search

oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0
1.8k stars 215 forks source link

bug: DevSkim - Fixes fatal error and override path #3673

Closed TommyE123 closed 1 week ago

TommyE123 commented 1 week ago

DevSkim Fatal errors and config override fix

Fixes #3611 and #2849

Context:

DevSkim on scanning was throwing various issues:

fatal: this operation must be run in a work tree

git config --global --add safe.directory /github/workspace fatal: detected dubious ownership in repository at '/github/workspace' To add an exception for this directory, call:

It appears the --skip-git-ignored-files is causing this issue. On doing a bit of searching on github it appears no one is using it apart from a few references in other megalinter configs.

I’ve tested it with a simple github workflow outside of megalinter and also running the commands locally and the error remains when using this option. So I strongly suspect unless im missing something that its an issue with the DevSkim code.

The second issue is simply that Devskim was using the default -c to specify the config path so as far as I can tell, It would’nt have worked without overriding the config arguement.

Changes:

• Added cli_config_arg_name: "--options-json" to devskim descriptor. • Removed --skip-git-ignored-files from devskim descriptor.

Testing:

AZURE – no .devskim.json present so uses default megalinter config.

image

GITHUB – .devskim.json in default folder with no megalinter devskim specific fixes

image

GITLAB – .devskim.json in config folder

megalinter config entry image

Output: image

Additional Notes:

• Please note I’ve not tried to cleanup the Sarif report in this PR which is currently outputting terribly!

If there are any issues or concerns, please let me know, and I will address them promptly. Thank you for reviewing this PR. Looking forward to your feedback.

Tom

TommyE123 commented 1 week ago

I've also raised a bug with Microsoft here https://github.com/microsoft/DevSkim/issues/620 to see if they are aware of the issue or how to address it.

echoix commented 1 week ago

I'll have time to review your recent PRs starting late tomorrow. I'm attending a code sprint for another project, so I have way more to review than I can do.

echoix commented 1 week ago

I've also raised a bug with Microsoft here https://github.com/microsoft/DevSkim/issues/620 to see if they are aware of the issue or how to address it.

Perfect, we've often had users having issues with this linter.

echoix commented 1 week ago

Thanks again for your PR, getting it merged as soon as possible!