Upgrade editorconfig-checker + set ARGs at the beginning of dockerfile (

#3528) * Bump mstruebing/editorconfig-checker from 2.7.2 to v3.0.1 Bumps mstruebing/editorconfig-checker from 2.7.2 to v3.0.1. --- updated-dependencies: - dependency-name: mstruebing/editorconfig-checker dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * Use latest version of editorconfig-checker * Reorder args * Build: Write ARG lines at the top of Dockerfiles if they are used by FROM variables Related to #3525 * cspell * [MegaLinter] Apply linters fixes * Fix ARM test cases * Remove workflow telemetry to improve perfs * Remove editorconfig trivy exception --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: nvuillam <nvuillam@users.noreply.github.com>
oxsecurity · Apr 30, 2024 · ac6bf96 · ac6bf96
1 parent c3a1f10
commit ac6bf96
Show file tree

Hide file tree

Showing 149 changed files with 1,466 additions and 171 deletions.
diff --git a/.automation/build.py b/.automation/build.py
@@ -418,6 +418,17 @@ def build_dockerfile(
     # Add ruby apk packages if gem packages are here
     if len(gem_packages) > 0:
         apk_packages += ["ruby", "ruby-dev", "ruby-bundler", "ruby-rdoc"]
+    # Separate args used in FROM instructions from others
+    all_from_instructions = "\n".join(list(dict.fromkeys(docker_from)))
+    docker_arg_top = []
+    docker_arg_main = []
+    for docker_arg_item in docker_arg:
+        match = re.match(r"ARG\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=?\s*", docker_arg_item)
+        arg_name = match.group(1)
+        if arg_name in all_from_instructions:
+            docker_arg_top += [docker_arg_item]
+        else:
+            docker_arg_main += [docker_arg_item]
     # Replace between tags in Dockerfile
     # Commands
     replace_in_file(
@@ -426,11 +437,17 @@ def build_dockerfile(
         "#FROM__END",
         "\n".join(list(dict.fromkeys(docker_from))),
     )
+    replace_in_file(
+        dockerfile,
+        "#ARGTOP__START",
+        "#ARGTOP__END",
+        "\n".join(list(dict.fromkeys(docker_arg_top))),
+    )
     replace_in_file(
         dockerfile,
         "#ARG__START",
         "#ARG__END",
-        "\n".join(list(dict.fromkeys(docker_arg))),
+        "\n".join(list(dict.fromkeys(docker_arg_main))),
     )
     replace_in_file(
         dockerfile,

diff --git a/.automation/test/arm/arm_good_1.json b/.automation/test/arm/arm_good_1.json
@@ -30,7 +30,7 @@
         {
             "name": "[variables('Network.Name')]",
             "type": "Microsoft.Network/virtualNetworks",
-            "apiVersion": "2022-05-01",
+            "apiVersion": "2023-04-01",
             "location": "[variables('Network.Location')]",
             "tags": "[variables('Network.Tags')]",
             "properties": {
@@ -47,7 +47,7 @@
     "outputs": {
         "state": {
             "type": "object",
-            "value": "[reference(resourceId('Microsoft.Network/virtualNetworks',variables('Network.Name')), '2022-05-01', 'Full')]"
+            "value": "[reference(resourceId('Microsoft.Network/virtualNetworks',variables('Network.Name')), '2023-04-01', 'Full')]"
         }
     }
 }
diff --git a/.cspell.json b/.cspell.json
@@ -16,6 +16,7 @@
         "report"
     ],
     "ignoreWords": [
+        "ARGTOP",
         "AROA47DSWDEZA3",
         "Chandan",
         "Cpageref",

diff --git a/.github/workflows/deploy-DEV-linters.yml b/.github/workflows/deploy-DEV-linters.yml
@@ -179,10 +179,10 @@ jobs:
     # Load all steps #
     ##################
     steps:
-      - name: Collect Workflow Telemetry
-        uses: runforesight/workflow-telemetry-action@v1
-        with:
-          comment_on_pr: false
+      # - name: Collect Workflow Telemetry
+      #   uses: runforesight/workflow-telemetry-action@v1
+      #   with:
+      #     comment_on_pr: false
 
       - name: Checkout Code
         uses: actions/checkout@v4

diff --git a/.trivyignore b/.trivyignore
@@ -5,10 +5,6 @@ CVE-2018-8292
 CVE-2023-29331
 CVE-2019-0820
 
-# editorconfig-checker
-# https://github.com/editorconfig-checker/editorconfig-checker/issues/342
-CVE-2023-39325
-
 # gitleaks
 # Solved in next gitleaks release: https://github.com/gitleaks/gitleaks/pull/1342
 CVE-2021-38561

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -33,6 +33,8 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
   - Build: take in account disabled linters for workflow auto-update
   - Remove useless package-lock.json that was in python tests folder
   - Fix SARIF_REPORTER that was wrongly sent to `true` to format & fix test methods
+  - Build: Write ARG lines at the top of Dockerfiles if they are used by FROM variables
+  - Remove Github Actions Workflow telemetry to improve performances
 
 - Linter versions upgrades
   - [phpcs](https://github.com/PHPCSStandards/PHP_CodeSniffer) from 3.9.1 to **3.9.2** on 2024-04-23

diff --git a/Dockerfile b/Dockerfile
@@ -7,6 +7,13 @@
 
 # @not-generated
 
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+#ARGTOP__START
+ARG VERSION_EDITORCONFIG_CHECKER=latest
+#ARGTOP__END
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
@@ -19,7 +26,7 @@ FROM koalaman/shellcheck:stable as shellcheck
 # FROM koalaman/shellcheck:stable as shellcheck
 FROM mvdan/shfmt:latest-alpine as shfmt
 FROM hadolint/hadolint:v2.12.0-alpine as hadolint
-FROM mstruebing/editorconfig-checker:2.7.2 as editorconfig-checker
+FROM mstruebing/editorconfig-checker:$VERSION_EDITORCONFIG_CHECKER as editorconfig-checker
 FROM golang:1-alpine as revive
 ## The golang image used as a builder is a temporary workaround (https://github.com/mgechev/revive/issues/787)
 ## for the released revive binaries not returning version numbers (devel). 
@@ -50,7 +57,6 @@ FROM alpine/terragrunt:latest as terragrunt
 # Get base image #
 ##################
 FROM python:3.12.3-alpine3.19
-ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -67,6 +73,9 @@ ARG PMD_VERSION=7.1.0
 ARG PSSA_VERSION='latest'
 #ARG__END
 
+# Static args
+ARG GITHUB_TOKEN
+
 ####################
 # Run APK installs #
 ####################

diff --git a/flavors/c_cpp/Dockerfile b/flavors/c_cpp/Dockerfile
@@ -8,6 +8,13 @@
 
 # @not-generated
 
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+#ARGTOP__START
+ARG VERSION_EDITORCONFIG_CHECKER=latest
+#ARGTOP__END
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
@@ -20,7 +27,7 @@ FROM koalaman/shellcheck:stable as shellcheck
 # FROM koalaman/shellcheck:stable as shellcheck
 FROM mvdan/shfmt:latest-alpine as shfmt
 FROM hadolint/hadolint:v2.12.0-alpine as hadolint
-FROM mstruebing/editorconfig-checker:2.7.2 as editorconfig-checker
+FROM mstruebing/editorconfig-checker:$VERSION_EDITORCONFIG_CHECKER as editorconfig-checker
 FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
@@ -34,7 +41,6 @@ FROM lycheeverse/lychee:latest-alpine as lychee
 # Get base image #
 ##################
 FROM python:3.12.3-alpine3.19
-ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -43,6 +49,9 @@ ARG GITHUB_TOKEN
 
 #ARG__END
 
+# Static args
+ARG GITHUB_TOKEN
+
 ####################
 # Run APK installs #
 ####################

diff --git a/flavors/ci_light/Dockerfile b/flavors/ci_light/Dockerfile
@@ -8,6 +8,13 @@
 
 # @not-generated
 
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+#ARGTOP__START
+
+#ARGTOP__END
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
@@ -24,7 +31,6 @@ FROM trufflesecurity/trufflehog:latest as trufflehog
 # Get base image #
 ##################
 FROM python:3.12.3-alpine3.19
-ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -33,6 +39,9 @@ ARG GITHUB_TOKEN
 
 #ARG__END
 
+# Static args
+ARG GITHUB_TOKEN
+
 ####################
 # Run APK installs #
 ####################

diff --git a/flavors/cupcake/Dockerfile b/flavors/cupcake/Dockerfile
@@ -8,6 +8,13 @@
 
 # @not-generated
 
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+#ARGTOP__START
+ARG VERSION_EDITORCONFIG_CHECKER=latest
+#ARGTOP__END
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
@@ -20,7 +27,7 @@ FROM koalaman/shellcheck:stable as shellcheck
 # FROM koalaman/shellcheck:stable as shellcheck
 FROM mvdan/shfmt:latest-alpine as shfmt
 FROM hadolint/hadolint:v2.12.0-alpine as hadolint
-FROM mstruebing/editorconfig-checker:2.7.2 as editorconfig-checker
+FROM mstruebing/editorconfig-checker:$VERSION_EDITORCONFIG_CHECKER as editorconfig-checker
 FROM golang:1-alpine as revive
 ## The golang image used as a builder is a temporary workaround (https://github.com/mgechev/revive/issues/787)
 ## for the released revive binaries not returning version numbers (devel). 
@@ -45,7 +52,6 @@ FROM alpine/terragrunt:latest as terragrunt
 # Get base image #
 ##################
 FROM python:3.12.3-alpine3.19
-ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -54,6 +60,9 @@ ARG GITHUB_TOKEN
 ARG PMD_VERSION=7.1.0
 #ARG__END
 
+# Static args
+ARG GITHUB_TOKEN
+
 ####################
 # Run APK installs #
 ####################

diff --git a/flavors/documentation/Dockerfile b/flavors/documentation/Dockerfile
@@ -8,6 +8,13 @@
 
 # @not-generated
 
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+#ARGTOP__START
+ARG VERSION_EDITORCONFIG_CHECKER=latest
+#ARGTOP__END
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
@@ -20,7 +27,7 @@ FROM koalaman/shellcheck:stable as shellcheck
 # FROM koalaman/shellcheck:stable as shellcheck
 FROM mvdan/shfmt:latest-alpine as shfmt
 FROM hadolint/hadolint:v2.12.0-alpine as hadolint
-FROM mstruebing/editorconfig-checker:2.7.2 as editorconfig-checker
+FROM mstruebing/editorconfig-checker:$VERSION_EDITORCONFIG_CHECKER as editorconfig-checker
 FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
@@ -34,7 +41,6 @@ FROM lycheeverse/lychee:latest-alpine as lychee
 # Get base image #
 ##################
 FROM python:3.12.3-alpine3.19
-ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -43,6 +49,9 @@ ARG GITHUB_TOKEN
 
 #ARG__END
 
+# Static args
+ARG GITHUB_TOKEN
+
 ####################
 # Run APK installs #
 ####################

diff --git a/flavors/dotnet/Dockerfile b/flavors/dotnet/Dockerfile
@@ -8,6 +8,13 @@
 
 # @not-generated
 
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+#ARGTOP__START
+ARG VERSION_EDITORCONFIG_CHECKER=latest
+#ARGTOP__END
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
@@ -20,7 +27,7 @@ FROM koalaman/shellcheck:stable as shellcheck
 # FROM koalaman/shellcheck:stable as shellcheck
 FROM mvdan/shfmt:latest-alpine as shfmt
 FROM hadolint/hadolint:v2.12.0-alpine as hadolint
-FROM mstruebing/editorconfig-checker:2.7.2 as editorconfig-checker
+FROM mstruebing/editorconfig-checker:$VERSION_EDITORCONFIG_CHECKER as editorconfig-checker
 FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
@@ -34,7 +41,6 @@ FROM lycheeverse/lychee:latest-alpine as lychee
 # Get base image #
 ##################
 FROM python:3.12.3-alpine3.19
-ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -49,6 +55,9 @@ ARG BICEP_DIR='/usr/local/bin'
 ARG PSSA_VERSION='latest'
 #ARG__END
 
+# Static args
+ARG GITHUB_TOKEN
+
 ####################
 # Run APK installs #
 ####################

diff --git a/flavors/dotnetweb/Dockerfile b/flavors/dotnetweb/Dockerfile
@@ -8,6 +8,13 @@
 
 # @not-generated
 
+#############################################################################################
+## @generated by .automation/build.py using descriptor files, please do not update manually ##
+#############################################################################################
+#ARGTOP__START
+ARG VERSION_EDITORCONFIG_CHECKER=latest
+#ARGTOP__END
+
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
@@ -20,7 +27,7 @@ FROM koalaman/shellcheck:stable as shellcheck
 # FROM koalaman/shellcheck:stable as shellcheck
 FROM mvdan/shfmt:latest-alpine as shfmt
 FROM hadolint/hadolint:v2.12.0-alpine as hadolint
-FROM mstruebing/editorconfig-checker:2.7.2 as editorconfig-checker
+FROM mstruebing/editorconfig-checker:$VERSION_EDITORCONFIG_CHECKER as editorconfig-checker
 FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM mrtazz/checkmake:latest as checkmake
 FROM yoheimuta/protolint:latest as protolint
@@ -34,7 +41,6 @@ FROM lycheeverse/lychee:latest-alpine as lychee
 # Get base image #
 ##################
 FROM python:3.12.3-alpine3.19
-ARG GITHUB_TOKEN
 
 #############################################################################################
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
@@ -49,6 +55,9 @@ ARG BICEP_DIR='/usr/local/bin'
 ARG PSSA_VERSION='latest'
 #ARG__END
 
+# Static args
+ARG GITHUB_TOKEN
+
 ####################
 # Run APK installs #
 ####################