Merge pull request Threagile#57 from joreiche/master
support for split model files, restructured to allow import by other projects, improved command line syntax by use of `cobra`, and more...
cschneider4711 authored Feb 3, 2024
2 parents a7552d9 + 5e900c6 commit b6c2924
Showing 223 changed files with 31,458 additions and 20,186 deletions.
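--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,9 @@
 **/.git
 **/.gitignore
 **/.DS_Store
-**/*.tmp
+**/*.tmp
+
+.github
+.dockerignore
+Dockerfile
+Dockerfile.*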
35 changes: 21 additions & 14 deletions .github/workflows/anchore-analysis.yml
Expand Up @@ -21,17 +21,24 @@ jobs:
Anchore-Build-Scan:
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v4
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
uses: anchore/scan-action@v3
with:
image-reference: "localbuild/testimage:latest"
dockerfile-path: "Dockerfile"
acs-report-enable: true
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build the Docker image
uses: docker/build-push-action@v5
with:
tags: localbuild/threagile:latest
file: Dockerfile.local
push: false
load: true

- name: Scan image
uses: anchore/scan-action@v3
with:
image: "localbuild/threagile:latest"
fail-build: false

- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
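Review bot: `fail-build: false` on the new scan step means the Anchore/Grype result never gates this workflow; any finding not covered by the `.grype.yaml` ignore list only surfaces as a SARIF alert while the job still passes. If the ignore list is meant to cover the known unfixed findings, `fail-build: true` together with a `severity-cutoff` would let the scan enforce everything else. As far as this hunk shows, the `actions/checkout` step was dropped and `docker/build-push-action` runs with no `context:`, so it falls back to its Git context and clones the ref itself; that works, but it is non-obvious, and a one-line comment such as `# no checkout: build-push-action builds from the Git context` would spare the next reader the question.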
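--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,7 +28,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 # We must fetch at least the immediate parents so that if this is
-# a pull request then we can checkout the head.
+# a pull request then we can check out the head.
 fetch-depth: 2
 
 - name: Install Go
@@ -39,14 +39,14 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v2
+uses: github/codeql-action/init@v3
 with:
 languages: ${{ matrix.language }}
 
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
-uses: github/codeql-action/autobuild@v2
+uses: github/codeql-action/autobuild@v3
 
 # ℹ️ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -60,4 +60,4 @@ jobs:
 # make release
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v2
+uses: github/codeql-action/analyze@v3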
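--- a/.github/workflows/gosec-analysis.yml
+++ b/.github/workflows/gosec-analysis.yml
@@ -0,0 +1,24 @@
+name: Security Static Analysis
+
+on:
+push:
+branches: [master]
+pull_request:
+# The branches below must be a subset of the branches above
+branches: [master]
+schedule:
+- cron: '0 0 1 * *'
+
+jobs:
+analyze:
+name: GoSec
+runs-on: ubuntu-latest
+env:
+GO111MODULE: on
+steps:
+- name: Checkout Source
+uses: actions/checkout@v4
+- name: Run Gosec
+uses: securego/gosec@master
+with:
+args: ./...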
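Review bot: `uses: securego/gosec@master` pins the scanner to a mutable branch rather than a release, so the code that runs with checkout access to this repository can change between runs with no change here; every other action in this PR references a tagged major version, and a release tag or full commit SHA (`uses: securego/gosec@<release-tag-or-sha>`) would match that. The workflow also declares no `permissions:` block, so it runs with the repository's default token scope although a scan only needs `contents: read`. `GO111MODULE: on` has been the Go default for years and can be dropped unless an old toolchain is intentionally in play.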
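--- a/.gitignore
+++ b/.gitignore
@@ -23,5 +23,11 @@ stats.json
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
+# build artifacts
+/vendor/
+/bin/
+/out*/
+
 # IDE stuff
-.idea/
+/.idea/
+/config.json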
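--- a/.grype.yaml
+++ b/.grype.yaml
@@ -0,0 +1,47 @@
+ignore:
+- vulnerability: CVE-2023-42363
+reason:
+busybox(1.36.1-r15) - no upstream fix available
+busybox-binsh(1.36.1-r15) - no upstream fix available
+- vulnerability: CVE-2023-42364
+reason:
+busybox(1.36.1-r15) - no upstream fix available
+busybox-binsh(1.36.1-r15) - no upstream fix available
+- vulnerability: CVE-2023-42365
+reason:
+busybox(1.36.1-r15) - no upstream fix available
+busybox-binsh(1.36.1-r15) - no upstream fix available
+- vulnerability: CVE-2023-42366
+reason:
+busybox(1.36.1-r15) - no upstream fix available
+busybox-binsh(1.36.1-r15) - no upstream fix available
+- vulnerability: CVE-2014-9157
+reason:
+graphviz(8.0.5-r1) - no upstream fix available
+graphviz-libs(8.0.5-r1) - no upstream fix available
+- vulnerability: CVE-2023-37769
+reason: pixman(0.42.2-r1) - no upstream fix available
+- vulnerability: CVE-2023-43789
+reason: libxpm(3.5.16-r1) - no upstream fix available
+- vulnerability: CVE-2023-42363
+reason: ssl_client(1.36.1-r5) - no upstream fix available
+- vulnerability: CVE-2023-42364
+reason: ssl_client(1.36.1-r5) - no upstream fix available
+- vulnerability: CVE-2023-42365
+reason: ssl_client(1.36.1-r5) - no upstream fix available
+- vulnerability: CVE-2015-7313
+reason: tiff( 4.5.1-r0) - no upstream fix available
+- vulnerability: CVE-2023-3164
+reason: tiff( 4.5.1-r0) - no upstream fix available
+- vulnerability: CVE-2023-40745
+reason: tiff( 4.5.1-r0) - no upstream fix available
+- vulnerability: CVE-2023-41175
+reason: tiff( 4.5.1-r0) - no upstream fix available
+- vulnerability: CVE-2023-6228
+reason: tiff( 4.5.1-r0) - no upstream fix available
+- vulnerability: CVE-2023-6277
+reason: tiff( 4.5.1-r0) - no upstream fix available
+- vulnerability: CVE-2023-52355
+reason: tiff( 4.5.1-r0) - no upstream fix available
+- vulnerability: CVE-2023-52356
+reason: tiff( 4.5.1-r0) - no upstream fix available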
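Review bot: Every `ignore` entry carries only a `vulnerability:` key, so grype suppresses that CVE for any package and regardless of fix state, while the free-text `reason` names one package and "no upstream fix available"; once a fixed busybox, tiff or graphviz build ships, the suppression silently stays in force. Constraining each rule to what its reason says, e.g. `- vulnerability: CVE-2023-42363` / `  fix-state: not-fixed` / `  package: {name: busybox}`, makes the ignore expire as soon as a fix appears. CVE-2023-42363, -42364 and -42365 appear twice (busybox and ssl_client); with a `package` constraint the duplicates become meaningful, without one they are redundant. The `tiff( 4.5.1-r0)` reasons carry a stray space, harmless but worth tidying.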
84 changes: 39 additions & 45 deletions Dockerfile
@@ -1,8 +1,11 @@


######
## Stage 1: Clone the Git repository
######
FROM alpine/git as clone
WORKDIR /app

RUN git clone https://github.com/threagile/threagile.git


Expand All @@ -12,76 +15,67 @@ RUN git clone https://github.com/threagile/threagile.git
## Stage 2: Build application with Go's build tools
######
FROM golang as build
WORKDIR /app

ENV GO111MODULE=on

# https://stackoverflow.com/questions/36279253/go-compiled-binary-wont-run-in-an-alpine-docker-container-on-ubuntu-host
#ENV CGO_ENABLED=0 # cannot be set as otherwise plugins don't run
WORKDIR /app
COPY --from=clone /app/threagile /app

RUN go version
RUN go test ./...
RUN GOOS=linux go build -a -trimpath -ldflags="-s -w -X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -buildmode=plugin -o raa.so raa/raa/raa.go
RUN GOOS=linux go build -a -trimpath -ldflags="-s -w -X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -buildmode=plugin -o dummy.so raa/dummy/dummy.go
RUN GOOS=linux go build -a -trimpath -ldflags="-s -w -X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -buildmode=plugin -o demo-rule.so risks/custom/demo/demo-rule.go
RUN GOOS=linux go build -a -trimpath -ldflags="-s -w -X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o threagile
RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_calc cmd/raa/main.go
RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o raa_dummy cmd/raa_dummy/main.go
RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o risk_demo_rule cmd/risk_demo/main.go
RUN GOOS=linux go build -ldflags="-X main.buildTimestamp=$(date '+%Y%m%d%H%M%S')" -o threagile
# add the -race parameter to go build call in order to instrument with race condition detector: https://blog.golang.org/race-detector
# NOTE: copy files with final name to send to final build
RUN cp /app/demo/example/threagile.yaml /app/demo/example/threagile-example-model.yaml && \
cp /app/demo/stub/threagile.yaml /app/demo/stub/threagile-stub-model.yaml
RUN cp /app/demo/example/threagile.yaml /app/demo/example/threagile-example-model.yaml
RUN cp /app/demo/stub/threagile.yaml /app/demo/stub/threagile-stub-model.yaml

######
## Stage 3: Copy needed files into desired folder structure
######

FROM scratch AS files

COPY --from=build --chown=1000:1000 \
/app/threagile \
/app/raa.so \
/app/dummy.so \
/app/demo-rule.so \
/app/LICENSE.txt \
/app/report/template/background.pdf \
/app/support/openapi.yaml \
/app/support/schema.json \
/app/support/live-templates.txt \
/app/support/render-data-asset-diagram.sh \
/app/support/render-data-flow-diagram.sh \
/app/demo/example/threagile-example-model.yaml \
/app/demo/stub/threagile-stub-model.yaml \
\
/app/

COPY --from=build --chown=1000:1000 /app/server /app/server

######
## Stage 4: Make final small image
## Stage 3: Make final small image
######
FROM alpine
FROM alpine as deploy
WORKDIR /app

# label used in other scripts to filter
LABEL type="threagile"

# add certificates
RUN apk add --update --no-cache ca-certificates \
# add graphviz, fonts \
graphviz ttf-freefont \
# https://stackoverflow.com/questions/66963068/docker-alpine-executable-binary-not-found-even-if-in-path \
libc6-compat && \
RUN apk add --update --no-cache ca-certificates
# add graphviz, fonts
RUN apk add --update --no-cache graphviz ttf-freefont
# https://stackoverflow.com/questions/66963068/docker-alpine-executable-binary-not-found-even-if-in-path
RUN apk add libc6-compat
# https://stackoverflow.com/questions/34729748/installed-go-binary-not-found-in-path-on-alpine-linux-docker
# RUN mkdir -p /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
# clean apk cache
rm -rf /var/cache/apk/* && \
# create application and data directories
mkdir -p /app /data && \
chown -R 1000:1000 /app /data
RUN rm -rf /var/cache/apk/*

COPY --from=files / /
RUN mkdir -p /app /data
RUN chown -R 1000:1000 /app /data

COPY --from=build --chown=1000:1000 /app/threagile /app/
COPY --from=build --chown=1000:1000 /app/raa_calc /app/
COPY --from=build --chown=1000:1000 /app/raa_dummy /app/
COPY --from=build --chown=1000:1000 /app/risk_demo_rule /app/
COPY --from=build --chown=1000:1000 /app/LICENSE.txt /app/
COPY --from=build --chown=1000:1000 /app/report/template/background.pdf /app/
COPY --from=build --chown=1000:1000 /app/support/openapi.yaml /app/
COPY --from=build --chown=1000:1000 /app/support/schema.json /app/
COPY --from=build --chown=1000:1000 /app/support/live-templates.txt /app/
COPY --from=build --chown=1000:1000 /app/demo/example/threagile-example-model.yaml /app/
COPY --from=build --chown=1000:1000 /app/demo/stub/threagile-stub-model.yaml /app/
COPY --from=build --chown=1000:1000 /app/server /app/server

USER 1000:1000
WORKDIR /app

ENV PATH=/app:$PATH \
GIN_MODE=release
ENV PATH=/app:$PATH GIN_MODE=release

ENTRYPOINT ["/app/threagile"]
CMD ["-help"]
CMD ["help"]
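Review bot: `RUN apk add libc6-compat` is the only apk call in the deploy stage without `--no-cache`, so it writes the package index into /var/cache/apk, and the separate `RUN rm -rf /var/cache/apk/*` that follows cannot shrink the image because those files already sit in an earlier layer; one call, `RUN apk add --no-cache ca-certificates graphviz ttf-freefont libc6-compat`, makes the rm layer unnecessary (the split `mkdir`/`chown` pair can be merged the same way). `FROM alpine as deploy` and `FROM golang as build` float on the implicit latest tag, so the package versions the new `.grype.yaml` reasons were written against (busybox 1.36.1-r15, graphviz 8.0.5-r1) will move under the ignore list on the next pull; pin a specific tag or digest. The `-buildmode=plugin` builds are gone, replaced by the standalone `raa_calc`/`raa_dummy`/`risk_demo_rule` binaries, so the kept comment `#ENV CGO_ENABLED=0 # cannot be set as otherwise plugins don't run` looks stale: if none of the new binaries needs cgo, `ENV CGO_ENABLED=0` in the build stage gives static binaries and `libc6-compat` can go — worth confirming. The new `go build` lines also dropped `-trimpath` and `-ldflags="-s -w ..."`, so the shipped binaries now embed build-host paths and symbol tables; restoring those flags is cheap.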