oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0

DevSkim failing both locally and on GH Actions #3017

Closed andrewvaughan closed 11 months ago

andrewvaughan commented 11 months ago

On my local environment, running DevSkim, this is the error I get:

Results of devskim linter (version 1.0.22)
See documentation on https://megalinter.io/7.4.0/descriptors/repository_devskim/
-----------------------------------------------

❌ [ERROR] for workspace /tmp/lint
Linter raw log:
git version 2.40.1
fatal: this operation must be run in a work tree

So it seems that DevSkim via MegaLinter is outputting non-human-readable JSON results into both the error logs and the console... making it a pain to figure out what's going wrong. There also seem to be some major errors going on somewhere along the line with "this operation must be run in a work tree", but I have no idea what that is about.

Interestingly, on GitHub Actions, the behaviors and failures are different:

❌ Linted [REPOSITORY] files with [devskim]: Found 9 error(s) - (1.59s) (expand for details)
  - Using [devskim v1.0.18] https://megalinter.io/7.3.0/descriptors/repository_devskim
  - MegaLinter key: [REPOSITORY_DEVSKIM]
  - Rules config: identified by [devskim]
  --Error detail:
  git version 2.38.5
  fatal: detected dubious ownership in repository at '/github/workspace/.git'
  To add an exception for this directory, call:

    git config --global --add safe.directory /github/workspace/.git

I believe what is happening here is that there are additional issues on DevSkim from CVE-2022-24765. Details here. I believe this can be avoided by simply ensuring this command is run on the environment when configuring git:

git config --global --add safe.directory /github/workspace

I will test this with PRE_COMMANDS and see if I have improvement.
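One way to make that raw log readable, as an added example that is not part of MegaLinter or DevSkim: a Python script that splits the git noise from the SARIF document DevSkim appends, collapses repeated lines into counts, and prints one grep-style line per finding with the replacement DevSkim suggests. The SARIF sample inside it is constructed to mirror the findings above (rule ids DS126858 and DS176209, WordList.yml line 70), not copied from either run.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document shaped like the DevSkim output in the issue
# (same rule ids, file and line numbers); hand-built here, not copied from it.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "devskim", "rules": [
        {"id": "DS126858", "name": "WeakbrokenHashAlgorithm",
         "defaultConfiguration": {"level": "error"}},
        {"id": "DS176209", "name": "SuspiciousComment",
         "defaultConfiguration": {"level": "note"}}]}},
    "results": [
        {"ruleId": "DS126858", "level": "error",
         "message": {"text": "Weak/Broken Hash Algorithm"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": ".config/linters/vale/styles/Google/WordList.yml"},
             "region": {"startLine": 70, "startColumn": 8, "snippet": {"text": "SHA-1"}}}}],
         "fixes": [{"artifactChanges": [{"replacements": [
             {"deletedRegion": {"charOffset": 1988, "charLength": 5},
              "insertedContent": {"text": "SHA256"}}]}]}]},
        {"ruleId": "DS176209", "message": {"text": "Suspicious comment"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": ".vscode/settings.json"},
             "region": {"startLine": 130, "startColumn": 5, "snippet": {"text": "TODO"}}}}]}]}]}

# Constructed raw log in the shape MegaLinter printed it: git noise lines
# first, then the whole minified SARIF document as the final line.
SAMPLE_RAW_LOG = ("git version 2.40.1\n"
                  + "fatal: this operation must be run in a work tree\n" * 2
                  + json.dumps(SAMPLE_SARIF, separators=(",", ":")) + "\n")


def split_raw_log(raw):
    """Separate noise lines (git, tool chatter) from the SARIF document that
    DevSkim appends; returns (noise_lines, sarif_dict_or_None)."""
    noise, sarif = [], None
    for line in (ln.strip() for ln in raw.splitlines()):
        if sarif is None and line.startswith("{"):
            try:
                sarif = json.loads(line)
                continue
            except json.JSONDecodeError:
                pass  # a brace line that is not a whole document stays as noise
        if line:
            noise.append(line)
    return noise, sarif


def findings(sarif):
    """Flatten results into file/line/col/level/rule/snippet/fix rows; level
    falls back to the rule's defaultConfiguration when a result omits it."""
    rules = {r["id"]: r for run in sarif["runs"]
             for r in run["tool"]["driver"].get("rules", [])}
    rows = []
    for run in sarif["runs"]:
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            fixes = [rep["insertedContent"]["text"] for fix in res.get("fixes", [])
                     for chg in fix.get("artifactChanges", [])
                     for rep in chg.get("replacements", []) if "insertedContent" in rep]
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                region = phys.get("region", {})
                rows.append({"file": phys.get("artifactLocation", {}).get("uri", "?"),
                             "line": region.get("startLine"), "col": region.get("startColumn"),
                             "level": level, "rule": res.get("ruleId", "?"),
                             "message": res.get("message", {}).get("text", ""),
                             "snippet": region.get("snippet", {}).get("text", ""), "fixes": fixes})
    return rows


def render(raw):
    """Human-readable report: repeated noise collapsed to counts, then one
    grep-style line per finding with DevSkim's suggested replacement, if any."""
    noise, sarif = split_raw_log(raw)
    out = [f"[tool output x{n}] {line}" for line, n in Counter(noise).items()]
    if sarif is None:
        return "\n".join(out + ["no SARIF document found in log"])
    for f in findings(sarif):
        fix = f" (fix: {'/'.join(f['fixes'])})" if f["fixes"] else ""
        out.append(f"{f['file']}:{f['line']}:{f['col']} {f['level']} {f['rule']} "
                   f"{f['message']} [{f['snippet']}]{fix}")
    return "\n".join(out)
```

Feeding the real raw log to render() gives the git noise once with its repeat count, followed by one line per DevSkim finding instead of the minified JSON.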

andrewvaughan commented 11 months ago

It looks like this check might be failing for me for some reason? https://github.com/oxsecurity/megalinter/blob/main/entrypoint.sh#L11

I received this in my GitHub Action log:

Skipped setting git safe.directory DEFAULT_WORKSPACE:  ...

andrewvaughan commented 11 months ago

For my local machine, I actually think DevSkim is trying to output the errors in the JSON and that is why this error is appearing over and over:

fatal: this operation must be run in a work tree

So there's something about how the container is configured that this is being output instead of seeing the error as-formatted from DevSkim. I imagine they tack the JSON on the end (or y'all have it configured to do so) regardless of output.

I don't see the errors in the JSON on GitHub.com, either, unfortunately - my guess is that the error of the safe directory is another, different failure happening on that environment.

So I guess it comes down to... (a) why is that conditional failing and the safe directory is not being called? and (b) what's up with the local container via npx mega-linter-runner (I'm using the global, large container with all flavors, just FYI) erroring out on display?

nvuillam commented 11 months ago

I think we'll deprecate this linter... too many problems for too few benefits...

nvuillam commented 11 months ago

You should disable it for now

andrewvaughan commented 11 months ago

Thanks. I was about to add, when I created my own JSON config, the reporting went from JSON barf to actual readability... might be another avenue to explore before nuking it if just creating a basic file like this in the Megalinter TEMPLATES will help:

{
  "Globs": ["**/.git/**", "**/megalinter-reports/**"]
}

Also, I'd like to figure out why my git directory is being skipped from being added to a safe directory up front... I do think that will continue to cause me issues with the CVE.

nvuillam commented 11 months ago

@andrewvaughan indeed it's worth trying :)

Would you like to make a PR ? ^^

andrewvaughan commented 11 months ago

@andrewvaughan indeed it's worth trying :)

Would you like to make a PR ? ^^

On my todo list for today, hopefully - stay tuned.

Jayllyz commented 8 months ago

It looks like the fix isn't working for me, I've disabled devskim for now. Version: megalinter/flavors/security@v7

image

nvuillam commented 7 months ago

I also deactivate on all my repos :/