STRLCPY/grype

feat: add non-hermetic sprig functions (#1243) (#1273)

Because the general set of sprig functions can used to access
environment variables, explicitly warn users never to run untrusted
templates.

---------

Signed-off-by: James Neate <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Co-authored-by: Will Murphy <[email protected]>

James Neate committed with GitHub 12 months ago

0ace6b1a

1 parent 6f779ec4

Total 5 files Show one by one

■ ■ ■ ■ ■ ■

README.md

		skipped 268 lines
269	269
270	270		Example: You could make Grype output data in CSV format by writing a Go template that renders CSV data and then running `grype <image> -o template -t ~/path/to/csv.tmpl`.
271	271
	272	+	Please note: Templates can access information about the system they are running on, such as environment variables. You should never run untrusted templates.
	273	+
272	274		Here's what the `csv.tmpl` file might look like:
273	275
274	276		```gotemplate
		skipped 437 lines

■ ■ ■ ■ ■ ■

grype/presenter/template/presenter.go

		skipped 76 lines
77	77
78	78		// FuncMap is a function that returns template.FuncMap with custom functions available to template authors.
79	79		var FuncMap = func() template.FuncMap {
80		-	f := sprig.HermeticTxtFuncMap()
	80	+	f := sprig.TxtFuncMap()
81	81		f["getLastIndex"] = func(collection interface{}) int {
82	82		if v := reflect.ValueOf(collection); v.Kind() == reflect.Slice {
83	83		return v.Len() - 1
		skipped 16 lines

■ ■ ■ ■ ■ ■

grype/presenter/template/presenter_test.go

		skipped 4 lines
5	5		"flag"
6	6		"os"
7	7		"path"
	8	+	"regexp"
8	9		"testing"
9	10
10	11		"github.com/stretchr/testify/assert"
		skipped 4 lines
15	16		)
16	17
17	18		var update = flag.Bool("update", false, "update the *.golden files for template presenters")
	19	+	var timestampRegexp = regexp.MustCompile(`Timestamp:\s*\d{4}-\d{2}-\d{2}`)
18	20
19	21		func TestPresenter_Present(t *testing.T) {
20	22		matches, packages, context, metadataProvider, appConfig, dbStatus := models.GenerateAnalysis(t, source.ImageScheme)
		skipped 21 lines
42	44		}
43	45
44	46		actual := buffer.Bytes()
	47	+	actual = mustRedact(t, actual)
	48	+
45	49		if *update {
46	50		testutils.UpdateGoldenFileContents(t, actual)
47	51		}
		skipped 2 lines
50	54		assert.Equal(t, string(expected), string(actual))
51	55		}
52	56
	57	+	func mustRedact(t *testing.T, content []byte) []byte {
	58	+	assert.True(t, timestampRegexp.Match(content))
	59	+	return timestampRegexp.ReplaceAll(content, []byte(`Timestamp:`))
	60	+	}
	61	+

■ ■ ■ ■ ■ ■

grype/presenter/template/test-fixtures/snapshot/TestPresenter_Present.golden

1 + Timestamp:
1 2 Identified distro as centos version 8.0.
2 3 Vulnerability: CVE-1999-0001
3 4 Severity: Low
skipped 10 lines

All occurrences

■ ■ ■ ■ ■ ■

grype/presenter/template/test-fixtures/test.template

	1	+	Timestamp: {{ now \| date "2006-01-02" }}
1	2		Identified distro as {{.Distro.Name}} version {{.Distro.Version}}.
2	3		{{- range .Matches}}
3	4		Vulnerability: {{.Vulnerability.ID}}
		skipped 9 lines

	1	+	Timestamp:
1	2		Identified distro as centos version 8.0.
2	3		Vulnerability: CVE-1999-0001
3	4		Severity: Low
		skipped 10 lines