Bug and touch-ups for trivy v0.51.2 (with a proposed fix)

[bobsrac]

Description

Bug and touch-ups for trivy v0.51.2 (with a proposed fix)

• bug: Misconfigurations without a location cause a large error to be filed as a diagnostic
• clean-up: Change from '--scanners config' to '--scanners misconfig' to eliminate deprecation log message
• clean-up: Add '--quiet' flag to suppress log output, which is unused by trivy.lua

Expected Behavior

Expected each misconfiguration from trivy to result in a well-formed diagnostic in neovim

Expected that Misconfigurations without location information would still show up as diagnostics, and they would default to the top of the file

Actual Behavior

$ cat Dockerfile
FROM ubuntu:24.04
LABEL maintainer="Matt Mahin <matt.mahin@gmail.com"

When I open the Dockerfile above, I see a long error message from trivy as a diagnostic:

Parser Failed. Error message:
<path_to_trivy.lua>:29: attempt to perform arithmetic on field 'StartLine' (a nil value)

Output from linter:
{
...
}

Environment

OS: Ubuntu 24.04 LTS trivy installed from nix unstable channel: 2yz2gcghw8pzbvhyihlls1m31ra1hn19-trivy-0.51.2

$ trivy --version
Version: v0.51.2
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-23 03:59:36.949766554 +0000 UTC

$  nvim --version
NVIM v0.10.0
Build type: Release
LuaJIT 2.1.1693350652
Run "nvim -V1 -v" for more info

Reproduction Steps

1. Install trivy v0.51.2
2. Open a dockerfile that does not have a HEALTHCHECK instruction -- this will yield a Misconfiguration whose CauseMetadata lacks "StartLine" and "EndLine" fields
3. View diagnostics for the buffer and note the entire stdout from trivy appears as a diagnostic.

Diagnosis

The cause is in /lua/lint/linters/trivy.lua. It creates a diagnostic reading StartLine and EndLine as integers without checking that they existed in the output from trivy. My proposed fix is to:

Proposed Fix

• check for all required fields from the parsed JSON needed to create a useful diagnostic from each Misconfiguration.
• create defaults for col, end_col, lnum, end_lnum all initialized to 0, then override from StartLine and EndLine as before if those fields exist.

Two other minor notes:

• trivy stdout is processed as a JSON, therefore the log lines are not useful. trivy has a '--quiet' flag to suppress the log
• trivy complains the cli arg '--scanners config' is deprecated. The updated arg: '--scanners misconfig'

Proposed Patch

diff is from commit: commit e19842a05aae484957ad20710444757bc0a61d63 (origin/master, origin/HEAD, master) Author: Dung Duc Huynh (Kaka) 870029+jellydn@users.noreply.github.com Date: Thu May 23 04:19:12 2024 +0800

Add oxlint (#585)

$  git diff e19842a05aae484957ad20710444757bc0a61d63
diff --git a/lua/lint/linters/trivy.lua b/lua/lint/linters/trivy.lua
index 8d21b81..d3ea6ef 100644
--- a/lua/lint/linters/trivy.lua
+++ b/lua/lint/linters/trivy.lua
@@ -8,7 +8,7 @@ return {
   cmd = "trivy",
   stdin = false,
   append_fname = true,
-  args = { "--scanners", "config", "--format", "json", "fs" },
+  args = { "--quiet", "--scanners", "misconfig", "--format", "json", "fs" },
   stream = "stdout",
   ignore_exitcode = false,
   parser = function(output, bufnr)
@@ -21,17 +21,39 @@ return {
     for _, result in ipairs(decoded and decoded.Results or {}) do
       if result.Target == fpath then
         for _, misconfig in ipairs(result.Misconfigurations or {}) do
-          local err = {
-            source = "trivy",
-            message = string.format("%s %s", misconfig.Title, misconfig.Description),
-            col = misconfig.CauseMetadata.StartLine,
-            end_col = misconfig.CauseMetadata.EndLine,
-            lnum = misconfig.CauseMetadata.StartLine - 1,
-            end_lnum = misconfig.CauseMetadata.EndLine - 1,
-            code = misconfig.ID,
-            severity = severity_map[misconfig.Severity],
-          }
-          table.insert(diagnostics, err)
+          if
+            misconfig.Title
+            and misconfig.Description
+            and misconfig.CauseMetadata
+            and misconfig.ID
+            and misconfig.Severity
+          then
+            local col = 0
+            local lnum = 0
+            if misconfig.CauseMetadata.StartLine then
+              col = misconfig.CauseMetadata.StartLine
+              lnum = misconfig.CauseMetadata.StartLine - 1
+            end
+
+            local end_col = 0
+            local end_lnum = 0
+            if misconfig.CauseMetadata.EndLine then
+              end_col = misconfig.CauseMetadata.EndLine
+              end_lnum = misconfig.CauseMetadata.EndLine - 1
+            end
+
+            local err = {
+              source = "trivy",
+              message = string.format("%s %s", misconfig.Title, misconfig.Description),
+              col = col,
+              end_col = enc_col,
+              lnum = lnum,
+              end_lnum = end_lnum,
+              code = misconfig.ID,
+              severity = severity_map[misconfig.Severity],
+            }
+            table.insert(diagnostics, err)
+          end
         end
       end
     end

[mfussenegger]

Just send a PR. All the linters are community maintained

[mfussenegger]

https://github.com/mfussenegger/nvim-lint/pull/589 was merged