diff --git a/README.md b/README.md
index c9b1997..907be39 100644
--- a/README.md
+++ b/README.md
@@ -21,5 +21,13 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 - uses: actions/checkout@v4.1.1
- - uses: 030/trivyignore-validator@v0.1.0
+ - uses: 030/trivyignore-validator-action@v0.1.0
+```
+
+## unit tests
+
+```bash
+docker run -it -v "${PWD}:/code" --entrypoint=bash bats/bats:v1.10.0
+apk add --no-cache coreutils
+bats --tap test --print-output-on-failure
 ```
diff --git a/action.yml b/action.yml
index e1bbdcd..cce4b94 100644
--- a/action.yml
+++ b/action.yml
@@ -4,34 +4,5 @@ description: trivyignore-validator
 runs:
 using: 'composite'
 steps:
- - run: |
- filename=.trivyignore
- if test -f $(unknown); then
- echo "found a $(unknown) file...";
-
- while read -r line; do
- if echo ${line} | grep -qE "^CVE\-"; then
- echo "found a 'CVE-' entry in the $(unknown)...";
- echo "checking whether an expiry has been attached..."
- if ! echo ${line} | grep -qE "^CVE\-.*exp:[0-9]{4}(\-[0-9]{2}){2}$"; then
- echo "no expiry associated to: '${line}'. Add it by adding: 'exp:yyyy-mm-dd'"
- exit 1
- fi
-
- echo "checking whether the expiry will take place in one month..."
- current=$(echo "${line}" | sed -e "s|CVE.*exp:\(.*\)|\1|g")
- max=$(date +"%F" --date="$(date +%F) next month")
- if [[ "${current}" > "${max}" ]]; then
- echo "current date: '${current}' in line: '${line}' exceeds"
- echo "the maximum date of one month. Choose a new date that is"
- echo "before: ${max}"
- exit 1
- fi
- fi
- done < "$(unknown)"
-
- exit 0
- fi
-
- echo "no $(unknown) file found"
+ - run: ${GITHUB_ACTION_PATH}/src/action.sh
 shell: bash
diff --git a/src/action.sh b/src/action.sh
new file mode 100755
index 0000000..45a414a
--- /dev/null
+++ b/src/action.sh
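Review bot: The new `run: ${GITHUB_ACTION_PATH}/src/action.sh` step leaves the path unquoted and relies on the script keeping its executable bit on the consumer's side (the new file is committed as mode 100755, but checkouts that do not honour file modes would break the step with "permission denied"); invoking it through the interpreter sidesteps both, `run: bash "${GITHUB_ACTION_PATH}/src/action.sh"`. Note also that the removed inline script exited 0 and left the workspace untouched when no `.trivyignore` was present, whereas the replacement script (added in the next hunk) creates an empty one in the caller's checkout; if that side effect is intended, the `description` shown in the hunk header or the README should say so.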
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+readonly filename=".trivyignore"
+
+createEmptyDotTrivyignoreIfAbsent() {
+ if test -f "$(unknown)"; then
+ echo "found a $(unknown) file...";
+ return
+ fi
+
+ echo "no $(unknown) file found. Creating empty one..."
+ touch "$(unknown)"
+ exit 0
+}
+
+inspectCveExpiry() {
+ echo "checking whether an expiry has been attached..."
+
+ if ! echo ${1} | grep -qE "^CVE\-.*exp:[0-9]{4}(\-[0-9]{2}){2}$"; then
+ echo "no expiry associated to: '${1}'. Add it by adding: 'exp:yyyy-mm-dd'"
+ exit 1
+ fi
+}
+
+inspectCveExpiryMaxOneMonth() {
+ echo "checking whether the expiry will take place in one month..."
+ current=$(echo "${1}" | sed -e "s|CVE\-.*exp:\(.*\)|\1|g")
+ max=$(date +"%F" --date="$(date +%F) next month")
+
+ if [[ "${current}" > "${max}" ]]; then
+ echo "current date: '${current}' in line: '${1}' exceeds"
+ echo "the maximum date of one month. Choose a new date that is"
+ echo "before: ${max}"
+ exit 1
+ fi
+}
+
+inspectCveExpiryAndMaxOneMonth() {
+ while read -r line; do
+ if echo "${line}" | grep -qE "^CVE\-"; then
+ echo "found a 'CVE-' entry in the $(unknown)...";
+
+ inspectCveExpiry "${line}"
+ inspectCveExpiryMaxOneMonth "${line}"
+ fi
+ done < "$(unknown)"
+}
+
+main() {
+ createEmptyDotTrivyignoreIfAbsent
+ inspectCveExpiryAndMaxOneMonth
+}
+
+main
diff --git a/test/create-empty-dot-trivyignore-if-absent.bats b/test/create-empty-dot-trivyignore-if-absent.bats
new file mode 100644
index 0000000..a8086ef
--- /dev/null
+++ b/test/create-empty-dot-trivyignore-if-absent.bats
@@ -0,0 +1,15 @@
+setup() {
+ filename=".trivyignore"
+}
+
+teardown() {
+ echo "found filename: '$(unknown)'. Removing it..."
+ rm "$(unknown)"
+}
+
+@test "create empty dot trivyignore if absent" {
+ run ./src/action.sh
+ [ "$status" -eq 0 ]
+ regex=".*no $(unknown) file found. Creating empty one.*"
+ [[ "$output" =~ $regex ]]
+}
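Review bot: `inspectCveExpiryAndMaxOneMonth` never inspects a final line that lacks a trailing newline, because `read -r` returns non-zero at EOF before the loop body runs, so a `CVE-` entry without an expiry (or with a too-distant one) placed on the last line of `.trivyignore` passes validation; the bats fixtures in this commit are written with `echo -en`, so their second entries are in fact never checked. Use `while IFS= read -r line || [[ -n "${line}" ]]; do`, and in `inspectCveExpiry` quote the argument as the sibling function already does, `if ! echo "${1}" | grep -qE ...`, since the unquoted `${1}` is subject to glob expansion. The script also runs without `set -euo pipefail`, so a failure of the `date`/`sed` substitutions in `inspectCveExpiryMaxOneMonth` would not abort it and the string comparison would proceed on empty values. The file references are rendered here as `$(unknown)`, which as written would be a command substitution; that looks like an extraction artifact for `${filename}` and is worth confirming against the committed file.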
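Review bot: The test invokes `run ./src/action.sh` in the repository root without first ensuring no `.trivyignore` exists there, so if the checkout has one the "Creating empty one" branch is never exercised, the assertion fails, and `teardown` then `rm`s the developer's real ignore file. Running the script from a scratch directory avoids both problems, e.g. `cd "$BATS_TEST_TMPDIR"` in `setup` and `run "$BATS_TEST_DIRNAME/../src/action.sh"` in the test, which also makes the unconditional `rm` in `teardown` safe; `BATS_TEST_TMPDIR` is provided by recent bats-core releases, which the `bats/bats:v1.10.0` image named in the README should satisfy — confirm before relying on it.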
diff --git a/test/inspect-cve-expiry-max-one-month.bats b/test/inspect-cve-expiry-max-one-month.bats
new file mode 100644
index 0000000..be8cbc1
--- /dev/null
+++ b/test/inspect-cve-expiry-max-one-month.bats
@@ -0,0 +1,17 @@
+setup() {
+ filename=".trivyignore"
+
+ echo -en "CVE-123 exp:2124-02-15\nCVE-456 exp:2124-02-16" > "$(unknown)"
+}
+
+teardown() {
+ echo "found filename: '$(unknown)'. Removing it..."
+ rm "$(unknown)"
+}
+
+@test "inspect cve expiry max one month" {
+ run ./src/action.sh
+ [ "$status" -eq 1 ]
+ regex=".*current date: '2124-02-15' in line: 'CVE-123 exp:2124-02-15' exceeds.*the maximum date of one month. Choose a new date that is.*before: .*"
+ [[ "$output" =~ $regex ]]
+}
diff --git a/test/inspect-cve-expiry.bats b/test/inspect-cve-expiry.bats
new file mode 100644
index 0000000..d10ed82
--- /dev/null
+++ b/test/inspect-cve-expiry.bats
@@ -0,0 +1,17 @@
+setup() {
+ filename=".trivyignore"
+
+ echo -en "CVE-123\nCVE-456 exp:2124-02-16" > "$(unknown)"
+}
+
+teardown() {
+ echo "found filename: '$(unknown)'. Removing it..."
+ rm "$(unknown)"
+}
+
+@test "inspect cve expiry" {
+ run ./src/action.sh
+ [ "$status" -eq 1 ]
+ regex=".*no expiry associated to: 'CVE-123'. Add it by adding: 'exp:yyyy-mm-dd'.*"
+ [[ "$output" =~ $regex ]]
+}
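Review bot: This file only covers the rejecting path; there is no case in which a `CVE-` entry whose expiry falls inside the next month produces status 0, so a regression that rejects every dated line would still pass the suite. Add a sibling `@test` whose fixture is written with `exp:$(date +%F --date='+2 weeks')`, asserts `[ "$status" -eq 0 ]`, and checks that `$output` does not match `exceeds` (GNU `date` is available since the README installs coreutils in the bats container). The literal `2124-02-15` is fine as a "far future" value, but a one-line comment in `setup` saying it is deliberately a century out would keep someone from "correcting" it.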
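Review bot: The fixture in `setup` is written with `echo -en`, so the file ends without a newline and the script's `while read -r line` loop only ever sees the first entry; the test therefore passes on the first line alone and cannot detect the most likely real-world miss, an unannotated entry on the final line of `.trivyignore`. Swap the two entries in the `echo -en` fixture so the bare `CVE-123` comes last, and keep the same expected status and message; that variant exposes the read-loop gap in `src/action.sh` and becomes a regression guard once it is fixed.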