chore(deps): bump github.com/aquasecurity/trivy from 0.49.1 to 0.52.0 (…

…#61) * chore(deps): bump github.com/aquasecurity/trivy from 0.49.1 to 0.52.0 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.49.1 to 0.52.0. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md) - [Commits](aquasecurity/trivy@v0.49.1...v0.52.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * chore: add tests for all supported languages * fix: Fix test type error * chore: Add test for secret scanning of a specific language * chore: Add reminder for unsupported languages --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Rafael Cortês <[email protected]>
codacy · Jun 5, 2024 · cfcb570 · cfcb570
1 parent c3b8084
commit cfcb570
Show file tree

Hide file tree

Showing 25 changed files with 1,004 additions and 596 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -7,9 +7,9 @@ orbs:
 references:
   install_trivy_and_download_dbs: &install_trivy_and_download_dbs
     persist_to_workspace: true
-    # https://aquasecurity.github.io/trivy/v0.49/getting-started/installation/#install-script
+    # https://aquasecurity.github.io/trivy/v0.52/getting-started/installation/#install-script
     cmd: |
-      curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . v0.49.1
+      curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . v0.52.0
       mkdir cache
       ./trivy --cache-dir ./cache image --download-db-only
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.21-alpine as builder
+FROM golang:1.22-alpine as builder
 
 WORKDIR /src
 

diff --git a/docs/multiple-tests/all-patterns/results.xml b/docs/multiple-tests/all-patterns/results.xml
@@ -1,10 +1,14 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <checkstyle version="1.5">
     <file name="aws-config.txt">
-        <error source="secret" line="1" message="Possible hardcoded secret: AWS Secret Access Key" severity="error" />
-        <error source="secret" line="2" message="Possible hardcoded secret: AWS Access Key ID" severity="error" />
+        <error source="secret" line="1" message="Possible hardcoded secret: AWS Secret Access Key"
+            severity="error" />
+        <error source="secret" line="2" message="Possible hardcoded secret: AWS Access Key ID"
+            severity="error" />
     </file>
-    <file name="dart/pubspec.lock">
-        <error source="vulnerability" line="20" message="Insecure dependency [email protected] (CVE-2021-31402: dio vulnerable to CRLF injection with HTTP method string) (update to 5.0.0)" severity="error" />
+    <file name="gradle/gradle.lockfile">
+        <error source="vulnerability" line="1"
+            message="Insecure dependency org.apache.logging.log4j:log4j-core:2.17.0 (CVE-2021-44832: log4j-core: remote code execution via JDBC Appender) (update to 2.3.2, 2.12.4, 2.17.1)"
+            severity="error" />
     </file>
-</checkstyle>
+</checkstyle>
diff --git a/docs/multiple-tests/all-patterns/src/dart/pubspec.lock b/docs/multiple-tests/all-patterns/src/dart/pubspec.lock
diff --git a/docs/multiple-tests/all-patterns/src/gradle/gradle.lockfile b/docs/multiple-tests/all-patterns/src/gradle/gradle.lockfile
@@ -0,0 +1 @@
+org.apache.logging.log4j:log4j-core:2.17.0
diff --git a/docs/multiple-tests/pattern-secret/results.xml b/docs/multiple-tests/pattern-secret/results.xml
@@ -1,7 +1,14 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <checkstyle version="1.5">
+    <file name="dart/hello-world.dart">
+        <error source="secret" line="2" message="Possible hardcoded secret: AWS Access Key ID"
+            severity="error" />
+    </file>
+
     <file name="aws-config.txt">
-        <error source="secret" line="1" message="Possible hardcoded secret: AWS Secret Access Key" severity="error" />
-        <error source="secret" line="2" message="Possible hardcoded secret: AWS Access Key ID" severity="error" />
+        <error source="secret" line="1" message="Possible hardcoded secret: AWS Secret Access Key"
+            severity="error" />
+        <error source="secret" line="2" message="Possible hardcoded secret: AWS Access Key ID"
+            severity="error" />
     </file>
-</checkstyle>
+</checkstyle>
diff --git a/docs/multiple-tests/pattern-secret/src/dart/hello-world.dart b/docs/multiple-tests/pattern-secret/src/dart/hello-world.dart
@@ -0,0 +1,4 @@
+void main() {
+    var AWS_ACCESS_KEY_ID="AKIA0123456789ABCDEF"
+    print('Hello, World!')
+}
diff --git a/docs/multiple-tests/pattern-vulnerability/results.xml b/docs/multiple-tests/pattern-vulnerability/results.xml
@@ -1,26 +1,123 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <checkstyle version="1.5">
+    <!--
     <file name="dart/pubspec.lock">
-        <error source="vulnerability" line="20" message="Insecure dependency [email protected] (CVE-2021-31402: dio vulnerable to CRLF injection with HTTP method string) (update to 5.0.0)" severity="error" />
+        <error source="vulnerability" line="20"
+            message="Insecure dependency [email protected] (CVE-2021-31402: dio vulnerable to CRLF injection with HTTP
+    method string) (update to 5.0.0)"
+            severity="error" />
     </file>
+
+    <file
+    name="golang/go.mod">
+        <error source="vulnerability" line="5" message="Insecure dependency golang.org/x/[email protected]
+    (CVE-2023-45288: golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes
+    DoS) (update to 0.23.0)" severity="error" />
+        <error source="vulnerability" line="5" message="Insecure dependency golang.org/x/[email protected]
+    (CVE-2023-39325: golang: net/http, x/net/http2: rapid stream resets can cause excessive work
+    (CVE-2023-44487)) (update to 0.17.0)" severity="error" />
+        <error source="vulnerability" line="5" message="Insecure dependency golang.org/x/[email protected]
+    (CVE-2023-44487: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack
+    (Rapid Reset Attack)) (update to 0.17.0)" severity="error" />
+    </file>
+-->
+
+    <file name="dart/pubspec.lock">
+        <!-- TODO: If this tests fail, dart can now be supported. Update the Language file and
+        docs. -->
+        <error message="Line numbers not supported"></error>
+    </file>
+
     <file name="golang/go.mod">
-        <error source="vulnerability" line="5" message="Insecure dependency golang.org/x/[email protected] (CVE-2023-45288: golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS) (update to 0.23.0)" severity="error" />
-        <error source="vulnerability" line="5" message="Insecure dependency golang.org/x/[email protected] (CVE-2023-39325: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)) (update to 0.17.0)" severity="error" />
-        <error source="vulnerability" line="5" message="Insecure dependency golang.org/x/[email protected] (CVE-2023-44487: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)) (update to 0.17.0)" severity="error" />
+        <!-- TODO: If this tests fail, golang can now be supported. Update the Language file and
+        docs. -->
+        <error message="Line numbers not supported"></error>
     </file>
+
     <file name="gradle/gradle.lockfile">
-        <error source="vulnerability" line="1" message="Insecure dependency org.apache.logging.log4j:log4j-core:2.17.0 (CVE-2021-44832: log4j-core: remote code execution via JDBC Appender) (update to 2.3.2, 2.12.4, 2.17.1)" severity="error" />
+        <error source="vulnerability" line="1"
+            message="Insecure dependency org.apache.logging.log4j:log4j-core:2.17.0 (CVE-2021-44832: log4j-core: remote code execution via JDBC Appender) (update to 2.3.2, 2.12.4, 2.17.1)"
+            severity="error" />
+    </file>
+
+    <file name="java/pom.xml">
+        <error source="vulnerability" line="13"
+            message="Insecure dependency org.apache.logging.log4j:log4j-core:2.17.0 (CVE-2021-44832: log4j-core: remote code execution via JDBC Appender) (update to 2.3.2, 2.12.4, 2.17.1)"
+            severity="error" />
+    </file>
+
+    <file name="javascript/package-lock.json">
+        <error source="vulnerability" line="14"
+            message="Insecure dependency [email protected] (CVE-2020-28168: nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address) (update to 0.21.1)"
+            severity="error" />
+        <error source="vulnerability" line="14"
+            message="Insecure dependency [email protected] (CVE-2021-3749: nodejs-axios: Regular expression denial of service in trim function) (update to 0.21.2)"
+            severity="error" />
+        <error source="vulnerability" line="14"
+            message="Insecure dependency [email protected] (CVE-2023-45857: axios: exposure of confidential data stored in cookies) (update to 1.6.0, 0.28.0)"
+            severity="error" />
+    </file>
+
+    <file name="javascript/yarn.lock">
+        <error source="vulnerability" line="5"
+            message="Insecure dependency [email protected] (CVE-2020-28168: nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address) (update to 0.21.1)"
+            severity="error" />
+        <error source="vulnerability" line="5"
+            message="Insecure dependency [email protected] (CVE-2021-3749: nodejs-axios: Regular expression denial of service in trim function) (update to 0.21.2)"
+            severity="error" />
+        <error source="vulnerability" line="5"
+            message="Insecure dependency [email protected] (CVE-2023-45857: axios: exposure of confidential data stored in cookies) (update to 1.6.0, 0.28.0)"
+            severity="error" />
     </file>
-    <file name="python/requirements.txt">
-        <error source="vulnerability" line="2" message="Insecure dependency [email protected] (CVE-2023-32681: python-requests: Unintended leak of Proxy-Authorization header) (update to 2.31.0)" severity="error" />
+
+    <file
+        name="python/Pipfile.lock">
+        <error source="vulnerability" line="123"
+            message="Insecure dependency [email protected] (CVE-2024-3651: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()) (update to 3.7)"
+            severity="error" />
+        <error source="vulnerability" line="131"
+            message="Insecure dependency [email protected] (CVE-2023-32681: python-requests: Unintended leak of Proxy-Authorization header) (update to 2.31.0)"
+            severity="error" />
+        <error source="vulnerability" line="131"
+            message="Insecure dependency [email protected] (CVE-2024-35195: requests: subsequent requests to the same host ignore cert verification) (update to 2.32.0)"
+            severity="error" />
     </file>
-    <file name="python/requirements.txt">
-        <error source="vulnerability" line="2" message="Insecure dependency [email protected] (CVE-2024-35195: requests: subsequent requests to the same host ignore cert verification) (update to 2.32.0)" severity="error" />
+
+    <file
+        name="python/requirements.txt">
+        <error source="vulnerability" line="2"
+            message="Insecure dependency [email protected] (CVE-2023-32681: python-requests: Unintended leak of Proxy-Authorization header) (update to 2.31.0)"
+            severity="error" />
+        <error source="vulnerability" line="2"
+            message="Insecure dependency [email protected] (CVE-2024-35195: requests: subsequent requests to the same host ignore cert verification) (update to 2.32.0)"
+            severity="error" />
     </file>
+
     <file name="ruby/Gemfile.lock">
-        <error source="vulnerability" line="4" message="Insecure dependency [email protected] (CVE-2023-40175: rubygem-puma: HTTP request smuggling when parsing chunked transfer encoding bodies and zero-length content-length headers) (update to ~> 5.6.7, >= 6.3.1)" severity="error" />
+        <error source="vulnerability" line="4"
+            message="Insecure dependency [email protected] (CVE-2023-40175: rubygem-puma: HTTP request smuggling when parsing chunked transfer encoding bodies and zero-length content-length headers) (update to ~> 5.6.7, >= 6.3.1)"
+            severity="error" />
+        <error source="vulnerability" line="4"
+            message="Insecure dependency [email protected] (CVE-2024-21647: rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies) (update to ~> 5.6.8, >= 6.4.2)"
+            severity="error" />
     </file>
-        <file name="ruby/Gemfile.lock">
-        <error source="vulnerability" line="4" message="Insecure dependency [email protected] (CVE-2024-21647: rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies) (update to ~> 5.6.8, >= 6.4.2)" severity="error" />
+
+
+    <file name="swift/Package.resolved">
+        <error source="vulnerability" line="67"
+            message="Insecure dependency github.com/apple/[email protected] (CVE-2022-0618: Denial of service via HTTP/2 HEADERS frames padding) (update to 1.20)"
+            severity="error" />
+        <error source="vulnerability" line="67"
+            message="Insecure dependency github.com/apple/[email protected] (CVE-2022-24666: swift-nio-http2 vulnerable to denial of service via invalid HTTP/2 HEADERS frame length) (update to 1.19.2)"
+            severity="error" />
+        <error source="vulnerability" line="67"
+            message="Insecure dependency github.com/apple/[email protected] (CVE-2022-24667: swift-nio-http2 vulnerable to denial of service via mishandled HPACK variable length integer encoding) (update to 1.19.2)"
+            severity="error" />
+        <error source="vulnerability" line="67"
+            message="Insecure dependency github.com/apple/[email protected] (CVE-2022-24668: swift-nio-http2 vulnerable to denial of service via ALTSVC or ORIGIN frames) (update to 1.19.2)"
+            severity="error" />
+        <error source="vulnerability" line="67"
+            message="Insecure dependency github.com/apple/[email protected] (CVE-2023-44487: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)) (update to 1.28.0)"
+            severity="error" />
     </file>
-</checkstyle>
+</checkstyle>
diff --git a/docs/multiple-tests/pattern-vulnerability/src/c/conan.lock b/docs/multiple-tests/pattern-vulnerability/src/c/conan.lock
diff --git a/docs/multiple-tests/pattern-vulnerability/src/csharp/packages.lock.json b/docs/multiple-tests/pattern-vulnerability/src/csharp/packages.lock.json
diff --git a/docs/multiple-tests/pattern-vulnerability/src/csharp/sample.deps.json b/docs/multiple-tests/pattern-vulnerability/src/csharp/sample.deps.json
diff --git a/docs/multiple-tests/pattern-vulnerability/src/elixir/mix.lock b/docs/multiple-tests/pattern-vulnerability/src/elixir/mix.lock
diff --git a/docs/multiple-tests/pattern-vulnerability/src/java/pom.xml b/docs/multiple-tests/pattern-vulnerability/src/java/pom.xml
@@ -0,0 +1,19 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.example</groupId>
+    <artifactId>happy</artifactId>
+    <version>1.0.0</version>
+
+    <name>happy</name>
+    <description>Example</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>2.17.0</version>
+        </dependency>
+    </dependencies>
+</project>
diff --git a/docs/multiple-tests/pattern-vulnerability/src/javascript/package-lock.json b/docs/multiple-tests/pattern-vulnerability/src/javascript/package-lock.json
diff --git a/docs/multiple-tests/pattern-vulnerability/src/javascript/package.json b/docs/multiple-tests/pattern-vulnerability/src/javascript/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "node-js-sample",
+  "version": "0.2.0",
+  "main": "index.js",
+  "dependencies": {
+    "axios": "0.21.0"
+  }
+}
diff --git a/docs/multiple-tests/pattern-vulnerability/src/javascript/yarn.lock b/docs/multiple-tests/pattern-vulnerability/src/javascript/yarn.lock
@@ -0,0 +1,15 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+[email protected]:
+  version "0.21.0"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-0.21.0.tgz#26df088803a2350dff2c27f96fef99fe49442aca"
+  integrity sha512-fmkJBknJKoZwem3/IKSSLpkdNXZeBu5Q7GA/aRsr2btgrptmSCxi2oFjZHqGdK9DoTil9PIHlPIZw2EcRJXRvw==
+  dependencies:
+    follow-redirects "^1.10.0"
+
+follow-redirects@^1.10.0:
+  version "1.15.6"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b"
+  integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==
diff --git a/docs/multiple-tests/pattern-vulnerability/src/php/composer.lock b/docs/multiple-tests/pattern-vulnerability/src/php/composer.lock
diff --git a/docs/multiple-tests/pattern-vulnerability/src/python/Pipfile b/docs/multiple-tests/pattern-vulnerability/src/python/Pipfile
@@ -0,0 +1,12 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[packages]
+requests = "==v2.30.0"
+
+[dev-packages]
+
+[requires]
+python_version = "3.11"