From 6b4e5250a445ace7f59088945cbb1a69b453d52d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Oct 2025 10:01:49 +0000
Subject: [PATCH 1/8] Bump the github-actions-version-updates group across 1 directory with 4 updates
Bumps the github-actions-version-updates group with 4 updates in the /.github/workflows directory: [fsfe/reuse-action](https://github.com/fsfe/reuse-action), [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter), [github/codeql-action](https://github.com/github/codeql-action) and [mikefarah/yq](https://github.com/mikefarah/yq).
Updates `fsfe/reuse-action` from 5.0.0 to 6.0.0
- [Release notes](https://github.com/fsfe/reuse-action/releases)
- [Commits](https://github.com/fsfe/reuse-action/compare/bb774aa972c2a89ff34781233d275075cbddf542...676e2d560c9a403aa252096d99fcab3e1132b0f5)
Updates `oxsecurity/megalinter` from 9.0.1 to 9.1.0
- [Release notes](https://github.com/oxsecurity/megalinter/releases)
- [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/oxsecurity/megalinter/compare/0dcbedd66ea456ba2d54fd350affaa15df8a0da3...62c799d895af9bcbca5eacfebca29d527f125a57)
Updates `github/codeql-action` from 3.30.6 to 4.30.8
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/64d10c13136e1c5bce3e5fbde8d4906eeaafc885...f443b600d91635bebf5b0d9ebc620189c0d6fba5)
Updates `mikefarah/yq` from 4.47.2 to 4.48.1
- [Release notes](https://github.com/mikefarah/yq/releases)
- [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt)
- [Commits](https://github.com/mikefarah/yq/compare/6251e95af8df3505def48c71f3119836701495d6...0ecdce24e83f0fa127940334be98c86b07b0c488)
---
updated-dependencies:
- dependency-name: fsfe/reuse-action
dependency-version: 6.0.0
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: github-actions-version-updates
- dependency-name: oxsecurity/megalinter
dependency-version: 9.1.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: github-actions-version-updates
- dependency-name: github/codeql-action
dependency-version: 4.30.8
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: github-actions-version-updates
- dependency-name: mikefarah/yq
dependency-version: 4.48.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: github-actions-version-updates
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/license-check.yaml | 2 +-
 .github/workflows/mega-linter.yml | 2 +-
 .github/workflows/oss-scorecard.yaml | 2 +-
 .github/workflows/release-build.yaml | 6 +++---
 .github/workflows/scb-bot.yaml | 6 +++---
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/license-check.yaml b/.github/workflows/license-check.yaml
index bf94535edb..f9cadf756c 100644
--- a/.github/workflows/license-check.yaml
+++ b/.github/workflows/license-check.yaml
@@ -22,6 +22,6 @@ jobs:
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: REUSE Compliance Check
- uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0
+ uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
 with:
 args: --include-submodules lint
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index 55e566d2aa..2b94813571 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -46,7 +46,7 @@ jobs:
 id: ml
 # You can override MegaLinter flavor used to have faster performances
 # More info at https://megalinter.github.io/flavors/
- uses: oxsecurity/megalinter@0dcbedd66ea456ba2d54fd350affaa15df8a0da3 # v9.0.1
+ uses: oxsecurity/megalinter@62c799d895af9bcbca5eacfebca29d527f125a57 # v9.1.0
 env:
 # All available variables are described in documentation
 # https://megalinter.github.io/configuration/
diff --git a/.github/workflows/oss-scorecard.yaml b/.github/workflows/oss-scorecard.yaml
index ce50803cd2..edaffbcd7d 100644
--- a/.github/workflows/oss-scorecard.yaml
+++ b/.github/workflows/oss-scorecard.yaml
@@ -33,6 +33,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
+ uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml
index 854c85cb4e..9d4d1c7c8e 100644
--- a/.github/workflows/release-build.yaml
+++ b/.github/workflows/release-build.yaml
@@ -425,7 +425,7 @@ jobs:
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Set ENV Var with Scanner Version
- uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
+ uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
 # Notice: The current version of the scanner is provided via the Chart.yaml to ensure
 # there is only one place to edit the version of a scanner
 with:
@@ -433,7 +433,7 @@ jobs:
 # extract the supported cpu architectures from the Chart.yaml
 - name: Set ENV Var with Supported Platforms
- uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
+ uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
 with:
 cmd: echo supportedPlatforms=$(yq e .annotations.supported-platforms scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV
@@ -555,7 +555,7 @@ jobs:
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Set ENV Var with Demo-Target Version
- uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
+ uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
 # Notice: The current version of the demo-target is provided via the Chart.yaml to ensure
 # there is only one place to edit the version of a scanner
 with:
diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml
index 1b4ffd9a41..c95dc20ed9 100644
--- a/.github/workflows/scb-bot.yaml
+++ b/.github/workflows/scb-bot.yaml
@@ -61,14 +61,14 @@ jobs:
 # Fetching scanner version from local chart .appVersion attribute
 # this would look like 1.1.1 or v1.1.1 depending on the corresponding Docker image tag
 - name: Fetch local scanner version
- uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
+ uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
 with:
 cmd: echo local=$(yq e .appVersion scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV
 # Fetching scanner version API from local chart .annotations.versionApi attribute
 # This would look like https://api.github.com/repos/projectdiscovery/nuclei/releases/latest
 - name: Fetch scanner's version API
- uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
+ uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
 with:
 cmd: echo versionApi=$(yq e .annotations.versionApi scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV
@@ -143,7 +143,7 @@ jobs:
 - name: Upgrade Scanner Helm Chart
 if: ${{ env.release != env.local && env.prExists == 0 && env.release != null}}
- uses: mikefarah/yq@6251e95af8df3505def48c71f3119836701495d6 # v4.47.2
+ uses: mikefarah/yq@0ecdce24e83f0fa127940334be98c86b07b0c488 # v4.48.1
 with:
 # appVersion value in chart is replaced with release value. Empty lines are deleted in the process
 cmd: yq e --inplace '.appVersion = "${{env.release}}"' ./scanners/${{ matrix.scanner }}/Chart.yaml
From aacf0f90c3826c428f6eb522145d258c0edf922d Mon Sep 17 00:00:00 2001
From: Sven Strittmatter
Date: Mon, 13 Oct 2025 16:50:34 +0200
Subject: [PATCH 2/8] Use The Latest Python Version
Signed-off-by: Sven Strittmatter
---
 .python-version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.python-version b/.python-version
index 71380f2427..f982feb41b 100644
--- a/.python-version
+++ b/.python-version
@@ -1 +1 @@
-3.9.10
\ No newline at end of file
+3.14.0
From d919941bf180f22e1afe44f092102e3a22a09eaf Mon Sep 17 00:00:00 2001
From: Sven Strittmatter
Date: Mon, 13 Oct 2025 16:51:09 +0200
Subject: [PATCH 3/8] Load pyenv and nvm automatiocally, if direnv is installed
Signed-off-by: Sven Strittmatter
---
 .envrc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.envrc b/.envrc
index 068b8b84ce..71d4504f60 100644
--- a/.envrc
+++ b/.envrc
@@ -5,6 +5,11 @@
 # shellcheck shell=sh
 # https://direnv.net/man/direnv-stdlib.1.html
 PATH_add bin
+
+export VIRTUAL_ENV=venv
+layout python
+use nvm
+
 # shellcheck disable=SC2155
 export PROJECT_DIR="$(pwd)"
From 956556cd0072ef44b4739cf9fb69523f8564e3ae Mon Sep 17 00:00:00 2001
From: Sven Strittmatter
Date: Mon, 13 Oct 2025 16:51:32 +0200
Subject: [PATCH 4/8] Same Arguments As In GH Workflow
Signed-off-by: Sven Strittmatter
---
 bin/add-license-header.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/add-license-header.sh b/bin/add-license-header.sh
index 98c66f3e59..2d2833c65f 100755
--- a/bin/add-license-header.sh
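Review bot: `use nvm` is not part of the direnv stdlib that the header comment links to; it only resolves when the developer has a `use_nvm` function in `~/.direnvrc`, and otherwise direnv aborts loading the whole file, so the call needs a guard or at least a comment stating the prerequisite rather than the subject's claim that it works wherever direnv is installed. `export VIRTUAL_ENV=venv` is a relative path that `layout python` resolves against the project directory and creates with `python -m venv` on first load, presumably picking up the interpreter selected by the new `.python-version` through pyenv shims on PATH; a comment such as `# venv is created here on first load by layout python; needs pyenv shims on PATH and a use_nvm helper in ~/.direnvrc` would make both assumptions explicit. Also confirm that `venv/` is covered by `.gitignore`, which this series does not show.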
+++ b/bin/add-license-header.sh
@@ -17,7 +17,7 @@
 # cat spdx-report.md | ./add-license-header.sh
 #
 # To generate the file list use `reuse lint`. This produces a Markdown report:
-# docker run --rm --volume $(pwd):/data fsfe/reuse lint > spdx-report.md
+# docker run --rm --volume $(pwd):/data fsfe/reuse --include-submodules lint > spdx-report.md
 #
 # See also:
 # - https://spdx.org
From f82bc67b4ea638e77d931e3cf6d7c9507789cc0e Mon Sep 17 00:00:00 2001
From: Sven Strittmatter
Date: Mon, 13 Oct 2025 16:52:53 +0200
Subject: [PATCH 5/8] Convert Deprecated Reuse config To New Format
Signed-off-by: Sven Strittmatter
---
 .reuse/dep5 | 15 ---------------
 REUSE.toml | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 15 deletions(-)
 delete mode 100644 .reuse/dep5
 create mode 100644 REUSE.toml
diff --git a/.reuse/dep5 b/.reuse/dep5
deleted file mode 100644
index 64acaf960b..0000000000
--- a/.reuse/dep5
+++ /dev/null
@@ -1,15 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: secureCodeBox
-Upstream-Contact: Robert Felber
-Source: https://github.com/secureCodeBox/secureCodeBox
-
-Files: .github/ISSUE_TEMPLATE/*.md
-Copyright: the secureCodeBox authors
-License: Apache-2.0
-
-# Workaround because some of the test files hav content which confuses reuse
-# and it will skip the file resulting in no copyright/license ifo which will
-# fail our check.
-Files: **/tests/__snapshot__/*.yaml.snap
-Copyright: the secureCodeBox authors
-License: Apache-2.0
diff --git a/REUSE.toml b/REUSE.toml
new file mode 100644
index 0000000000..c32e23821c
--- /dev/null
+++ b/REUSE.toml
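Review bot: The documented command now matches the workflow's arguments but not its version: the example runs the unpinned `fsfe/reuse` image, which resolves to `latest`, while `.github/workflows/license-check.yaml` pins `fsfe/reuse-action` to a commit tagged v6.0.0, so a developer's local report and CI can still disagree on what `lint` flags. Pinning the image tag in the example, e.g. `fsfe/reuse:<version matching the workflow>`, keeps the two in step, and quoting `"$(pwd)"` keeps the volume mount working for checkouts whose path contains spaces. The enclosing header comment starts and ends outside the hunk.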
@@ -0,0 +1,16 @@
+version = 1
+SPDX-PackageName = "secureCodeBox"
+SPDX-PackageSupplier = "Robert Felber "
+SPDX-PackageDownloadLocation = "https://github.com/secureCodeBox/secureCodeBox"
+
+[[annotations]]
+path = ".github/ISSUE_TEMPLATE/**.md"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "the secureCodeBox authors"
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = "**/tests/__snapshot__/**.yaml.snap"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "the secureCodeBox authors"
+SPDX-License-Identifier = "Apache-2.0"
From d864850336567b212251613402449d9b3d892d6b Mon Sep 17 00:00:00 2001
From: Sven Strittmatter
Date: Mon, 13 Oct 2025 16:56:28 +0200
Subject: [PATCH 6/8] Change Package Supplier to the Umbrella Organization We Publish it
Signed-off-by: Sven Strittmatter
---
 REUSE.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/REUSE.toml b/REUSE.toml
index c32e23821c..f2f92f8080 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -1,6 +1,6 @@
 version = 1
 SPDX-PackageName = "secureCodeBox"
-SPDX-PackageSupplier = "Robert Felber "
+SPDX-PackageSupplier = "OWASP (https://owasp.org/)"
 SPDX-PackageDownloadLocation = "https://github.com/secureCodeBox/secureCodeBox"
 [[annotations]]
From 75708a847fabcdd63bf8d042ff09b6bc4b0e60ae Mon Sep 17 00:00:00 2001
From: Sven Strittmatter
Date: Mon, 13 Oct 2025 17:10:16 +0200
Subject: [PATCH 7/8] Fix XML Syntax: Nothing Allowed Before Preamble
Signed-off-by: Sven Strittmatter
---
 scanners/nmap/examples/basic-example/nmap-results.xml | 3 +-
 .../nmap/examples/example-with-parameters/nmap-results.xml | 3 +-
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/scanners/nmap/examples/basic-example/nmap-results.xml b/scanners/nmap/examples/basic-example/nmap-results.xml
index b2a9acd2df..cfe396cc54 100644
--- a/scanners/nmap/examples/basic-example/nmap-results.xml
+++ b/scanners/nmap/examples/basic-example/nmap-results.xml
@@ -1,10 +1,9 @@ + - -
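Review bot: The conversion drops the dep5 comment that explained why `**/tests/__snapshot__/**.yaml.snap` needs an annotation at all; TOML accepts `#` comments, so put it back above the second `[[annotations]]` table, e.g. `# Workaround: some snapshot files contain content that confuses reuse, which then skips them with no copyright/license info and fails our check.` Related to that comment, `precedence = "aggregate"` still parses the text inside those files and merges it with the values given here, whereas `precedence = "override"` makes the table's values take priority over the file's own information, which reads closer to what the workaround wants; it is worth trying on the snapshot table, with the caveat that the last patch in this series reports override did not help for a different file.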
diff --git a/scanners/nmap/examples/example-with-parameters/nmap-results.xml b/scanners/nmap/examples/example-with-parameters/nmap-results.xml
index 80267ee8d0..4a89faa806 100644
--- a/scanners/nmap/examples/example-with-parameters/nmap-results.xml
+++ b/scanners/nmap/examples/example-with-parameters/nmap-results.xml
@@ -1,10 +1,9 @@ + - -
From 5dfc9a1b80b1a60a307557df9e53618cc3d468c0 Mon Sep 17 00:00:00 2001
From: Sven Strittmatter
Date: Tue, 14 Oct 2025 20:33:47 +0200
Subject: [PATCH 8/8] Strip the SPDX From Captured Response
This is to circumvent that the REUSE tool find this as a license in the project. Adding the MIT license to LICENSES/ didn't solve the problem. Also overide the annotation for this file in REUSE.toml didn't work.
Signed-off-by: Sven Strittmatter
---
 scanners/nmap/examples/example-with-parameters/nmap-results.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scanners/nmap/examples/example-with-parameters/nmap-results.xml b/scanners/nmap/examples/example-with-parameters/nmap-results.xml
index 4a89faa806..acbbcd59d5 100644
--- a/scanners/nmap/examples/example-with-parameters/nmap-results.xml
+++ b/scanners/nmap/examples/example-with-parameters/nmap-results.xml
@@ -20,7 +20,7 @@ SPDX-License-Identifier: Apache-2.0 - +