Merge branch 'main' of https://github.com/elainechien/package-analysis …

…into create_test_package
ossf · Jul 7, 2023 · caf9f00 · caf9f00
2 parents 3d56120 + ff27d1e
commit caf9f00
Show file tree

Hide file tree

Showing 94 changed files with 3,684 additions and 1,715 deletions.
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
     - name: setup-go
-      uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         go-version: '1.19.1'
 
@@ -28,4 +28,4 @@ jobs:
         docker version -f '{{.Server.Experimental}}'
 
     - name: build_docker
-      run: make build_all_images
+      run: make build_prod_images
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -10,8 +10,8 @@ jobs:
     name:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-    - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+    - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         go-version: '1.19.1'
     - name: Install libpcap-dev

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -34,16 +34,16 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
+      uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
       with:
         languages: ${{ matrix.language }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
+      uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
+      uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -13,6 +13,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e # v3.0.4
+        uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -25,12 +25,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -18,6 +18,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: 'Check scripts in all directories'
         run: make check_scripts
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,8 +11,8 @@ jobs:
   run-tests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-    - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+    - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         go-version: 1.19
     - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
@@ -25,9 +25,9 @@ jobs:
   run-linter:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-    - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+    - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         go-version: 1.19
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0 
+      uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
diff --git a/Makefile b/Makefile
@@ -24,7 +24,7 @@ endif
 # This recipe builds and pushes images for production. Note: RELEASE_TAG must be set
 #
 .PHONY: cloudbuild
-cloudbuild: require_release_tag push_all_images
+cloudbuild: require_release_tag push_prod_images
 
 .PHONY: require_release_tag
 require_release_tag:
@@ -55,26 +55,6 @@ build_scheduler_image: DIR=$(PREFIX)
 build_scheduler_image: DOCKERFILE=$(PREFIX)/cmd/scheduler/Dockerfile
 build_scheduler_image: IMAGE_NAME=scheduler
 
-build_node_sandbox: DIR=$(SANDBOX_DIR)/npm
-build_node_sandbox: DOCKERFILE=$(SANDBOX_DIR)/npm/Dockerfile
-build_node_sandbox: IMAGE_NAME=node
-
-build_python_sandbox: DIR=$(SANDBOX_DIR)/pypi
-build_python_sandbox: DOCKERFILE=$(SANDBOX_DIR)/pypi/Dockerfile
-build_python_sandbox: IMAGE_NAME=python
-
-build_ruby_sandbox: DIR=$(SANDBOX_DIR)/rubygems
-build_ruby_sandbox: DOCKERFILE=$(SANDBOX_DIR)/rubygems/Dockerfile
-build_ruby_sandbox: IMAGE_NAME=ruby
-
-build_packagist_sandbox: DIR=$(SANDBOX_DIR)/packagist
-build_packagist_sandbox: DOCKERFILE=$(SANDBOX_DIR)/packagist/Dockerfile
-build_packagist_sandbox: IMAGE_NAME=packagist
-
-build_crates_sandbox: DIR=$(SANDBOX_DIR)/crates.io
-build_crates_sandbox: DOCKERFILE=$(SANDBOX_DIR)/crates.io/Dockerfile
-build_crates_sandbox: IMAGE_NAME=crates.io
-
 build_static_analysis_sandbox: DIR=$(PREFIX)
 build_static_analysis_sandbox: DOCKERFILE=$(SANDBOX_DIR)/staticanalysis/Dockerfile
 build_static_analysis_sandbox: IMAGE_NAME=static-analysis
@@ -83,11 +63,8 @@ build_dynamic_analysis_sandbox: DIR=$(SANDBOX_DIR)/dynamicanalysis
 build_dynamic_analysis_sandbox: DOCKERFILE=$(SANDBOX_DIR)/dynamicanalysis/Dockerfile
 build_dynamic_analysis_sandbox: IMAGE_NAME=dynamic-analysis
 
-.PHONY: build_all_sandboxes
-build_all_sandboxes: build_node_sandbox build_python_sandbox build_ruby_sandbox build_packagist_sandbox build_crates_sandbox build_dynamic_analysis_sandbox build_static_analysis_sandbox
-
-.PHONY: build_all_images
-build_all_images: build_all_sandboxes build_analysis_image build_scheduler_image
+.PHONY: build_prod_images
+build_prod_images: build_dynamic_analysis_sandbox build_static_analysis_sandbox build_analysis_image build_scheduler_image
 
 #
 # Builds then pushes analysis and sandbox images
@@ -102,65 +79,35 @@ push_analysis_image: build_analysis_image
 push_scheduler_image: IMAGE_NAME=scheduler
 push_scheduler_image: build_scheduler_image
 
-push_node_sandbox: IMAGE_NAME=node
-push_node_sandbox: build_node_sandbox
-
-push_python_sandbox: IMAGE_NAME=python
-push_python_sandbox: build_python_sandbox
-
-push_ruby_sandbox: IMAGE_NAME=ruby
-push_ruby_sandbox: build_ruby_sandbox
-
-push_packagist_sandbox: IMAGE_NAME=packagist
-push_packagist_sandbox: build_packagist_sandbox
-
-push_crates_sandbox: IMAGE_NAME=crates.io
-push_crates_sandbox: build_crates_sandbox
-
 push_dynamic_analysis_sandbox: IMAGE_NAME=dynamic-analysis
 push_dynamic_analysis_sandbox: build_dynamic_analysis_sandbox
 
 push_static_analysis_sandbox: IMAGE_NAME=static-analysis
 push_static_analysis_sandbox: build_static_analysis_sandbox
 
-.PHONY: push_all_sandboxes
-push_all_sandboxes: push_node_sandbox push_python_sandbox push_ruby_sandbox push_packagist_sandbox push_crates_sandbox push_dynamic_analysis_sandbox push_static_analysis_sandbox
+.PHONY: push_prod_sandboxes
+push_prod_sandboxes: push_dynamic_analysis_sandbox push_static_analysis_sandbox
 
-.PHONY: push_all_images
-push_all_images: push_all_sandboxes push_analysis_image push_scheduler_image
+.PHONY: push_prod_images
+push_prod_images: push_prod_sandboxes push_analysis_image push_scheduler_image
 
 
 #
-# These update (sync) locally build sandbox images from Docker to podman.
-# This is needed for local analyses; in order to use these updated images,
+# These update (sync) locally built sandbox images from Docker to
+# podman. In order to use locally built sandbox images for analysis,
 # pass '-nopull' to scripts/run_analysis.sh
 #
 sync_%_sandbox:
 	sudo buildah pull docker-daemon:${REGISTRY}/${IMAGE_NAME}:$(TAG)
 
-sync_node_sandbox: IMAGE_NAME=node
-sync_node_sandbox: build_node_sandbox
-
-sync_python_sandbox: IMAGE_NAME=python
-sync_python_sandbox: build_python_sandbox
-
-sync_ruby_sandbox: IMAGE_NAME=ruby
-sync_ruby_sandbox: build_ruby_sandbox
-
-sync_packagist_sandbox: IMAGE_NAME=packagist
-sync_packagist_sandbox: build_packagist_sandbox
-
-sync_crates_sandbox: IMAGE_NAME=crates.io
-sync_crates_sandbox: build_crates_sandbox
-
 sync_dynamic_analysis_sandbox: IMAGE_NAME=dynamic-analysis
 sync_dynamic_analysis_sandbox: build_dynamic_analysis_sandbox
 
 sync_static_analysis_sandbox: IMAGE_NAME=static-analysis
 sync_static_analysis_sandbox: build_static_analysis_sandbox
 
-.PHONY: sync_all_sandboxes
-sync_all_sandboxes: sync_node_sandbox sync_python_sandbox sync_ruby_sandbox sync_packagist_sandbox sync_crates_sandbox sync_dynamic_analysis_sandbox sync_static_analysis_sandbox
+.PHONY: sync_prod_sandboxes
+sync_prod_sandboxes: sync_dynamic_analysis_sandbox sync_static_analysis_sandbox
 
 
 #

diff --git a/README.md b/README.md
@@ -101,8 +101,8 @@ Values should follow
 ## Local Analysis
 
 To run the analysis code locally, the easiest way is to use the Docker image
-`gcr.io/ossf-malware-analysis/analysis`. This can be built from
-`./build/build_docker.sh`, or the public images can be used instead.
+`gcr.io/ossf-malware-analysis/analysis`. This can be built with
+`make build_analysis_image`, or the public images can be used instead.
 
 This container uses `podman` to run a nested, sandboxed ([gVisor]) container for
 analysis.

diff --git a/build/build_docker.sh b/build/build_docker.sh