Merge pull request #17 from scality/add_dependabot

👷 add dependabot and tests

Author: m4nch0t

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/devcontainers/base:jammy
+FROM mcr.microsoft.com/devcontainers/base:noble
 
 RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get update && \
@@ -8,14 +8,29 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
         bash-completion \
         curl \
         git \
+        libsqlite3-dev \
+        python3 \
         python3-pip \
+        python3-venv \
         p7zip-full \
         skopeo \
         tmux \
         vim \
         && \
     apt-get clean
+
+USER vscode
+
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
+
+# Create virtual environment
+ENV VIRTUAL_ENV=/home/vscode/venv
+RUN python3 -m venv $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
 COPY requirements.txt /tmp/requirements.txt
-RUN python3 -m pip install --no-cache-dir --upgrade pip && \
-    python3 -m pip install --no-cache-dir -r /tmp/requirements.txt
-USER vscode
+
+# Install python libs in the virtual environment
+RUN pip install --upgrade pip && \
+    pip install -r /tmp/requirements.txt

.devcontainer/requirements.txt

@@ -1,4 +1,5 @@
-requests==2.32.0
-GitPython==3.1.43
+requests==2.32.3
+GitPython==3.1.44
 pyunpack==0.3
-patool==2.2.0
+patool==4.0.0
+pre-commit==4.1.0

.devcontainer/setup.sh

@@ -2,7 +2,7 @@
 
 set -xe
 
-if [ "$CODESPACES" = "true" ]; then
+if [[ "${CODESPACES}" = "true" ]]; then
   # NOTE: This is the only way I managed to have the right
   # permissions files for git sources files
   # (Some salt pylint test check file permissions and expected 644
@@ -19,10 +19,11 @@ fi
 echo "Updating localtime"
 sudo ln -fs /usr/share/zoneinfo/UTC /etc/localtime
 
-# Install act
-gh extension install https://github.com/nektos/gh-act
+echo "Install pre-commit hooks"
+pre-commit install --install-hooks
 
-# Install dependencies
 echo "Installing dependencies"
-python3 src/main.py install
+# Run with sudo and preserved environment
+sudo PATH="${PATH}" python3 src/main.py install
+
 echo "End of setup"

.github/dependabot.yml

@@ -0,0 +1,33 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/.github/workflows"
+    schedule:
+      interval: "daily"
+    reviewers:
+      - "scality/metalk8s"
+
+  - package-ecosystem: "pip"
+    directory: "./requirements.txt"
+    schedule:
+      interval: "daily"
+    rebase-strategy: "auto"
+    reviewers:
+      - "scality/metalk8s"
+
+  - package-ecosystem: "npm"
+    directory: "/tests"
+    schedule:
+      interval: "daily"
+    labels: [test]
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: "github-actions"
+    directory: "/tests"
+    schedule:
+      interval: "daily"
+    labels: [test]
+    ignore:
+      - dependency-name: "*"

.github/scripts/update_scanners.py

@@ -0,0 +1,35 @@
+#!/usr/bin/env python3
+
+import re
+import requests
+
+# Define the scanners and their GitHub repositories
+scanners = {
+    "syft": "anchore/syft",
+    "grype": "anchore/grype",
+    "trivy": "aquasecurity/trivy"
+}
+
+def get_latest_release(repo):
+    url = f"https://api.github.com/repos/{repo}/releases/latest"
+    response = requests.get(url)
+    response.raise_for_status()
+    return response.json()["tag_name"].lstrip("v")
+
+def update_versions(file_path):
+    with open(file_path, "r") as file:
+        content = file.read()
+
+    for scanner, repo in scanners.items():
+        latest_version = get_latest_release(repo)
+        content = re.sub(
+            f'("{scanner}": ")([^"]+)',
+            lambda match: f'{match.group(1)}{latest_version}',
+            content
+        )
+
+    with open(file_path, "w") as file:
+        file.write(content)
+
+if __name__ == "__main__":
+    update_versions("src/lib/install.py")

.github/workflows/nightly.yaml

@@ -0,0 +1,87 @@
+---
+name: "nightly"
+run-name: "Nightly tests for ${{ github.ref_name }}"
+
+on:
+  schedule:
+    - cron: "22 0 * * *"  # Runs daily at 22:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  update-scanners:
+    runs-on: ubuntu-24.04
+    steps:
+
+      - name: Create github token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Install dependencies
+        run: pip install requests
+
+      - name: Update scanner versions
+        run: python .github/scripts/update_scanners.py
+
+      - name: Create pull request  
+        uses: actions/github-script@v7  
+        with:  
+          script: |
+            const pr = await github.rest.pulls.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: "feature/deps-update",
+              base: "main",
+              title: ":arrow_up: Update scanner versions"
+            })
+
+  vuln-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Create SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          path: ./
+          format: cyclonedx-json
+          output-file: "${{ github.event.repository.name }}-sbom.cdx.json"
+
+      - name: Scan SBOM
+        uses: anchore/scan-action@v6
+        id: scan
+        with:
+          sbom: "${{ github.event.repository.name }}-sbom.cdx.json"
+          output-format: sarif
+          fail-build: false
+          add-cpes-if-none: true
+          by-cve: true
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/tests.yaml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   test-as-action:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -23,15 +23,15 @@ jobs:
         with:
           target: ./
           output-dir: "/tmp/test/sbom"
-          syft-version: "1.1.0"
           vuln-report: True
 
       - name: Scan directory
         uses: ./
         with:
-          target: /etc
+          target: /usr/local/bin
           output-dir: "/tmp/test/sbom"
-          name: "ghactionetc"
+          syft-version: "1.10.0"
+          name: "usrlocalbin"
 
       - name: Scan iso
         uses: ./
@@ -42,6 +42,39 @@ jobs:
           name: "tinycorelinux"
           vuln-report: False
 
+      - name: Ensure generated sbom file for repo contains the expected content
+        shell: bash
+        run: |
+          if jq -e '.components[] | select(.name == "lodash")' /tmp/test/sbom/repo_sbom_*.json > /dev/null; then
+            echo "lodash is present in the JSON file."
+            exit 0
+          else
+            echo "lodash is NOT present in the JSON file."
+            exit 1
+          fi
+
+      - name: Ensure generated sbom file for iso contains the expected content
+        shell: bash
+        run: |
+          if jq -e '.components[] | select(.version == "6.6.8-tinycore")' /tmp/test/sbom/iso_tinycorelinux_15.0.json > /dev/null; then
+            echo "tinycore is present in the JSON file."
+            exit 0
+          else
+            echo "tinycore is NOT present in the JSON file."
+            exit 1
+          fi
+
+      - name: Ensure generated sbom file for dir contains the expected content
+        shell: bash
+        run: |
+          if jq -e '.components[] | select(.purl == "pkg:golang/github.com/anchore/syft@v1.10.0")' /tmp/test/sbom/dir_bin_undefined.json > /dev/null; then
+            echo "syft is present in the JSON file."
+            exit 0
+          else
+            echo "syft is NOT present in the JSON file."
+            exit 1
+          fi
+
       - name: Print the content of generated sbom file
         shell: bash
         run: |

.pre-commit-config.yaml

@@ -0,0 +1,30 @@
+---
+repos:
+  - repo: https://github.com/psf/black
+    rev: 25.1.0
+    hooks:
+      - id: black
+        files: src/.*\.py
+        name: Formatting Python
+      - id: black
+        files: src/.*\.py
+        # We want this hook to be part of "lint" so that if we run
+        # `pre-commit run lint` we include this hook
+        alias: lint
+        name: Checking Python formatting
+        args:
+          - --check
+          - --diff
+
+  - repo: https://github.com/pycqa/pylint
+    rev: v3.3.5
+    hooks:
+      - id: pylint
+        alias: lint
+        name: Lint Python (CLI)
+        files: src/.*\.py
+        additional_dependencies:
+          - 'requests~=2.32.3'
+          - 'GitPython~=3.1.44'
+          - 'pyunpack~=0.3'
+          - 'patool~=4.0.0'

CONTRIBUTING.md

@@ -15,7 +15,9 @@ It has been installed through the `gh` extension.
 To run the workflow locally, execute the following command:
 
 ```bash
-gh act push --rm --workflows=.github/workflows/tests.yaml -P ubuntu-22.04=ghcr.io/catthehacker/ubuntu:act-22.04
+docker login ghcr.io
+gh extension install https://github.com/nektos/gh-act
+gh act push --rm --workflows=.github/workflows/tests.yaml -P ubuntu-24.04=ghcr.io/catthehacker/ubuntu:act-22.04
 ```
 
 For more information on how to use `act`, please refer to the [official documentation] or run `gh act --help`.

action.yaml

@@ -1,3 +1,4 @@
+---
 name: "Scality SBOM Action"
 description: "Creates an SBOM (Software Bill Of Materials) from your code, and artifacts."
 author: "Scality"
@@ -73,7 +74,7 @@ runs:
           file \
           jq \
           p7zip-full \
-          python3-distutils
+          python3-setuptools
 
     - name: Run the scan
       shell: bash