feat: add Dockerfile analysis for build command detection #1091

Draft
wants to merge 36 commits into base: staging

Conversation

achrafmag
Member

Summary

Description of changes

- Function find_dockerfile_from_job: handles finding the Dockerfile inside a workflow in 2 cases of workflow jobs: run and uses.

- Simple DockerNode class; so far it mainly stores the Dockerfile path retrieved from the workflow.

- Parsing the Dockerfile using dockerfile-parse and RUN instruction commands using bashparser.py.

Related issues

Draft Pull Request, does not target any particular issue

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.
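As an added example that is not part of this PR or of Macaron's code base, the Python below sketches the three pieces the description lists: locating Dockerfiles from run and uses steps, parsing Dockerfile instructions, and splitting RUN arguments into individual commands. A small hand-written Dockerfile parser stands in for dockerfile-parse and a separator-based splitter stands in for bashparser.py; the workflow is a constructed sample shown already loaded from YAML (the dict yaml.safe_load would return), the Dockerfiles are constructed, and the function names (find_dockerfiles_from_job, parse_dockerfile, run_commands, classify, analyze) and the BUILD_TOOLS list are this example's own assumptions. It also surfaces two things a build-command detector should not silently skip: a Dockerfile the workflow references but the repository does not contain, and a curl-to-shell pipeline inside a RUN instruction.

```python
"""Added example, not Macaron's code: find the Dockerfiles a GitHub Actions job
builds and extract the build commands from their RUN instructions."""
import json
import os
import re
import shlex

# Constructed sample workflow, in the dict form yaml.safe_load would produce.
WORKFLOW = {"jobs": {"build": {"steps": [
    {"uses": "actions/checkout@v4"},
    {"name": "CI image", "run": "docker build -f docker/Dockerfile.ci -t app:ci ."},
    {"uses": "docker/build-push-action@v6",
     "with": {"context": ".", "file": "docker/Dockerfile.release", "push": True}},
    {"run": "docker buildx build --file=Dockerfile.missing .\nmake lint"},
]}}}

# Constructed sample Dockerfiles keyed by repository-relative path.
DOCKERFILES = {
    "docker/Dockerfile.ci": (
        "FROM python:3.12-slim AS builder\n"
        "WORKDIR /src\n"
        "COPY . .\n"
        "RUN pip install --upgrade pip && \\\n"
        "    python -m build --wheel \\\n"
        "    # a comment inside a continuation is dropped, as Docker does\n"
        " && pip install dist/*.whl\n"
        'RUN ["mvn", "-B", "package", "-DskipTests"]\n'
    ),
    "docker/Dockerfile.release": (
        "FROM eclipse-temurin:21\n"
        "RUN --mount=type=cache,target=/root/.m2 ./mvnw -B package; "
        "curl -sSf https://example.invalid/setup.sh | sh\n"
    ),
}

# Assumed build-tool list for this example; Macaron keeps its own per build tool.
BUILD_TOOLS = {"pip", "python", "mvn", "mvnw", "gradle", "gradlew", "npm", "go", "make", "cargo"}
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||;)\s*")  # command separators in shell-form RUN


def _dockerfile_flag(argv):
    """Path given by -f/--file to `docker build`, else None."""
    for i, tok in enumerate(argv):
        if tok in ("-f", "--file") and i + 1 < len(argv):
            return argv[i + 1]
        if tok.startswith("--file="):
            return tok.split("=", 1)[1]
    return None


def find_dockerfiles_from_job(job):
    """Dockerfile paths a job references in `run` steps (docker [buildx] build) or
    `uses` steps (docker/build-push-action input `file`). Without -f the default is
    `Dockerfile`; the build context directory is ignored in this example."""
    found = []
    for step in job.get("steps", []):
        if "run" in step:
            for line in step["run"].splitlines():
                try:
                    argv = shlex.split(line)
                except ValueError:
                    continue
                if argv[:1] == ["docker"] and "build" in argv[1:3]:
                    found.append(_dockerfile_flag(argv) or "Dockerfile")
        elif str(step.get("uses", "")).startswith("docker/build-push-action"):
            found.append((step.get("with") or {}).get("file", "Dockerfile"))
    return found


def parse_dockerfile(text):
    """(INSTRUCTION, argument) pairs: backslash continuations joined, comment and
    blank lines dropped. This is the subset of dockerfile-parse the example needs."""
    out, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        buf = []
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def run_commands(argument):
    """Split a RUN argument into pipelines (lists of argv lists). Exec form (JSON
    array) is one single-stage pipeline; shell form is split on && || ; then on |.
    Leading RUN options such as --mount=... are dropped first."""
    arg = argument.strip()
    while arg.startswith("--"):
        arg = arg.split(None, 1)[1] if " " in arg else ""
    if arg.startswith("["):
        return [[json.loads(arg)]]
    pipelines = []
    for cmd in _SEPARATORS.split(arg):
        stages = []
        for stage in cmd.split("|"):
            try:
                argv = shlex.split(stage)
            except ValueError:
                argv = []
            if argv:
                stages.append(argv)
        if stages:
            pipelines.append(stages)
    return pipelines


def _tool(argv):
    return os.path.basename(argv[0]) if argv else ""


def classify(pipeline):
    """'build' if a stage runs a known build tool; 'pipe-to-shell' if a network
    fetch is piped into a shell (worth reporting next to build commands); else 'other'."""
    if len(pipeline) >= 2 and _tool(pipeline[0]) in {"curl", "wget"} and _tool(pipeline[-1]) in {"sh", "bash"}:
        return "pipe-to-shell"
    if any(_tool(stage) in BUILD_TOOLS for stage in pipeline):
        return "build"
    return "other"


def analyze(workflow, dockerfiles):
    """Map each referenced Dockerfile path to its RUN pipelines grouped by class;
    a path the workflow references but the repository lacks maps to None."""
    report = {}
    for job in workflow["jobs"].values():
        for path in find_dockerfiles_from_job(job):
            text = dockerfiles.get(path)
            if text is None:
                report[path] = None
                continue
            entry = {"build": [], "pipe-to-shell": [], "other": []}
            for instr, arg in parse_dockerfile(text):
                if instr == "RUN":
                    for pipeline in run_commands(arg):
                        entry[classify(pipeline)].append(" | ".join(" ".join(s) for s in pipeline))
            report[path] = entry
    return report


if __name__ == "__main__":
    for path, entry in analyze(WORKFLOW, DOCKERFILES).items():
        print(path, "->", "MISSING" if entry is None else entry)
```

Running the module prints the CI Dockerfile's four build commands (three from the continued shell-form RUN, one from the exec-form RUN), the release Dockerfile's ./mvnw command next to its curl-to-sh pipeline, and Dockerfile.missing as MISSING. A real analysis would resolve the build context for the -f default and handle heredocs and nested shells, which this splitter does not.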

art1f1c3R and others added 21 commits April 9, 2025 16:26
…PyPI malware reporting (oracle#1031)

Resolved issue in ProbLog model where skip results were evaluated as false, causing many false positives. Rule IDs have also been added.

Signed-off-by: Carl Flottmann <[email protected]>
…tory (oracle#982)

This PR adds a fallback option for PyPI PURLs in cases where deps.dev does not report their repositories. Instead, the PyPI registry is used to find the appropriate repository URL.

Signed-off-by: Ben Selwyn-Smith <[email protected]>
This pull request introduces a new check mcn_githubactions_vulnerabilities_1 to detect vulnerable GitHub Actions, enhancing the security of workflows and automating the identification of potential risks in CI/CD pipelines. 

Signed-off-by: behnazh-w <[email protected]>
Refactor logging behavior to print the SLSA summary only when verbose mode is enabled. We can revisit if the summary should be removed or improved in the verbose mode in the future.

Signed-off-by: behnazh-w <[email protected]>
This PR adds a utility function to identify the highest semantic version tag from a set of Git tags, specifically for cases where multiple tags point to the same commit SHA in a third-party GitHub Action. 

Signed-off-by: behnazh-w <[email protected]>
Automatically generated by Commitizen.
This PR adds discovery of PyPI attestation files for software components.

Signed-off-by: Ben Selwyn-Smith <[email protected]>
Add support for Semgrep in the final macaron docker build using multistage docker builds.

Signed-off-by: Carl Flottmann <[email protected]>
Changes:

- Function find_dockerfile_from_job: handles finding the Dockerfile inside a workflow in 2 cases of workflow jobs: run and uses.

- Simple DockerNode class; so far it mainly stores the Dockerfile path retrieved from the workflow.

- Parsing the Dockerfile using dockerfile-parse and RUN instruction commands using bashparser.py.

Signed-off-by: Achraf Maghous <[email protected]>
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label May 22, 2025
@behnazh-w behnazh-w marked this pull request as draft May 22, 2025 23:55
@behnazh-w behnazh-w changed the title chore: creating DockerNode for when Dockerfile is used as a build tool feat: add Dockerfile analysis for build command detection May 22, 2025
achrafmag added 3 commits May 23, 2025 10:22
Changes:

- Function find_dockerfile_from_job: handles finding the Dockerfile inside a workflow in 2 cases of workflow jobs: run and uses.

- Simple DockerNode class; so far it mainly stores the Dockerfile path retrieved from the workflow.

- Parsing the Dockerfile using dockerfile-parse and RUN instruction commands using bashparser.py.

Signed-off-by: Achraf Maghous <[email protected]>
benmss and others added 11 commits May 29, 2025 15:19
…ackages (oracle#965)

Include support for using Semgrep for analysis of source code to detect malicious code patterns, specified using Semgrep's YAML files.

Signed-off-by: Carl Flottmann <[email protected]>
This PR allows Macaron to discover GitHub attestation. To retrieve these attestations, the SHA256 hash of the related artefact is required. Hashes are computed from local artefact files if available, or from downloaded ones otherwise.

Signed-off-by: Ben Selwyn-Smith <[email protected]>
…acle#1096)

This PR replaces the Go shared library previously used via C-bindings in Python with a standalone binary for the cuevalidator component. The binary can now be invoked as a subprocess, simplifying integration and improving portability.

Signed-off-by: behnazh-w <[email protected]>
Changes:

- Function find_dockerfile_from_job: handles finding the Dockerfile inside a workflow in 2 cases of workflow jobs: run and uses.

- Simple DockerNode class; so far it mainly stores the Dockerfile path retrieved from the workflow.

- Parsing the Dockerfile using dockerfile-parse and RUN instruction commands using bashparser.py.

- Parsing and storing build commands found in Dockerfiles.

Signed-off-by: Achraf Maghous <[email protected]>
…e. (oracle#1102)

The detail info containing inspector links now contains links as keys regardless of whether they are reachable, and includes a boolean value for reachability.

Signed-off-by: Carl Flottmann <[email protected]>
--analyze-source CLI arg removed so Semgrep is now run by default. Automatic API docs update also run.

Signed-off-by: Carl Flottmann <[email protected]>
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
5 participants