Projects STRLCPY grype Commits d74e8538
  • ■ ■ ■ ■
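--- a/grype/presenter/template/presenter.go
+++ b/grype/presenter/template/presenter.go
@@ -77,7 +77,7 @@
 
 // FuncMap is a function that returns template.FuncMap with custom functions available to template authors.
 var FuncMap = func() template.FuncMap {
- f := sprig.TxtFuncMap()
+ f := sprig.HermeticTxtFuncMap()
  f["getLastIndex"] = func(collection interface{}) int {
  if v := reflect.ValueOf(collection); v.Kind() == reflect.Slice {
  return v.Len() - 1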
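Review bot: The switch to `sprig.HermeticTxtFuncMap()` on new line 80 has no comment explaining it, and the doc comment above FuncMap still reads as though the whole sprig set is offered to template authors. The hermetic map leaves out sprig's non-repeatable helpers, among them `env`, `expandenv`, `getHostByName` and `now`, which is what keeps a template from copying environment values or host lookups into a report. I would record that on the line, e.g. `// hermetic: no env/expandenv/getHostByName/now, templates must not read the host environment`, so a later cleanup does not swap it back. Templates that users already run with `now | date` will fail after this change, which is worth stating in the release notes. The body of FuncMap continues past the hunk.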
  • ■ ■ ■ ■ ■
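--- a/grype/presenter/template/presenter_test.go
+++ b/grype/presenter/template/presenter_test.go
@@ -5,10 +5,10 @@
  "flag"
  "os"
  "path"
- "regexp"
  "testing"
 
  "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 
  "github.com/anchore/go-testutils"
  "github.com/anchore/grype/grype/presenter/models"
@@ -16,7 +16,6 @@
 )
 
 var update = flag.Bool("update", false, "update the *.golden files for template presenters")
-var timestampRegexp = regexp.MustCompile(`Timestamp:\s*\d{4}-\d{2}-\d{2}`)
 
 func TestPresenter_Present(t *testing.T) {
  matches, packages, context, metadataProvider, appConfig, dbStatus := models.GenerateAnalysis(t, source.ImageScheme)
@@ -44,7 +43,6 @@
  }
 
  actual := buffer.Bytes()
- actual = mustRedact(t, actual)
 
  if *update {
  testutils.UpdateGoldenFileContents(t, actual)
@@ -54,8 +52,27 @@
  assert.Equal(t, string(expected), string(actual))
 }
 
-func mustRedact(t *testing.T, content []byte) []byte {
- assert.True(t, timestampRegexp.Match(content))
- return timestampRegexp.ReplaceAll(content, []byte(`Timestamp:`))
+func TestPresenter_SprigDate_Fails(t *testing.T) {
+ matches, packages, context, metadataProvider, appConfig, dbStatus := models.GenerateAnalysis(t, source.ImageScheme)
+ workingDirectory, err := os.Getwd()
+ require.NoError(t, err)
+
+ // this template has the generic sprig date function, which is intentionally not supported for security reasons
+ templateFilePath := path.Join(workingDirectory, "./test-fixtures/test.template.sprig.date")
+
+ pb := models.PresenterConfig{
+ Matches: matches,
+ Packages: packages,
+ Context: context,
+ MetadataProvider: metadataProvider,
+ AppConfig: appConfig,
+ DBStatus: dbStatus,
+ }
+
+ templatePresenter := NewPresenter(pb, templateFilePath)
+
+ var buffer bytes.Buffer
+ err = templatePresenter.Present(&buffer)
+ require.ErrorContains(t, err, `function "now" not defined`)
 }
 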
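Review bot: TestPresenter_SprigDate_Fails pins only `now`, the least sensitive of the functions this commit withdraws; nothing asserts that `env` or `expandenv` stay unavailable to templates. If the date helpers are ever re-added by hand to FuncMap, this test is likely to be dropped, and the exclusions that matter would lose their only guard. A check on the map itself needs no fixture and covers them by name, as sketched below (it assumes FuncMap remains a func value, as its doc comment says). Separately, matching the `text/template` message `function "now" not defined` ties the test to library wording, so a short comment saying that is deliberate would help.

```go
func TestFuncMap_ExcludesNonHermeticFunctions(t *testing.T) {
	funcs := FuncMap()
	// these sprig helpers read host state and must never reach template authors
	for _, name := range []string{"env", "expandenv", "getHostByName", "now"} {
		_, ok := funcs[name]
		assert.Falsef(t, ok, "template function %q must not be exposed", name)
	}
}
```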
  • ■ ■ ■ ■ ■
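--- a/grype/presenter/template/test-fixtures/snapshot/TestPresenter_Present.golden
+++ b/grype/presenter/template/test-fixtures/snapshot/TestPresenter_Present.golden
@@ -1,4 +1,3 @@
-Timestamp:
 Identified distro as centos version 8.0.
  Vulnerability: CVE-1999-0001
  Severity: Low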
  • ■ ■ ■ ■ ■
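--- a/grype/presenter/template/test-fixtures/test.template
+++ b/grype/presenter/template/test-fixtures/test.template
@@ -1,4 +1,3 @@
-Timestamp: {{ now | date "2006-01-02" }}
 Identified distro as {{.Distro.Name}} version {{.Distro.Version}}.
 {{- range .Matches}}
  Vulnerability: {{.Vulnerability.ID}}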
  • ■ ■ ■ ■ ■ ■
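--- a/grype/presenter/template/test-fixtures/test.template.sprig.date
+++ b/grype/presenter/template/test-fixtures/test.template.sprig.date
@@ -0,0 +1,12 @@
+Identified distro as {{.Distro.Name}} version {{.Distro.Version}}.
+Date: {{ now | date "2006-01-02" }}
+{{- range .Matches}}
+ Vulnerability: {{.Vulnerability.ID}}
+ Severity: {{.Vulnerability.Severity}}
+ Package: {{.Artifact.Name}} version {{.Artifact.Version}} ({{.Artifact.Type}})
+ CPEs: {{ toJson .Artifact.CPEs }}
+ {{- range .MatchDetails}}
+ Matched by: {{.Matcher}}
+ {{- end}}
+{{- end}}
+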