chore: Update Trivy Diagnostics (#293)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Author: vkhitrin

doc/BUILTINS.md

@@ -1779,7 +1779,7 @@ local sources = { null_ls.builtins.diagnostics.trivy }
 
 #### Defaults
 
-- Filetypes: `{ "terraform", "tf", "terraform-vars" }`
+- Filetypes: `{ "terraform", "tf", "terraform-vars", "helmfile", "dockerfile" }`
 - Method: `diagnostics_on_save`
 - Command: `trivy`
 - Args: dynamically resolved (see [source](https://github.com/nvimtools/none-ls.nvim/blob/main/lua/null-ls/builtins/diagnostics/trivy.lua))

doc/builtins.json

@@ -499,7 +499,9 @@
       "filetypes": [
         "terraform",
         "tf",
-        "terraform-vars"
+        "terraform-vars",
+        "helmfile",
+        "dockerfile"
       ]
     },
     "twigcs": {

lua/null-ls/builtins/_meta/diagnostics.lua

@@ -242,7 +242,7 @@ return {
     filetypes = {}
   },
   trivy = {
-    filetypes = { "terraform", "tf", "terraform-vars" }
+    filetypes = { "terraform", "tf", "terraform-vars", "helm", "dockerfile" }
   },
   twigcs = {
     filetypes = { "twig" }

lua/null-ls/builtins/_meta/filetype_map.lua

@@ -207,6 +207,9 @@ return {
     diagnostics = { "terragrunt_validate" },
     formatting = { "atlas_fmt", "hclfmt", "packer", "terragrunt_fmt" }
   },
+  helm = {
+    diagnostics = { "trivy" }
+  },
   html = {
     diagnostics = { "markuplint", "tidy" },
     formatting = { "prettier", "prettierd", "rustywind", "tidy" }
@@ -494,7 +497,7 @@ return {
     formatting = { "tidy", "xmllint" }
   },
   yaml = {
-    diagnostics = { "actionlint", "cfn_lint", "spectral", "vacuum", "yamllint" },
+    diagnostics = { "actionlint", "cfn_lint", "spectral", "vacuum", "yamllint", "trivy" },
     formatting = { "prettier", "prettierd", "yamlfix", "yamlfmt" }
   },
   ["yaml.ansible"] = {

lua/null-ls/builtins/diagnostics/trivy.lua

@@ -1,6 +1,5 @@
 local h = require("null-ls.helpers")
 local methods = require("null-ls.methods")
-local u = require("null-ls.utils")
 
 local DIAGNOSTICS_ON_SAVE = methods.internal.DIAGNOSTICS_ON_SAVE
 
@@ -12,14 +11,35 @@ local severities = {
     UNKNOWN = h.diagnostics.severities["information"],
 }
 
+-- NOTE: (vkhitrin) custom logic to derive the directory name for trivy execution:
+-- * If buffer is inside a helm chart, attempt to set the directory to the directory
+--   containing Chart.yaml.
+-- * Otherwise, set the directory to none-ls' '$DIRNAME'.
+local trivy_working_dir = function()
+    local filetype = vim.bo.filetype
+    if filetype == "helm" then
+        local dir = vim.fn.expand("%:p:h")
+        while dir ~= "/" do
+            local chart_path = dir .. "/Chart.yaml"
+            if vim.fn.filereadable(chart_path) == 1 then
+                return dir
+            end
+            dir = vim.fn.fnamemodify(dir, ":h")
+        end
+        return dir
+    else
+        return "$DIRNAME"
+    end
+end
+
 return h.make_builtin({
     name = "trivy",
     meta = {
         url = "https://github.com/aquasecurity/trivy",
         description = "Find misconfigurations and vulnerabilities",
     },
     method = DIAGNOSTICS_ON_SAVE,
-    filetypes = { "terraform", "tf", "terraform-vars" },
+    filetypes = { "terraform", "tf", "terraform-vars", "helm", "dockerfile" },
     generator_opts = {
         command = "trivy",
         timeout = 30000, -- Trivy can be slow, so increase timeout
@@ -29,7 +49,7 @@ return h.make_builtin({
                 "--format",
                 "json",
                 "--quiet",
-                "$DIRNAME",
+                trivy_working_dir(),
             }
 
             local config_file_path = vim.fs.find("trivy.yaml", {
@@ -55,8 +75,8 @@ return h.make_builtin({
         cwd = h.cache.by_bufnr(function(params)
             return vim.fs.dirname(params.bufname)
         end),
-        from_stderr = false, -- Trivy outputs logs to stderr that even --quiet doesn't silence
-        ignore_stderr = true,
+        from_stderr = true, -- https://github.com/aquasecurity/trivy/pull/2289
+        ignore_stderr = false,
         to_stdin = false,
         multiple_files = true,
         format = "json",
@@ -82,12 +102,14 @@ return h.make_builtin({
             for _, result in pairs(params.output.Results or {}) do
                 for _, misconfiguration in ipairs(result.Misconfigurations or {}) do
                     local rewritten_diagnostic = {
-                        message = misconfiguration.ID .. " - " .. misconfiguration.Title,
+                        code = misconfiguration.ID,
+                        message = misconfiguration.Title,
                         row = misconfiguration.CauseMetadata.StartLine,
+                        end_row = misconfiguration.CauseMetadata.EndLine,
                         col = 0,
                         source = "trivy",
                         severity = severities[misconfiguration.Severity],
-                        filename = u.path.join(params.cwd, result.Target),
+                        filename = result.Target,
                     }
                     table.insert(combined_diagnostics, rewritten_diagnostic)
                 end