
Husky does not detect language correctly [bug]

Open darkspirit510 opened this issue 4 years ago • 1 comment

Hi, I wanted to try out huskyCI's capabilities and check OWASP Benchmark's score (which is a Java project). I sourced the following .env:

export HUSKYCI_CLIENT_REPO_URL="https://github.com/OWASP/Benchmark.git"
export HUSKYCI_CLIENT_REPO_BRANCH="master"
export HUSKYCI_CLIENT_API_ADDR="http://localhost:8888"
export HUSKYCI_CLIENT_API_USE_HTTPS="false"
export HUSKYCI_CLIENT_TOKEN="MmM1MmMxYTEtMDAwZC00YmYzLWFmMmYtZGQ2MWVmNjBhZjUyOl9uQ2drWXVULTlEMV92VDJoTGpEdUtfZk90ajBOY3EzOTRHUlF6R1JSNW89"

but the results of huskyCI are:

fatal: No names found, cannot describe anything.
[HUSKYCI][*] master -> https://github.com/OWASP/Benchmark.git
[HUSKYCI][*] huskyCI analysis started! PP1etZxPneEC91EhVW3PPuGcT7unJHst
[HUSKYCI][!] Hold on! huskyCI is still running...
[HUSKYCI][!] Hold on! huskyCI is still running...
[HUSKYCI][!] Hold on! huskyCI is still running...
[HUSKYCI][!] Hold on! huskyCI is still running...
[HUSKYCI][!] Hold on! huskyCI is still running...
[HUSKYCI][!] Hold on! huskyCI is still running...

[HUSKYCI][!] Title: No package-lock.json found.
[HUSKYCI][!] Language: JavaScript
[HUSKYCI][!] Tool: NpmAudit
[HUSKYCI][!] Severity: low
[HUSKYCI][!] Code: 
[HUSKYCI][!] Version: 
[HUSKYCI][!] Vulnerable Below: 
[HUSKYCI][!] Details: It looks like your project doesn't have a package-lock.json file. If you use NPM to handle your dependencies, it would be a good idea to commit it so huskyCI can check for vulnerabilities.

[HUSKYCI][!] Title: No yarn.lock found.
[HUSKYCI][!] Language: JavaScript
[HUSKYCI][!] Tool: YarnAudit
[HUSKYCI][!] Severity: low
[HUSKYCI][!] Code: 
[HUSKYCI][!] Occurrences: 0
[HUSKYCI][!] Version: 
[HUSKYCI][!] Vulnerable Below: 
[HUSKYCI][!] Details: It looks like your project doesn't have a yarn.lock file. If you use Yarn to handle your dependencies, it would be a good idea to commit it so huskyCI can check for vulnerabilities.

[...]

[HUSKYCI][*] The following securityTests were executed and no blocking vulnerabilities were found:
[HUSKYCI][*] [huskyci/gitleaks:2.1.0]
[HUSKYCI][*] However, some LOW/INFO issues were found...

So I'd either like to have huskyCI detect the language correctly or, even better (for multi-language projects), pass a language explicitly.

darkspirit510 avatar May 24 '21 15:05 darkspirit510

The problem seems to be in the api/config.yaml file, since the "default" parameter for the spotbug container is set to 'false'.

If you change it to 'true', according to the picture, you can start a security scan against Java projects:

[screenshot]

Therefore, I managed to start a security scan with spotbug; however, it hangs significantly and may not meet the time requirement (default 3600 seconds = 1 hour):

[screenshot]

I suppose that's the reason why spotbug was disabled; however, for lighter Java projects it returns correct results. Also, if you start spotbug by yourself (docker run huskyci/spotbug:4.0.0-beta4) and wait for, say, 10-15 minutes, you will also receive the security report.

Kirkirillka avatar Jun 30 '21 08:06 Kirkirillka
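The practical risk both comments point at is a scanner reporting "no blocking vulnerabilities were found" when the only analyzer that could cover the project's language never ran. The following is an added example, not huskyCI's own code: it detects the languages present in a checkout from marker files and extensions, compares them against a constructed model of which analyzers a config enables by default (spotbugs off, as described above), and reports any language that no enabled tool covers, so a clean result can be rejected as "not scanned" rather than accepted as safe. The marker-file table, the `ENABLED_TOOLS` model and the sample checkout are all assumptions built for the example; check them against your own api/config.yaml.

```python
import os
import tempfile
from pathlib import Path

# Assumption: marker files and extensions used to infer a project's languages.
# This is not huskyCI's detection logic, just a plausible heuristic.
MARKER_FILES = {
    "pom.xml": "Java",
    "build.gradle": "Java",
    "package.json": "JavaScript",
    "package-lock.json": "JavaScript",
    "yarn.lock": "JavaScript",
    "go.mod": "Go",
    "requirements.txt": "Python",
    "Gemfile": "Ruby",
}
EXTENSIONS = {".java": "Java", ".js": "JavaScript", ".go": "Go",
              ".py": "Python", ".rb": "Ruby"}

# Constructed model of a huskyCI-style config: which tool covers which language
# and whether it is enabled by default. Mirrors the thread: gitleaks is generic
# and always runs, spotbugs (Java) ships with default=false.
ENABLED_TOOLS = {
    "gitleaks":  {"language": "Generic",    "default": True},
    "npmaudit":  {"language": "JavaScript", "default": True},
    "yarnaudit": {"language": "JavaScript", "default": True},
    "spotbugs":  {"language": "Java",       "default": False},
}

SKIP_DIRS = {".git", "node_modules", "target", "build", "vendor"}


def detect_languages(repo, max_files=20000):
    """Return {language: evidence_count} for a checkout, skipping VCS/build dirs."""
    counts = {}
    seen = 0
    for root, dirs, files in os.walk(repo):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            seen += 1
            if seen > max_files:
                return counts
            lang = MARKER_FILES.get(name) or EXTENSIONS.get(Path(name).suffix)
            if lang:
                counts[lang] = counts.get(lang, 0) + 1
    return counts


def enable_tool(tools, name):
    """Return a copy of the tool model with one tool's default flipped on."""
    updated = {k: dict(v) for k, v in tools.items()}
    updated[name]["default"] = True
    return updated


def coverage_gaps(languages, tools=ENABLED_TOOLS, explicit=()):
    """Languages detected (or explicitly requested) with no enabled analyzer.

    `explicit` models the 'pass a language explicitly' request from the issue:
    a language listed there is checked even if detection missed it.
    """
    wanted = set(languages) | set(explicit)
    covered = {t["language"] for t in tools.values() if t["default"]}
    return sorted(lang for lang in wanted if lang not in covered)


def build_sample_repo():
    """Create a constructed Java-only checkout (like OWASP Benchmark) in a temp dir."""
    repo = tempfile.mkdtemp(prefix="huskyci-example-")
    os.makedirs(os.path.join(repo, "src", "main", "java"))
    os.makedirs(os.path.join(repo, ".git"))
    Path(repo, "pom.xml").write_text("<project/>\n")
    Path(repo, "src", "main", "java", "Main.java").write_text("class Main {}\n")
    # Noise inside .git must not count as JavaScript evidence.
    Path(repo, ".git", "hooks.js").write_text("// hook\n")
    return repo


if __name__ == "__main__":
    repo = build_sample_repo()
    langs = detect_languages(repo)
    gaps = coverage_gaps(langs)
    print("detected:", langs)
    if gaps:
        print("NOT SCANNED (no enabled analyzer):", gaps)
    else:
        print("all detected languages are covered")
```

Run it against a real checkout by replacing `build_sample_repo()` with the repository path; a non-empty gap list is the signal to enable the missing tool (here, `default: true` for spotbugs) or to raise its timeout before trusting the result, rather than reading the absence of findings as a pass.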