diff --git a/.cspell.json b/.cspell.json
index cfb25fc6e28..e481be9a3b1 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -240,6 +240,7 @@
 "Cres",
 "Csrf",
 "C\u00e9dric",
+ "codesniffer",
 "DARTANALYZER",
 "DEVSKIM",
 "DIRC",
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b3a9685b4d..e4aeff6e0f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
 - Linters
 - `API_SPECTRAL` was added as replacement for `OPENAPI_SPECTRAL` (deprecated), supporting AsyncAPI and OpenAPI by default. Uses Spectral's standard config file name `.spectral.yaml` instead of `.openapirc.yml` with a default config with rulesets for AsyncAPI and OpenAPI enabled. Fixes [#3387](https://github.com/oxsecurity/megalinter/issues/3387)
 - Disable SQL_TSQLLINT until security issues are solved. Related to
+ - PHP linters (PHP_PHPCS, PHP_PHPLINT, PHP_PHPSTAN) add support to SARIF report output format with help of
 - Reporters
diff --git a/Dockerfile b/Dockerfile
index f8421a16e15..54d187f1679 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,7 +35,6 @@ RUN GOBIN=/usr/bin go install github.com/mgechev/revive@latest
 FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
 FROM ghcr.io/assignuser/chktex-alpine:latest as chktex
-FROM ghcr.io/phpstan/phpstan:latest-php8.3 as phpstan
 FROM yoheimuta/protolint:latest as protolint
 FROM golang:alpine as dustilock
 RUN GOBIN=/usr/bin go install github.com/checkmarx/dustilock@v1.2.0
@@ -112,6 +111,7 @@ RUN apk add --no-cache \
 php83-curl \
 php83-dom \
 php83-opcache \
+ php83-openssl \
 php83-common \
 php83-simplexml \
 dpkg \
@@ -311,6 +311,7 @@ RUN echo 'gem: --no-document' >> ~/.gemrc && \
 #############################################################################################
 #COPY__START
+COPY --from=composer/composer:2-bin /composer /usr/bin/composer
 COPY --link --from=actionlint /usr/local/bin/actionlint /usr/bin/actionlint
 # shellcheck is a dependency for actionlint
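Review bot: The new `COPY --from=composer/composer:2-bin /composer /usr/bin/composer` in the `#COPY__START` hunk drops the `--link` flag that the adjacent `COPY --link --from=actionlint` line and most sibling copies carry, and it takes the composer binary from a floating major-version tag rather than a digest, so each rebuild can silently pick up a different composer that then decides which phpcs/phpstan code gets installed into the image. The same line is added in flavors/cupcake/Dockerfile, flavors/php/Dockerfile, the four linters/php_* Dockerfiles and, as the source of those generated files, in the descriptor's `install.dockerfile` list, so the fix belongs in the descriptor: `- COPY --link --from=composer/composer:2-bin@sha256:<digest-of-reviewed-image> /composer /usr/bin/composer`, refreshed by the same bot that bumps other pinned images. The removed `FROM ghcr.io/phpstan/phpstan:latest-php8.3` was floating too, so this is a chance to stop the pattern rather than a new regression.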
@@ -323,7 +324,6 @@ COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checke
 COPY --link --from=revive /usr/bin/revive /usr/bin/revive
 COPY --link --from=kubeconform /kubeconform /usr/bin/
 COPY --link --from=chktex /usr/bin/chktex /usr/bin/
-COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
 COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 COPY --link --from=dustilock /usr/bin/dustilock /usr/bin/dustilock
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
@@ -467,6 +467,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GI
 && rm phive.phar.asc \
 && update-alternatives --install /usr/bin/php php /usr/bin/php83 110
+# Managed with COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+ENV PATH="/root/.composer/vendor/bin:${PATH}"
 # POWERSHELL installation
 RUN curl -L https://github.com/PowerShell/PowerShell/releases/download/v7.4.2/powershell-7.4.2-linux-musl-x64.tar.gz -o /tmp/powershell.tar.gz \
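Review bot: `ENV PATH="/root/.composer/vendor/bin:${PATH}"` hard-codes where `composer global require` is expected to drop its `vendor/bin`, but that directory is only Composer's default when `COMPOSER_HOME` and `XDG_CONFIG_HOME` are unset in the build environment; if either is set, phpcs and phpstan land elsewhere and the linters silently vanish from PATH at runtime. Making the assumption explicit keeps the two in step: `ENV COMPOSER_HOME="/root/.composer"` on its own line, then the existing `ENV PATH="/root/.composer/vendor/bin:${PATH}"`. The same two-line hunk is added in flavors/cupcake/Dockerfile, flavors/php/Dockerfile, the four linters/php_* Dockerfiles and the descriptor's `install.dockerfile` list, which is where it should be changed; the `RUN` that the hunk's context lines close is cut off at the hunk start.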
@@ -630,12 +632,11 @@ RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${P
 # phpcs installation
-RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install phpcs -g --trust-gpg-keys 31C7E470E2138192,95DE904AB800754A11D80B605E6DDE998AB73B8E
+RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require squizlabs/php_codesniffer bartlett/sarif-php-sdk
 # phpstan installation
-# Managed with COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
-RUN chmod +x /usr/bin/phpstan
+RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require phpstan/phpstan bartlett/sarif-php-sdk
 # psalm installation
 RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install psalm -g --trust-gpg-keys 8A03EA3B385DBAA1,12CE0F1D262429A5
diff --git a/TEMPLATES/phpstan.neon.dist b/TEMPLATES/phpstan.neon.dist
index 7229da62eb4..84fca4e1172 100644
--- a/TEMPLATES/phpstan.neon.dist
+++ b/TEMPLATES/phpstan.neon.dist
@@ -1,2 +1,6 @@
 parameters:
 level: 0
+
+services:
+ errorFormatter.sarif:
+ class: Bartlett\Sarif\Converter\PhpStanConverter
diff --git a/flavors/cupcake/Dockerfile b/flavors/cupcake/Dockerfile
index b4ab87d55dc..1936cfe9243 100644
--- a/flavors/cupcake/Dockerfile
+++ b/flavors/cupcake/Dockerfile
@@ -35,7 +35,6 @@ FROM golang:1-alpine as revive
 RUN GOBIN=/usr/bin go install github.com/mgechev/revive@latest
 FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
-FROM ghcr.io/phpstan/phpstan:latest-php8.3 as phpstan
 FROM zricethezav/gitleaks:v8.18.2 as gitleaks
 FROM checkmarx/kics:alpine as kics
 FROM trufflesecurity/trufflehog:latest as trufflehog
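Review bot: `composer global require squizlabs/php_codesniffer bartlett/sarif-php-sdk` (and the phpstan line below it) installs whatever versions Packagist resolves at build time, with no version constraint and no lock file, where the `phive ... --trust-gpg-keys` line it replaces installed a GPG-verified release; every rebuild can therefore ship a different, unverified analysis toolchain that is then run against users' repositories, and a tampered upstream release would propagate unnoticed. Pin exact versions, e.g. `composer global require squizlabs/php_codesniffer:<pinned-version> bartlett/sarif-php-sdk:<pinned-version>` (same for `phpstan/phpstan:<pinned-version>`), and let the dependency bot bump them. The `GITHUB_AUTH_TOKEN` still mounted and exported on these lines is phive's variable and Composer does not read it, so the secret is now handed to the composer process and anything it executes for no benefit; either stop exporting it on these RUN steps or, if GitHub API rate limits during dist downloads are the concern, pass it the way Composer expects via `COMPOSER_AUTH`. The identical lines appear in flavors/cupcake/Dockerfile, flavors/php/Dockerfile, linters/php_phpcs/Dockerfile, linters/php_phpstan/Dockerfile and in the two descriptor hunks they are generated from.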
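Review bot: The `errorFormatter.sarif` service is what makes the `--error-format=sarif` argument the descriptor now passes resolvable, but it lives only in MegaLinter's default template; a repository that ships its own PHPStan config (the common case) will not have it, and PHPStan will then presumably refuse the unknown error format so the SARIF run fails outright instead of falling back to the text reporter. Add a comment above `services:` such as `# Required for MegaLinter SARIF output; copy this block into your own phpstan.neon` so the requirement travels with the template, and mention it in the PHP_PHPSTAN documentation. The consuming `cli_sarif_args` hunk is in megalinter/descriptors/php.megalinter-descriptor.yml further down.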
@@ -96,6 +95,7 @@ RUN apk add --no-cache \
 php83-curl \
 php83-dom \
 php83-opcache \
+ php83-openssl \
 php83-common \
 php83-simplexml \
 dpkg \
@@ -277,6 +277,7 @@ RUN echo 'gem: --no-document' >> ~/.gemrc && \
 #############################################################################################
 #COPY__START
+COPY --from=composer/composer:2-bin /composer /usr/bin/composer
 COPY --link --from=actionlint /usr/local/bin/actionlint /usr/bin/actionlint
 # shellcheck is a dependency for actionlint
@@ -288,7 +289,6 @@ COPY --link --from=hadolint /bin/hadolint /usr/bin/hadolint
 COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checker
 COPY --link --from=revive /usr/bin/revive /usr/bin/revive
 COPY --link --from=kubeconform /kubeconform /usr/bin/
-COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
 COPY --link --from=kics /app/bin/kics /usr/bin/kics
 COPY --from=kics /app/bin/assets /usr/bin/assets
@@ -374,6 +374,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GI
 && rm phive.phar.asc \
 && update-alternatives --install /usr/bin/php php /usr/bin/php83 110
+# Managed with COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+ENV PATH="/root/.composer/vendor/bin:${PATH}"
 # actionlint installation
 # Managed with COPY --link --from=actionlint /usr/local/bin/actionlint /usr/bin/actionlint
@@ -457,12 +459,11 @@ RUN wget --quiet https://github.com/pmd/pmd/releases/download/pmd_releases%2F${P
 # phpcs installation
-RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install phpcs -g --trust-gpg-keys 31C7E470E2138192,95DE904AB800754A11D80B605E6DDE998AB73B8E
+RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require squizlabs/php_codesniffer bartlett/sarif-php-sdk
 # phpstan installation
-# Managed with COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
-RUN chmod +x /usr/bin/phpstan
+RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require phpstan/phpstan bartlett/sarif-php-sdk
 # psalm installation
 RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install psalm -g --trust-gpg-keys 8A03EA3B385DBAA1,12CE0F1D262429A5
diff --git a/flavors/php/Dockerfile b/flavors/php/Dockerfile
index 809fcc66d18..73068baa364 100644
--- a/flavors/php/Dockerfile
+++ b/flavors/php/Dockerfile
@@ -29,7 +29,6 @@ FROM mvdan/shfmt:latest-alpine as shfmt
 FROM hadolint/hadolint:v2.12.0-alpine as hadolint
 FROM mstruebing/editorconfig-checker:$VERSION_EDITORCONFIG_CHECKER as editorconfig-checker
 FROM ghcr.io/yannh/kubeconform:latest-alpine as kubeconform
-FROM ghcr.io/phpstan/phpstan:latest-php8.3 as phpstan
 FROM yoheimuta/protolint:latest as protolint
 FROM zricethezav/gitleaks:v8.18.2 as gitleaks
 FROM trufflesecurity/trufflehog:latest as trufflehog
@@ -84,6 +83,7 @@ RUN apk add --no-cache \
 php83-curl \
 php83-dom \
 php83-opcache \
+ php83-openssl \
 php83-common \
 php83-simplexml \
 dpkg \
@@ -227,6 +227,7 @@ RUN echo 'gem: --no-document' >> ~/.gemrc && \
 #############################################################################################
 #COPY__START
+COPY --from=composer/composer:2-bin /composer /usr/bin/composer
 COPY --link --from=actionlint /usr/local/bin/actionlint /usr/bin/actionlint
 # shellcheck is a dependency for actionlint
@@ -237,7 +238,6 @@ COPY --link --from=shfmt /bin/shfmt /usr/bin/
 COPY --link --from=hadolint /bin/hadolint /usr/bin/hadolint
 COPY --link --from=editorconfig-checker /usr/bin/ec /usr/bin/editorconfig-checker
 COPY --link --from=kubeconform /kubeconform /usr/bin/
-COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
 COPY --link --from=protolint /usr/local/bin/protolint /usr/bin/
 COPY --link --from=gitleaks /usr/bin/gitleaks /usr/bin/
 COPY --link --from=trufflehog /usr/bin/trufflehog /usr/bin/
@@ -269,6 +269,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GI
 && rm phive.phar.asc \
 && update-alternatives --install /usr/bin/php php /usr/bin/php83 110
+# Managed with COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+ENV PATH="/root/.composer/vendor/bin:${PATH}"
 # actionlint installation
 # Managed with COPY --link --from=actionlint /usr/local/bin/actionlint /usr/bin/actionlint
@@ -320,12 +322,11 @@ RUN curl --retry 5 --retry-delay 5 -sSLO https://github.com/pinterest/ktlint/rel
 # phpcs installation
-RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install phpcs -g --trust-gpg-keys 31C7E470E2138192,95DE904AB800754A11D80B605E6DDE998AB73B8E
+RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require squizlabs/php_codesniffer bartlett/sarif-php-sdk
 # phpstan installation
-# Managed with COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
-RUN chmod +x /usr/bin/phpstan
+RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require phpstan/phpstan bartlett/sarif-php-sdk
 # psalm installation
 RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install psalm -g --trust-gpg-keys 8A03EA3B385DBAA1,12CE0F1D262429A5
diff --git a/linters/php_phpcs/Dockerfile b/linters/php_phpcs/Dockerfile
index 3aa679492ae..0ce14faa2ee 100644
--- a/linters/php_phpcs/Dockerfile
+++ b/linters/php_phpcs/Dockerfile
@@ -67,6 +67,7 @@ RUN apk add --no-cache \
 php83-curl \
 php83-dom \
 php83-opcache \
+ php83-openssl \
 php83-common \
 php83-simplexml \
 dpkg \
@@ -136,7 +137,7 @@ ENV PATH="/node-deps/node_modules/.bin:${PATH}" \
 #############################################################################################
 #COPY__START
-
+COPY --from=composer/composer:2-bin /composer /usr/bin/composer
 #COPY__END
 #############################################################################################
@@ -159,9 +160,11 @@ RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GI
 && rm phive.phar.asc \
 && update-alternatives --install /usr/bin/php php /usr/bin/php83 110
+# Managed with COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+ENV PATH="/root/.composer/vendor/bin:${PATH}"
 # phpcs installation
-RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install phpcs -g --trust-gpg-keys 31C7E470E2138192,95DE904AB800754A11D80B605E6DDE998AB73B8E
+RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require squizlabs/php_codesniffer bartlett/sarif-php-sdk
 #OTHER__END
diff --git a/linters/php_phplint/Dockerfile b/linters/php_phplint/Dockerfile
index 2bfb277e027..7fab641d414 100644
--- a/linters/php_phplint/Dockerfile
+++ b/linters/php_phplint/Dockerfile
@@ -67,6 +67,7 @@ RUN apk add --no-cache \
 php83-curl \
 php83-dom \
 php83-opcache \
+ php83-openssl \
 php83-common \
 php83-simplexml \
 dpkg \
@@ -136,7 +137,7 @@ ENV PATH="/node-deps/node_modules/.bin:${PATH}" \
 #############################################################################################
 #COPY__START
-
+COPY --from=composer/composer:2-bin /composer /usr/bin/composer
 #COPY__END
 #############################################################################################
@@ -159,6 +160,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GI
 && rm phive.phar.asc \
 && update-alternatives --install /usr/bin/php php /usr/bin/php83 110
+# Managed with COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+ENV PATH="/root/.composer/vendor/bin:${PATH}"
 # phplint installation
 RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install overtrue/phplint --force-accept-unsigned -g
diff --git a/linters/php_phpstan/Dockerfile b/linters/php_phpstan/Dockerfile
index 8991df52ec2..653888b9abc 100644
--- a/linters/php_phpstan/Dockerfile
+++ b/linters/php_phpstan/Dockerfile
@@ -18,7 +18,7 @@
 ## @generated by .automation/build.py using descriptor files, please do not update manually ##
 #############################################################################################
 #FROM__START
-FROM ghcr.io/phpstan/phpstan:latest-php8.3 as phpstan
+
 #FROM__END
 ##################
@@ -67,6 +67,7 @@ RUN apk add --no-cache \
 php83-curl \
 php83-dom \
 php83-opcache \
+ php83-openssl \
 php83-common \
 php83-simplexml \
 dpkg \
@@ -136,7 +137,7 @@ ENV PATH="/node-deps/node_modules/.bin:${PATH}" \
 #############################################################################################
 #COPY__START
-COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
+COPY --from=composer/composer:2-bin /composer /usr/bin/composer
 #COPY__END
 #############################################################################################
@@ -159,10 +160,11 @@ RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GI
 && rm phive.phar.asc \
 && update-alternatives --install /usr/bin/php php /usr/bin/php83 110
+# Managed with COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+ENV PATH="/root/.composer/vendor/bin:${PATH}"
 # phpstan installation
-# Managed with COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
-RUN chmod +x /usr/bin/phpstan
+RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require phpstan/phpstan bartlett/sarif-php-sdk
 #OTHER__END
diff --git a/linters/php_psalm/Dockerfile b/linters/php_psalm/Dockerfile
index 58251ae47dd..8e8eca52eed 100644
--- a/linters/php_psalm/Dockerfile
+++ b/linters/php_psalm/Dockerfile
@@ -67,6 +67,7 @@ RUN apk add --no-cache \
 php83-curl \
 php83-dom \
 php83-opcache \
+ php83-openssl \
 php83-common \
 php83-simplexml \
 dpkg \
@@ -136,7 +137,7 @@ ENV PATH="/node-deps/node_modules/.bin:${PATH}" \
 #############################################################################################
 #COPY__START
-
+COPY --from=composer/composer:2-bin /composer /usr/bin/composer
 #COPY__END
 #############################################################################################
@@ -159,6 +160,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GI
 && rm phive.phar.asc \
 && update-alternatives --install /usr/bin/php php /usr/bin/php83 110
+# Managed with COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+ENV PATH="/root/.composer/vendor/bin:${PATH}"
 # psalm installation
 RUN --mount=type=secret,id=GITHUB_TOKEN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install psalm -g --trust-gpg-keys 8A03EA3B385DBAA1,12CE0F1D262429A5
diff --git a/megalinter/descriptors/php.megalinter-descriptor.yml b/megalinter/descriptors/php.megalinter-descriptor.yml
index ee7861ec23f..639d0022199 100644
--- a/megalinter/descriptors/php.megalinter-descriptor.yml
+++ b/megalinter/descriptors/php.megalinter-descriptor.yml
@@ -17,6 +17,7 @@ install:
 - php83-curl
 - php83-dom
 - php83-opcache
+ - php83-openssl
 - php83-common
 - php83-simplexml
 - dpkg
@@ -36,10 +37,13 @@ install:
 && mv phive.phar /usr/local/bin/phive \
 && rm phive.phar.asc \
 && update-alternatives --install /usr/bin/php php /usr/bin/php83 110
+ - COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+ - ENV PATH="/root/.composer/vendor/bin:${PATH}"
 linters:
 # PHPCS
 - linter_name: phpcs
 name: PHP_PHPCS
+ can_output_sarif: true
 linter_url: https://github.com/PHPCSStandards/PHP_CodeSniffer
 linter_repo: https://github.com/PHPCSStandards/PHP_CodeSniffer
 linter_rules_configuration_url: https://github.com/PHPCSStandards/PHP_CodeSniffer/wiki/Advanced-Usage#using-a-default-configuration-file
@@ -49,6 +53,8 @@ linters:
 config_file_name: phpcs.xml
 cli_lint_mode: list_of_files
 cli_config_arg_name: "--standard="
+ cli_sarif_args:
+ - "--report=\\Bartlett\\Sarif\\Converter\\PhpCsConverter"
 cli_lint_errors_count: regex_number
 cli_lint_errors_regex: "FOUND ([0-9]+) ERRORS"
 examples:
@@ -58,7 +64,7 @@ linters:
 install:
 dockerfile:
 - |
-RUN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && phive --no-progress install phpcs -g --trust-gpg-keys 31C7E470E2138192,95DE904AB800754A11D80B605E6DDE998AB73B8E
+RUN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require squizlabs/php_codesniffer bartlett/sarif-php-sdk
 ide:
 atom:
 - name: linter-phpcs
@@ -79,6 +85,7 @@ linters:
 # PHP Stan
 - linter_name: phpstan
 name: PHP_PHPSTAN
+ can_output_sarif: true
 linter_url: https://phpstan.org/
 linter_repo: https://github.com/phpstan/phpstan
 linter_image_url: https://i.imgur.com/WaRKPlC.png
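Review bot: The phpcs `cli_sarif_args` entry passes `--report=\Bartlett\Sarif\Converter\PhpCsConverter` but no `--report-file`, so phpcs writes the SARIF document to stdout rather than to a file, whereas the phplint entry further down in this file writes to `{{SARIF_OUTPUT_FILE}}`; the two conventions should not coexist undocumented. If MegaLinter is relied on to capture stdout into the SARIF file whenever the placeholder is absent, record that with a comment above the key, `# no {{SARIF_OUTPUT_FILE}}: MegaLinter captures stdout as the SARIF report`; otherwise add `- "--report-file={{SARIF_OUTPUT_FILE}}"` to the list. That class name presumably resolves only through Composer's global autoloader, i.e. only because phpcs is now the Composer-installed script and not a phive phar, which is worth a one-line comment on the `install.dockerfile` entry so a later switch back to phive does not silently break SARIF output.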
@@ -92,6 +99,8 @@ linters:
 - "--no-ansi"
 - "--memory-limit"
 - "1G"
+ cli_sarif_args:
+ - "--error-format=sarif"
 cli_lint_errors_count: regex_number
 cli_lint_errors_regex: "Found ([0-9]+) error"
 examples:
@@ -101,9 +110,7 @@ linters:
 - "phpstan analyse --no-progress --no-ansi mydir1/ mydir2/ myfile.php"
 install:
 dockerfile:
- - FROM ghcr.io/phpstan/phpstan:latest-php8.3 as phpstan
- - COPY --link --from=phpstan /composer/vendor/phpstan/phpstan/phpstan.phar /usr/bin/phpstan
- - RUN chmod +x /usr/bin/phpstan
+ - RUN GITHUB_AUTH_TOKEN="$(cat /run/secrets/GITHUB_TOKEN)" && export GITHUB_AUTH_TOKEN && composer global require phpstan/phpstan bartlett/sarif-php-sdk
 idea:
 - name: PHPStan / Psalm / Generics
 url: https://plugins.jetbrains.com/plugin/12754-phpstan--psalm--generics
@@ -149,10 +156,13 @@ linters:
 url: https://marketplace.visualstudio.com/items?itemName=getpsalm.psalm-vscode-plugin
 # PHPLint
 - linter_name: phplint
+ can_output_sarif: true
 linter_url: https://github.com/overtrue/phplint
 linter_repo: https://github.com/overtrue/phplint
 config_file_name: .phplint.yml
 cli_lint_mode: list_of_files
+ cli_sarif_args:
+ - "--log-sarif={{SARIF_OUTPUT_FILE}}"
 examples:
 - "phplint myfile.php"
 - "phplint mydir"
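Review bot: `--log-sarif={{SARIF_OUTPUT_FILE}}` enables SARIF for phplint, but the commit leaves phplint's install untouched, and linters/php_phplint/Dockerfile above shows it is still `phive --no-progress install overtrue/phplint --force-accept-unsigned -g` with no version, so nothing ties the installed binary to a release that understands the option; if an older phar is resolved, every SARIF-enabled run fails with an unknown-option error instead of degrading. Pin phplint in that install line to a version known to support `--log-sarif`, which also gives the unsigned phar (`--force-accept-unsigned` skips signature checks) at least a reproducible build input. The phplint install line itself sits outside this hunk, in the `install.dockerfile` entry that follows the examples.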