diff --git a/.github/workflows/bump-trivy.yaml b/.github/workflows/bump-trivy.yaml
index 4f4ce76..0ad310a 100644
--- a/.github/workflows/bump-trivy.yaml
+++ b/.github/workflows/bump-trivy.yaml
@@ -22,6 +22,9 @@ jobs:
 - name: Update Trivy versions
 run: make bump-trivy
 
+ - name: Update golden files
+ run: make update-golden
+
 - name: Create PR
 id: create-pr
 uses: peter-evans/create-pull-request@v5
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 246ceae..50dd980 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -6,7 +6,7 @@ on:
 workflow_dispatch:
 
 env:
- TRIVY_VERSION: 0.64.1
+ TRIVY_VERSION: 0.65.0
 BATS_LIB_PATH: '/usr/lib/'
 
 jobs:
diff --git a/Makefile b/Makefile
index a1b72d9..2cf081d 100644
--- a/Makefile
+++ b/Makefile
@@ -7,12 +7,26 @@ SED = gsed
 BATS_LIB_PATH = /opt/homebrew/lib
 endif
 
+BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
+ GITHUB_REPOSITORY_OWNER=aquasecurity \
+ TRIVY_CACHE_DIR=.cache \
+ TRIVY_DISABLE_VEX_NOTICE=true \
+ TRIVY_DEBUG=true
+
+BATS_FLAGS := --recursive --timing --verbose-run .
+
 .PHONY: test
-test:
+test: init-cache
+ $(BATS_ENV) bats $(BATS_FLAGS)
+
+.PHONY: update-golden
+update-golden: init-cache
+ UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
+
+.PHONY: init-cache
+init-cache:
 mkdir -p .cache
- BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
- TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
- bats --recursive --timing --verbose-run .
+ rm -f .cache/fanal/fanal.db
 
 bump-trivy:
 @[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
diff --git a/README.md b/README.md
index b555718..c7cbbd9 100644
--- a/README.md
+++ b/README.md
@@ -215,7 +215,7 @@ jobs:
 uses: aquasecurity/setup-trivy@v0.2.0
 with:
 cache: true
- version: v0.64.1
+ version: v0.65.0
 
 - name: Run Trivy vulnerability scanner in repo mode
 uses: aquasecurity/trivy-action@master
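Review bot: The new `Update golden files` step regenerates every test/data golden file from whatever the freshly bumped Trivy emits, and the following `Create PR` step commits the result, so a report that changed because of a vulnerability-DB refresh, a transient network failure or a genuine scan regression is blessed as the new expected output with no check in between. A comment on the step should make that explicit, e.g. `# Rewrites test/data/* from the new Trivy version; the golden-file diff in the PR must be reviewed, not rubber-stamped`. `make update-golden` also needs bats and its helper libraries on the runner; if this job does not install them (its setup steps are outside the hunk) the step fails before the PR is created.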
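Review bot: The cache directory literal `.cache` now appears three times in the Makefile hunk — in `BATS_ENV` as `TRIVY_CACHE_DIR=.cache` and twice in the `init-cache` recipe — so renaming it in one place would silently desynchronise the environment Trivy sees from the directory `mkdir`/`rm` operate on; define `TRIVY_CACHE_DIR := .cache` once next to `BATS_FLAGS` and use `$(TRIVY_CACHE_DIR)` in all three places. The new `rm -f .cache/fanal/fanal.db` line also carries no explanation; a why-comment stating what a stale `fanal.db` would otherwise do to the results (presumably leak analysis from the previous Trivy version into the golden files — confirm) would save the next maintainer from deleting it. `bump-trivy`, visible at the bottom of the hunk, is still not declared in `.PHONY` alongside the three targets that now are, unless that happens elsewhere in the file.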
@@ -847,7 +847,7 @@ Following inputs can be used as `step.with` keys:
 | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
 | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 | `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
-| `version` | String | `v0.64.1` | Trivy version to use, e.g. `latest` or `v0.64.1` |
+| `version` | String | `v0.65.0` | Trivy version to use, e.g. `latest` or `v0.65.0` |
 | `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` |
 | `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository |
 
diff --git a/action.yaml b/action.yaml
index eedc7f8..714089d 100644
--- a/action.yaml
+++ b/action.yaml
@@ -98,7 +98,7 @@ inputs:
 version:
 description: 'Trivy version to use'
 required: false
- default: 'v0.64.1'
+ default: 'v0.65.0'
 cache:
 description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
 required: false
diff --git a/test/data/config-scan/report.json b/test/data/config-scan/report.json
index f1ac724..b2cd4a4 100644
--- a/test/data/config-scan/report.json
+++ b/test/data/config-scan/report.json
@@ -2,18 +2,6 @@
 "SchemaVersion": 2,
 "ArtifactName": "test/data/config-scan",
 "ArtifactType": "filesystem",
- "Metadata": {
- "ImageConfig": {
- "architecture": "",
- "created": "0001-01-01T00:00:00Z",
- "os": "",
- "rootfs": {
- "type": "",
- "diff_ids": null
- },
- "config": {}
- }
- },
 "Results": [
 {
 "Target": ".",
@@ -50,7 +38,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0086" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -90,8 +77,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -111,7 +97,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0087" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -151,8 +136,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -172,7 +156,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0088" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -212,8 +195,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -234,7 +216,6 @@ "https://avd.aquasec.com/misconfig/s3-bucket-logging" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -274,8 +255,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -295,7 +275,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0090" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket_versioning.bucket_versioning", "Provider": "AWS", @@ -416,7 +395,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0091" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -456,8 +434,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -477,7 +454,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0093" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -517,8 +493,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -538,7 +513,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0094" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", 
@@ -578,8 +552,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -599,7 +572,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0132" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -639,8 +611,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } } ] diff --git a/test/data/image-scan/report b/test/data/image-scan/report index 5b10bb1..993d79f 100644 --- a/test/data/image-scan/report +++ b/test/data/image-scan/report @@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ Windows Subsystem for... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │ +│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │ +│ │ │ │ │ │ │ data integrity tests fail).... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │ diff --git a/test/data/secret-scan/report.json b/test/data/secret-scan/report.json index b7bc4dc..b22503e 100644 --- a/test/data/secret-scan/report.json +++ b/test/data/secret-scan/report.json 
@@ -3,16 +3,12 @@ "ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactType": "repository", "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } + "RepoURL": "https://github.com/krol3/demo-trivy/", + "Branch": "main", + "Commit": "547db823c73fdb3385871f6235e946c72291f734", + "CommitMsg": "chore: add gitignore", + "Author": "carolina valencia ", + "Committer": "carolina valencia " }, "Results": [ { @@ -68,8 +64,7 @@ } ] }, - "Match": "export GITHUB_PAT=****************************************", - "Layer": {} + "Match": "export GITHUB_PAT=****************************************" } ] } diff --git a/test/data/with-ignore-files/report b/test/data/with-ignore-files/report index c31dc97..d188c7f 100644 --- a/test/data/with-ignore-files/report +++ b/test/data/with-ignore-files/report @@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ Windows Subsystem for... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │ +│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │ +│ │ │ │ │ │ │ data integrity tests fail).... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │ diff --git a/test/data/with-tf-vars/report.json b/test/data/with-tf-vars/report.json index 9a187ce..d7286e2 100644 --- a/test/data/with-tf-vars/report.json +++ b/test/data/with-tf-vars/report.json 
@@ -2,18 +2,6 @@
 "SchemaVersion": 2,
 "ArtifactName": "test/data/with-tf-vars/main.tf",
 "ArtifactType": "filesystem",
- "Metadata": {
- "ImageConfig": {
- "architecture": "",
- "created": "0001-01-01T00:00:00Z",
- "os": "",
- "rootfs": {
- "type": "",
- "diff_ids": null
- },
- "config": {}
- }
- },
 "Results": [
 {
 "Target": ".",
diff --git a/test/data/with-trivy-yaml-cfg/report.json b/test/data/with-trivy-yaml-cfg/report.json
index a68318e..64d26a9 100644
--- a/test/data/with-trivy-yaml-cfg/report.json
+++ b/test/data/with-trivy-yaml-cfg/report.json
@@ -1,6 +1,5 @@
 {
 "SchemaVersion": 2,
- "CreatedAt": "2025-06-03T01:26:45.367171-06:00",
 "ArtifactName": "alpine:3.10",
 "ArtifactType": "container_image",
 "Metadata": {
@@ -72,7 +71,7 @@
 "PkgID": "apk-tools@2.10.6-r0",
 "PkgName": "apk-tools",
 "PkgIdentifier": {
- "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9",
+ "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
 "UID": "b7a64ae671a99195"
 },
 "InstalledVersion": "2.10.6-r0",
@@ -123,7 +122,7 @@
 "https://www.cve.org/CVERecord?id=CVE-2021-36159"
 ],
 "PublishedDate": "2021-08-03T14:15:08.233Z",
- "LastModifiedDate": "2023-11-07T03:36:43.337Z"
+ "LastModifiedDate": "2024-11-21T06:13:13.57Z"
 }
 ]
 }
diff --git a/test/test.bats b/test/test.bats
index e3e47c6..e3c10cc 100644
--- a/test/test.bats
+++ b/test/test.bats
@@ -57,9 +57,16 @@ function compare_files() {
 remove_github_fields "$file1"
 remove_github_fields "$file2"
 
- run diff "$file1" "$file2"
- echo "$output"
- assert_files_equal "$file1" "$file2"
+ if [ "${UPDATE_GOLDEN}" = "1" ]; then
+ cp "$file1" "$file2"
+ echo "Updated golden file: $file2"
+ else
+ run diff "$file1" "$file2"
+ echo "$output"
+ assert_files_equal "$file1" "$file2"
+ fi
+
+ rm -f "$file1"
 }
 
 @test "trivy repo with securityCheck secret only" {
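Review bot: The `UPDATE_GOLDEN` switch in `compare_files` is undocumented at the point where it turns the function from an assertion into an overwrite of the golden file; a comment above the `if`, e.g. `# UPDATE_GOLDEN=1 (set by 'make update-golden') rewrites the golden file instead of comparing against it`, would make that visible to anyone reading the tests. In update mode nothing checks that `$file1` has content before it replaces the golden file, so an empty or truncated scan output would be committed as the new expectation; a `[ -s "$file1" ]` before the `cp` closes that gap (a missing file is presumably already caught by `cp` failing under bats' errexit, but an empty one is not). The new `rm -f "$file1"` is reached only when the assertion passes, so a failing comparison leaves the actual output on disk — if that is intended as a debugging aid, say so in a comment; if not, the cleanup belongs in `teardown`. `compare_files` begins before this hunk.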