
Allow to run Guideline_Enforcer #147

Merged (5 commits), Oct 17, 2024

Conversation

cedelavergne-ledger (Contributor) commented Oct 4, 2024

Add a script allowing the Guideline Enforcer checks to be called from the ledger-app-workflows repository.
Add missing packages in the container.

Bump Speculos & Ragger to their latest versions.

ledger-wiz-cspm-secret-detection (bot) commented Oct 4, 2024

Wiz Scan Summary

| Scan Module           | Critical | High | Medium | Low | Info | Total |
|-----------------------|----------|------|--------|-----|------|-------|
| IaC Misconfigurations | 0        | 0    | 1      | 1   | 1    | 3     |
| Sensitive Data        | 0        | 0    | 0      | 0   | 0    | 0     |
| Secrets               | 0        | 0    | 0      | 0   | 0    | 0     |
| Total                 | 0        | 0    | 1      | 1   | 1    | 3     |


agrojean-ledger (Contributor) commented Oct 10, 2024

@cedelavergne-ledger shouldn't the enforcer.sh live on ledger-app-workflows and be copied from there directly (via a clone of the repo during the image build in a tmp dir)?

It seems to me the script is tightly linked to the workflows.

cedelavergne-ledger (Contributor, Author) commented

> @cedelavergne-ledger shouldn't the enforcer.sh live on ledger-app-workflows and be copied from there directly (via a clone of the repo during the image build in a tmp dir)?
>
> It seems to me the script is tightly linked to the workflows.

No, because for the VSCode extension we need a simple and straightforward method, ideally based on a script: the final usage, with the extension, will be to open the dev-tool container with a bash command. The latter must be as simple as possible and, moreover, generic. Using a script will allow us to easily maintain/improve the mechanism in the future, if needed, just by updating the container, without needing to hardcode a complex command line in the extension itself.

@@ -19,5 +19,11 @@ ARG PYTHON_BUILD_DEPS=libffi-dev,python3-dev,py3-virtualenv
# Install the building dependencies.
RUN apk add $(echo -n "$PYTHON_BUILD_DEPS" | tr , ' ')

# Install packahes to allow Guideline Enforcer to run
RUN apk add imagemagick grep
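Review bot: the two packages added by `RUN apk add imagemagick grep` are unpinned, while the pip line further down in the same hunk pins `ragger` and `speculos` to exact versions; pin them the same way (`apk add --no-cache imagemagick=<version> grep=<version>`) so that rebuilding the image cannot silently pull a different imagemagick, and `--no-cache` keeps the apk index out of the layer. Two smaller points: the comment above it reads "packahes", and since the preceding RUN already invokes `apk add`, the two could be merged into one instruction to save a layer.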

Medium Wiz IaC Finding

Rule: Unpinned Package Version in Apk Add
Rule ID: 9b55ae16-9e49-41dc-885f-a59ee0bb54bd
Severity: Medium
Resource: FROM={{ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest}}.{{RUN apk add imagemagick grep}}

Details

Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes.

Expected: RUN instruction with 'apk add ' should use package pinning form 'apk add <package>=<version>'
Found: RUN instruction apk add imagemagick grep does not use package pinning form

RUN pip3 install --no-cache-dir "ragger[tests,all_backends]==1.24.0" "speculos==0.10.0"

# Add the enforcer script
ADD ./dev-tools/enforcer.sh /opt/enforcer.sh
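Review bot: `ADD ./dev-tools/enforcer.sh /opt/enforcer.sh` copies a single local file, so `COPY` is the right instruction; `ADD` additionally auto-extracts archives and fetches URLs, behaviour a script path should never trigger. Consider `COPY --chmod=755 ./dev-tools/enforcer.sh /opt/enforcer.sh` so the script is executable inside the image regardless of the file mode in the checkout. The exact pins on `ragger` and `speculos` in the pip line are good and are the model the `apk add` line above should follow.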

Low Wiz IaC Finding

Rule: Add Instead of Copy
Rule ID: d3b26264-01d2-4c17-aa13-e056403caf7a
Severity: Low
Resource: FROM={{ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder:latest}}.{{ADD ./dev-tools/enforcer.sh /opt/enforcer.sh}}

Details

Should use COPY instead of ADD unless running a tar file.

Expected: 'COPY' ./dev-tools/enforcer.sh
Found: 'ADD' ./dev-tools/enforcer.sh
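A minimal checker for the two Wiz IaC rules raised on this PR (unpinned `apk add` packages, and `ADD` used for a plain file), added here as an example; it is not code from the PR, the ledger-app-builder project or Wiz, and the sample Dockerfile it scans, including its version strings, is constructed.

```shell
# Added example (not code from this PR or from Wiz): a minimal checker for the
# two IaC rules Wiz raised here, run over a constructed sample Dockerfile.
#   1. "apk add" without version pinning (package=version form)
#   2. ADD used for a plain local file where COPY is the right instruction

lint_dockerfile() {
    # Prints one finding per line for the Dockerfile given as $1.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            RUN*"apk add"*)
                # Arguments after "apk add", up to the next && or ; in the shell line
                args=${line#*"apk add"}
                args=${args%%"&&"*}; args=${args%%";"*}
                case "$args" in
                    *'$('*|*'`'*)   # package list built at build time: cannot check statically
                        echo "apk add uses shell substitution, pin versions explicitly: $line"
                        continue ;;
                esac
                for pkg in $args; do
                    case "$pkg" in
                        -*|*=*) ;;      # flags and pinned packages are fine
                        *) echo "unpinned apk package: $pkg" ;;
                    esac
                done ;;
            "ADD "*)
                src=""
                for word in $line; do   # first non-flag word after ADD is the source
                    case "$word" in ADD|--*) ;; *) src=$word; break ;; esac
                done
                case "$src" in
                    *.tar|*.tar.gz|*.tgz|*.tar.xz|*.tar.bz2|http://*|https://*) ;;
                    *) echo "ADD used for a plain file, use COPY: $src" ;;
                esac ;;
        esac
    done < "$1"
}

count_findings() { lint_dockerfile "$1" | grep -c .; }

# Constructed sample (illustrative version strings, not real Alpine versions):
# the flagged instructions beside their pinned / COPY forms.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
FROM alpine:3.20
RUN apk add imagemagick grep
ADD ./dev-tools/enforcer.sh /opt/enforcer.sh
RUN apk add --no-cache imagemagick=7.1.1-r0 grep=3.11-r0
COPY --chmod=755 ./dev-tools/enforcer.sh /opt/enforcer.sh
EOF
lint_dockerfile "$SAMPLE"    # reports imagemagick, grep and the ADD line
```

Only the first `RUN` and the `ADD` line are reported; the pinned `apk add` and the `COPY` line pass, which is the shape the hunk above should end up in.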

tdejoigny-ledger merged commit 66e7c1e into master Oct 17, 2024
10 checks passed
tdejoigny-ledger deleted the cev/rule_enforcer branch October 17, 2024 17:06