Merge pull request #3040 from returntocorp/lockfile-comment-fix

update use-frozen-lockfile rule
semgrep · Aug 14, 2023 · d39961c · d39961c
2 parents d5bec93 + 87478bb
commit d39961c
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 4 deletions.
diff --git a/.github/workflows/semgrep-rules-test-historical.yml b/.github/workflows/semgrep-rules-test-historical.yml
@@ -37,10 +37,7 @@ jobs:
     - name: grab historical semgrep version
       env:
         GH_TOKEN: ${{ github.token }}
-      run: |
-        SEMGREP_OLD_VERSION=$(gh api --method GET /repos/returntocorp/semgrep/releases | jq -r '.[].tag_name' | sed -n 10p | tr -d v)
-        echo $SEMGREP_OLD_VERSION
-        echo "SEMGREP_OLD_VERSION=$SEMGREP_OLD_VERSION" >> $GITHUB_ENV
+      run: semgrep-rules/scripts/historical-semgrep-version
     - name: validate rules on historical semgrep version
       run: |
         docker run --rm -v ${GITHUB_WORKSPACE}/semgrep-rules:/src returntocorp/semgrep:${SEMGREP_OLD_VERSION} semgrep --validate --config /src

diff --git a/generic/ci/security/use-frozen-lockfile.fixed.generic b/generic/ci/security/use-frozen-lockfile.fixed.generic
@@ -12,6 +12,9 @@ RUN yarn install --prod --frozen-lockfile --prefer-offline --ignore-optional --n
 # ok: use-frozen-lockfile-yarn
 RUN yarn install --production --frozen-lockfile
 
+# ok: use-frozen-lockfile-npm
+# i am a comment, just to explain.. npm install
+
 RUN yarn install --frozen-lockfile
 RUN yarn install --immutable
 # ruleid: use-frozen-lockfile-yarn

diff --git a/generic/ci/security/use-frozen-lockfile.generic b/generic/ci/security/use-frozen-lockfile.generic
@@ -12,6 +12,9 @@ RUN yarn install --prod --frozen-lockfile --prefer-offline --ignore-optional --n
 # ok: use-frozen-lockfile-yarn
 RUN yarn install --production --frozen-lockfile
 
+# ok: use-frozen-lockfile-npm
+# i am a comment, just to explain.. npm install
+
 RUN yarn install --frozen-lockfile
 RUN yarn install --immutable
 # ruleid: use-frozen-lockfile-yarn

diff --git a/generic/ci/security/use-frozen-lockfile.yaml b/generic/ci/security/use-frozen-lockfile.yaml
@@ -50,6 +50,7 @@ rules:
       - pattern-not-regex: npm install -g
       - pattern-not-regex: npm install --global
       - pattern-not-regex: npm install [\w]+
+      - pattern-not-regex: \#(.*)
     fix: npm ci
     message: >-
       To ensure reproducible and deterministic builds, use `npm ci` rather than `npm install` in scripts.

diff --git a/scripts/historical-semgrep-version b/scripts/historical-semgrep-version
@@ -0,0 +1,17 @@
+#!/bin/bash
+HISTORICAL_VERSIONS=10
+RETRIES=3
+
+versions=$(gh api --method GET /repos/returntocorp/semgrep/releases | jq 'reverse' | jq -r '.[].tag_name' | tail "-n${HISTORICAL_VERSIONS}" | head -n "${RETRIES}" | tr -d v)
+
+for version in $(echo "${versions}"); do
+  docker pull "returntocorp/semgrep:${version}"
+  if [[ "$?" == 0 ]]; then
+    echo "${version}"
+    echo "SEMGREP_OLD_VERSION=${version}" >> "${GITHUB_ENV}"
+    exit 0
+  fi
+done
+
+echo "Could not determine historical version, tried: $(echo ${versions})"
+exit 1