Merge main

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/go.yml

@@ -19,11 +19,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
       with:
         egress-policy: audit
 
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
@@ -38,11 +38,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
       with:
         egress-policy: audit
 
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
@@ -60,11 +60,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
       with:
         egress-policy: audit
 
-    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
@@ -84,11 +84,11 @@ jobs:
       contents: write
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
       with:
         egress-policy: audit
 
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
 

.github/workflows/golangci-lint.yml

@@ -25,11 +25,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ matrix.go }}

.github/workflows/goreportcard.yaml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
       with:
         egress-policy: audit
 
@@ -28,7 +28,7 @@ jobs:
         go-version: ${{ matrix.go }}
         cache: false
     - name: Checkout gojp/goreportcard repo
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         repository: gojp/goreportcard
         path: goreportcard
@@ -51,7 +51,7 @@ jobs:
         # Install goreportcard-cli binary
         go install ./cmd/goreportcard-cli
     - name: Checkout Boeing/config-file-validator repo
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Run goreportcard
       run: |
         # Failure threshold is set to 100% to fail at any errors. Default is 75%.

.github/workflows/release.yml

@@ -30,20 +30,41 @@ jobs:
       contents: write
 
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-    - uses: wangyoucao577/go-release-action@8fa1e8368c8465264d64e0198208e10f71474c87 # v1.50
-      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
-        goos: ${{ matrix.goos }}
-        goarch: ${{ matrix.goarch }}
-        go_version: 1.22
-        binary_name: "validator"
-        ldflags: -w -s -extldflags "-static" -X github.com/Boeing/config-file-validator.version=${{ github.event.release.tag_name }}
-        build_tags: -tags netgo
-        project_path: cmd/validator
-        extra_files: LICENSE README.md
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: wangyoucao577/go-release-action@2aa2977ad6a4534f9179e22bd0ff146a1e1d3466 # v1.52
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          goos: ${{ matrix.goos }}
+          goarch: ${{ matrix.goarch }}
+          go_version: 1.22
+          binary_name: "validator"
+          ldflags: -w -s -extldflags "-static" -X github.com/Boeing/config-file-validator.version=${{ github.event.release.tag_name }}
+          build_tags: -tags netgo
+          project_path: cmd/validator
+          extra_files: LICENSE README.md
+
+  aur-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Publish AUR package
+        uses: KSXGitHub/github-actions-deploy-aur@9dfe151cf48f26a957bbd0379c120e79cb990e13 # v2.7.2
+        with:
+          pkgname: config-file-validator
+          pkgbuild: ./PKGBUILD
+          commit_username: ${{ secrets.AUR_USERNAME }}
+          commit_email: ${{ secrets.AUR_EMAIL }}
+          ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
+          commit_message: Update AUR package
+          ssh_keyscan_types: rsa,ecdsa,ed25519

.github/workflows/scorecard.yml

@@ -30,12 +30,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
@@ -54,7 +54,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@c24449f33cd45d4826c6702db7e49f7cdb9b551d # v3.pre.node20
         with:
           name: SARIF file
           path: results.sarif
@@ -63,6 +63,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           sarif_file: results.sarif

PKGBUILD

@@ -0,0 +1,37 @@
+# Maintainer: Clayton Kehoe <clayton.j.kehoe at boeing dot com>
+# Contributor : wiz64 <wiz64 dot com>
+pkgname=config-file-validator
+pkgver=1.7.1
+pkgrel=1
+pkgdesc="A tool to validate the syntax of configuration files"
+arch=('x86_64')
+url="https://github.com/Boeing/config-file-validator"
+license=('Apache 2.0')
+depends=('glibc')
+makedepends=('go>=1.21' 'git' 'sed')
+source=("git+https://github.com/Boeing/config-file-validator.git")
+sha256sums=('SKIP')
+md5sums=('SKIP')
+
+pkgver() {
+  cd "$srcdir/$pkgname"
+  git describe --tags --abbrev=0 | sed 's/^v//'
+}
+
+build() {
+  cd "$srcdir/$pkgname"
+  CGO_ENABLED=0 \
+  GOOS=linux \
+  GOARCH=amd64 \
+  go build \
+  -ldflags="-w -s -extldflags '-static' \
+  -X github.com/Boeing/config-file-validator.version=$pkgver" \
+  -tags netgo \
+  -o validator \
+  cmd/validator/validator.go
+}
+
+package() {
+  cd "$srcdir/$pkgname"
+  install -Dm755 validator "$pkgdir/usr/bin/validator"
+}

README.md

@@ -5,7 +5,7 @@
 </div>
 
 <p align="center">
-<img id="cov" src="https://img.shields.io/badge/Coverage-95.6%25-brightgreen" alt="Code Coverage">
+<img id="cov" src="https://img.shields.io/badge/Coverage-95.1%25-brightgreen" alt="Code Coverage">
 
   <a href="https://scorecard.dev/viewer/?uri=github.com/Boeing/config-file-validator">
     <img src="https://api.scorecard.dev/projects/github.com/Boeing/config-file-validator/badge" alt="OpenSSF Scorecard">
@@ -116,6 +116,20 @@ optional flags:
     	Version prints the release version of validator
 ```
 
+### Environment Variables
+
+The config-file-validator supports setting options via environment variables. If both command-line flags and environment variables are set, the command-line flags will take precedence. The supported environment variables are as follows:
+
+| Environment Variable | Equivalent Flag |
+|----------------------|-----------------|
+| `CFV_DEPTH`          | `-depth`        |
+| `CFV_EXCLUDE_DIRS`   | `-exclude-dirs` |
+| `CFV_EXCLUDE_FILE_TYPES` | `-exclude-file-types` |
+| `CFV_OUTPUT`         | `-output`       |
+| `CFV_REPORTER`       | `-reporter`     |
+| `CFV_GROUPBY`        | `-groupby`      |
+| `CFV_QUIET`          | `-quiet`        |
+
 ### Examples
 #### Standard Run
 If the search path is omitted it will search the current directory

cmd/validator/validator.go

@@ -20,7 +20,7 @@ optional flags:
   -output
      	Destination of a file to outputting results
   -reporter string
-    	Format of the printed report. Options are standard and json (default "standard")
+    	Format of the printed report. Options are standard, json, junit and sarif (default "standard")
   -version
     	Version prints the release version of validator
 */
@@ -103,11 +103,28 @@ func getFlags() (validatorConfig, error) {
 		excludeDirsPtr      = flag.String("exclude-dirs", "", "Subdirectories to exclude when searching for configuration files")
 		excludeFileTypesPtr = flag.String("exclude-file-types", "", "A comma separated list of file types to ignore.\nValid options: "+strings.Join(getFileTypes(), ", "))
 		outputPtr           = flag.String("output", "", "Destination to a file to output results")
-		reportTypePtr       = flag.String("reporter", "standard", "Format of the printed report. Options are standard and json")
+		reportTypePtr       = flag.String("reporter", "standard", "Format of the printed report. Options are standard, json, junit and sarif")
 		versionPtr          = flag.Bool("version", false, "Version prints the release version of validator")
 		groupOutputPtr      = flag.String("groupby", "", "Group output by filetype, directory, pass-fail. Supported for Standard and JSON reports")
-		quietPrt            = flag.Bool("quiet", false, "If quiet flag is set. It doesn't print any output to stdout.")
+		quietPtr            = flag.Bool("quiet", false, "If quiet flag is set. It doesn't print any output to stdout.")
 	)
+
+	flagsEnvMap := map[string]string{
+		"depth":              "CFV_DEPTH",
+		"exclude-dirs":       "CFV_EXCLUDE_DIRS",
+		"exclude-file-types": "CFV_EXCLUDE_FILE_TYPES",
+		"output":             "CFV_OUTPUT",
+		"reporter":           "CFV_REPORTER",
+		"groupby":            "CFV_GROUPBY",
+		"quiet":              "CFV_QUIET",
+	}
+
+	for flagName, envVar := range flagsEnvMap {
+		if err := setFlagFromEnvIfNotSet(flagName, envVar); err != nil {
+			return validatorConfig{}, err
+		}
+	}
+
 	flag.Parse()
 
 	searchPaths := make([]string, 0)
@@ -121,12 +138,16 @@ func getFlags() (validatorConfig, error) {
 		searchPaths = append(searchPaths, flag.Args()...)
 	}
 
-	if *reportTypePtr != "standard" && *reportTypePtr != "json" && *reportTypePtr != "junit" {
-		return validatorConfig{}, errors.New("Wrong parameter value for reporter, only supports standard, json or junit")
+	acceptedReportTypes := map[string]bool{"standard": true, "json": true, "junit": true, "sarif": true}
+
+	if !acceptedReportTypes[*reportTypePtr] {
+		return validatorConfig{}, errors.New("Wrong parameter value for reporter, only supports standard, json, junit or sarif")
 	}
 
-	if *reportTypePtr == "junit" && *groupOutputPtr != "" {
-		return validatorConfig{}, errors.New("Wrong parameter value for reporter, groupby is not supported for JUnit reports")
+	groupOutputReportTypes := map[string]bool{"standard": true, "json": true}
+
+	if !groupOutputReportTypes[*reportTypePtr] && *groupOutputPtr != "" {
+		return validatorConfig{}, errors.New("Wrong parameter value for reporter, groupby is only supported for standard and JSON reports")
 	}
 
 	if depthPtr != nil && isFlagSet("depth") && *depthPtr < 0 {
@@ -166,7 +187,7 @@ func getFlags() (validatorConfig, error) {
 		versionPtr,
 		outputPtr,
 		groupOutputPtr,
-		quietPrt,
+		quietPtr,
 	}
 
 	return config, nil
@@ -185,6 +206,20 @@ func isFlagSet(flagName string) bool {
 	return isSet
 }
 
+func setFlagFromEnvIfNotSet(flagName string, envVar string) error {
+	if isFlagSet(flagName) {
+		return nil
+	}
+
+	if envVarValue, ok := os.LookupEnv(envVar); ok {
+		if err := flag.Set(flagName, envVarValue); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // Return the reporter associated with the
 // reportType string
 func getReporter(reportType, outputDest *string) reporter.Reporter {
@@ -193,6 +228,8 @@ func getReporter(reportType, outputDest *string) reporter.Reporter {
 		return reporter.NewJunitReporter(*outputDest)
 	case "json":
 		return reporter.NewJSONReporter(*outputDest)
+	case "sarif":
+		return reporter.NewSARIFReporter(*outputDest)
 	default:
 		return reporter.StdoutReporter{}
 	}

cmd/validator/validator_test.go

@@ -22,7 +22,8 @@ func Test_flags(t *testing.T) {
 		{"depth set", []string{"-depth=1", "."}, 0},
 		{"flags set, wrong reporter", []string{"--exclude-dirs=subdir", "--reporter=wrong", "."}, 1},
 		{"flags set, json reporter", []string{"--exclude-dirs=subdir", "--reporter=json", "."}, 0},
-		{"flags set, junit reported", []string{"--exclude-dirs=subdir", "--reporter=junit", "."}, 0},
+		{"flags set, junit reporter", []string{"--exclude-dirs=subdir", "--reporter=junit", "."}, 0},
+		{"flags set, sarif reporter", []string{"--exclude-dirs=subdir", "--reporter=sarif", "."}, 0},
 		{"bad path", []string{"/path/does/not/exit"}, 1},
 		{"exclude file types set", []string{"--exclude-file-types=json", "."}, 0},
 		{"multiple paths", []string{"../../test/fixtures/subdir/good.json", "../../test/fixtures/good.json"}, 0},
@@ -33,6 +34,7 @@ func Test_flags(t *testing.T) {
 		{"incorrect group", []string{"-groupby=badgroup", "."}, 1},
 		{"correct group", []string{"-groupby=directory", "."}, 0},
 		{"grouped junit", []string{"-groupby=directory", "--reporter=junit", "."}, 1},
+		{"grouped sarif", []string{"-groupby=directory", "--reporter=sarif", "."}, 1},
 		{"groupby duplicate", []string{"--groupby=directory,directory", "."}, 1},
 		{"quiet flag", []string{"--quiet=true", "."}, 0},
 	}