diff --git a/.copywrite.hcl b/.copywrite.hcl index d63be9c..99d96b2 100644 --- a/.copywrite.hcl +++ b/.copywrite.hcl @@ -3,7 +3,7 @@ schema_version = 1 project { license = "MPL-2.0" copyright_holder = "Mondoo, Inc." - copyright_year = 2023 + copyright_year = 2024 # (OPTIONAL) A list of globs that should not have copyright/license headers. # Supports doublestar glob patterns for more flexibility in defining which diff --git a/.github/actions/spelling/README.md b/.github/actions/spelling/README.md new file mode 100644 index 0000000..562091e --- /dev/null +++ b/.github/actions/spelling/README.md @@ -0,0 +1,15 @@ +# check-spelling/check-spelling configuration + +| File | Purpose | Format | Info | +| -------------------------------------------------- | --------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | +| [allow.txt](allow.txt) | Add words to the dictionary | one word per line (only letters and `'`s allowed) | [allow](https://github.com/check-spelling/check-spelling/wiki/Configuration#allow) | +| [reject.txt](reject.txt) | Remove words from the dictionary (after allow) | grep pattern matching whole dictionary words | [reject](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-reject) | +| [excludes.txt](excludes.txt) | Files to ignore entirely | perl regular expression | [excludes](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-excludes) | +| [only.txt](only.txt) | Only check matching files (applied after excludes) | perl regular expression | [only](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-only) | +| [patterns.txt](patterns.txt) | Patterns to ignore from checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) | +| [line_forbidden.patterns](line_forbidden.patterns) | Patterns to flag in checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns) | +| [expect.txt](expect.txt) | Expected words that aren't in the dictionary | one word per line (sorted, alphabetically) | [expect](https://github.com/check-spelling/check-spelling/wiki/Configuration#expect) | +| [advice.md](advice.md) | Supplement for GitHub comment when unrecognized words are found | GitHub Markdown | [advice](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice) | + +Note: you can replace any of these files with a directory by the same name (minus the suffix) +and then include multiple files inside that directory (with that suffix) to merge multiple files together. diff --git a/.github/actions/spelling/advice.md b/.github/actions/spelling/advice.md new file mode 100644 index 0000000..cea808b --- /dev/null +++ b/.github/actions/spelling/advice.md @@ -0,0 +1,23 @@ + +
If the flagged items are false positives + +If items relate to a ... + +- binary file (or some other file you wouldn't want to check at all). + + Please add a file path to the `excludes.txt` file matching the containing file. + + File paths are Perl 5 Regular Expressions - you can [test](https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your files. + + `^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude README.md (on whichever branch you're using). + +- well-formed pattern. + + If you can write a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it, + try adding it to the `patterns.txt` file. + + Patterns are Perl 5 Regular Expressions - you can [test](https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines. + + Note that patterns can't match multiline strings. + +
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt new file mode 100644 index 0000000..e69de29 diff --git a/.github/actions/spelling/excludes.txt b/.github/actions/spelling/excludes.txt new file mode 100644 index 0000000..5977f03 --- /dev/null +++ b/.github/actions/spelling/excludes.txt @@ -0,0 +1,83 @@ +# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-excludes +(?:^|/)(?i)COPYRIGHT +(?:^|/)(?i)LICEN[CS]E +(?:^|/)3rdparty/ +(?:^|/)go\.sum$ +(?:^|/)package(?:-lock|)\.json$ +(?:^|/)Pipfile$ +(?:^|/)pyproject.toml +(?:^|/)requirements(?:-dev|-doc|-test|)\.txt$ +(?:^|/)vendor/ +ignore$ +\.a$ +\.ai$ +\.all-contributorsrc$ +\.avi$ +\.bmp$ +\.bz2$ +\.cer$ +\.class$ +\.coveragerc$ +\.crl$ +\.crt$ +\.csr$ +\.dll$ +\.docx?$ +\.drawio$ +\.DS_Store$ +\.eot$ +\.eps$ +\.exe$ +\.gif$ +\.git-blame-ignore-revs$ +\.gitattributes$ +\.gitkeep$ +\.graffle$ +\.gz$ +\.icns$ +\.ico$ +\.ipynb$ +\.jar$ +\.jks$ +\.jpe?g$ +\.key$ +\.lib$ +\.lock$ +\.map$ +\.min\.. +\.mo$ +\.mod$ +\.mp[34]$ +\.o$ +\.ocf$ +\.otf$ +\.p12$ +\.parquet$ +\.pdf$ +\.pem$ +\.pfx$ +\.png$ +\.psd$ +\.pyc$ +\.pylintrc$ +\.qm$ +\.s$ +\.sig$ +\.so$ +\.svgz?$ +\.sys$ +\.tar$ +\.tgz$ +\.tiff?$ +\.ttf$ +\.wav$ +\.webm$ +\.webp$ +\.woff2?$ +\.xcf$ +\.xlsx?$ +\.xpm$ +\.xz$ +\.zip$ +^\.github/actions/spelling/ +^\Q.github/workflows/spelling.yml\E$ diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt new file mode 100644 index 0000000..472255c --- /dev/null +++ b/.github/actions/spelling/expect.txt @@ -0,0 +1,8 @@ +openssl +pkey +pubexp +pubout +rangerguard +roundtrip +topk +twrip diff --git a/.github/actions/spelling/line_forbidden.patterns b/.github/actions/spelling/line_forbidden.patterns new file mode 100644 index 0000000..20dbc91 --- /dev/null +++ b/.github/actions/spelling/line_forbidden.patterns @@ -0,0 +1,671 @@ +# Detect common combinations of valid words that are in fact invalid. +# Useful for brand capitalizations + +# +# Catch placeholder text +# + +\b[Ll]orem [Ii]psum\b + +# +# Terms to avoid +# + +# s.b. Allow list +\s[Ww]hitelist\b +\s[Ww]hitelisting\b +\s[Ww]hitelisted\b +\s[Ww]hite list\b +\s[Ww]hite listing\b +\s[Ww]hite listed\b + +# s.b. Block list +\s[Bb]lacklist\b +\s[Bb]lacklisting\b +\s[Bb]lacklisted\b +\s[Bb]lack list\b +\s[Bb]lack listing\b +\s[Bb]lack listed\b + +# +# Our Terms +# + +# s.b. Mondoo Platform +\sthe Mondoo Platform\b +\sMondoo platform\b + +# s.b. Compliance Hub +\s[Cc]ompliance hub\b + +# +# Compliance Terms +# + +# s.b. SOC 2 +\bSOC2\b + +# s.b. ISO 270001 +\bISO270001\b + +# +# Industry Terms +# + +# s.b. Side scanning +\b[Ss]idescanning\b + +# s.b. DevOps +\bDev Ops\b +\bDevops\b + +# s.b. SaaS +\b[Ss]aas\b + +# s.b. Docker Hub +\bDocker[Hh]ub\b + +# s.b. REST API +\b[Rr]est API\b +\brest api\b + +# s.b. DevSecOps +\bDevsec[Oo]ps\b + +# s.b. on-premises +\bon-premise\b + +# s.b. email +\be-mail\b + +# s.b. APIs +\bapis\b + +# +# Product Names +# + +# s.b. Jira +\bJIRA\b + +# s.b. MariaDB +\bMaria DB\b +\bmariaDB\b +# \bmariaDb\b causes failures in MQL queries + +# s.b. PostgreSQL +\bPostgreSql\b + +# s.b. Firefox +\bFireFox\b + +# s.b. CentOS +\bCentos\b +\bCent OS\b +\bcentOS\b + +# s.b. macOS +\bOS X\b +\bMacOS\b +\bMac OS\b + +# s.b. Okta +\bOcta\b + +# s.b. Elasticsearch +\bElasticSearch\b + +# s.b. DocuSign +\bDocu Sign\b + +# s.b. DocuSign +\bDocu Sign\b + +# s.b. DocuSign +\bDocu Sign\b +\bDocusign\b + +# s.b. MongoDB +\bMongo DB\b +\bMongoDb\b + +# s.b. MySQL +\bMysql\b +\bMySql\b + +# s.b. OpenStack +\bOpen Stack\b +\bOpenstack\b + +# s.b. Red Hat +\bRedHat\b +\bRedhat\b + +# s.b. EuroLinux +\bEurolinux\b +\bEuro Linux\b + +# s.b. AlmaLinux +\bAlma Linux\b + +# s.b. openSUSE +\bOpenSUSE\b + +# s.b. openSUSE +\bopenSuse\b + +# s.b. CircleCI +\bCircleCi\b +\bCircle CI\b + +# s.b. AppArmor +\bApparmor\b +\bApp Armor\b + +# s.b. SELinux +\bSeLinux\b +\bSelinux\b + +# s.b. InSpec +\b[Ii]nspec\b + +# s.b. GitHub +\bGithub\b + +# s.b. GitLab +\bGitlab\b + +# s.b. JavaScript +\bJavascript\b + +# s.b. OpenSSL +\bOpenssl\b +\bopenSSL\b + +# s.b. CloudBees +\b[Cc]loudbees\b + +# s.b. System76 +\bSystem 76\b + +# s.b. VirtualBox +\b[Vv]irtualbox\b +\bVirtual Box\b + +# s.b. SentinelOne +\bSentinal[Oo]ne\b +\bSentinelone\b +\bSentinal One\b + +# s.b. CrowdStrike +\bCrowd Strike\b +\b[Cc]rowdstrike\b + +# +# Kubernetes Terms +# + +# s.b. DaemonSet +\bDaemonset\b + +# s.b. Dockershim +\bDockerShim\b +\bdockershim\b + +# s.b. LimitRange +\bLimitrange\b + +# s.b. Minikube +\bMiniKube\b + +# s.b. ReplicaSet +\bReplicaset\b + +# s.b. StatefulSet +\bStatefulset\b + +# +# HashiCorp Products +# + +# s.b. HashiCorp +\bHashicorp\b + +# s.b. Terraform +\bTerraForm\b + +# s.b. Vagrantfile +\bVagrant file\b +\bVagrantFile\b + +# +# Microsoft Products +# + +# s.b. Microsoft +\bMicroSoft\b + +# s.b. PowerPoint +\bPower Point\b +\bPowerpoint\b + +# s.b. OneNote +\bOne Note\b +\bOnenote\b + +# s.b. Windows Server +\bWindows server\b + +# s.b. Team Foundation Server +\bTeam foundation server\b +\bteam foundation server\b + +# s.b. Active Directory +\bActive directory\b +\bactive directory\b + +# s.b. Group Policy Object +\bGroup policy object\b +\bgroup policy object\b +\bGroup Policy object\b + +# s.b. Power BI +\bPowerBI\b + +# s.b. SharePoint +\bSharepoint\b +\bShare Point\b + +# s.b. BitLocker +\bBitlocker\b +\bbitLocker\b + +# s.b. VS Code +\bVSCode\b +\bVScode\b + +# s.b. LinkedIn +\bLinked In\b +\bLinkedin\b + +# +# VMware Products +# + +# s.b. VMware +\bVmware\b +\bVMWare\b + +# s.b. vCenter +\bVcenter\b +\bVCenter\b + +# s.b. vSphere +\bVsphere\b +\bVSphere\b + +# s.b. ESXi +\bEsxi\b + +# +# AWS Products +# + +# s.b. App2Container +\bApp2container\b + +# s.b. AppFlow +\bAppflow\b + +# s.b. AppSync +\bAppsync\b + +# s.b. CloudEnsure +\bCloudensure\b + +# s.b. CloudFormation +\bCloudformation\b +\bCloud Formation\b + +# s.b. CloudFront +\bCloudfront\b + +# s.b. CloudHSM +\bCloud[Hh]sm\b + +# s.b. CloudSearch +\bCloudsearch\b + +# s.b. CloudShell +# we can't check for Cloud Shell since that's what Azure calls it +\bCloudshell\b +\bcloudshell\b + +# s.b. CloudTrail +\bCloudtrail\b + +# s.b. CloudWatch +\bCloudwatch\b + +# s.b. CodeArtifact +\bCodeartifact\b + +# s.b. CodeBuild +\bCodebuild\b + +# s.b. CodeCommit +\bCodecommit\b + +# s.b. CodeDeploy +\bCodedeploy\b + +# s.b. CodeGuru +\bCodeguru\b + +# s.b. CodePipeline +\bCodepipeline\b + +# s.b. CodeStar +\bCodestar\b + +# s.b. AWS Config +\bAWS config\b + +# s.b. Copilot +\bCoPilot\b + +# s.b. DeepRacer +\bDeepracer\b + +# s.b. DocumentDB +\bDocument DB\b +\bDocumentDb\b + +# s.b. DynamoDB +\bDynamo DB\b +\bDynamoDb\b + +# s.b. ElastiCache +\bElasticache\b + +# s.b. EventBridge +\bEventbridge\b + +# s.b. Fargate +\bFarGate\b +\bFar Gate\b + +# s.b. FinSpace +\bFinSpace\b + +# s.b. FSx +\bFSX\b + +# s.b. GameLift +\bGamelift\b + +# s.b. GuardDuty +\bGuardduty\b + +# s.b. Honeycode +\bHoneyCode\b + +# s.b. Lambda +\bLamba\b + +# s.b. Lightsail +\bLightSail\b + +# s.b. MXNet +\bMxnet\b +\bMXnet\b + +# s.b. OpenSearch +\bOpensearch\b + +# s.b. OpenShift +\bOpenshift\b + +# s.b. PrivateLink +\bPrivatelink\b + +# s.b. QuickSight +\bQuicksight\b + +# s.b. Redshift +\bRedShift\b + +# s.b. RoboMaker +\bRobomaker\b + +# s.b. Route 53 +\bRoute53\b + +# s.b. SageMaker +\bSagemaker\b + +# s.b. SiteWise +\bSitewise\b + +# s.b. StackSets +\bStacksets\b + +# s.b. WorkDocs +\bWorkdocs\b + +# s.b. WorkMail +\bWorkmail\b + +# +# GCP Products +# + +# s.b. AlloyDB +\bAlloy DB\b + +# s.b. AppEngine +\bApp Engine\b + +# s.b. BigLake +\bBig Lake\b + +# s.b. BigQuery +\bBig Query\b + +# s.b. Cloud Build +\bCloudBuild\b +\bCloud build\b + +# s.b. Cloud CDN +\bCloudCDN\b + +# s.b. Cloud Functions +\bCloud functions\b + +# s.b. Cloud Run +\bCloudRun\b +\bCloud run\b + +# s.b. Cloud SQL +\bCloudSQL\b + +# s.b. Compute Engine +\bComputeEngine\b +\bCompute engine\b + +# s.b. Dataplex +\bDataPlex\b + +# s.b. Datastream +\bDataStream\b +\bData Stream\b + +# s.b. Dialogflow +\bDialogFlow\b + +# s.b. Firestore +\bFireStore\b + +# s.b. gVNIC +\bGVNIC\b + +# s.b. Knative +\bKNative\b + +# s.b. Memorystore +\bMemoryStore\b +\bMemory Store\b + +# s.b. Pub/Sub +\bPubSub\b + +# s.b. TensorFlow +\bTensor Flow\b + +# s.b. Vertex AI +\bVertexAI\b + +# s.b. VMware Engine +\bVMware engine\b +\bVMWare Engine\b + +# +# Azure Products +# + +# s.b. Azure Pipelines +\bAzure DevOps Pipelines\b + +# s.b. Key Vault +\bKey vault\b +\bKeyVault\b + +# s.b. Ampere +\bampere\b + +# s.b. Azure DevOps Server +\bAzure DevOps server\b + +# s.b. Synapse Analytics +\bSynapse analytics\b +\bsynapse analytics\b + +# s.b. Cognitive Services +\bCognitive services\b +\bcognitive services\b + +# s.b. Event Hubs +\bEvent hubs\b +\bevent hubs\b + +# s.b. CloudOps +\bCloud Ops\b +\bCloud ops\b +\bcloud ops\b + +# s.b. Batch Service +\bBatch service\b +\bbatch service\b + +# s.b. Service Fabric Cluster +\bservice fabric cluster\b + +# s.b. Azure Kubernetes Service +\bAzure Kubernetes service\b + +# s.b. Cosmos DB +\bCosmosDB\b +\bCosmoDB\b +\bCosmo DB\b + +# s.b. SignalR Service +\bSignalR service\b +\bSignal R Service\b + +# s.b. App Service Certificate +\bapp service certificate\b + +# s.b. Privileged Identity Management +\bprivileged identity management\b + +# s.b. BizTalk Service +\bBizTalk service\b +\bBiztalk service\b +\bBiz Talk service\b +\bBiz Talk Service\b + +# s.b. Data Box +\bdata box\b + +# s.b. Database Migration Service +\bdatabase migration service\b + +# s.b. Internet Analyzer +\bInternet analyzer\b +\binternet analyzer\b + +# s.b. Web Application Firewall +\bWeb application firewall\b +\bweb Application Firewall\b + +# s.b. SQL Vulnerability Assessment +\bSQL vulnerability assessment\b + +# s.b. StorSimple +\bStor Simple\b + +# +# Common Typos +# + +# s.b. another +\ban[- ]other\b + +# s.b. greater than +\bgreater then\b + +# s.b. less than +\bless then\b + +# s.b. otherwise +\bother[- ]wise\b + +# s.b. nonexistent +\bnon existing\b +\b[Nn]o[nt][- ]existent\b + +# s.b. preexisting +[Pp]re-existing + +# s.b. preempt +[Pp]re-empt\b + +# s.b. preemptively +[Pp]re-emptively + +# s.b. reentrancy +[Rr]e-entrancy + +# s.b. reentrant +[Rr]e-entrant + +# s.b. policies +[Pp]olices + +# s.b. ID +# \bId\b # disabled in this repo due to false positives + +# s.b. CSV +\bCVS\b + +# Reject duplicate words +\s([A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})\s\g{-1}\s + +# s.b. it's or its +\bits['’] + +# s.b. understand +\bunder stand\b + +# find spaces before a comma +( )+, diff --git a/.github/actions/spelling/only.txt b/.github/actions/spelling/only.txt new file mode 100644 index 0000000..cfa27f7 --- /dev/null +++ b/.github/actions/spelling/only.txt @@ -0,0 +1 @@ +\.md$ diff --git a/.github/actions/spelling/patterns.txt b/.github/actions/spelling/patterns.txt new file mode 100644 index 0000000..caeb662 --- /dev/null +++ b/.github/actions/spelling/patterns.txt @@ -0,0 +1,118 @@ +# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns + +# acceptable duplicates +# ls directory listings +[-bcdlpsw](?:[-r][-w][-sx]){3}\s+\d+\s+(\S+)\s+\g{-1}\s+\d+\s+ + +# Commit message -- Signed-off-by and friends +^\s*(?:(?:Based-on-patch|Co-authored|Helped|Mentored|Reported|Reviewed|Signed-off)-by|Thanks-to): (?:[^<]*<[^>]*>|[^<]*)\s*$ + +# Autogenerated revert commit message +^This reverts commit [0-9a-f]{40}\.$ + +# ignore long runs of a single character: +\b([A-Za-z])\g{-1}{3,}\b + +# ignore funky space IDs that blow up spell checking +api\.mondoo\.app\/.*\b +console\.mondoo\.com\/.*\b + +# azure subscription ID +[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12} + +# azure subscriptions URL +\/subscriptions\/\S* + +# docker container +\b[a-z,0-9]{12}\b + +# URLs in markdown links / images +]\(.*\) + +# Azure Key Vault Vault. It feels wrong, but it's technically right +Key Vault Vault + +# luna containers in scan output +\bluna/.*\b + +# this comes up in permissions and is valid +\broot root\b + +# AWS resources +(ami|subnet|vpc|sg|fs)-[0-9a-fA-F]{17} + +# http and https URLs +https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*) + +# registry key paths +HKEY_[\w\\]* + +# Container digests +\bsha256:\w* + +# mime types +\bapplication\/\S* + +# mql certificate IDs +certificate:\w* + +# ARN values +\barn:\S* + +# mac user dir path +\/Users\/\S* + +# AWS Token, ID access key, etc +aws_session_token\s+\=(\s+)?.+ +aws_access_key_id\s+\=(\s+)?.+ +aws_secret_access_key\s+\=(\s+)?.+ + +# PGP +\b(?:[0-9A-F]{4} ){9}[0-9A-F]{4}\b +# GPG keys +\b(?:[0-9A-F]{4} ){5}(?: [0-9A-F]{4}){5}\b + +# uuid +\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b + +# curl arguments +\b(?:\\n|)curl(?:\s+-[a-zA-Z]{1,2}\b)*(?:\s+-[a-zA-Z]{3,})(?:\s+-[a-zA-Z]+)* + +# set arguments +\bset(?:\s+-[abefimouxE]{1,2})*\s+-[abefimouxE]{3,}(?:\s+-[abefimouxE]+)* + +# tar arguments +\b(?:\\n|)g?tar(?:\.exe|)(?:(?:\s+--[-a-zA-Z]+|\s+-[a-zA-Z]+|\s[ABGJMOPRSUWZacdfh-pr-xz]+\b)(?:=[^ ]*|))+ + +# file permissions +['"`\s][-bcdLlpsw](?:[-r][-w][-Ssx]){2}[-r][-w][-SsTtx]\+?['"`\s] + +# score score is valid in MQL docs +score score + +# macOS temp folders +/var/folders/\w\w/[+\w]+/(?:T|-Caches-)/ + +# ssh +(?:ssh-\S+|-nistp256) [-a-zA-Z=;:\/0-9+]{12,} + +# kubernetes object suffix +-[0-9a-f]{10}-\w{5}\s + +# sed regular expressions +sed 's/(?:[^/]*?[a-zA-Z]{3,}[^/]*?/){2} + +# UNIX device paths +\/dev\/\w* + +# AWS RDS instance types +db.\w{2}.\w* + +# uuid +[<({"'>][0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[<'"})>] + +# rsa private keys +MII[BCEJ]\w* + +# UID in MQL policy +- uid: \S* diff --git a/.github/actions/spelling/reject.txt b/.github/actions/spelling/reject.txt new file mode 100644 index 0000000..804697b --- /dev/null +++ b/.github/actions/spelling/reject.txt @@ -0,0 +1,15 @@ +ad-hoc +^attache$ +^bellow$ +benefitting +occurences? +^dependan.* +^oer$ +Sorce +^[Ss]pae.* +^untill$ +^untilling$ +^wether.* +\w*(?