Merge pull request #57 from joreiche/master

support for split model files, restructured to allow import by other projects, improved command line syntax by use of `cobra`, and more...
Threagile · Feb 3, 2024 · 240f881 · 240f881
2 parents 474cab9 + 5f76e14
commit 240f881
Show file tree

Hide file tree

Showing 223 changed files with 31,458 additions and 20,186 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,4 +1,9 @@
 **/.git
 **/.gitignore
 **/.DS_Store
-**/*.tmp
+**/*.tmp
+
+.github
+.dockerignore
+Dockerfile
+Dockerfile.*
diff --git a/.github/workflows/anchore-analysis.yml b/.github/workflows/anchore-analysis.yml
@@ -21,17 +21,24 @@ jobs:
   Anchore-Build-Scan:
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout the code
-      uses: actions/checkout@v4
-    - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag localbuild/testimage:latest      
-    - name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
-      uses: anchore/scan-action@v3
-      with:
-        image-reference: "localbuild/testimage:latest"
-        dockerfile-path: "Dockerfile"
-        acs-report-enable: true
-    - name: Upload Anchore Scan Report
-      uses: github/codeql-action/upload-sarif@v1
-      with:
-        sarif_file: results.sarif
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build the Docker image
+        uses: docker/build-push-action@v5
+        with:
+          tags: localbuild/threagile:latest
+          file: Dockerfile.local
+          push: false
+          load: true
+
+      - name: Scan image
+        uses: anchore/scan-action@v3
+        with:
+          image: "localbuild/threagile:latest"
+          fail-build: false
+
+      - name: Upload Anchore Scan Report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -28,7 +28,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
+        # a pull request then we can check out the head.
         fetch-depth: 2
 
     - name: Install Go
@@ -39,14 +39,14 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -60,4 +60,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/gosec-analysis.yml b/.github/workflows/gosec-analysis.yml
@@ -0,0 +1,24 @@
+name: Security Static Analysis
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 0 1 * *'
+
+jobs:
+  analyze:
+    name: GoSec
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - name: Run Gosec
+        uses: securego/gosec@master
+        with:
+          args: ./...
diff --git a/.gitignore b/.gitignore
@@ -23,5 +23,11 @@ stats.json
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
+# build artifacts
+/vendor/
+/bin/
+/out*/
+
 # IDE stuff
-.idea/
+/.idea/
+/config.json
diff --git a/.grype.yaml b/.grype.yaml
@@ -0,0 +1,47 @@
+ignore:
+  - vulnerability: CVE-2023-42363
+    reason:
+      busybox(1.36.1-r15) - no upstream fix available
+      busybox-binsh(1.36.1-r15) - no upstream fix available
+  - vulnerability: CVE-2023-42364
+    reason:
+      busybox(1.36.1-r15) - no upstream fix available
+      busybox-binsh(1.36.1-r15) - no upstream fix available
+  - vulnerability: CVE-2023-42365
+    reason:
+      busybox(1.36.1-r15) - no upstream fix available
+      busybox-binsh(1.36.1-r15) - no upstream fix available
+  - vulnerability: CVE-2023-42366
+    reason:
+      busybox(1.36.1-r15) - no upstream fix available
+      busybox-binsh(1.36.1-r15) - no upstream fix available
+  - vulnerability: CVE-2014-9157
+    reason:
+      graphviz(8.0.5-r1) - no upstream fix available
+      graphviz-libs(8.0.5-r1) - no upstream fix available
+  - vulnerability: CVE-2023-37769
+    reason: pixman(0.42.2-r1) - no upstream fix available
+  - vulnerability: CVE-2023-43789
+    reason: libxpm(3.5.16-r1) - no upstream fix available
+  - vulnerability: CVE-2023-42363
+    reason: ssl_client(1.36.1-r5) - no upstream fix available
+  - vulnerability: CVE-2023-42364
+    reason: ssl_client(1.36.1-r5) - no upstream fix available
+  - vulnerability: CVE-2023-42365
+    reason: ssl_client(1.36.1-r5) - no upstream fix available
+  - vulnerability: CVE-2015-7313
+    reason: tiff( 4.5.1-r0) - no upstream fix available
+  - vulnerability: CVE-2023-3164
+    reason: tiff( 4.5.1-r0) - no upstream fix available
+  - vulnerability: CVE-2023-40745
+    reason: tiff( 4.5.1-r0) - no upstream fix available
+  - vulnerability: CVE-2023-41175
+    reason: tiff( 4.5.1-r0) - no upstream fix available
+  - vulnerability: CVE-2023-6228
+    reason: tiff( 4.5.1-r0) - no upstream fix available
+  - vulnerability: CVE-2023-6277
+    reason: tiff( 4.5.1-r0) - no upstream fix available
+  - vulnerability: CVE-2023-52355
+    reason: tiff( 4.5.1-r0) - no upstream fix available
+  - vulnerability: CVE-2023-52356
+    reason: tiff( 4.5.1-r0) - no upstream fix available
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,11 @@
+
+
 ######
 ## Stage 1: Clone the Git repository
 ######
 FROM alpine/git as clone
 WORKDIR /app
+
 RUN git clone https://github.com/threagile/threagile.git
 
 
@@ -12,76 +15,67 @@ RUN git clone https://github.com/threagile/threagile.git
 ## Stage 2: Build application with Go's build tools
 ######
 FROM golang as build
+WORKDIR /app
+
 ENV GO111MODULE=on
+
 # https://stackoverflow.com/questions/36279253/go-compiled-binary-wont-run-in-an-alpine-docker-container-on-ubuntu-host
 #ENV CGO_ENABLED=0 # cannot be set as otherwise plugins don't run
-WORKDIR /app
 COPY --from=clone /app/threagile /app
+
 RUN go version
 RUN go test ./...
-RUN GOOS=linux go build -a -trimpath -ldflags="-s -w -X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -buildmode=plugin -o raa.so raa/raa/raa.go
-RUN GOOS=linux go build -a -trimpath -ldflags="-s -w -X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -buildmode=plugin -o dummy.so raa/dummy/dummy.go
-RUN GOOS=linux go build -a -trimpath -ldflags="-s -w -X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -buildmode=plugin -o demo-rule.so risks/custom/demo/demo-rule.go
-RUN GOOS=linux go build -a -trimpath -ldflags="-s -w -X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o threagile
+RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_calc cmd/raa/main.go
+RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_dummy cmd/raa_dummy/main.go
+RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o risk_demo_rule cmd/risk_demo/main.go
+RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o threagile
 # add the -race parameter to go build call in order to instrument with race condition detector: https://blog.golang.org/race-detector
 # NOTE: copy files with final name to send to final build
-RUN cp /app/demo/example/threagile.yaml /app/demo/example/threagile-example-model.yaml && \
-    cp /app/demo/stub/threagile.yaml /app/demo/stub/threagile-stub-model.yaml
+RUN cp /app/demo/example/threagile.yaml /app/demo/example/threagile-example-model.yaml
+RUN cp /app/demo/stub/threagile.yaml /app/demo/stub/threagile-stub-model.yaml
 
-######
-## Stage 3: Copy needed files into desired folder structure
-######
 
-FROM scratch AS files
-
-COPY --from=build --chown=1000:1000 \
-    /app/threagile \
-    /app/raa.so \
-    /app/dummy.so \
-    /app/demo-rule.so \
-    /app/LICENSE.txt \
-    /app/report/template/background.pdf \
-    /app/support/openapi.yaml \
-    /app/support/schema.json \
-    /app/support/live-templates.txt \
-    /app/support/render-data-asset-diagram.sh \
-    /app/support/render-data-flow-diagram.sh \
-    /app/demo/example/threagile-example-model.yaml \
-    /app/demo/stub/threagile-stub-model.yaml \
-    \
-    /app/
 
-COPY --from=build --chown=1000:1000 /app/server /app/server
 
 ######
-## Stage 4: Make final small image
+## Stage 3: Make final small image
 ######
-FROM alpine
+FROM alpine as deploy
+WORKDIR /app
 
 # label used in other scripts to filter
 LABEL type="threagile"
 
 # add certificates
-RUN apk add --update --no-cache ca-certificates \
-# add graphviz, fonts \
-    graphviz ttf-freefont \
-# https://stackoverflow.com/questions/66963068/docker-alpine-executable-binary-not-found-even-if-in-path \
-    libc6-compat && \
+RUN apk add --update --no-cache ca-certificates
+# add graphviz, fonts
+RUN apk add --update --no-cache graphviz ttf-freefont
+# https://stackoverflow.com/questions/66963068/docker-alpine-executable-binary-not-found-even-if-in-path
+RUN apk add libc6-compat
 # https://stackoverflow.com/questions/34729748/installed-go-binary-not-found-in-path-on-alpine-linux-docker
 # RUN mkdir -p /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
 # clean apk cache
-    rm -rf /var/cache/apk/* && \
-# create application and data directories
-    mkdir -p /app /data && \
-    chown -R 1000:1000 /app /data
+RUN rm -rf /var/cache/apk/*
 
-COPY --from=files / /
+RUN mkdir -p /app /data
+RUN chown -R 1000:1000 /app /data
+
+COPY --from=build --chown=1000:1000 /app/threagile /app/
+COPY --from=build --chown=1000:1000 /app/raa_calc /app/
+COPY --from=build --chown=1000:1000 /app/raa_dummy /app/
+COPY --from=build --chown=1000:1000 /app/risk_demo_rule /app/
+COPY --from=build --chown=1000:1000 /app/LICENSE.txt /app/
+COPY --from=build --chown=1000:1000 /app/report/template/background.pdf /app/
+COPY --from=build --chown=1000:1000 /app/support/openapi.yaml /app/
+COPY --from=build --chown=1000:1000 /app/support/schema.json /app/
+COPY --from=build --chown=1000:1000 /app/support/live-templates.txt /app/
+COPY --from=build --chown=1000:1000 /app/demo/example/threagile-example-model.yaml /app/
+COPY --from=build --chown=1000:1000 /app/demo/stub/threagile-stub-model.yaml /app/
+COPY --from=build --chown=1000:1000 /app/server /app/server
 
 USER 1000:1000
-WORKDIR /app
 
-ENV PATH=/app:$PATH \
-    GIN_MODE=release
+ENV PATH=/app:$PATH GIN_MODE=release
 
 ENTRYPOINT ["/app/threagile"]
-CMD ["-help"]
+CMD ["help"]