lines changed Original file line number Diff line number Diff line change 1+ name : Trivy Plugin Test
2+
3+ permissions :
4+ contents : write
5+
6+ on :
7+ push :
8+ paths :
9+ - ' plugins/tools/trivy/**'
10+ - ' .github/workflows/trivy-plugin-test.yml'
11+ pull_request :
12+ paths :
13+ - ' plugins/tools/trivy/**'
14+ - ' .github/workflows/trivy-plugin-test.yml'
15+
16+ jobs :
17+ test :
18+ needs : build
19+ runs-on : ubuntu-latest
20+ steps :
21+ - name : Checkout code
22+ uses : actions/checkout@v4
23+
24+ - name : Download CLI binaries
25+ uses : actions/download-artifact@v4
26+ with :
27+ name : cli-binaries
28+ path : .
29+
30+ - name : Select Linux binary
31+ run : mv cli-v2-linux cli-v2
32+
33+ - name : Make binary executable
34+ run : chmod +x cli-v2
35+
36+ - name : Run Trivy plugin tests
37+ run : |
38+ cd plugins/tools/trivy/test
39+ # Install the plugin
40+ ../../../cli-v2 install
41+ # Run analysis
42+ ../../../cli-v2 analyze --tool trivy --format sarif --output actual.sarif
43+ # Compare with expected output
44+ diff expected.sarif actual.sarif
45+ # Clean up
46+ rm actual.sarif
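--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/expected.sarif
@@ -0,0 +1,85 @@
+{
+"version" : " 2.1.0" ,
+"$schema" : " https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json" ,
+"runs" : [
+{
+"tool" : {
+"driver" : {
+"name" : " Trivy" ,
+"version" : " 0.59.1" ,
+"informationUri" : " https://github.com/aquasecurity/trivy" ,
+"rules" : [
+{
+"id" : " CVE-2021-23343" ,
+"shortDescription" : {
+"text" : " Command injection in lodash"
+},
+"properties" : {
+"tags" : [
+" security" ,
+" external/cwe/cwe-78"
+],
+"precision" : " very-high"
+}
+},
+{
+"id" : " CVE-2020-28500" ,
+"shortDescription" : {
+"text" : " Regular Expression Denial of Service in moment"
+},
+"properties" : {
+"tags" : [
+" security" ,
+" external/cwe/cwe-400"
+],
+"precision" : " very-high"
+}
+}
+]
+}
+},
+"results" : [
+{
+"ruleId" : " CVE-2021-23343" ,
+"level" : " error" ,
+"message" : {
+"text" : " Command injection in lodash"
+},
+"locations" : [
+{
+"physicalLocation" : {
+"artifactLocation" : {
+"uri" : " package.json"
+},
+"region" : {
+"startLine" : 7 ,
+"startColumn" : 5
+}
+}
+}
+]
+},
+{
+"ruleId" : " CVE-2020-28500" ,
+"level" : " error" ,
+"message" : {
+"text" : " Regular Expression Denial of Service in moment"
+},
+"locations" : [
+{
+"physicalLocation" : {
+"artifactLocation" : {
+"uri" : " package.json"
+},
+"region" : {
+"startLine" : 9 ,
+"startColumn" : 5
+}
+}
+}
+]
+}
+]
+}
+]
+}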
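Review bot: The lodash result's `"startLine": 7` on line 55 does not match the `package.json` fixture added in the same commit, where `"lodash"` is on line 8 and line 7 is the `"express"` entry; the moment result's `"startLine": 9` on line 75 does line up. The rules carry only `shortDescription`, `tags` and `precision`, and each message `text` is just the rule title, which reads like a hand-authored fixture rather than output captured from Trivy; because the workflow compares this file byte-for-byte, it should be regenerated from a real run of the plugin and committed as produced. Pinning `"version": "0.59.1"` on line 9 also means every Trivy upgrade changes the expected output, so the comparison step (not this file) is where the tolerance should live.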
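--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/config
@@ -0,0 +1,3 @@
+runtimes :
+tools :
+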
Original file line number Diff line number Diff line change 1+ FROM node:12.0.0
2+
3+ # Using an old version of npm that has known vulnerabilities
4+ RUN npm install -g
[email protected] 5+
6+ # Copy application files
7+ WORKDIR /app
8+ COPY package*.json ./
9+
10+ # Install dependencies with known vulnerabilities
11+ 12+
13+ # Copy source code
14+ COPY . .
15+
16+ # Expose port
17+ EXPOSE 3000
18+
19+ # Start the application
20+ CMD ["node" , "app.js" ]
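Review bot: Neither result in the expected SARIF added by this commit references this Dockerfile — both point at `package.json` — so either the `analyze` step never scans Dockerfiles, in which case this file is dead fixture data, or the expectation is incomplete; confirm which is intended and either drop the file or extend the expected output. If it is scanned, the image runs as root (there is no `USER` instruction) and uses the unpinned-by-digest base `node:12.0.0`, both of which Trivy's misconfiguration checks typically report, so those findings would need to be in the fixture too. On this rendering the argument of `RUN npm install -g` on line 4 appears as `[email protected]`, most likely a redaction of something like `npm@<version>`, and the content of line 11 under `# Install dependencies with known vulnerabilities` is missing entirely, so the file should be verified against the repository rather than this page.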
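--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/package.json
@@ -0,0 +1,11 @@
+{
+"name" : " trivy-test-app" ,
+"version" : " 1.0.0" ,
+"description" : " Test application for Trivy vulnerability scanning" ,
+"main" : " app.js" ,
+"dependencies" : {
+"express" : " 4.16.4" ,
+"lodash" : " 4.17.15" ,
+"moment" : " 2.24.0"
+}
+}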
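Review bot: No lockfile is added next to this manifest, and as far as I know Trivy's Node.js scanner resolves packages from `package-lock.json`, `yarn.lock` or an installed `node_modules` rather than from `package.json` alone, so the two findings the expected SARIF attributes to `package.json` may never be produced by a filesystem scan of this directory; confirm how the plugin invokes Trivy, or commit a generated `package-lock.json` and point the expectation at that file. Pinning `express`, `lodash` and `moment` to exact versions rather than ranges is the right choice for a deterministic fixture and should be kept if a lockfile is added.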