plugin-scanner 1.4.15__tar.gz

plugin_scanner-1.4.15/.clusterfuzzlite/Dockerfile

@@ -0,0 +1,9 @@
+FROM gcr.io/oss-fuzz-base/base-builder-python@sha256:721650302bfda2f3832df73bb24aeacfa41c32e692f3d6e4dd06074e79c64ed7
+
+COPY ./.clusterfuzzlite/requirements-atheris.txt $SRC/requirements-atheris.txt
+RUN python3 -m pip install --require-hashes --no-cache-dir --no-binary=:all: --no-deps \
+    -r $SRC/requirements-atheris.txt
+
+COPY . $SRC/codex-plugin-scanner
+WORKDIR $SRC/codex-plugin-scanner
+COPY ./.clusterfuzzlite/build.sh $SRC/build.sh

plugin_scanner-1.4.15/.clusterfuzzlite/build.sh

@@ -0,0 +1,8 @@
+#!/bin/bash -eu
+
+cd "$SRC/codex-plugin-scanner"
+export PYTHONPATH="$PWD/src${PYTHONPATH:+:$PYTHONPATH}"
+
+for fuzzer in fuzzers/*_fuzzer.py; do
+  compile_python_fuzzer "$fuzzer"
+done

plugin_scanner-1.4.15/.clusterfuzzlite/project.yaml

@@ -0,0 +1,3 @@
+homepage: "https://github.com/hashgraph-online/codex-plugin-scanner"
+language: python
+main_repo: "https://github.com/hashgraph-online/codex-plugin-scanner"

plugin_scanner-1.4.15/.clusterfuzzlite/requirements-atheris.txt

@@ -0,0 +1 @@
+atheris==3.0.0 --hash=sha256:1f0929c7bc3040f3fe4102e557718734190cf2d7718bbb8e3ce6d3eb56ef5bb3

plugin_scanner-1.4.15/.dockerignore

@@ -0,0 +1,10 @@
+.git
+.github
+.pytest_cache
+.ruff_cache
+.venv
+__pycache__
+dist
+tests
+action
+*.pyc

plugin_scanner-1.4.15/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @hashgraph-online/core

plugin_scanner-1.4.15/.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10

plugin_scanner-1.4.15/.github/workflows/ci.yml

@@ -0,0 +1,45 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: ${{ matrix.python-version }}
+      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+        with:
+          enable-cache: true
+      - run: uv sync --frozen --extra dev --python ${{ matrix.python-version }}
+      - run: uv run --no-sync python -m ruff check src/
+      - run: uv run --no-sync python -m ruff format --check src/
+      - run: uv run --no-sync pytest --tb=short
+
+  cross-platform:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, windows-latest]
+        python-version: ["3.12"]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        with:
+          python-version: ${{ matrix.python-version }}
+      - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e
+        with:
+          enable-cache: true
+      - run: uv sync --frozen --extra dev --python ${{ matrix.python-version }}
+      - run: uv run --no-sync pytest tests/test_cli.py tests/test_verification.py tests/test_action_runner.py --tb=short

plugin_scanner-1.4.15/.github/workflows/codeql.yml

@@ -0,0 +1,41 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 4 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    if: ${{ vars.CODEQL_ADVANCED_ENABLED == 'true' }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [actions, python]
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - name: Provide legacy workspace alias for CodeQL default setup state
+        run: |
+          LEGACY_ROOT="/home/runner/work/codex-plugin-scanner"
+          mkdir -p "$LEGACY_ROOT"
+          ln -sfn "$GITHUB_WORKSPACE" "$LEGACY_ROOT/codex-plugin-scanner"
+      - uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: none
+          source-root: .
+      - uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d
+        with:
+          category: /language:${{ matrix.language }}

plugin_scanner-1.4.15/.github/workflows/e2e-test.yml

@@ -0,0 +1,112 @@
+name: E2E Tests
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [feat/*]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  scanner-text:
+    name: Scanner (text format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/good-plugin
+          min_score: 80
+
+  scanner-json:
+    name: Scanner (JSON format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/good-plugin
+          format: json
+          output: report.json
+      - name: Validate JSON
+        run: |
+          python3 -c "
+          import json
+          d = json.load(open('report.json'))
+          assert 'score' in d
+          assert 'grade' in d
+          assert d['score'] >= 80, f'Expected score >= 80, got {d[\"score\"]}'
+          print(f'JSON output valid: score={d[\"score\"]}, grade={d[\"grade\"]}')
+          "
+
+  scanner-sarif:
+    name: Scanner (SARIF format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/good-plugin
+          format: sarif
+          output: report.sarif
+      - name: Validate SARIF
+        run: |
+          python3 -c "
+          import json
+          d = json.load(open('report.sarif'))
+          assert d['version'] == '2.1.0'
+          assert d['\$schema'].startswith('https://')
+          print('SARIF output valid')
+          "
+    # Skip SARIF upload - CodeQL upload-sarif requires code scanning to be enabled on the repo
+
+  scanner-fail:
+    name: Scanner (fail on low score)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        continue-on-error: true
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/bad-plugin
+          min_score: 99
+      - name: Verify failure
+        if: always() && steps.scan.outcome == 'failure'
+        run: echo "Correctly failed for low score"
+      - name: Should have failed
+        if: always() && steps.scan.outcome != 'failure'
+        run: |
+          echo "Expected failure but scanner passed"
+          exit 1
+
+  scanner-markdown:
+    name: Scanner (Markdown format)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: ./action
+        id: scan
+        with:
+          install_source: local
+          plugin_dir: tests/fixtures/good-plugin
+          format: markdown
+          output: report.md
+      - name: Validate Markdown
+        run: |
+          python3 -c "
+          content = open('report.md').read()
+          assert '/100' in content
+          assert 'Excellent' in content or 'Good' in content or 'Fair' in content
+          print('Markdown output valid')
+          "

plugin_scanner-1.4.15/.github/workflows/fuzz.yml

@@ -0,0 +1,53 @@
+name: Fuzzing
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 6 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  code-change:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: google/clusterfuzzlite/actions/build_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
+        with:
+          language: python
+          sanitizer: address
+      - uses: google/clusterfuzzlite/actions/run_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          mode: code-change
+          sanitizer: address
+          fuzz-seconds: 600
+          output-sarif: true
+
+  batch:
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: google/clusterfuzzlite/actions/build_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
+        with:
+          language: python
+          sanitizer: address
+      - uses: google/clusterfuzzlite/actions/run_fuzzers@52ecc61cb587ee99c26825a112a21abf19c7448c
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          mode: batch
+          sanitizer: address
+          fuzz-seconds: 1800
+          output-sarif: true

plugin_scanner-1.4.15/.github/workflows/publish-action-repo.yml

@@ -0,0 +1,169 @@
+name: Publish GitHub Action Repository
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: codex-plugin-scanner-action-repo-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  publish-action-repo:
+    name: Sync action repo + publish release notes
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      ACTION_REPOSITORY: ${{ vars.ACTION_REPOSITORY != '' && vars.ACTION_REPOSITORY || 'hashgraph-online/hol-codex-plugin-scanner-action' }}
+      SOURCE_REF: ${{ github.sha }}
+      SOURCE_REPOSITORY: ${{ github.repository }}
+      SOURCE_SERVER_URL: ${{ github.server_url }}
+    steps:
+      - name: Validate publication credentials
+        env:
+          ACTION_REPO_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          if [ -z "$ACTION_REPO_TOKEN" ]; then
+            echo "ACTION_REPO_TOKEN must be configured to publish the Marketplace action repository." >&2
+            exit 1
+          fi
+
+      - name: Checkout source repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0
+
+      - name: Compute next action release tag
+        id: version
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          LAST_TAG=$(gh release list --repo "$ACTION_REPOSITORY" --limit 1 --json tagName --jq '.[0].tagName // ""')
+
+          if [ -z "$LAST_TAG" ]; then
+            TAG="v1.0.0"
+          else
+            IFS=. read -r MAJOR MINOR PATCH <<< "${LAST_TAG#v}"
+            if [ -z "$MAJOR" ] || [ -z "$MINOR" ] || [ -z "$PATCH" ]; then
+              echo "Unsupported release tag format: $LAST_TAG" >&2
+              exit 1
+            fi
+            TAG="v${MAJOR}.${MINOR}.$((PATCH + 1))"
+          fi
+
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Compute scanner package version
+        id: scanner_version
+        env:
+          GITHUB_REF: ${{ github.ref }}
+          GITHUB_EVENT_NAME: ${{ github.event_name }}
+        run: |
+          BASE_VERSION=$(python3 -c "import tomllib; p=tomllib.load(open('pyproject.toml','rb')); print(p['project']['version'])")
+          VERSION="$BASE_VERSION"
+          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
+            VERSION="${GITHUB_REF#refs/tags/v}"
+          elif [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" == "refs/heads/main" ]]; then
+            LAST_TAG=$(git tag --list 'v*' --sort=-version:refname | head -n1)
+            if [[ -n "$LAST_TAG" ]]; then
+              IFS=. read -r MAJOR MINOR PATCH <<< "${LAST_TAG#v}"
+              if [[ -z "$MAJOR" || -z "$MINOR" || -z "$PATCH" ]]; then
+                echo "Unsupported release tag format: $LAST_TAG" >&2
+                exit 1
+              fi
+              VERSION="${MAJOR}.${MINOR}.$((PATCH + 1))"
+            fi
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Clone action repository
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: gh repo clone "$ACTION_REPOSITORY" action-repo -- --depth 1
+
+      - name: Configure authenticated action repository remote
+        working-directory: action-repo
+        env:
+          ACTION_REPO_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          git remote set-url origin "https://x-access-token:${ACTION_REPO_TOKEN}@github.com/$ACTION_REPOSITORY.git"
+
+      - name: Sync root-ready action bundle
+        working-directory: action-repo
+        run: |
+          cp "${GITHUB_WORKSPACE}/action/action.yml" action.yml
+          cp "${GITHUB_WORKSPACE}/action/README.md" README.md
+          printf '%s\n' "${{ steps.scanner_version.outputs.version }}" > scanner-version.txt
+          cp "${GITHUB_WORKSPACE}/action/cisco-version.txt" cisco-version.txt
+          cp "${GITHUB_WORKSPACE}/action/pypi-attestations-version.txt" pypi-attestations-version.txt
+          cp "${GITHUB_WORKSPACE}/LICENSE" LICENSE
+          cp "${GITHUB_WORKSPACE}/SECURITY.md" SECURITY.md
+          cp "${GITHUB_WORKSPACE}/CONTRIBUTING.md" CONTRIBUTING.md
+
+      - name: Detect sync changes
+        id: diff
+        working-directory: action-repo
+        run: |
+          if [ -n "$(git status --short -- action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md)" ]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Commit synced bundle
+        if: steps.diff.outputs.changed == 'true'
+        working-directory: action-repo
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add action.yml README.md scanner-version.txt cisco-version.txt pypi-attestations-version.txt LICENSE SECURITY.md CONTRIBUTING.md
+          git commit -m "chore: publish action bundle ${{ steps.version.outputs.tag }}"
+
+      - name: Push action repository branch and tags
+        if: steps.diff.outputs.changed == 'true'
+        working-directory: action-repo
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          git push origin HEAD:main
+          git tag "$TAG"
+          git push origin "refs/tags/${TAG}"
+          git tag -fa v1 -m "Update floating major tag to ${TAG}"
+          git push origin refs/tags/v1 --force
+
+      - name: Check action release state
+        id: release_state
+        working-directory: action-repo
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+
+          if gh release view "${TAG}" --repo "$ACTION_REPOSITORY" >/dev/null 2>&1; then
+            echo "release_exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "release_exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+          if git ls-remote --tags origin "refs/tags/${TAG}" | grep -q .; then
+            echo "tag_exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag_exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create action repository release
+        if: steps.release_state.outputs.release_exists == 'false' && (steps.diff.outputs.changed == 'true' || steps.release_state.outputs.tag_exists == 'true')
+        env:
+          GH_TOKEN: ${{ secrets.ACTION_REPO_TOKEN }}
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          gh release create "${TAG}" \
+            --repo "$ACTION_REPOSITORY" \
+            --title "$TAG" \
+            --generate-notes \
+            --notes "Published automatically from ${SOURCE_SERVER_URL}/${SOURCE_REPOSITORY}/tree/${SOURCE_REF}"