From 2ba6d0d973a5c2b2d355b46139230eea3160b65c Mon Sep 17 00:00:00 2001 
From: Dan Stefaniuk <499338+stefaniuk@users.noreply.github.com>
Date: Thu, 21 Sep 2023 10:11:39 +0100
Subject: [PATCH] Remove scan dependencies git hook (#132)

## Description

There is not much benefit in running a potentially outdated CVE check locally, especially considering that the GitHub Action always performs a check against the latest version.

- Fixes #128

## Context

Grype [updates its database](https://github.com/anchore/grype#data-staleness) at the first run or every 5 days. The size is approximately 1GB. It may take minutes for the scan dependencies git hook to complete. This is not a good user experience.

## Type of changes

- [x] Refactoring (non-breaking change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)
- [x] Bug fix (non-breaking change which fixes an issue)

## Checklist

- [x] I am familiar with the [contributing guidelines](../docs/CONTRIBUTING.md)
- [x] I have followed the code style of the project
- [ ] I have added tests to cover my changes
- [x] I have updated the documentation accordingly
- [ ] This PR is a result of pair or mob programming

---

## Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you to NOT include [PII (Personal Identifiable Information) / PID (Personal Identifiable Data)](https://digital.nhs.uk/data-and-information/keeping-data-safe-and-benefitting-the-public) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that does contain any sensitive information. We really appreciate your cooperation in this matter.

- [x] I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.
--- docs/user-guides/Run_Git_hooks_on_commit.md | 1 - docs/user-guides/Scan_dependencies.md | 1 - scripts/config/pre-commit.yaml | 7 ---- scripts/githooks/scan-dependencies.sh | 37 --------------------- 4 files changed, 46 deletions(-) delete mode 100755 scripts/githooks/scan-dependencies.sh diff --git a/docs/user-guides/Run_Git_hooks_on_commit.md b/docs/user-guides/Run_Git_hooks_on_commit.md index 5a4d9ebc..507e1f80 100644 --- a/docs/user-guides/Run_Git_hooks_on_commit.md +++ b/docs/user-guides/Run_Git_hooks_on_commit.md @@ -17,7 +17,6 @@ The [pre-commit](https://pre-commit.com/) framework is a powerful tool for manag - [check-file-format.sh](../../scripts/githooks/check-file-format.sh) - [check-markdown-format.sh](../../scripts/githooks/check-markdown-format.sh) - [check-terraform-format.sh](../../scripts/githooks/check-terraform-format.sh) - - [scan-dependencies.sh](../../scripts/githooks/scan-dependencies.sh) - [scan-secrets.sh](../../scripts/githooks/scan-secrets.sh) - Configuration - [pre-commit.yaml](../../scripts/config/pre-commit.yaml) diff --git a/docs/user-guides/Scan_dependencies.md b/docs/user-guides/Scan_dependencies.md index 11b97496..411d07c0 100644 --- a/docs/user-guides/Scan_dependencies.md +++ b/docs/user-guides/Scan_dependencies.md 
@@ -21,7 +21,6 @@ In modern software development, leveraging third-party dependencies is a common - [grype.yaml](../../scripts/config/grype.yaml): A configuration file for the CVE scanner - [scan-dependencies/action.yaml](../../.github/actions/scan-dependencies/action.yaml): GitHub action to run the scripts as part of the CI/CD pipeline - [.gitignore](../../.gitignore): Excludes the `*sbom*report.json` and `*vulnerabilities*report.json` report files created during the process -- [scan-dependencies.sh](../../scripts/githooks/scan-dependencies.sh): a Git hook to scan dependencies upon each commit. For a more comprehensive information of how these Git hooks operate, please refer to the [Run Git hooks on commit](./Run_Git_hooks_on_commit.md) guide ## Configuration checklist diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml index b8ce2f54..fce7ea51 100644 --- a/scripts/config/pre-commit.yaml +++ b/scripts/config/pre-commit.yaml @@ -27,10 +27,3 @@ repos: entry: ./scripts/githooks/check-terraform-format.sh language: script pass_filenames: false -- repo: local - hooks: - - id: scan-dependencies - name: Scan Dependencies - entry: ./scripts/githooks/scan-dependencies.sh - language: script - pass_filenames: false diff --git a/scripts/githooks/scan-dependencies.sh b/scripts/githooks/scan-dependencies.sh deleted file mode 100755 index 7e97e3ee..00000000 --- a/scripts/githooks/scan-dependencies.sh +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/bin/bash - -set -e - -# Pre-commit git hook to scan dependencies for CVEs (Common Vulnerabilities and Exposures). -# -# Usage: -# $ ./scan-dependencies.sh -# -# Options: -# VERBOSE=true # Show all the executed commands, default is `false` - -# ============================================================================== - -function main() { - - cd $(git rev-parse --show-toplevel) - ./scripts/reports/generate-sbom.sh - ./scripts/reports/scan-vulnerabilities.sh -} - -function is_arg_true() { - - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then - return 0 - else - return 1 - fi -} - -# ============================================================================== - -is_arg_true "$VERBOSE" && set -x - -main $* - -exit 0
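Review bot: in the docs/user-guides/Scan_dependencies.md hunk, deleting the `scan-dependencies.sh` bullet leaves the sentence that follows it, `For a more comprehensive information of how these Git hooks operate, please refer to the [Run Git hooks on commit](./Run_Git_hooks_on_commit.md) guide`, pointing at Git hooks that no longer appear in that list; drop the sentence or reword it, and replace the removed bullet with a short note on running `./scripts/reports/generate-sbom.sh` and `./scripts/reports/scan-vulnerabilities.sh` by hand, since the deleted hook was the only documented way to run the scan locally.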
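Review bot: removing the `scan-dependencies` entry from scripts/config/pre-commit.yaml makes the CI action at `.github/actions/scan-dependencies/action.yaml` the only place the CVE scan runs, and this patch does not show when that action triggers; please confirm it runs on pull requests rather than only on the default branch, otherwise a vulnerable dependency is reported only after merge. The description's claim that the action "always performs a check against the latest version" should be backed by that trigger configuration.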
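Review bot: the deleted scripts/githooks/scan-dependencies.sh is a thin wrapper that only `cd`s to the repository root and calls the two report scripts, plus the `VERBOSE` handling; if an on-demand local scan is still wanted, keeping that wrapper outside the pre-commit configuration (for example alongside the scripts in scripts/reports/) fixes the slow-commit problem from #128 without losing the one-command local run. If it is deleted as proposed, the `Usage` and `VERBOSE` notes from its header comment should move into the Scan_dependencies.md guide so the option is not lost with the file.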