Closed andrewvaughan closed 11 months ago
It looks like this check might be failing for me for some reason? https://github.com/oxsecurity/megalinter/blob/main/entrypoint.sh#L11
I received this in my GitHub Action log:
Skipped setting git safe.directory DEFAULT_WORKSPACE: ...
For my local machine, I actually think DevSkim is trying to output the errors in the JSON and that is why this error is appearing over and over:
fatal: this operation must be run in a work tree
So there's something about how the container is configured that this is being output instead of seeing the error as-formatted from DevSkim. I imagine they tack the JSON on the end (or y'all have it configured to do so) regardless of output.
I don't see the errors in the JSON on GitHub.com, either, unfortunately - my guess is that the error of the safe directory is another, different failure happening on that environment.
So I guess it comes down to... (a) why is that conditional failing and the safe directory is not being called? and (b) what's up with the local container via npx mega-linter-runner (I'm using the global, large container with all flavors, just FYI) erroring out on display?
I think we'll deprecate this linter... too many problems for too few benefits...
You should disable it for now
Thanks. I was about to add, when I created my own JSON config, the reporting went from JSON barf to actual readability... might be another avenue to explore before nuking it if just creating a basic file like this in the Megalinter TEMPLATES will help:
{
"Globs": ["**/.git/**", "**/megalinter-reports/**"]
}
Also, I'd like to figure out why my git directory is being skipped from being added to a safe directory up front... I do think that will continue to cause me issues with the CVE.
@andrewvaughan indeed it's worth trying :)
Would you like to make a PR? ^^
On my todo list for today, hopefully - stay tuned.
It looks like the fix isn't working for me; I've disabled devskim for now.
Version: megalinter/flavors/security@v7
I also deactivate on all my repos :/
On my local environment, running DevSkim, this is the error I get:
So it seems that DevSkim via MegaLinter is outputting non-human-readable JSON results into both the error logs and the console... making it a pain to figure out what's going wrong. There also seem to be some major errors going on somewhere along the line with "this operation must be run in a work tree", but I have no idea what that is about.
Interestingly, on GitHub Actions, the behaviors and failures are different:
I believe what is happening here is that there are additional issues on DevSkim from CVE-2022-24765. Details here. I believe this can be avoided by simply ensuring this command is run on the environment when configuring git:
I will test this with PRE_COMMANDS and see if I have improvement.
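As an added illustration of the "skip vs. register" decision discussed in this thread, here is a small POSIX sh script of the kind an entrypoint could run before linters start. It is not MegaLinter's own entrypoint.sh; the test for a `.git` entry at the workspace root and the exact message texts are assumptions, and `git config --global --add safe.directory` is the standard mitigation for the CVE-2022-24765 ownership check.

```shell
#!/bin/sh
# Added example, not MegaLinter code. Decide whether the mounted workspace
# (DEFAULT_WORKSPACE) should be registered as a git safe.directory so that
# git commands run by linters inside the container do not fail the
# CVE-2022-24765 "dubious ownership" check.

# Pure decision helper: prints "register" when the path exists and has a
# .git directory or file at its root (assumption: work tree root is mounted),
# "skip" otherwise. Kept free of git calls so it can be checked in isolation.
safe_dir_decision() {
    ws="$1"
    if [ -n "$ws" ] && [ -d "$ws" ] && [ -e "$ws/.git" ]; then
        echo "register"
    else
        echo "skip"
    fi
}

# Apply the decision. A skipped workspace is the situation this thread hits:
# later git invocations then fail with "this operation must be run in a work tree".
configure_safe_directory() {
    ws="$1"
    case "$(safe_dir_decision "$ws")" in
        register)
            if command -v git >/dev/null 2>&1 \
               && git config --global --add safe.directory "$ws"; then
                echo "Added git safe.directory $ws"
            else
                echo "Failed to add git safe.directory $ws"
            fi
            ;;
        *)
            echo "Skipped setting git safe.directory DEFAULT_WORKSPACE: $ws"
            ;;
    esac
}

# Stand-alone run: only act when the container actually set DEFAULT_WORKSPACE.
if [ -n "${DEFAULT_WORKSPACE:-}" ]; then
    configure_safe_directory "$DEFAULT_WORKSPACE"
fi
```

If the log shows the "Skipped" line for a repository you expect to be a work tree, the first thing to verify is whether the mount point inside the container really contains the `.git` entry.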