aquasecurity · knqyf263 · Sep 14, 2022 · Sep 13, 2022 · Sep 13, 2022 · Sep 13, 2022
@@ -13,7 +13,6 @@ on:
         type: string
 
 env:
-  GO_VERSION: "1.18"
   GH_USER: "aqua-bot"
 
 jobs:
@@ -63,7 +62,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: Checkout code
         uses: actions/checkout@v3
@@ -106,4 +105,4 @@ jobs:
           # use 'github.sha' to create a unique cache folder for each run.
           # use 'github.workflow' to create a unique cache folder if some runs have same commit sha.
           # e.g. build and release runs
-          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
+          key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}
@@ -10,8 +10,7 @@ on:
       - 'LICENSE'
   pull_request:
 env:
-  GO_VERSION: "1.18"
-  TINYGO_VERSION: "0.24.0"
+  TINYGO_VERSION: "0.25.0"
 jobs:
   test:
     name: Test
@@ -22,7 +21,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
 
       - name: go mod tidy
         run: |
@@ -35,7 +34,7 @@ jobs:
       - name: Lint
         uses: golangci/golangci-lint-action@v3.2.0
         with:
-          version: v1.45
+          version: v1.49
           args: --deadline=30m
           skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
 
@@ -51,36 +50,34 @@ jobs:
     name: Integration Test
     runs-on: ubuntu-latest
     steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: ${{ env.GO_VERSION }}
-      id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
 
-    - name: Run integration tests
-      run: make test-integration
+      - name: Run integration tests
+        run: make test-integration
 
   module-test:
     name: Module Integration Test
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
+          go-version-file: go.mod
 
       - name: Install TinyGo
         run: |
           wget https://github.com/tinygo-org/tinygo/releases/download/v${TINYGO_VERSION}/tinygo_${TINYGO_VERSION}_amd64.deb
           sudo dpkg -i tinygo_${TINYGO_VERSION}_amd64.deb
 
-      - name: Checkout
-        uses: actions/checkout@v3
-
       - name: Run module integration tests
         run: |
           make test-module-integration
@@ -107,7 +104,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: ${{ env.GO_VERSION }}
+        go-version-file: go.mod
 
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v3

@@ -21,18 +21,17 @@ linters-settings:
     local-prefixes: github.com/aquasecurity
   gosec:
     excludes:
+      - G114
       - G204
       - G402
 
 linters:
   disable-all: true
   enable:
-    - structcheck
+    - unused
     - ineffassign
     - typecheck
     - govet
-    - varcheck
-    - deadcode
     - revive
     - gosec
     - unconvert
@@ -43,7 +42,7 @@ linters:
     - misspell
 
 run:
-  go: 1.18
+  go: 1.19
   skip-files:
     - ".*._mock.go$"
     - ".*._test.go$"

@@ -1,4 +1,4 @@
-FROM golang:1.18.4
+FROM golang:1.19.0
 
 # Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

@@ -26,7 +26,7 @@ $(GOBIN)/crane:
 	go install github.com/google/go-containerregistry/cmd/crane@v0.9.0
 
 $(GOBIN)/golangci-lint:
-	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.45.2
+	curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(GOBIN) v1.49.0
 
 $(GOBIN)/labeler:
 	go install github.com/knqyf263/labeler@latest

@@ -1,6 +1,6 @@
 module github.com/aquasecurity/trivy
 
-go 1.18
+go 1.19
 
 require (
 	github.com/CycloneDX/cyclonedx-go v0.6.0

@@ -160,10 +160,12 @@ func (a rpmPkgAnalyzer) parsePkgInfo(rc io.Reader) ([]types.Package, []string, e
 	return pkgs, installedFiles, nil
 }
 
-// splitFileName returns a name, version, release, epoch, arch
-// e.g.
-//    foo-1.0-1.i386.rpm returns foo, 1.0, 1, i386
-//    1:bar-9-123a.ia64.rpm returns bar, 9, 123a, 1, ia64
+// splitFileName returns a name, version, release, epoch, arch:
+//
+//	e.g.
+//		foo-1.0-1.i386.rpm => foo, 1.0, 1, i386
+//		1:bar-9-123a.ia64.rpm => bar, 9, 123a, 1, ia64
+//
 // https://github.com/rpm-software-management/yum/blob/043e869b08126c1b24e392f809c9f6871344c60d/rpmUtils/miscutils.py#L301
 func splitFileName(filename string) (name, ver, rel string, err error) {
 	if strings.HasSuffix(filename, ".rpm") {

@@ -13,7 +13,6 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/attestation"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
-	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
 	"github.com/aquasecurity/trivy/pkg/fanal/cache"
 	"github.com/aquasecurity/trivy/pkg/fanal/handler"
@@ -29,8 +28,7 @@ type Artifact struct {
 	analyzer       analyzer.AnalyzerGroup
 	handlerManager handler.Manager
 
-	artifactOption      artifact.Option
-	configScannerOption config.ScannerOption
+	artifactOption artifact.Option
 }
 
 func NewArtifact(filePath string, c cache.ArtifactCache, opt artifact.Option) (artifact.Artifact, error) {

@@ -241,6 +241,14 @@ func commonChecks(t *testing.T, detail types.ArtifactDetail, tc testCase) {
 }
 
 func checkOSPackages(t *testing.T, detail types.ArtifactDetail, tc testCase) {
+	// Sort OS packages for consistency
+	sort.Slice(detail.Packages, func(i, j int) bool {
+		if detail.Packages[i].Name != detail.Packages[j].Name {
+			return detail.Packages[i].Name < detail.Packages[j].Name
+		}
+		return detail.Packages[i].Version < detail.Packages[j].Version
+	})
+
 	splitted := strings.Split(tc.remoteImageName, ":")
 	goldenFile := fmt.Sprintf("testdata/goldens/packages/%s.json.golden", splitted[len(splitted)-1])
 

@@ -209,8 +209,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "3dbdc284",
-    "Release": "53674dd4",
+    "Version": "307e3d54",
+    "Release": "5aaa90a5",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {
@@ -219,8 +219,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "307e3d54",
-    "Release": "5aaa90a5",
+    "Version": "39db7c82",
+    "Release": "5847eb1f",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {
@@ -229,8 +229,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "39db7c82",
-    "Release": "5847eb1f",
+    "Version": "3dbdc284",
+    "Release": "53674dd4",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {

@@ -209,8 +209,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "39db7c82",
-    "Release": "5f68629b",
+    "Version": "307e3d54",
+    "Release": "5aaa90a5",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {
@@ -219,8 +219,8 @@
   },
   {
     "Name": "gpg-pubkey",
-    "Version": "307e3d54",
-    "Release": "5aaa90a5",
+    "Version": "39db7c82",
+    "Release": "5f68629b",
     "Arch": "None",
     "License": "pubkey",
     "Layer": {

@@ -9,14 +9,15 @@ import (
 	"golang.org/x/xerrors"
 )
 
-// e.g. config yaml
-// cache:
-//   clear: true
-//   backend: "redis://localhost:6379"
-//   redis:
-//    ca: ca-cert.pem
-//    cert: cert.pem
-//    key: key.pem
+// e.g. config yaml:
+//
+//	cache:
+//	  clear: true
+//	  backend: "redis://localhost:6379"
+//	redis:
+//	  ca: ca-cert.pem
+//	  cert: cert.pem
+//	  key: key.pem
 var (
 	ClearCacheFlag = Flag{
 		Name:       "clear-cache",

@@ -4,11 +4,12 @@ import (
 	"github.com/aquasecurity/trivy/pkg/log"
 )
 
-// e.g. config yaml
-// misconfiguration:
-//   trace: true
-//   config-policy: "custom-policy/policy"
-//   policy-namespaces: "user"
+// e.g. config yaml:
+//
+//	misconfiguration:
+//	  trace: true
+//	  config-policy: "custom-policy/policy"
+//	  policy-namespaces: "user"
 var (
 	IncludeNonFailuresFlag = Flag{
 		Name:       "include-non-failures",

@@ -289,7 +289,7 @@ func (f *Flags) Bind(cmd *cobra.Command) error {
 	return nil
 }
 
-//nolint: gocyclo
+// nolint: gocyclo
 func (f *Flags) ToOptions(appVersion string, args []string, globalFlags *GlobalFlagGroup, output io.Writer) (Options, error) {
 	var err error
 	opts := Options{

@@ -14,12 +14,11 @@ import (
 	"github.com/aquasecurity/trivy/pkg/result"
 )
 
-// e.g. config yaml
-// report:
-//   format: table
-//   dependency-tree: true
-//   exit-code: 1
-//   severity: HIGH,CRITICAL
+// e.g. config yaml:
+//
+//	format: table
+//	dependency-tree: true
+//	severity: HIGH,CRITICAL
 var (
 	FormatFlag = Flag{
 		Name:       "format",

@@ -93,8 +93,9 @@ func run(ctx context.Context, opts flag.Options, cluster string, artifacts []*ar
 // To show all the results, user needs to specify "--report all" explicitly
 // even though the default value of "--report" is "all".
 //
-// e.g. $ trivy k8s --report all cluster
-//      $ trivy k8s --report all all
+// e.g.
+// $ trivy k8s --report all cluster
+// $ trivy k8s --report all all
 //
 // Or they can use "--format json" with implicit "--report all".
 //

@@ -155,17 +155,16 @@ func parsePkgs(components []cdx.Component, seen map[string]struct{}) ([]ftypes.P
 }
 
 // walkDependencies takes all nested dependencies of the root component.
-//
-// e.g. Library A, B, C, D and E will be returned as dependencies of Application 1.
-// type: Application 1
-//   - type: Library A
-//     - type: Library B
-//   - type: Application 2
-//     - type: Library C
-//     - type: Application 3
-//       - type: Library D
-//       - type: Library E
 func (c *CycloneDX) walkDependencies(rootRef string) []cdx.Component {
+	// e.g. Library A, B, C, D and E will be returned as dependencies of Application 1.
+	// type: Application 1
+	//   - type: Library A
+	//     - type: Library B
+	//   - type: Application 2
+	//     - type: Library C
+	//     - type: Application 3
+	//       - type: Library D
+	//       - type: Library E
 	var components []cdx.Component
 	for _, dep := range c.dependencies[rootRef] {
 		component, ok := c.components[dep]