22361640215

Committed 24 Feb 2026 05:09PM UTC coverage: 92.342% (-0.6%) from 92.935%

Build # 22361640215

Build Type

Pull #23133

github

Committed by

web-flow

Commit Message

Merge fd48a7577 into 4d038bd74

Pull Request Pull Request #23133: Add buildctl engine

Coverage Stats

194 of 282 new or added lines in 10 files covered. (68.79%)

452 existing lines in 24 files now uncovered.

89670 of 97106 relevant lines covered (92.34%)

4.01 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

94.12

/src/python/pants/backend/docker/lint/trivy/trivy_integration_test.py

# Copyright 2024 Pants project contributors (see CONTRIBUTORS.md).
# Licensed under the Apache License, Version 2.0 (see LICENSE).
from textwrap import dedent

import pytest

from pants.backend.docker.lint.trivy.rules import TrivyDockerFieldSet, TrivyDockerRequest
from pants.backend.docker.lint.trivy.rules import rules as trivy_docker_rules
from pants.backend.docker.rules import rules as docker_rules
from pants.backend.docker.target_types import DockerImageTarget
from pants.backend.tools.trivy.rules import rules as trivy_rules
from pants.backend.tools.trivy.testutil import (
    assert_trivy_output,
    assert_trivy_success,
    trivy_config,
)
from pants.core.goals import package
from pants.core.goals.lint import LintResult
from pants.core.util_rules import source_files
from pants.core.util_rules.partitions import PartitionMetadata
from pants.engine.internals.native_engine import Address
from pants.engine.rules import QueryRule
from pants.testutil.rule_runner import RuleRunner


@pytest.fixture
def rule_runner() -> RuleRunner:
    from pants.core.goals.lint import LintResult
    from pants.core.target_types import FileTarget

    rule_runner = RuleRunner(
        target_types=[DockerImageTarget, FileTarget],
        rules=[
            *trivy_docker_rules(),
            *trivy_rules(),
            *docker_rules(),
            *package.rules(),
            *source_files.rules(),
            QueryRule(LintResult, [TrivyDockerRequest.Batch]),
        ],
    )
    rule_runner.write_files(
        {
            "Dockerfile.good": GOOD_FILE,
            "Dockerfile.bad": BAD_FILE,
            "file.txt": "",
            "BUILD": dedent(
                """
            file(name="file", source="file.txt")
            docker_image(name="good", source="Dockerfile.good", dependencies=[":file"])
            docker_image(name="bad", source="Dockerfile.bad")
            """
            ),
            "trivy.yaml": trivy_config,
        }
    )
    # DOCKER_HOST allows for humans with rootless docker to run docker-dependent tests
    rule_runner.set_options(
        ("--trivy-extra-env-vars=DOCKER_HOST",),
        env_inherit={"PATH", "DOCKER_HOST"},
    )

    return rule_runner


GOOD_FILE = "FROM scratch\nCOPY file.txt /"  # A Docker image with nothing but a file is secure

BAD_FILE = (
    "FROM alpine:3.14.9@sha256:fa26727c28837d1471c2f1524d297a0255c153b5d023d7badd1412be7e6e12a2"
)
BAD_IMAGE_TARGET = "sha256:9e02963d7df7e8da13c08d23fd2f09b9dcf779422151766a8963415994e74ae0 (alpine 3.14.9)"  # this is Trivy's "Target" field


def test_trivy_good(rule_runner: RuleRunner) -> None:
    tgt_good = rule_runner.get_target(Address("", target_name="good"))

    result = rule_runner.request(
        LintResult,
        [
            TrivyDockerRequest.Batch(
                "trivy", (TrivyDockerFieldSet.create(tgt_good),), PartitionMetadata
            )
        ],
    )

    assert_trivy_success(result)


def test_trivy_bad(rule_runner: RuleRunner) -> None:
    tgt_bad = rule_runner.get_target(Address("", target_name="bad"))

    result = rule_runner.request(
        LintResult,
        [
            TrivyDockerRequest.Batch(
                "trivy", (TrivyDockerFieldSet.create(tgt_bad),), PartitionMetadata
            )
        ],
    )
    assert_trivy_output(result, 1, BAD_IMAGE_TARGET, "image", 4)

1	# Copyright 2024 Pants project contributors (see CONTRIBUTORS.md).
2	# Licensed under the Apache License, Version 2.0 (see LICENSE).
3	from textwrap import dedent	1✔
4
5	import pytest	1✔
6
7	from pants.backend.docker.lint.trivy.rules import TrivyDockerFieldSet, TrivyDockerRequest	1✔
8	from pants.backend.docker.lint.trivy.rules import rules as trivy_docker_rules	1✔
9	from pants.backend.docker.rules import rules as docker_rules	1✔
10	from pants.backend.docker.target_types import DockerImageTarget	1✔
11	from pants.backend.tools.trivy.rules import rules as trivy_rules	1✔
12	from pants.backend.tools.trivy.testutil import (	1✔
13	assert_trivy_output,
14	assert_trivy_success,
15	trivy_config,
16	)
17	from pants.core.goals import package	1✔
18	from pants.core.goals.lint import LintResult	1✔
19	from pants.core.util_rules import source_files	1✔
20	from pants.core.util_rules.partitions import PartitionMetadata	1✔
21	from pants.engine.internals.native_engine import Address	1✔
22	from pants.engine.rules import QueryRule	1✔
23	from pants.testutil.rule_runner import RuleRunner	1✔
24
25
26	@pytest.fixture	1✔
27	def rule_runner() -> RuleRunner:	1✔
28	from pants.core.goals.lint import LintResult	1✔
29	from pants.core.target_types import FileTarget	1✔
30
31	rule_runner = RuleRunner(	1✔
32	target_types=[DockerImageTarget, FileTarget],
33	rules=[
34	*trivy_docker_rules(),
35	*trivy_rules(),
36	*docker_rules(),
37	*package.rules(),
38	*source_files.rules(),
39	QueryRule(LintResult, [TrivyDockerRequest.Batch]),
40	],
41	)
42	rule_runner.write_files(	1✔
43	{
44	"Dockerfile.good": GOOD_FILE,
45	"Dockerfile.bad": BAD_FILE,
46	"file.txt": "",
47	"BUILD": dedent(
48	"""
49	file(name="file", source="file.txt")
50	docker_image(name="good", source="Dockerfile.good", dependencies=[":file"])
51	docker_image(name="bad", source="Dockerfile.bad")
52	"""
53	),
54	"trivy.yaml": trivy_config,
55	}
56	)
57	# DOCKER_HOST allows for humans with rootless docker to run docker-dependent tests
58	rule_runner.set_options(	1✔
59	("--trivy-extra-env-vars=DOCKER_HOST",),
60	env_inherit={"PATH", "DOCKER_HOST"},
61	)
62
63	return rule_runner	1✔
64
65
66	GOOD_FILE = "FROM scratch\nCOPY file.txt /" # A Docker image with nothing but a file is secure	1✔
67
68	BAD_FILE = (	1✔
69	"FROM alpine:3.14.9@sha256:fa26727c28837d1471c2f1524d297a0255c153b5d023d7badd1412be7e6e12a2"
70	)
71	BAD_IMAGE_TARGET = "sha256:9e02963d7df7e8da13c08d23fd2f09b9dcf779422151766a8963415994e74ae0 (alpine 3.14.9)" # this is Trivy's "Target" field	1✔
72
73
74	def test_trivy_good(rule_runner: RuleRunner) -> None:	1✔
75	tgt_good = rule_runner.get_target(Address("", target_name="good"))	1✔
76
77	result = rule_runner.request(	1✔
78	LintResult,
79	[
80	TrivyDockerRequest.Batch(
81	"trivy", (TrivyDockerFieldSet.create(tgt_good),), PartitionMetadata
82	)
83	],
84	)
85
UNCOV 86	assert_trivy_success(result)	×
87
88
89	def test_trivy_bad(rule_runner: RuleRunner) -> None:	1✔
90	tgt_bad = rule_runner.get_target(Address("", target_name="bad"))	1✔
91
92	result = rule_runner.request(	1✔
93	LintResult,
94	[
95	TrivyDockerRequest.Batch(
96	"trivy", (TrivyDockerFieldSet.create(tgt_bad),), PartitionMetadata
97	)
98	],
99	)
UNCOV 100	assert_trivy_output(result, 1, BAD_IMAGE_TARGET, "image", 4)	×

pantsbuild / pants / 22361640215

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous