Checkov upgrade notice causing CI to fail - checkov

Beginning around 11:30am ET on 11/21/2022, our CI pipelines started failing due to a Checkov update/upgrade notice with an input prompt (see output below).
Is there a command line option to skip this check from bridgecrew?
$ checkov
_ _
___| |__ ___ ___| | _______ __
/ __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | | __/ (__| < (_) \ V /
\___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 2.1.244
Update available 2.1.244 -> 2.2.80
Run pip3 install -U checkov to update
Would you like to “level up” your Checkov powers for free? The upgrade includes:
• Command line docker Image scanning
• Software Composition Analysis
• Centralized policy management
• Free bridgecrew.cloud account with API access
• Auto-fix remediation suggestions
• Enabling of VS Code Plugin
• Dashboard visualisation of Checkov scans
• Integration with GitHub for:
◦ Automated Pull Request scanning
◦ Auto remediation PR generation
• Integration with up to 100 cloud resources for:
◦ Automated cloud resource checks
◦ Resource drift detection
and much more...
It's easy and only takes 2 minutes. We can do it right now!
To Level-up, press 'y'...
Level up? (y/n): Traceback (most recent call last):
File "/usr/bin/checkov", line 9, in <module>
sys.exit(run())
File "/usr/lib/python3.10/site-packages/checkov/main.py", line 368, in run
bc_integration.onboarding()
File "/usr/lib/python3.10/site-packages/checkov/common/bridgecrew/platform_integration.py", line 696, in onboarding
reply = self._input_levelup_results()
File "/usr/lib/python3.10/site-packages/checkov/common/bridgecrew/platform_integration.py", line 860, in _input_levelup_results
result = str(input('Level up? (y/n): ')).lower().strip() # nosec
EOFError: EOF when reading a line
Uploading artifacts for failed job
00:01
Uploading artifacts...
WARNING: plan.json: no matching files
ERROR: No files to upload
I did try to update the version using pip but the old version is still being used. This is a separate issue, and at this point my focus is on avoiding the update check entirely.
bash-5.1# checkov --version
2.1.244
bash-5.1# pip3 install -U checkov
... (Lots of output)
bash-5.1# checkov --version
2.1.244
This is my .checkov.yaml file:
compact: true
quiet: true
skip-download: false
download-external-modules: true
directory:
- ./
skip-check:
- CKV_AWS_18
- CKV_AWS_50
- CKV_AWS_115
- CKV_AWS_116
- CKV_AWS_117
- CKV_AWS_158
- CKV_AWS_173
- CKV_OPENAPI_4 # some APIs are public
- CKV_OPENAPI_5 # some APIs are public
- LOW

You're only getting this output because you're calling checkov without any command line parameters. It's been like this for about a year, maybe even more.

If anyone else runs into this, I fixed it by explicitly passing the config-file flag on the command line:
checkov --config-file .checkov.yaml
It's still unclear to me why the pipelines started failing when we were using a pre-built Docker image to run our jobs.

I did try to update the version using pip but the old version is still being used
Version 2.1.244 was released on Oct 2nd, so it isn't from today. I join James' suggestion to use parameters - it will avoid this prompt altogether. And also to check what is missing in your machine's deps as it seems the latest checkov cannot be installed. Highly recommend using checkov's docker directly if you're not in the mood to debug this, too!

Related

AWS CodeBuild S3 cache for swift lambda

So I have some aws swift lambdas that I deployed via sam deploy. That works fine.
The swift lambda looks like this: aws-samples
I am currently in the middle of building a CI/CD pipeline using Codepipeline and Codebuild. My Codebuild project executes the following buildspec.yml and is configured to cache to S3:
version: 0.2
phases:
  build:
    commands:
      - sam build
      - sam package -t template.yml --s3-bucket bucketName --output-template-file packaged.yaml
artifacts:
  files:
    - packaged.yaml
cache:
  paths:
    - ".aws-sam/**/*"
To build the swift lambdas, sam build executes the following makefile, as the function in template.yml is set to: BuildMethod: makefile
Makefile:
### Add functions here and link them to builder-bot format MUST BE "build-FunctionResourceName in template.yaml"
build-ExpiredMediaItemProcessorLambda: builder-bot
builder-bot:
	$(eval $@PRODUCT = $(subst build-,,$(MAKECMDGOALS)))
	$(eval $@BUILD_DIR = $(PWD)/.aws-sam/build-$($@PRODUCT))
	$(eval $@STAGE = $($@BUILD_DIR)/lambda)
	$(eval $@ARTIFACTS_DIR = $(PWD)/.aws-sam/build/$($@PRODUCT))
	# prep directories
	mkdir -p $($@BUILD_DIR)/lambda $($@ARTIFACTS_DIR)
	# Compile application
	swift build --product $($@PRODUCT) -c release --build-path $($@BUILD_DIR)
	# copy deps
	ldd '/$($@BUILD_DIR)/release/$($@PRODUCT)' | grep swift | cut -d' ' -f3 | xargs cp -Lv -t /$($@BUILD_DIR)/lambda
	# copy binary to stage
	cp $($@BUILD_DIR)/release/$($@PRODUCT) $($@BUILD_DIR)/lambda/bootstrap
	# copy app from stage to artifacts dir
	cp $($@STAGE)/* $($@ARTIFACTS_DIR)
I got the makefile from the linked aws-samples project above which I modified slightly to work on codebuild.
Now to my question: How do I get codebuild S3 cache to work with swift lambdas?
When I cache the .aws-sam/**/* folder, swift cannot compile because the build paths are different due to the different build machines. The error looks like so:
swift build --product LambdaName -c release --build-path /codebuild/output/src409372700/src/.swift-build/build-LambdaName
[1/863] Compiling CSotoExpat xmltok_impl.c
[2/863] Compiling CSotoExpat xmltok_ns.c
[3/865] Compiling INIParser INIParser.swift
<unknown>:0: error: PCH was compiled with module cache path '.aws-sam/build-LambdaName/x86_64-unknown-linux-gnu/release/ModuleCache/1LD7OVICEM9JB', but the path is currently '/codebuild/output/src409372700/src/.aws-sam/build-LambdaName/x86_64-unknown-linux-gnu/release/ModuleCache/1LD7OVICEM9JB'
<unknown>:0: error: missing required module 'SwiftShims'
[4/865] Compiling Logging Locks.swift
<unknown>:0: error: PCH was compiled with module cache path '.aws-sam/build-LambdaName/x86_64-unknown-linux-gnu/release/ModuleCache/1LD7OVICEM9JB', but the path is currently '/codebuild/output/src409372700/src/.aws-sam/build-LambdaName/x86_64-unknown-linux-gnu/release/ModuleCache/1LD7OVICEM9JB'
<unknown>:0: error: missing required module 'SwiftShims'
As far as I understand this is due to the fact that swift build cannot cope with a changing or relative path.
After some digging I found this stack overflow post which has a similar problem. I tried their solution and the swift compile error is gone, but after a rebuild swift compiles the entire project again even if no code was changed.
Any help is much appreciated!
Thanks!

gcloud update components - permission denied on file ...\kuberun_licenses\LICENSES.txt

Start updating gcloud:
Your current Cloud SDK version is: 321.0.0
You will be upgraded to version: 322.0.0
┌──────────────────────────────────────────────────┐
│ These components will be updated. │
├──────────────────────────┬────────────┬──────────┤
│ Name │ Version │ Size │
├──────────────────────────┼────────────┼──────────┤
│ Cloud SDK Core Libraries │ 2021.01.05 │ 16.1 MiB │
│ Kuberun │ 0.0.1 │ 20.6 MiB │
└──────────────────────────┴────────────┴──────────┘
I get error:
╠═ Uninstalling: Cloud SDK Core Libraries ═╣
╠════════════════════════════════════════════════════════════╣
╠═ Uninstalling: Kuberun ═╣
ERROR: (gcloud.components.update) Отказано в доступе: [C:\Users\USER_NAME\AppData\Local\Google\ct4j-cloud-sdk\LATEST\google-cloud-sdk.staging\platform\kuberun_licenses\LICENSES.txt]
Ensure you have the permissions to access the file and that the file is not in use.
Env: Win10
I tried from the IDEA App Engine plugin.
I tried from CMD with admin privileges.
Same error.
How to update this?
Maybe you can disable Kuberun? I use only App Engine.
I solved this issue by removing the folder kuberun_licenses from google-cloud-sdk\platform path. Not the one with .staging.
It looks like this is a known issue: https://status.cloud.google.com/incident/support/21001
Here is the workaround provided at that link:
Please run the following commands in a PowerShell window:
$gcloudDir = Get-Command gcloud | Select -ExpandProperty "Source" | Split-Path | Split-Path
attrib -r "$gcloudDir\platform\kuberun_licenses\*.*" /s
attrib -r "$gcloudDir\lib\kuberun\*.*" /s
attrib -r "$gcloudDir\..\google-cloud-sdk.staging\platform\kuberun_licenses\*.*" /s
attrib -r "$gcloudDir\..\google-cloud-sdk.staging\lib\kuberun\*.*" /s
Remove-Item "$gcloudDir\..\google-cloud-sdk.staging" -Recurse
If any of the commands fail, proceed with running the remaining
commands.
After running the PowerShell script, run the following in a regular
Command Prompt (not PowerShell):
gcloud components update --version 320.0.0
Please note, after applying this workaround, do not run 'gcloud
components update' as this will re-trigger the issue. Please wait
until the fix is released before updating components.
I found a solution only with a full reinstall:
exit idea
rename folder C:\Users\Step\AppData\Local\Google\ct4j-cloud-sdk -> _ct4j-cloud-sdk
run idea
start gradle -> downloadCloudSDK
delete folder _ct4j-cloud-sdk
profit
Here is what I did,
On Win10, I went to
C:\Users\{your user name}\AppData\Local\Google
removed dir ct4j-cloud-sdk
And ran:
mvn appengine:deploy
This solved the issue for me
For Eclipse,
Exit the Eclipse.
Remove the ct4j-cloud-sdk folder from gCloud installed dir.
Open the Eclipse and Deploy.
In a windows file browser, watch file
C:\Program Files (x86)\Google\Cloud SDK\google-cloud-sdk.staging\platform\kuberun_licenses\LICENSES.txt
during the gcloud components update process. It will disappear then re-appear. When it does, right click on properties and uncheck Read Only then select Ok, then confirm the administrator pop-up. You must do this quickly or have some way of slowing the update script.
Nothing else worked. This does. Good luck.
New Date. New version. New Google Cloud trouble ... crap...
Your current Cloud SDK version is: 322.0.0
You will be upgraded to version: 323.0.0
| These components will be updated. |
+--------------------------+------------+----------+
| Name | Version | Size |
+--------------------------+------------+----------+
| Cloud SDK Core Libraries | 2021.01.08 | 16.1 MiB |
| Kuberun | 0.0.1 | 20.6 MiB |
| gcloud cli dependencies | 2021.01.08 | 10.7 MiB |
+--------------------------+------------+----------+
gcloud crashed (Error): [('C:\\Users\\USER_NAME\\AppData\\Local\\Google\\ct4j-cloud-sdk\\LATEST\\google-cloud-sdk\\platform\\gsutil\\third_party\\funcsigs\\docs\\index.rst', 'C:\\Users\\USER_NAME\\AppData\\Local\\Google\\ct4j-cloud-sdk\\LATEST\\google-cloud-sdk.staging\\platform\\gsutil\\third_party\\funcsigs\\docs\\index.rst', 'symbolic link privilege not held'), ('C:\\Users\\USER_NAME\\AppData\\Local\\Google\\ct4j-cloud-sdk\\LATEST\\google-cloud-sdk\\platform\\gsutil\\third_party\\mock\\docs\\changelog.txt', 'C:\\Users\\USER_NAME\\AppData\\Local\\Google\\ct4j-cloud-sdk\\LATEST\\google-cloud-sdk.staging\\platform\\gsutil\\third_party\\mock\\docs\\changelog.txt', 'symbolic link privilege not held')]
damn the updates, what to do with it, I lose one day a week with them ...

Cannot run VSCode source code because its unable to find electron app in directory

Overview:
When I attempt to run VSCode with the instructions given in the contributions page to download all the packages, build the source code, and then run it all on the terminal, an error message pops up saying that I don't have the electron app in the vscode directory. Shouldn't the electron app have been installed when I ran the yarn command to install and build all the dependencies?
Steps to reproduce the bug:
$ yarn //building and installing all dependencies
$ yarn watchd //building vscode
$ ./scripts/code.sh //running vscode
Error Message:
Error launching app
Unable to find Electron app at /home/juan/Desktop/Projects/vscode
Cannot find module '/home/juan/Desktop/Projects/vscode/out/main'. Please verify that the package.json has a valid "main" entry
System Details:
CPUs | Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz (4 x 3200)
-- | --
GPU Status | 2d_canvas: unavailable_software; flash_3d: disabled_software; flash_stage3d: disabled_software; flash_stage3d_baseline: disabled_software; gpu_compositing: disabled_software; multiple_raster_threads: enabled_on; oop_rasterization: disabled_off; protected_video_decode: disabled_off; rasterization: disabled_software; skia_renderer: disabled_off_ok; video_decode: disabled_software; viz_display_compositor: enabled_on; viz_hit_test_surface_layer: disabled_off_ok; webgl: unavailable_software; webgl2: unavailable_software
Load (avg) | 1, 1, 1
Memory (System) | 7.63GB (0.12GB free)
Process Argv | . --no-sandbox
Screen Reader | no
VM | 0%
OS|Ubuntu 18.04 LTS
Extensions:
Extension | Author (truncated) | Version
-- | -- | --
Bookmarks | ale | 11.2.0
vscode-sqlite | ale | 0.8.2
code-gnu-global | aus | 0.2.2
npm-intellisense | chr | 1.3.0
vscode-svgviewer | css | 2.0.0
vscode-markdownlint | Dav | 0.36.0
jshint | dba | 0.10.21
vscode-eslint | dba | 2.1.5
vscode-html-css | ecm | 0.2.3
EditorConfig | Edi | 0.15.1
vscode-npm-script | eg2 | 0.3.12
vscode-firefox-debug | fir | 2.8.0
beautify | Hoo | 1.5.0
vscode-emacs-friendly | lfs | 0.9.0
rainbow-csv | mec | 1.7.0
python | ms- | 2020.5.80290
cpptools | ms- | 0.28.2
debugger-for-chrome | msj | 4.12.8
sqltools | mtx | 0.22.5
material-icon-theme | PKi | 4.1.0
rust | rus | 0.7.8
lc2k | vio | 1.1.1
Here is the bug report I filled in the vscode github page: https://github.com/microsoft/vscode/issues/99537
I got this same error myself when the code did not build correctly.
In your second step you do:
yarn watchd
I tried this command myself, but ran into the same issue that you have stated here. Although the official wiki suggests this as a tip, I would just ignore it.
Instead, do either of these (this is what the official wiki originally suggests):
Type: Ctrl + Shift + B
Or alternatively use the Command Palette:
Type: Ctrl + Shift + P
Search for the option called: Tasks: Run Build Task and select it.
Once you start the build task you'll see a couple of things:
Firstly, at the bottom of VS Code (on your status line), VS Code will let you know the code is building.
Secondly, the build command will open two terminals:
Task - Build VS Code
Task - Build VS Code Extensions
Watch the output of both terminals and make sure:
Task - Build VS Code terminal outputs: [some time] Finished compilation ...
and
Task - Build VS Code Extensions terminal outputs: [some time] Finished compilation extensions ...
If not and the build fails, you'll probably get a notification from VS code saying so (You'll probably get the error twice, one for each task):
yarn ... exited with code [some non-zero integer]
A common error that may occur is the ENOSPC error from inotify (also documented well in a medium blog). You'll want to issue this command:
echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
Arch users would issue:
echo fs.inotify.max_user_watches=524288 | sudo tee /etc/sysctl.d/40-max-user-watches.conf && sudo sysctl --system
After fixing this, trying to build again should work. Start the build task again and make sure both tasks succeed. (You'll notice that the tasks do not end after they succeed. This is because they will watch for changes you make in the code while developing and automatically recompile for you).
If successful you may finally issue:
./scripts/code.sh
A new instance of VS Code should open called: Code - OSS dev. This is the version of VS Code you just built.

Core dump while running 'rake rails:update:bin' during Rails 4 upgrade

I'm upgrading an existing Rails 3.2 application to Rails 4. I'm using ruby 1.9.3p429 (2013-05-15 revision 40747) [x86_64-linux] through rbenv, on Ubuntu 13.04. I was using the '--binstubs' option with Rails 3.2. During the upgrade, I:
upgraded Rails to Rails 4.0.0
upgraded the Gemfile with the latest Rails 4 equivalent gems
ran 'bundle config --delete bin && rm -rf bin'
Running 'rake rails:update:bin' core dumps with the top few lines being:
/home/user/projects/proj_name/.bundle/gems/activesupport-4.0.0/lib/active_support/dependencies.rb:228: [BUG] Segmentation fault
ruby 1.9.3p429 (2013-05-15 revision 40747) [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0039 p:---- s:0128 b:0128 l:000127 d:000127 CFUNC :require
c:0038 p:0010 s:0124 b:0124 l:000116 d:000123 BLOCK /home/user/projects/proj_name/.bundle/gems/activesupport-4.0.0/lib/active_support/dependencies.rb:228
c:0037 p:0071 s:0122 b:0122 l:000121 d:000121 METHOD /home/user/projects/proj_name/.bundle/gems/activesupport-4.0.0/lib/active_support/dependencies.rb:213
/home/user/projects/proj_name/.bundle/gems/activesupport-4.0.0/lib/active_support/dependencies.rb:228: [BUG] Segmentation fault
ruby 1.9.3p429 (2013-05-15 revision 40747) [x86_64-linux]
Given the size of the Gem and error output, I have created a gist at https://gist.github.com/grcarey/6109181, that contains the Gemfile and the output from the rake command.
Some ideas on solving this would be greatly appreciated.
---------- Update -----------
Running the command with 'ruby 1.9.3p392 (2013-02-22 revision 39386) [x86_64-linux]' gives the following few lines in the error output:
-- Control frame information -----------------------------------------------
c:0039 p:---- s:0128 b:0128 l:000127 d:000127 CFUNC :require
c:0038 p:0010 s:0124 b:0124 l:000116 d:000123 BLOCK /home/user/projects/proj_name/.bundle/gems/activesupport-4.0.0/lib/active_support/dependencies.rb:228
c:0037 p:0071 s:0122 b:0122 l:000121 d:000121 METHOD /home/user/projects/proj_name/.bundle/gems/activesupport-4.0.0/lib/active_support/dependencies.rb:213
c:0036 p:0019 s:0117 b:0117 l:000116 d:000116 METHOD /home/user/projects/proj_name/.bundle/gems/activesupport-4.0.0/lib/active_support/dependencies.rb:228
c:0035 p:0011 s:0112 b:0112 l:000111 d:000111 TOP /home/user/projects/proj_name/.bundle/gems/nokogiri-1.6.0/lib/nokogiri/xml.rb:1
c:0034 p:---- s:0110 b:0110 l:000109 d:000109 FINISH
Segmentation fault
ruby 1.9.3p392 (2013-02-22 revision 39386) [x86_64-linux]
Problem solved.
I had been using the bundle binstubs option in Rails 3.2 and I hadn't deleted the project's bundle and bin dirs prior to the upgrade.
After deleting these dirs and re-running bundle install, then running rake rails:update:bin the problem was solved.

Calling sem_open on Solaris as ordinary user

This call fails on Solaris with EACCES when run as an ordinary user:
sem_open(fileName.c_str(), O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO, 1);
When the process is started as root, it runs fine. Is this expected behavior?
Environment:
$ uname -a
SunOS solaris 5.11 11.0 i86pc i386 i86pc
$ g++ --version
g++ (GCC) 4.5.2
At the command line try:
prctl $$
These are the system enforced resource limits your process has. Note there are
process.max-sem-ops
process.max-sem-nsems
project.max-sem-ids
These are limits that have a number; if you do not see them (or the limits are already reached) then you have to add them to your account's profile with projadd, or increase them with projmod if your project already exists.
If you cannot do this (no root access) consult with your sysadmin, s/he probably has some reason for not allowing semaphore access.
Note carefully:
Semaphores are kernel persistent. If you ran your code a bunch of times the semaphores you created are likely still out there.
To see existing semaphores try ipcs -as
To remove lingering semaphores that your code should have removed use ipcrm
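The two points above (reacting to the specific sem_open failure, and cleaning up a named semaphore that would otherwise persist after the process exits) as an added example that is not code from the question or the answers. It assumes a POSIX system with named semaphores (Linux or Solaris); the semaphore name is constructed for the demo. Unlike the S_IRWXU | S_IRWXG | S_IRWXO mode in the question, which lets any local user post or wait on the semaphore, it creates the semaphore owner-only.

```c
#include <errno.h>
#include <fcntl.h>
#include <semaphore.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Result codes returned by open_named_sem(), so the caller can tell a
 * permission problem (the EACCES case from the question) from other errors. */
enum sem_status { SEM_OK = 0, SEM_ERR_ACCESS = 1, SEM_ERR_OTHER = 2 };

/* Create-or-open a named counting semaphore with mode 0600 (owner only).
 * On failure *err_out receives errno and *out is set to NULL. */
static enum sem_status open_named_sem(const char *name, unsigned value,
                                      sem_t **out, int *err_out)
{
    sem_t *s = sem_open(name, O_CREAT, S_IRUSR | S_IWUSR, value);
    if (s == SEM_FAILED) {
        *err_out = errno;
        *out = NULL;
        return errno == EACCES ? SEM_ERR_ACCESS : SEM_ERR_OTHER;
    }
    *out = s;
    *err_out = 0;
    return SEM_OK;
}

/* Named semaphores outlive the process, so close the handle AND unlink the
 * name; otherwise the next run finds the old one. Returns 0 when both succeed. */
static int cleanup_named_sem(const char *name, sem_t *s)
{
    int rc = 0;
    if (s != NULL && sem_close(s) != 0) rc = -1;
    if (sem_unlink(name) != 0) rc = -1;
    return rc;
}

/* Probe for a lingering name: sem_open without O_CREAT fails with ENOENT
 * once the name is gone. Returns 1 if present, 0 if absent, -1 on other error. */
static int named_sem_exists(const char *name)
{
    sem_t *s = sem_open(name, 0);
    if (s == SEM_FAILED) return errno == ENOENT ? 0 : -1;
    sem_close(s);
    return 1;
}

int main(void)
{
    const char *name = "/example_sem_demo";  /* constructed name for the demo */
    sem_t *s;
    int err;
    if (open_named_sem(name, 1, &s, &err) != SEM_OK) {
        fprintf(stderr, "sem_open(%s): %s\n", name, strerror(err));
        return 1;
    }
    printf("created %s, exists=%d\n", name, named_sem_exists(name));
    cleanup_named_sem(name, s);
    printf("after unlink, exists=%d\n", named_sem_exists(name));
    return 0;
}
```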