Release 20251200 (#5894)

Author: pkippes

.githooks/pre-commit

@@ -1,12 +1,31 @@
 #!/usr/bin/env sh
 set -eu
 
-# ensure gitleaks is available
-if ! command -v gitleaks >/dev/null 2>&1; then
-  echo "Error: gitleaks is not installed or not in PATH." >&2
-  echo "Install: https://github.com/gitleaks/gitleaks#install" >&2
+# Directory containing the scripts (relative to this script's location)
+DIR="$(dirname "$0")/pre-commit.d"
+
+# Variable to keep track of the highest exit code
+max_exit_code=0
+
+# Check if the directory exists
+if [ ! -d "$DIR" ]; then
+  echo "Error: directory '$DIR' does not exist." >&2
   exit 1
 fi
 
-# scan for secrets before commit
-gitleaks detect --no-git --verbose
+# Execute each .sh file in the directory
+for script in "$DIR"/*.sh; do
+  # Skip if no .sh files are found
+  [ -e "$script" ] || { echo "no pre-commit hook found, maybe check $DIR folder for executable .sh files" ; exit 1 ; }
+
+  echo "Running $script ..."
+  /bin/bash "$script"
+  exit_code=$?
+
+  # Update the highest exit code if necessary
+  if [ "$exit_code" -gt "$max_exit_code" ]; then
+    max_exit_code=$exit_code
+  fi
+done
+
+exit $max_exit_code

.githooks/pre-commit.d/20_plugins.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# global errors counter
+errors=0
+
+function info() {
+    echo -e "${GREEN}INFO${NC}: $*"
+}
+
+function warning() {
+    echo -e "${YELLOW}WARNING${NC}: $*"
+}
+
+function error() {
+    echo -e "${RED}ERROR${NC}: $*"
+    : $((errors++))
+}
+
+function fatal() {
+    echo -e "${RED}FATAL${NC}: $*"
+    exit 1
+}
+
+function check_tabs() {
+    local file="$1"
+    info "--> Checking BASH indentation"
+    grep -P '^\t' "$file" >/dev/null 2>&1 && warning "--> File $file contains leading tab character (suspected bad indentation)."
+}
+
+jq=$(type -p jq) || fatal "Could not locate jq command"
+# Determining the robotidy command
+robotidy_path=$(type -p robocop) || robotidy_path=$(type -p robotidy) || fatal "Could not locate either robocop nor robotidy. Cannot check robot lint"
+robotidy_exe="${robotidy_path##*/}"
+info "Robot lint tool is $robotidy_exe"
+# Options depend on the use binary
+declare -A robotidy_opts=([robotidy]="-->-check --skip-keyword-call Examples:" [robocop]="check" )
+# Get list of committed files
+mapfile -t committed_files < <(git diff --cached --name-only --diff-filter=ACMR)
+info "Starting plugins pre-commit hooks for ${#committed_files[@]} files"
+for file in "${committed_files[@]}"; do
+    info "--> $file:"
+    file_extension="${file##*.}"
+    case "$file_extension" in
+        pm|pl)
+            # check that the perl file compiles
+            info "--> Checking that file compiles"
+            PERL5LIB="$PERL5LIB:./src/" perl -c "$file" >/dev/null 2>&1 || error "File $file does not compile with perl -c"
+            # check the copyright year
+            info "--> Checking that file copyright is OK"
+            grep "Copyright 20..-Present Centreon" "$file" >/dev/null || error "Copyright in $file does not contain \"Copyright $(date +%Y)-Present Centreon\""
+            # check that no help is written as --warning-* --critical-*
+            info "--> Checking there's no unsplitted '--warning-*' / '--critical-*'"
+            grep -- '--warning-\*\|--critical-\*' "$file"  >/dev/null && error "File $file contains help that is written as --warning-* or --critical-*"
+            # check spelling
+            info "--> Checking that spelling in file is OK"
+            perl .github/scripts/pod_spell_check.t "$file" ./tests/resources/spellcheck/stopwords.txt >/dev/null 2>&1 || error "Spellcheck error on file $file"
+            check_tabs "$file"
+            ;;
+        txt)
+            if [[ "${file##*/}" == "stopwords.txt" ]]; then
+                # sort file and check if it makes a difference
+                info "--> Checking that stopwords.txt is sorted "
+                sort -ui "$file" >/tmp/sorted_stopwords
+                diff "$file" /tmp/sorted_stopwords >/dev/null || error "stopwords.txt not sorted properly"
+            fi
+            ;;
+        robot)
+            info "--> Checking robot lint"
+            $robotidy_path ${robotidy_opts[$robotidy_exe]} "$file" >/dev/null 2>&1 || warning "--> Robot lint errors found in $file"
+            check_tabs "$file"
+            ;;
+        sh)
+            check_tabs "$file"
+          ;;
+        json)
+            info "--> Checking JSON validity"
+            jq '' "$file" >/dev/null 2>&1 || error "JSON file $file is not valid"
+            check_tabs "$file"
+          ;;
+        *)
+            info "File extension '.${file_extension}' has no checks"
+            ;;
+    esac
+done
+(( errors > 0 )) && fatal "$errors errors found in pre-commit checks"
+info "All plugins pre-commit checks passed"

.githooks/pre-commit.d/80_gitleaks.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+set -eu
+
+# ensure gitleaks is available
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "Error: gitleaks is not installed or not in PATH." >&2
+  echo "Install: https://github.com/gitleaks/gitleaks#install" >&2
+  exit 1
+fi
+
+# scan for secrets before commit
+gitleaks detect --no-git --verbose

.github/CODEOWNERS

@@ -21,7 +21,10 @@ tests/**                            @centreon/owners-robot-e2e
 packaging/**                        @centreon/owners-perl
 selinux/**                          @centreon/owners-pipelines
 .github/scripts/pod_spell_check.t   @centreon/owners-perl
+.githooks/**                        @centreon/owners-perl
 
+.githooks/pre-commit.d/gitleaks.sh  @centreon/owners-security
+.githooks/pre-commit                @centreon/owners-security
 .gitleaks.toml                      @centreon/owners-security
 .gitleaksignore                     @centreon/owners-security
-**/security-checks.yml              @centreon/owners-security
+**/secu-*.yml                       @centreon/owners-security

.github/actions/merge-artifacts/action.yml

@@ -18,14 +18,14 @@ runs:
   using: 'composite'
   steps:
     - name: Download Artifacts
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         pattern: ${{ inputs.source_name_pattern }}*
         path: ${{ inputs.target_name }}
         merge-multiple: true
 
     - name: Upload the Regrouped Artifact
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: ${{ inputs.target_name }}
         path: |

.github/actions/package-nfpm/action.yml

@@ -130,7 +130,7 @@ runs:
     # Add to your PR the label upload-artifacts to get packages as artifacts
     - if: ${{ contains(github.event.pull_request.labels.*.name, 'upload-artifacts') }}
       name: Upload package artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: packages-${{ inputs.distrib }}
         path: ./*.${{ inputs.package_extension}}

.github/actions/test-plugins/action.yml

@@ -27,7 +27,7 @@ runs:
         fail-on-cache-miss: true
 
     - name: Get the cached plugins.json
-      uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ./plugins.json
         key: ${{ inputs.plugins-json-cache-key }}

.github/dependabot.yml

@@ -94,6 +94,10 @@
             'centreon/plugins/templates/counter.pm',
             'centreon/plugins/templates/hardware.pm'
         );
+        if (grep 'snmp_standard/modes/listinterfaces.pm', @{$config->{files}}) {
+            my %temp_map = map {$_ => 1 } (@{$config->{files}}, "snmp_standard/mode/resources/");
+            @{$config->{files}} = sort keys %temp_map;
+        }
         foreach my $file ((@common_files, @{$config->{files}})) {
             if (-f $file) {
                 File::Copy::Recursive::fcopy($file, 'lib/' . $file);

.github/scripts/plugins-source.container.pl

@@ -183,7 +183,7 @@ def remove_plugin(plugin, archi):
     print(f"{nb_plugins} plugins tested.\n      there was {error_install} installation error, {error_tests} test "
           f"errors, and {error_purge} removal error list of error : {list_plugin_error}", )
 
-    command = "ps -ax | grep snmpsim-command-respond | cut -dp -f1 | xargs kill"
+    command = "ps -ax | grep sn[m]psim-command-respond | awk '{print $1}' | xargs kill"
     subprocess.run(command, shell=True, check=False)
 
     if error_install != 0 or error_tests != 0 or error_purge != 0: