-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update Linter and Fix Vulnerable Dependency (#121)
It looks like `esbuild` 0.23.0 was flagged as containing vulnerabilities when scanning with Grype. This PR updates the linting process to use a different linter with additional security checks. It also pins esbuild to a later version, fixing the flagged vulnerability.
- Loading branch information
Showing
21 changed files
with
1,728 additions
and
1,529 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,7 @@ | ||
.env | ||
.DS_Store | ||
coverage | ||
megalinter-reports | ||
node_modules | ||
npm-debug.log* | ||
reports | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,151 @@ | ||
# enable/disable checking for application updates on startup | ||
# same as GRYPE_CHECK_FOR_APP_UPDATE env var | ||
# check-for-app-update: true | ||
|
||
# allows users to specify which image source should be used to generate the sbom | ||
# valid values are: registry, docker, podman | ||
# same as GRYPE_DEFAULT_IMAGE_PULL_SOURCE env var | ||
# default-image-pull-source: "" | ||
|
||
# same as --name; set the name of the target being analyzed | ||
# name: "" | ||
|
||
# upon scanning, if a severity is found at or above the given severity then the return code will be 1 | ||
# default is unset which will skip this validation (options: negligible, low, medium, high, critical) | ||
# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var | ||
fail-on-severity: 'high' | ||
|
||
# the output format of the vulnerability report (options: table, json, cyclonedx) | ||
# same as -o ; GRYPE_OUTPUT env var | ||
# output: "table" | ||
|
||
# suppress all output (except for the vulnerability list) | ||
# same as -q ; GRYPE_QUIET env var | ||
quiet: true | ||
|
||
# write output report to a file (default is to write to stdout) | ||
# same as --file; GRYPE_FILE env var | ||
# file: "" | ||
|
||
# a list of globs to exclude from scanning, for example: | ||
exclude: | ||
- '**/__fixtures__' | ||
- '**/.git' | ||
- '**/megalinter-reports' | ||
# same as --exclude ; GRYPE_EXCLUDE env var | ||
# exclude: [] | ||
|
||
# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64") | ||
# same as --platform; GRYPE_PLATFORM env var | ||
# platform: "" | ||
|
||
# If using SBOM input, automatically generate CPEs when packages have none | ||
# add-cpes-if-none: false | ||
|
||
# Explicitly specify a linux distribution to use as <distro>:<version> like alpine:3.10 | ||
# distro: | ||
|
||
# external-sources: | ||
# enable: false | ||
# maven: | ||
# search-upstream-by-sha1: true | ||
# base-url: https://search.maven.org/solrsearch/select | ||
|
||
# db: | ||
# check for database updates on execution | ||
# same as GRYPE_DB_AUTO_UPDATE env var | ||
# auto-update: true | ||
|
||
# location to write the vulnerability database cache | ||
# same as GRYPE_DB_CACHE_DIR env var | ||
# cache-dir: "$XDG_CACHE_HOME/grype/db" | ||
|
||
# URL of the vulnerability database | ||
# same as GRYPE_DB_UPDATE_URL env var | ||
# update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json" | ||
|
||
# it ensures db build is no older than the max-allowed-built-age | ||
# set to false to disable check | ||
# validate-age: true | ||
|
||
# Max allowed age for vulnerability database, | ||
# age being the time since it was built | ||
# Default max age is 120h (or five days) | ||
# max-allowed-built-age: "120h" | ||
|
||
# search: | ||
# the search space to look for packages (options: all-layers, squashed) | ||
# same as -s ; GRYPE_SEARCH_SCOPE env var | ||
# scope: "squashed" | ||
|
||
# search within archives that do contain a file index to search against (zip) | ||
# note: for now this only applies to the java package cataloger | ||
# same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var | ||
# indexed-archives: true | ||
|
||
# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc) | ||
# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed | ||
# note: for now this only applies to the java package cataloger | ||
# same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var | ||
# unindexed-archives: false | ||
|
||
# options when pulling directly from a registry via the "registry:" scheme | ||
# registry: | ||
# skip TLS verification when communicating with the registry | ||
# same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var | ||
# insecure-skip-tls-verify: false | ||
# use http instead of https when connecting to the registry | ||
# same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var | ||
# insecure-use-http: false | ||
|
||
# credentials for specific registries | ||
# auth: | ||
# - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.) | ||
# same as GRYPE_REGISTRY_AUTH_AUTHORITY env var | ||
# authority: "" | ||
# same as GRYPE_REGISTRY_AUTH_USERNAME env var | ||
# username: "" | ||
# same as GRYPE_REGISTRY_AUTH_PASSWORD env var | ||
# password: "" | ||
# note: token and username/password are mutually exclusive | ||
# same as GRYPE_REGISTRY_AUTH_TOKEN env var | ||
# token: "" | ||
# - ... # note, more credentials can be provided via config file only | ||
|
||
# log: | ||
# use structured logging | ||
# same as GRYPE_LOG_STRUCTURED env var | ||
# structured: false | ||
|
||
# the log level; note: detailed logging suppress the ETUI | ||
# same as GRYPE_LOG_LEVEL env var | ||
# Uses logrus logging levels: https://github.com/sirupsen/logrus#level-logging | ||
# level: "error" | ||
|
||
# location to write the log file (default is not to have a log file) | ||
# same as GRYPE_LOG_FILE env var | ||
# file: "" | ||
|
||
# match: | ||
# sets the matchers below to use cpes when trying to find | ||
# vulnerability matches. The stock matcher is the default | ||
# when no primary matcher can be identified | ||
# java: | ||
# using-cpes: true | ||
# python: | ||
# using-cpes: true | ||
# javascript: | ||
# using-cpes: true | ||
# ruby: | ||
# using-cpes: true | ||
# dotnet: | ||
# using-cpes: true | ||
# golang: | ||
# using-cpes: true | ||
# stock: | ||
# using-cpes: true | ||
|
||
# ignore: | ||
# # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail | ||
# # @link https://nvd.nist.gov/vuln/detail/CVE-2018-20225 | ||
# - vulnerability: CVE-2018-20225 |
Oops, something went wrong.