Merge branch 'main' into feature/add-terraform-docs

trunk-io · Jan 23, 2025 · db4f510 · db4f510
2 parents 986c5f5 + 0c95fa9
commit db4f510
Show file tree

Hide file tree

Showing 20 changed files with 1,030 additions and 97 deletions.
diff --git a/.github/actions/linter_tests/action.yaml b/.github/actions/linter_tests/action.yaml
@@ -20,6 +20,9 @@ inputs:
     description: Additional args to append to the test invocation
     required: false
     default: linters --
+  snyk-token:
+    description: Token to login for snyk test
+    required: true
   sourcery-token:
     description: Token to login for sourcery test
     required: true
@@ -103,6 +106,7 @@ runs:
         PLUGINS_TEST_LINTER_VERSION: ${{ inputs.linter-version }}
         PLUGINS_TEST_CLI_VERSION: ${{ inputs.cli-version }}
         PLUGINS_TEST_CLI_PATH: ${{ env.CLI_PATH }}
+        SNYK_TOKEN: ${{ inputs.snyk-token }}
         SOURCERY_TOKEN: ${{ inputs.sourcery-token }}
         # Debug recurrent eslint circular JSON errors
         DEBUG: Driver:eslint:*,Driver:nixpkgs-fmt:*,Driver:trunk-toolbox:*

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -34,15 +34,15 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         # Override language selection by uncommenting this and choosing your languages
         with:
           languages: javascript
 
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below).
       - name: Autobuild
-        uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/autobuild@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -56,4 +56,4 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -67,6 +67,7 @@ jobs:
         with:
           linter-version: ${{ matrix.linter-version }}
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           trunk-staging-token: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
           trunk-prod-token: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}
@@ -173,14 +174,15 @@ jobs:
           linter-version: ${{ matrix.linter-version }}
           append-args: linters -- --json --outputFile=${{ matrix.results-file }}-res.json
           ref-type: release
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           trunk-staging-token: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
           trunk-prod-token: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}
 
       - name: Upload Test Outputs for Upload Job
         # Only upload results from latest. Always run, except when cancelled.
         if: (failure() || success()) && matrix.linter-version == 'Latest'
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: ${{ matrix.results-file }}-test-results
           path: ${{ matrix.results-file }}-res.json
@@ -198,6 +200,7 @@ jobs:
       TRUNK_API_TOKEN: ${{ secrets.TRUNK_API_TOKEN }}
       TRUNK_OPEN_PR_APP_ID: ${{ secrets.TRUNK_OPEN_PR_APP_ID }}
       TRUNK_OPEN_PR_APP_PRIVATE_KEY: ${{ secrets.TRUNK_OPEN_PR_APP_PRIVATE_KEY }}
+      TRUNK_SNYK_TOKEN: ${{ secrets.TRUNK_SNYK_TOKEN }}
       TRUNK_SOURCERY_TOKEN: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
       TRUNK_DEBUGGER_TOKEN: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
       TRUNK_ORG_PROD_TOKEN: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}
@@ -241,7 +244,7 @@ jobs:
       - name: Upload Test Outputs for Notification Job
         # Always run, except when cancelled.
         if: (failure() || success())
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: tools-${{ matrix.results-file }}-test-results
           path: ${{ matrix.results-file }}-res.json
@@ -254,6 +257,7 @@ jobs:
     uses: ./.github/workflows/upload_results.reusable.yaml
     secrets:
       TRUNKBOT_SLACK_BOT_TOKEN: ${{ secrets.TRUNKBOT_SLACK_BOT_TOKEN }}
+      TRUNK_SNYK_TOKEN: ${{ secrets.TRUNK_SNYK_TOKEN }}
       TRUNK_SOURCERY_TOKEN: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
       TRUNK_DEBUGGER_TOKEN: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
       TRUNK_ORG_PROD_TOKEN: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -151,6 +151,7 @@ jobs:
         with:
           linter-version: KnownGoodVersion
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           append-args:
             ${{ needs.detect_changes.outputs.all-linters }} ${{
@@ -167,6 +168,7 @@ jobs:
         with:
           linter-version: Latest
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           append-args: ${{ needs.detect_changes.outputs.linters-files }}
           trunk-staging-token: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
@@ -262,6 +264,7 @@ jobs:
         with:
           linter-version: Latest
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           cli-path: ${{ github.workspace }}\trunk.ps1
           append-args: ${{needs.detect_changes.outputs.linters-files }} -- --maxWorkers=5

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -57,14 +57,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: Upload artifact
-        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/upload_results.reusable.yaml b/.github/workflows/upload_results.reusable.yaml
@@ -34,6 +34,8 @@ on:
         required: false
       TRUNK_OPEN_PR_APP_PRIVATE_KEY:
         required: false
+      TRUNK_SNYK_TOKEN:
+        required: false
       TRUNK_SOURCERY_TOKEN:
         required: false
       TRUNK_DEBUGGER_TOKEN:
@@ -242,6 +244,7 @@ jobs:
           linter-version: Latest
           ref-type: main
           append-args: ${{ needs.upload_test_results.outputs.reruns }} -- -u
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           trunk-staging-token: ${{ secrets.TRUNK_DEBUGGER_TOKEN }}
           trunk-prod-token: ${{ secrets.TRUNK_ORG_PROD_TOKEN }}

diff --git a/.github/workflows/windows_nightly.yaml b/.github/workflows/windows_nightly.yaml
@@ -45,6 +45,7 @@ jobs:
         with:
           linter-version: ${{ matrix.linter-version }}
           ref-type: main
+          snyk-token: ${{ secrets.TRUNK_SNYK_TOKEN }}
           sourcery-token: ${{ secrets.TRUNK_SOURCERY_TOKEN }}
           cli-path: ${{ github.workspace }}\trunk.ps1
           # manually specify more parallelism to avoid bottlenecks

diff --git a/.gitignore b/.gitignore
@@ -8,3 +8,6 @@ node_modules/
 out/
 
 junit.xml
+
+# Snyk
+.dccache
diff --git a/README.md b/README.md
@@ -81,7 +81,7 @@ trunk check enable {linter}
 | Ruby            | [brakeman], [rubocop], [rufo], [semgrep], [standardrb]                                                                   |
 | Rust            | [clippy], [rustfmt]                                                                                                      |
 | Scala           | [scalafmt]                                                                                                               |
-| Security        | [checkov], [dustilock], [nancy], [osv-scanner], [tfsec], [trivy], [trufflehog], [terrascan]                              |
+| Security        | [checkov], [dustilock], [nancy], [osv-scanner], [snyk], [tfsec], [trivy], [trufflehog], [terrascan]                      |
 | SQL             | [sqlfluff], [sqlfmt], [sql-formatter], [squawk]                                                                          |
 | SVG             | [svgo]                                                                                                                   |
 | Swift           | [stringslint], [swiftlint], [swiftformat]                                                                                |
@@ -175,6 +175,7 @@ trunk check enable {linter}
 [sqlfluff]: https://github.com/sqlfluff/sqlfluff#readme
 [sqlfmt]: https://github.com/tconbeer/sqlfmt#readme
 [squawk]: https://github.com/sbdchd/squawk#readme
+[snyk]: https://github.com/snyk/cli#readme
 [standardrb]: https://github.com/testdouble/standard#readme
 [stringslint]: https://github.com/dral3x/StringsLint#readme
 [stylelint]: https://github.com/stylelint/stylelint#readme

diff --git a/linters/biome/plugin.yaml b/linters/biome/plugin.yaml
@@ -32,8 +32,8 @@ lint:
           read_output_from: stderr
         - name: fmt
           output: rewrite
-          run: biome format --write "${target}"
-          success_codes: [0]
+          run: biome check --fix "${target}"
+          success_codes: [0, 1]
           batch: true
           cache_results: true
           formatter: true

diff --git a/linters/ruff/test_data/ruff_nbqa_v0.9.2_basic_nb.check.shot b/linters/ruff/test_data/ruff_nbqa_v0.9.2_basic_nb.check.shot
@@ -0,0 +1,49 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+// trunk-upgrade-validation:RELEASE
+
+exports[`Testing linter ruff-nbqa test basic_nb 1`] = `
+{
+  "issues": [
+    {
+      "code": "error",
+      "file": "test_data/basic_nb.in.ipynb",
+      "issueClass": "ISSUE_CLASS_EXISTING",
+      "level": "LEVEL_HIGH",
+      "linter": "ruff-nbqa",
+      "message": "/tmp/plugins_/test_data/basic_nb.in.ipynb:cell_1:1:8: F401 [*] \`os\` imported but unused
+  |
+1 | # %%NBQA-CELL-SEP
+2 | import os
+  |        ^^ F401
+3 |
+4 | print("Hello World!")
+  |
+  = help: Remove unused import: \`os\`",
+      "targetType": "jupyter",
+    },
+  ],
+  "lintActions": [
+    {
+      "command": "lint",
+      "fileGroupName": "jupyter",
+      "linter": "ruff-nbqa",
+      "paths": [
+        "test_data/basic_nb.in.ipynb",
+      ],
+      "verb": "TRUNK_VERB_CHECK",
+    },
+    {
+      "command": "lint",
+      "fileGroupName": "jupyter",
+      "linter": "ruff-nbqa",
+      "paths": [
+        "test_data/basic_nb.in.ipynb",
+      ],
+      "upstream": true,
+      "verb": "TRUNK_VERB_CHECK",
+    },
+  ],
+  "taskFailures": [],
+  "unformattedFiles": [],
+}
+`;
diff --git a/linters/snyk/plugin.yaml b/linters/snyk/plugin.yaml
@@ -0,0 +1,66 @@
+version: 0.1
+downloads:
+  - name: snyk
+    downloads:
+      - url: https://downloads.snyk.io/cli/v${version}/snyk-${os}-${cpu}
+        cpu: arm_64
+        os:
+          macos: macos
+          linux: linux
+      - url: https://downloads.snyk.io/cli/v${version}/snyk-${os}
+        cpu: x86_64
+        os:
+          macos: macos
+          linux: linux
+      - url: https://downloads.snyk.io/cli/v${version}/snyk-win.exe
+        os: windows
+tools:
+  definitions:
+    - name: snyk
+      download: snyk
+      known_good_version: 1.1295.0
+      shims: [snyk]
+      health_checks:
+        - command: snyk --version
+          parse_regex: ${semver}
+lint:
+  definitions:
+    - name: snyk
+      tools: [snyk]
+      suggest_if: config_present
+      description: Security scanning tool for code, dependencies and containers
+      known_good_version: 1.1295.0
+      commands:
+        - name: test
+          files: [lockfile]
+          output: sarif
+          run: snyk test --sarif --skip-unresolved --file=${target}
+          success_codes: [0, 1] # Snyk returns 1 when vulnerabilities are found
+          read_output_from: stdout
+          batch: false
+          is_security: true
+        - name: code
+          files: [javascript, typescript, java, python]
+          output: sarif
+          run: snyk code test --sarif .
+          run_from: ${parent}
+          success_codes: [0, 1]
+          read_output_from: stdout
+          sandbox_type: copy_targets
+          batch: true
+          is_security: true
+        - name: container
+          files: [docker]
+          output: sarif
+          run: snyk container test --sarif ${target}
+          success_codes: [0, 1]
+          read_output_from: stdout
+          batch: true
+          is_security: true
+      direct_configs: [.snyk]
+      environment:
+        - name: SNYK_TOKEN
+          optional: true
+          value: ${env.SNYK_TOKEN}
+        - name: PATH
+          list: ["${linter}", "${env.PATH}"]
diff --git a/linters/snyk/snyk.test.ts b/linters/snyk/snyk.test.ts
@@ -0,0 +1,4 @@
+import { customLinterCheckTest } from "tests";
+import { TEST_DATA } from "tests/utils";
+
+customLinterCheckTest({ linterName: "snyk", args: TEST_DATA, testName: "basic" });
diff --git a/linters/snyk/test_data/SqlInjectionLess4.java b/linters/snyk/test_data/SqlInjectionLess4.java
@@ -0,0 +1,77 @@
+
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+ package org.owasp.webgoat.sql_injection.introduction;
+
+ import org.owasp.webgoat.assignments.AssignmentEndpoint;
+ import org.owasp.webgoat.assignments.AssignmentHints;
+ import org.owasp.webgoat.assignments.AttackResult;
+ import org.springframework.web.bind.annotation.PostMapping;
+ import org.springframework.web.bind.annotation.RequestParam;
+ import org.springframework.web.bind.annotation.ResponseBody;
+ import org.springframework.web.bind.annotation.RestController;
+
+ import javax.sql.DataSource;
+ import java.sql.*;
+
+ import static java.sql.ResultSet.*;
+
+
+ @RestController
+ @AssignmentHints(value = {"SqlStringInjectionHint4-1", "SqlStringInjectionHint4-2", "SqlStringInjectionHint4-3"})
+ public class SqlInjectionLesson4 extends AssignmentEndpoint {
+
+     private final DataSource dataSource;
+
+     public SqlInjectionLesson4(DataSource dataSource) {
+         this.dataSource = dataSource;
+     }
+
+     @PostMapping("/SqlInjection/attack4")
+     @ResponseBody
+     public AttackResult completed(@RequestParam String query) {
+         return injectableQuery(query);
+     }
+
+     protected AttackResult injectableQuery(String query) {
+         try (Connection connection = dataSource.getConnection()) {
+             try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) {
+                 statement.executeUpdate(query);
+                 connection.commit();
+                 ResultSet results = statement.executeQuery("SELECT phone from employees;");
+                 StringBuffer output = new StringBuffer();
+                 // user completes lesson if column phone exists
+                 if (results.first()) {
+                     output.append("<span class='feedback-positive'>" + query + "</span>");
+                     return success(this).output(output.toString()).build();
+                 } else {
+                     return failed(this).output(output.toString()).build();
+                 }
+             } catch (SQLException sqle) {
+                 return failed(this).output(sqle.getMessage()).build();
+             }
+         } catch (Exception e) {
+             return failed(this).output(this.getClass().getName() + " : " + e.getMessage()).build();
+         }
+     }
+ }
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,3 +8,6 @@ node_modules/ @@
     out/
     junit.xml
+    # Snyk
+    .dccache