plugin-validator

module

v0.7.3 Latest Latest Go to latest Published: Mar 1, 2023 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/grafana/plugin-validator

Links

Open Source Insights

README ¶

Grafana Plugin Validator

A tool for validating community plugins for publishing to Grafana.com.

The tool expects path to either a remote or a local ZIP archive.

Install

cd pkg/cmd/plugincheck2
go install

Run

Typically running the checker with default settings is the easiest method to see if there are issues with a plugin.

plugincheck2 -config config/default.yaml https://github.com/marcusolsson/grafana-jsonapi-datasource/releases/download/v0.6.0/marcusolsson-json-datasource-0.6.0.zip

To wrap the output with another tool (like the validator ui), running with the terse-json.yaml config can be used.

plugincheck2 -config config/terse-json.yaml https://github.com/marcusolsson/grafana-jsonapi-datasource/releases/download/v0.6.0/marcusolsson-json-datasource-0.6.0.zip

Verbose json output is available to show all checks made, with status for each.

plugincheck2 -config config/verbose-json.yaml https://github.com/marcusolsson/grafana-jsonapi-datasource/releases/download/v0.6.0/marcusolsson-json-datasource-0.6.0.zip

Configuration

You must pass a configuration file to the validator with the -config option. Several configuraton examples are available to use here https://github.com/grafana/plugin-validator/tree/main/config

Enabling and disabling analyzers via config

If you wish to disable an specific check (analyzer) you can define this in your configuration file adding an analyzers section and specyfing which analyzer or analyzer rules to enable and disable.

E.g.: disable the version analyzer

global:
  enabled: true
  jsonOutput: false
  reportAll: false

analyzers:
  version:
    enabled: false

You can also disable specific rules or change their severity level:

global:
  enabled: true
  jsonOutput: false
  reportAll: false

analyzers:
  readme:
    rules:
      missing-readme:
        enabled: true
        severity: warning

Severity levels could be: error, warning, ok

Please notice that Grafanalabs uses its own configuration for plugins submissions and your own config file can't change these rules.

Analyzers

The plugincheck tool runs a series of analyzers to ensure submitted plugins are following best practices, and speed up the process of approving a plugin for publishing.

Currently there are 20 different types of checks being performed, and are described below.

Archive Structure

Ensures the contents of the zip file have the expected layout.

Archive Name

The name of the archive should be correctly formatted.

Binary Permissions

For datasources and apps with binaries, this ensures the plugin can run when extracted on a system.

Broken Links

Detects if any url does not resolve to a valid location.

HTML in Readme

Detects if there are any html tags used in the README.md, as they will not render in the marketplace.

Developer Jargon

Generally discourage use of code jargon in the documentation.

Legacy Platform

License Type

Ensures the license type specified is allowed.

Manifest (Signing)

When a plugin is signed, the zip file will contain a signed MANIFEST.txt file.

Metadata Paths and Validity

Ensures all paths are valid and images referenced exist.

module.js (exists)

All plugins require a module.js to be loaded.

Organization exists

Verifies the org specified in the plugin id exists.

Plugin Name formatting

Validates the plugin id used conforms to our naming convention.

Readme (exists)

Ensures a README.md file exists within the zip file.

Restrictive Dependency

Specifies a valid range of Grafana that works with this version of the plugin.

Screenshots

Screenshots are specified in plugin.json that will be used in the marketplace.

Signature

Ensures the plugin has a valid signature.

Source Code (NEW!)

The source code URI matches the released code. A comparison is made between the zip file and the source code to ensure what is released matches the repo associated with it.

Unique README.md

Ensures the plugin does not re-use the template from the create-plugin tool.

No Tracking Scripts

Detects if there are any known tracking scripts, which are not allowed.

Type Suffix (panel/app/datasource)

Ensures the plugin has a valid type specified.

Version

Ensures the version submitted is newer than the currently published plugin. If this is a new/unpublished plugin, this is skipped.

Vulnerability Scanner

This analyzer leverages the OSV Scanner (https://github.com/google/osv-scanner) to detect critical vulnerabilities in go modules and yarn lock files.

Any critical vulnerability will cause the validation to fail and prevent a plugin from being published.

Source code must be provided for this analyzer to execute, and osv-scanner needs to be in your PATH for it to run.

Running this Analyzer

Default Usage:

plugincheck2 -config config/default.yaml -sourceCodeUri https://github.com/briangann/grafana-gauge-panel/archive/refs/tags/v0.0.9.zip https://github.com/briangann/grafana-gauge-panel/releases/download/v0.0.9/briangann-gauge-panel-0.0.9.zip

Example default output:

warning: README.md: possible broken link: https://www.d3js.org (404 Not Found)
detail: README.md might contain broken links. Check that all links are valid and publicly accesible.
warning: README.md contains developer jargon: (yarn)
detail: Move any developer and contributor documentation to a separate file and link to it from the README.md. For example, CONTRIBUTING.md, DEVELOPMENT.md, etc.
error: osv-scanner detected a critical severity issue
detail: SEVERITY: CRITICAL in package immer, vulnerable to CVE-2021-23436
error: osv-scanner detected a critical severity issue
detail: SEVERITY: CRITICAL in package json-schema, vulnerable to CVE-2021-3918
error: osv-scanner detected a critical severity issue
detail: SEVERITY: CRITICAL in package loader-utils, vulnerable to CVE-2022-37601
error: osv-scanner detected a critical severity issue
detail: SEVERITY: CRITICAL in package minimist, vulnerable to CVE-2021-44906
error: osv-scanner detected a critical severity issue
detail: SEVERITY: CRITICAL in package shell-quote, vulnerable to CVE-2021-42740
error: osv-scanner detected a critical severity issue
detail: SEVERITY: CRITICAL in package simple-git, vulnerable to CVE-2022-25860
error: osv-scanner detected critical severity issues
detail: osv-scanner detected 6 unique critical severity issues for lockfile: /var/folders/84/yw3k27_j0d79r_myzgjgx1980000gn/T/validator1049475772/yarn.lock
error: Plugin version 0.0.9 is invalid.
detail: The submitted plugin version 0.0.9 is not greater than the latest published version 0.0.9 on grafana.com.

Terse JSON Output:

plugincheck2 -config config/terse-json.yaml -sourceCodeUri https://github.com/briangann/grafana-gauge-panel/archive/refs/tags/v0.0.9.zip https://github.com/briangann/grafana-gauge-panel/releases/download/v0.0.9/briangann-gauge-panel-0.0.9.zip

JSON:

{
  "id": "briangann-gauge-panel",
  "version": "0.0.9",
  "plugin-validator": {
    "brokenlinks": [
      {
        "Severity": "warning",
        "Title": "README.md: possible broken link: https://www.d3js.org (404 Not Found)",
        "Detail": "README.md might contain broken links. Check that all links are valid and publicly accesible.",
        "Name": "broken-link"
      }
    ],
    "jargon": [
      {
        "Severity": "warning",
        "Title": "README.md contains developer jargon: (yarn)",
        "Detail": "Move any developer and contributor documentation to a separate file and link to it from the README.md. For example, CONTRIBUTING.md, DEVELOPMENT.md, etc.",
        "Name": "developer-jargon"
      }
    ],
    "osv-scanner": [
      {
        "Severity": "error",
        "Title": "osv-scanner detected a critical severity issue",
        "Detail": "SEVERITY: CRITICAL in package immer, vulnerable to CVE-2021-23436",
        "Name": "osvscanner-critical-severity-vulnerabilities-detected"
      },
      {
        "Severity": "error",
        "Title": "osv-scanner detected a critical severity issue",
        "Detail": "SEVERITY: CRITICAL in package json-schema, vulnerable to CVE-2021-3918",
        "Name": "osvscanner-critical-severity-vulnerabilities-detected"
      },
      {
        "Severity": "error",
        "Title": "osv-scanner detected a critical severity issue",
        "Detail": "SEVERITY: CRITICAL in package loader-utils, vulnerable to CVE-2022-37601",
        "Name": "osvscanner-critical-severity-vulnerabilities-detected"
      },
      {
        "Severity": "error",
        "Title": "osv-scanner detected a critical severity issue",
        "Detail": "SEVERITY: CRITICAL in package minimist, vulnerable to CVE-2021-44906",
        "Name": "osvscanner-critical-severity-vulnerabilities-detected"
      },
      {
        "Severity": "error",
        "Title": "osv-scanner detected a critical severity issue",
        "Detail": "SEVERITY: CRITICAL in package shell-quote, vulnerable to CVE-2021-42740",
        "Name": "osvscanner-critical-severity-vulnerabilities-detected"
      },
      {
        "Severity": "error",
        "Title": "osv-scanner detected a critical severity issue",
        "Detail": "SEVERITY: CRITICAL in package simple-git, vulnerable to CVE-2022-25860",
        "Name": "osvscanner-critical-severity-vulnerabilities-detected"
      },
      {
        "Severity": "error",
        "Title": "osv-scanner detected critical severity issues",
        "Detail": "osv-scanner detected 6 unique critical severity issues for lockfile: /var/folders/84/yw3k27_j0d79r_myzgjgx1980000gn/T/validator1150112313/yarn.lock",
        "Name": "osvscanner-critical-severity-vulnerabilities-detected"
      }
    ],
    "version": [
      {
        "Severity": "error",
        "Title": "Plugin version 0.0.9 is invalid.",
        "Detail": "The submitted plugin version 0.0.9 is not greater than the latest published version 0.0.9 on grafana.com.",
        "Name": "wrong-plugin-version"
      }
    ]
  }
}

Verbose

plugincheck2 -config config/verbose-json.yaml -sourceCodeUri https://github.com/briangann/grafana-gauge-panel/archive/refs/tags/v0.0.9.zip https://github.com/briangann/grafana-gauge-panel/releases/download/v0.0.9/briangann-gauge-panel-0.0.9.zip

License

Grafana Plugin Validator is distributed under the Apache 2.0 License.

Directories ¶

Path	Synopsis
pkg
analysis
analysis/passes
analysis/passes/archive
analysis/passes/archivename
analysis/passes/binarypermissions
analysis/passes/brokenlinks
analysis/passes/coderules
analysis/passes/gomanifest
analysis/passes/gosec
analysis/passes/htmlreadme
analysis/passes/jargon
analysis/passes/jssourcemap
analysis/passes/legacyplatform
analysis/passes/license
analysis/passes/logos
analysis/passes/manifest
analysis/passes/metadata
analysis/passes/metadatapaths
analysis/passes/metadataschema
analysis/passes/metadatavalid
analysis/passes/modulejs
analysis/passes/org
analysis/passes/osvscanner
analysis/passes/pluginname
analysis/passes/published
analysis/passes/readme
analysis/passes/restrictivedep
analysis/passes/screenshots
analysis/passes/signature
analysis/passes/sourcecode
analysis/passes/templatereadme
analysis/passes/trackingscripts
analysis/passes/typesuffix
analysis/passes/unsafesvg
analysis/passes/version
archivetool
cmd/plugincheck
cmd/plugincheck2
cmd/sourcemapdiff
difftool
grafana
logme
prettyprint
repotool
runner
sourcemap
svgvalidate
testpassinterceptor

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL