uncomment if you want MegaLinter to detect errors but not block CI to pass
REPOSITORY_TRIVY_ARGUMENTS:
- - "--severity='HIGH,CRITICAL'"
+ - "--severity=MEDIUM,HIGH,CRITICAL"
+
+REPOSITORY_CHECKOV_ARGUMENTS:
+ - "--skip-path=tests/"
+
+IGNORE_GITIGNORED_FILES: true
+
+REPOSITORY_KICS_ARGUMENTS:
+ - --fail-on=HIGH
+
+REPOSITORY_KICS_CONFIG_FILE: .kics.yaml
+
+MARKDOWN_MARKDOWN_TABLE_FORMATTER_ARGUMENTS:
+ - -p 0
+
+REPOSITORY_TRIVY_CONFIG_FILE: .trivy.yaml
diff --git a/.trivy.yaml b/.trivy.yaml
new file mode 100644
index 0000000..fb39695
--- /dev/null
+++ b/.trivy.yaml
@@ -0,0 +1,3 @@
+scan:
+ skip-dirs:
+ - tests/
diff --git a/.trivyignore b/.trivyignore
index bd0778b..5e22b78 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,3 +1,8 @@
# iter8 requires access to secrets
+ AVD-KSV-0041
KSV041
+
+# OK, already covered by hadolint
+
+AVD-DS-0002
diff --git a/Dockerfile b/Dockerfile
index 057792f..f112b26 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,6 @@
# syntax=docker/dockerfile:1.4
+# kics false positive "Missing User Instruction":
+# kics-scan ignore-line
FROM mcr.microsoft.com/dotnet/nightly/aspnet:7.0.11-jammy-chiseled@sha256:8b2a9b9a8d3c424a368aa347f333d4653e9ed6eb78c9af70e450b5cc514bf3b8 AS runtime
WORKDIR /opt/vfps
EXPOSE 8080/tcp 8081/tcp 8082/tcp
@@ -74,6 +76,7 @@ COPY tests/chaos/chaos.yaml /tmp/
COPY --from=build-stress-test /build/publish .
# currently running into
# when running as non-root.
+ # hadolint ignore=DL3002
USER 0:0
ENTRYPOINT ["dotnet"]
diff --git a/README.md b/README.md
index bc9854a..f1731a0 100644
--- a/README.md
+++ b/README.md
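Review bot: The new `.trivyignore` entry `AVD-DS-0002` (final image user is root) is justified as `# OK, already covered by hadolint`, but the same commit adds `# hadolint ignore=DL3002` above `USER 0:0` in the Dockerfile, so the root-user finding is now suppressed in both scanners and nothing will report it. `.trivyignore` is also repository-wide, so it hides a root final user in every Dockerfile, not just the stress-test stage; prefer an inline `#trivy:ignore:AVD-DS-0002` directly above that `USER 0:0` if the trivy version MegaLinter bundles supports it, or at minimum replace the comment with `# AVD-DS-0002: stress-test stage must run as root, see <issue>` so the suppression stays tied to its reason. The Dockerfile's own justification, `# currently running into # when running as non-root.`, appears to have lost the issue reference after "into" and should be restored. Separately, trivy now fails on MEDIUM while KICS gets `--fail-on=HIGH`; if that difference is deliberate, a short comment on the KICS line would save the next reader from assuming one of them is a typo.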
@@ -58,21 +58,21 @@ See for a production Available configuration options which can be set as environment variables: -| Variable | Type | Default | Description | -| -------------------------------------------------- | ------------ | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `ConnectionStrings__PostgreSQL` | `string` | `""` | Connection string to the PostgreSQL database. See for options. | -| `ForceRunDatabaseMigrations` | `bool` | `false` | Run database migrations as part of the startup. Only recommended when a single replica of the application is used. | -| `Tracing__IsEnabled` | `bool` | `false` | Enable distributed tracing support. | -| `Tracing__Exporter` | `string` | `"jaeger"` | The tracing export format. One of `jaeger`, `otlp`. | -| `Tracing__ServiceName` | `string` | `"vfps"` | Tracing service name. | -| `Tracing__RootSampler` | `string` | `"AlwaysOnSampler"` | Tracing parent root sampler. One of `AlwaysOnSampler`, `AlwaysOffSampler`, `TraceIdRatioBasedSampler` | -| `Tracing__SamplingProbability` | `double` | `0.1` | Sampling probability to use if `Tracing__RootSampler` is set to `TraceIdRatioBasedSampler`. | -| `Tracing__Jaeger` | `object` | `{}` | Jaeger exporter options. See . | -| `Tracing__Otlp__Endpoint` | `string` | `""` | The OTLP gRPC Endpoint URL. | -| `Pseudonymization__Caching__Namespaces__IsEnabled` | `bool` | `false` | Set to `true` to enable namespace caching. | -| `Pseudonymization__Caching__Pseudonyms__IsEnabled` | `bool` | `false` | Set to `true` to enable pseudonym caching. | -| `Pseudonymization__Caching__SizeLimit` | `int` | `65534` | Maximum number of entries in the cache. The cache is shared between the pseudonyms and namespaces. | -| `Pseudonymization__Caching__AbsoluteExpiration` | `D.HH:mm:nn` | `0.01:00:00` | Time after which a cache entry expires. 
| +| Variable | Type | Default | Description | +| -------------------------------------------------- | ------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------- | +| `ConnectionStrings__PostgreSQL` | `string` | `""` | Connection string to the PostgreSQL database. See for options. | +| `ForceRunDatabaseMigrations` | `bool` | `false` | Run database migrations as part of the startup. Only recommended when a single replica of the application is used. | +| `Tracing__IsEnabled` | `bool` | `false` | Enable distributed tracing support. | +| `Tracing__Exporter` | `string` | `"jaeger"` | The tracing export format. One of `jaeger`, `otlp`. | +| `Tracing__ServiceName` | `string` | `"vfps"` | Tracing service name. | +| `Tracing__RootSampler` | `string` | `"AlwaysOnSampler"` | Tracing parent root sampler. One of `AlwaysOnSampler`, `AlwaysOffSampler`, `TraceIdRatioBasedSampler` | +| `Tracing__SamplingProbability` | `double` | `0.1` | Sampling probability to use if `Tracing__RootSampler` is set to `TraceIdRatioBasedSampler`. | +| `Tracing__Jaeger` | `object` | `{}` | Jaeger exporter options. | +| `Tracing__Otlp__Endpoint` | `string` | `""` | The OTLP gRPC Endpoint URL. | +| `Pseudonymization__Caching__Namespaces__IsEnabled` | `bool` | `false` | Set to `true` to enable namespace caching. | +| `Pseudonymization__Caching__Pseudonyms__IsEnabled` | `bool` | `false` | Set to `true` to enable pseudonym caching. | +| `Pseudonymization__Caching__SizeLimit` | `int` | `65534` | Maximum number of entries in the cache. The cache is shared between the pseudonyms and namespaces. | +| `Pseudonymization__Caching__AbsoluteExpiration` | `D.HH:mm:nn` | `0.01:00:00` | Time after which a cache entry expires. | ## Observability diff --git a/docker-compose.yaml b/docker-compose.yaml index 70b0690..930bd3a 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -1,6 +1,6 @@
services:
postgresql:
- image: docker.io/library/postgres:15.4@sha256:33c234a3fa0147070cd8697cddac925e543a218e5a2fc92758f6d5296eef3d22
+ image: docker.io/library/postgres:16.0@sha256:f1aaf6f8be5552bef66c5580efbd2942c37d7277cd0416ef4939fa34bf0baf31
restart: unless-stopped
deploy:
resources:
@@ -13,6 +13,7 @@ services:
- "no-new-privileges:true"
privileged: false
environment:
+ # kics-scan ignore-line
POSTGRES_PASSWORD: postgres
POSTGRES_DB: vfps
ports:
@@ -64,6 +65,7 @@ services:
ForceRunDatabaseMigrations: "true"
ConnectionStrings__PostgreSQL: "Host=postgresql:5432;Database=vfps;Timeout=60;Max Auto Prepare=5;Application Name=vfps;Maximum Pool Size=50;"
PGUSER: postgres
+ # kics-scan ignore-line
PGPASSWORD: postgres
ports:
# Http1, Http2, Http3
diff --git a/grpc-utils.Dockerfile b/grpc-utils.Dockerfile
index 0543713..526b286 100644
--- a/grpc-utils.Dockerfile
+++ b/grpc-utils.Dockerfile
@@ -1,9 +1,9 @@
# syntax=docker/dockerfile:1.4
-FROM docker.io/library/ubuntu:22.10@sha256:e322f4808315c387868a9135beeb11435b5b83130a8599fd7d0014452c34f489
+FROM docker.io/library/ubuntu:22.04@sha256:9b8dec3bf938bc80fbe758d856e96fdfab5f56c39d44b0cff351e847bb1b01ea
SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
-ENV GRPCURL_URL=https://github.com/fullstorydev/grpcurl/releases/download/v1.8.7/grpcurl_1.8.7_linux_x86_64.tar.gz \
- GHZ_URL=https://github.com/bojand/ghz/releases/download/v0.110.0/ghz-linux-x86_64.tar.gz
+ENV GRPCURL_URL=https://github.com/fullstorydev/grpcurl/releases/download/v1.8.8/grpcurl_1.8.8_linux_x86_64.tar.gz \
+ GHZ_URL=https://github.com/bojand/ghz/releases/download/v0.117.0/ghz-linux-x86_64.tar.gz
# hadolint ignore=DL3008
RUN <
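Review bot: The bare `# kics-scan ignore-line` above `POSTGRES_PASSWORD: postgres` (and the identical one above `PGPASSWORD: postgres` in the following hunk) silences the hard-coded-credential finding without recording why, so a later reader cannot tell a throwaway dev credential from one that was committed by accident. Put the reason on the line above the directive, e.g. `# dev-only credentials for the local compose stack; real deployments must supply their own secret`, so the justification travels with the suppression. If this compose file is indeed only for local use (inferred from the README's separate production guidance, not visible here), moving both values into a git-ignored `.env` referenced via `env_file:` would remove the password from the repository and make the KICS exceptions unnecessary. The `ports:` lists and the rest of both services continue outside these hunks.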