feature: Add support for Trivy in codacy-cli-v2

andrzej-janczak · andrzej-janczak · commit 873a5496fe4e · 2025-03-26T16:44:58.000+01:00
diff --git a/.codacy/codacy.yaml b/.codacy/codacy.yaml
@@ -2,3 +2,4 @@ runtimes:
     - node@22.2.0
 tools:
     - eslint@9.3.0
+    - trivy@0.46.0
diff --git a/.examples/code.js b/.examples/code.js
@@ -0,0 +1,10 @@
+import { tryInvoke } from '@ember/utils';
+
+class FooComponent extends Component {
+  foo() {
+    tryInvoke(this.args, 'bar', ['baz']);
+  }
+}
+
+
+var token = "github_rXGj85G0qUmzPu2ijX8msJsZRMzweyUuXaF0MeTvQEmGUP6AKSHeWuYn9Ue";
diff --git a/.examples/go.mod b/.examples/go.mod
@@ -0,0 +1,10 @@
+module trivy-example
+
+go 1.22.3
+
+require (
+	github.com/aquasecurity/trivy v0.49.1 // MEDIUM ERROR 
+	github.com/spf13/cobra v1.8.0
+    github.com/sirupsen/logrus v1.4.2    
+    github.com/dexidp/dex v0.0.0-20200121184102-3b39c6440888 // CRITICAL ERROR - CVE-2020-26160 - Insecure JWT implementation 
+)
diff --git a/.gitignore b/.gitignore
@@ -23,4 +23,7 @@ go.work.sum
 
 .idea/
 
-cli-v2
+cli-v2
+
+# ESLint config
+eslint.config.mjs
diff --git a/README.md b/README.md
@@ -4,15 +4,15 @@ This is a POC for what could be a new CLI for us. The idea is to rely on the nat
 
 ## Overview
 
-The `codacy-cli-v2` is a command-line tool for Codacy that supports analyzing code using ESLint and uploading the results in SARIF format to Codacy. It provides two main commands: `analyze` and `upload`.
+The `codacy-cli-v2` is a command-line tool for Codacy that supports analyzing code using ESLint, Trivy, and uploading the results in SARIF format to Codacy. It provides two main commands: `analyze` and `upload`.
 
 ### Commands
 
-- **`analyze` Command**: Runs ESLint analysis on the codebase.
+- **`analyze` Command**: Runs analysis tools on the codebase.
     - `--output, -o`: Output file for the results.
-    - `--tool, -t`: Specifies the tool to run analysis with (e.g., ESLint).
+    - `--tool, -t`: Specifies the tool to run analysis with (e.g., ESLint, Trivy).
     - `--format`: Output format (use 'sarif' for SARIF format to terminal).
-    - `--fix, -f`: Automatically fixes issues when possible.
+    - `--fix, -f`: Automatically fixes issues when possible (only applicable to certain tools).
     - `--new-pr`: Creates a new GitHub PR with fixed issues.
 
 - **`upload` Command With Project Token**: Uploads a SARIF file containing analysis results to Codacy.
@@ -30,14 +30,15 @@ The `codacy-cli-v2` is a command-line tool for Codacy that supports analyzing co
 
 ### Important Concepts
 
-- **`.codacy/codacy.yaml`**: Configuration file to specify `node` and `eslint` versions for the CLI.
+- **`.codacy/codacy.yaml`**: Configuration file to specify runtimes and tools versions for the CLI.
   ```yaml
   runtimes:
       - node@22.2.0
   tools:
       - eslint@9.3.0
+      - trivy@0.50.0
   
-- **`codacy-cli-v2 install`**: Command to install the specified node and eslint versions before running analysis.
+- **`codacy-cli-v2 install`**: Command to install the specified runtimes and tools before running analysis.
 
 ## Download
 
@@ -78,18 +79,32 @@ To run ESLint and output the results to the terminal:
 codacy-cli analyze --tool eslint
 ```
 
+To run Trivy vulnerability scanner:
+
+```bash
+codacy-cli analyze --tool trivy
+```
+
 To output results in SARIF format to the terminal:
 
 ```bash
 codacy-cli analyze --tool eslint --format sarif
 ```
 
+```bash
+codacy-cli analyze --tool trivy --format sarif
+```
+
 To store the results as SARIF in a file:
 
 ```bash
 codacy-cli analyze -t eslint -o eslint.sarif
 ```
 
+```bash
+codacy-cli analyze -t trivy -o trivy.sarif
+```
+
 ## Upload Results
 
 To upload a SARIF file to Codacy:
diff --git a/cmd/analyze.go b/cmd/analyze.go
@@ -202,8 +202,10 @@ var analyzeCmd = &cobra.Command{
 		switch toolToAnalyze {
 		case "eslint":
 			// nothing
+		case "trivy":
+			// nothing
 		case "":
-			log.Fatal("You need to specify a tool to run analysis with, e.g., '--tool eslint'", toolToAnalyze)
+			log.Fatal("You need to specify a tool to run analysis with, e.g., '--tool eslint' or '--tool trivy'")
 		default:
 			log.Fatal("Trying to run unsupported tool: ", toolToAnalyze)
 		}
@@ -215,19 +217,30 @@ var analyzeCmd = &cobra.Command{
 			failIfThereArePendingChanges()
 		}
 
-		eslint := config.Config.Tools()["eslint"]
-		eslintInstallationDirectory := eslint.Info()["installDir"]
-		nodeRuntime := config.Config.Runtimes()["node"]
-		nodeBinary := nodeRuntime.Info()["node"]
-
 		log.Printf("Running %s...\n", toolToAnalyze)
 		if outputFile != "" {
 			log.Println("Output will be available at", outputFile)
 		} else if outputFormat == "sarif" {
 			log.Println("Output will be in SARIF format")
 		}
 
-		tools.RunEslint(workDirectory, eslintInstallationDirectory, nodeBinary, args, autoFix, outputFile, outputFormat)
+		switch toolToAnalyze {
+		case "eslint":
+			eslint := config.Config.Tools()["eslint"]
+			eslintInstallationDirectory := eslint.Info()["installDir"]
+			nodeRuntime := config.Config.Runtimes()["node"]
+			nodeBinary := nodeRuntime.Info()["node"]
+
+			tools.RunEslint(workDirectory, eslintInstallationDirectory, nodeBinary, args, autoFix, outputFile, outputFormat)
+		case "trivy":
+			trivy := config.Config.Tools()["trivy"]
+			trivyBinary := trivy.Info()["trivy"]
+
+			err := tools.RunTrivy(workDirectory, trivyBinary, args, outputFile, outputFormat)
+			if err != nil {
+				log.Printf("Error running Trivy: %v", err)
+			}
+		}
 
 		if doNewPr {
 			utils.CreatePr(false)
diff --git a/cmd/init.go b/cmd/init.go
@@ -72,20 +72,23 @@ func createConfigurationFile(tools []tools.Tool) error {
 
 func configFileTemplate(tools []tools.Tool) string {
 
-	// Default version
+	// Default versions
 	eslintVersion := "9.3.0"
+	trivyVersion := "0.50.0" // Use the latest stable version
 
 	for _, tool := range tools {
 		if tool.Uuid == "f8b29663-2cb2-498d-b923-a10c6a8c05cd" {
 			eslintVersion = tool.Version
 		}
+		// If Codacy API provides UUID for Trivy, you would check it here
 	}
 
 	return fmt.Sprintf(`runtimes:
     - node@22.2.0
 tools:
     - eslint@%s
-`, eslintVersion)
+    - trivy@%s
+`, eslintVersion, trivyVersion)
 }
 
 func buildRepositoryConfigurationFiles(token string) error {
diff --git a/cmd/install.go b/cmd/install.go
@@ -52,6 +52,12 @@ func fetchTools(config *cfg.ConfigType) {
 				fmt.Println(err.Error())
 				log.Fatal(err)
 			}
+		case "trivy":
+			err := cfg.InstallTrivy(tool)
+			if err != nil {
+				fmt.Println(err.Error())
+				log.Fatal(err)
+			}
 		default:
 			log.Fatal("Unknown tool:", tool.Name())
 		}
diff --git a/config/runtime.go b/config/runtime.go
@@ -32,6 +32,8 @@ func (r *Runtime) populateInfo() {
 		r.info = genInfoNode(r)
 	case "eslint":
 		r.info = genInfoEslint(r)
+	case "trivy":
+		r.info = genInfoTrivy(r)
 	}
 }
 
diff --git a/config/trivy-utils.go b/config/trivy-utils.go
diff --git a/tools/trivyRunner.go b/tools/trivyRunner.go
diff --git a/utils/extract.go b/utils/extract.go
diff --git a/utils/file.go b/utils/file.go

-Original file line number
+Diff line change
     - [email protected]
 tools:
     - [email protected]
 +    - [email protected]
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,12 @@ func fetchTools(config *cfg.ConfigType) {`
`52`	`52`	`fmt.Println(err.Error())`
`53`	`53`	`log.Fatal(err)`
`54`	`54`	`}`
	`55`	`+ case "trivy":`
	`56`	`+ err := cfg.InstallTrivy(tool)`
	`57`	`+ if err != nil {`
	`58`	`+ fmt.Println(err.Error())`
	`59`	`+ log.Fatal(err)`
	`60`	`+ }`
`55`	`61`	`default:`
`56`	`62`	`log.Fatal("Unknown tool:", tool.Name())`
`57`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,8 @@ func (r *Runtime) populateInfo() {`
`32`	`32`	`r.info = genInfoNode(r)`
`33`	`33`	`case "eslint":`
`34`	`34`	`r.info = genInfoEslint(r)`
	`35`	`+ case "trivy":`
	`36`	`+ r.info = genInfoTrivy(r)`
`35`	`37`	`}`
`36`	`38`	`}`
`37`	`39`