feat(GODT-2001): add govulncheck to scan for vulnerabilities.
This commit is contained in:
Jakub
parent
6cbef1d786
commit
01db488caa
7
Makefile
7
Makefile
|
|
@ -328,13 +328,6 @@ lint-bug-report:
|
|||
lint-bug-report-preview:
|
||||
python3 utils/validate_bug_report_file.py --file "internal/frontend/bridge-gui/bridge-gui/qml/Resources/bug_report_flow.json" --preview
|
||||
|
||||
gobinsec: gobinsec-cache.yml build
|
||||
gobinsec -wait -cache -config utils/gobinsec_conf.yml ${EXE_TARGET} ${DEPLOY_DIR}/${TARGET_OS}/${LAUNCHER_EXE}
|
||||
|
||||
gobinsec-cache.yml:
|
||||
./utils/gobinsec_update.sh
|
||||
cp ./utils/gobinsec_update/gobinsec-cache-valid.yml ./gobinsec-cache.yml
|
||||
|
||||
updates: install-go-mod-outdated
|
||||
# Uncomment the "-ci" to fail the job if something can be updated.
|
||||
go list -u -m -json all | go-mod-outdated -update -direct #-ci
|
||||
|
|
|
|||
15
ci/test.yml
15
ci/test.yml
|
|
@ -107,3 +107,18 @@ test-coverage:
|
|||
coverage_report:
|
||||
coverage_format: cobertura
|
||||
path: coverage.xml
|
||||
|
||||
go-vuln-check:
|
||||
extends:
|
||||
- .rules-branch-manual-MR-and-devel-always
|
||||
stage: test
|
||||
tags:
|
||||
- shared-medium
|
||||
script:
|
||||
- apt-get -y install jq
|
||||
- ./utils/govulncheck.sh
|
||||
artifacts:
|
||||
when: always
|
||||
paths:
|
||||
- vulns*
|
||||
|
||||
|
|
|
|||
|
|
@ -1,21 +0,0 @@
|
|||
---
|
||||
|
||||
wait: true
|
||||
strict: true
|
||||
|
||||
file:
|
||||
name: "./gobinsec-cache.yml"
|
||||
expiration: "24h"
|
||||
|
||||
ignore:
|
||||
# golang.org/x/net wrong match, we are using v0.1.0, fixed by 37e1c6af in v0.0.xxx
|
||||
- "CVE-2021-33194"
|
||||
# golang.org/x/crypto wrong match, we are using v0.1.0 all of this have been fixed in vO.O.xx
|
||||
- "CVE-2019-11840"
|
||||
- "CVE-2020-29652"
|
||||
- "CVE-2021-43565"
|
||||
- "CVE-2022-27191"
|
||||
- "CVE-2020-9283"
|
||||
- "CVE-2017-3204"
|
||||
# golang.org/x/text wrong match, we are using v0.4.0, fixed in a previous version
|
||||
- "CVE-2020-14040"
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Copyright (c) 2023 Proton AG
|
||||
#
|
||||
# This file is part of Proton Mail Bridge.
|
||||
#
|
||||
# Proton Mail Bridge is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Proton Mail Bridge is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
cd "$(\
|
||||
cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd \
|
||||
)"/gobinsec_update || exit 1
|
||||
|
||||
for i in $(seq 10); do
|
||||
echo "Trying $i"
|
||||
if make run; then
|
||||
echo "Try $i succeeded"
|
||||
break
|
||||
fi
|
||||
echo "Waiting to try again..."
|
||||
sleep 30
|
||||
done
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
|
||||
|
||||
run:
|
||||
FILECACHE_FILE=gobinsec-cache-valid.yml \
|
||||
FILECACHE_EXPIRATION=1h \
|
||||
go run main.go
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
module gobinsec_update
|
||||
|
||||
go 1.18
|
||||
|
||||
require github.com/intercloud/gobinsec v0.10.2
|
||||
|
||||
require (
|
||||
github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d // indirect
|
||||
github.com/fatih/color v1.13.0 // indirect
|
||||
github.com/mattn/go-colorable v0.1.13 // indirect
|
||||
github.com/mattn/go-isatty v0.0.16 // indirect
|
||||
github.com/memcachier/gomemcache v0.0.0-20170425125614-d027381f7653 // indirect
|
||||
golang.org/x/sys v0.1.0 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
)
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d h1:pVrfxiGfwelyab6n21ZBkbkmbevaf+WvMIiR7sr97hw=
|
||||
github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
|
||||
github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
|
||||
github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
|
||||
github.com/intercloud/gobinsec v0.10.2 h1:4L2d4SaIqlHnUQ6Hlg1E51dqUg4jK+TpSILVTHaEvx4=
|
||||
github.com/intercloud/gobinsec v0.10.2/go.mod h1:Y/AMKT0aQM40WDkTqlEe18W/IL6ZUuuJjdOXdayi+CI=
|
||||
github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
|
||||
github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
|
||||
github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
|
||||
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
|
||||
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
|
||||
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
|
||||
github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
|
||||
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
|
||||
github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
|
||||
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
|
||||
github.com/memcachier/gomemcache v0.0.0-20170425125614-d027381f7653 h1:222emoxOt/bCmNHp8Xt0Pr5Am3gIbqRKFpb4CQ9O2SI=
|
||||
github.com/memcachier/gomemcache v0.0.0-20170425125614-d027381f7653/go.mod h1:KoYVbOQexD45AOLfn+gsFB6c3o4ANzP1QKzjE6tZbK0=
|
||||
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 h1:xHms4gcpe1YE7A3yIllJXP16CMAGuqwO2lX1mTyyRRc=
|
||||
golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
|
||||
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
|
||||
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
|
|
@ -1,76 +0,0 @@
|
|||
// Copyright (c) 2023 Proton AG
|
||||
//
|
||||
// This file is part of Proton Mail Bridge.
|
||||
//
|
||||
// Proton Mail Bridge is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// Proton Mail Bridge is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License
|
||||
// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"github.com/intercloud/gobinsec/gobinsec"
|
||||
)
|
||||
|
||||
type Depend struct {
|
||||
Name string
|
||||
Version string
|
||||
}
|
||||
|
||||
func loadDependencies(file string) []Depend {
|
||||
var dependencies []Depend
|
||||
txt, err := ioutil.ReadFile(file)
|
||||
if err != nil {
|
||||
return dependencies
|
||||
}
|
||||
re := regexp.MustCompile(`\t[a-zA-Z0-9-\/\.]* v.*`)
|
||||
matches := re.FindAllString(string(txt), -1)
|
||||
for _, str := range matches {
|
||||
withoutTab := strings.Split(str, "\t")
|
||||
split := strings.Split(withoutTab[1], " ")
|
||||
dependencies = append(dependencies, Depend{split[0], split[1]})
|
||||
}
|
||||
return dependencies
|
||||
}
|
||||
|
||||
func main() {
|
||||
dependencies := loadDependencies("../../go.mod")
|
||||
|
||||
if err := gobinsec.LoadConfig("", true, true, true, true); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
if err := gobinsec.BuildCache(); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
for _, dep := range dependencies {
|
||||
fmt.Println("... Checking " + dep.Name + " " + dep.Version)
|
||||
dep, err := gobinsec.NewDependency(dep.Name, dep.Version)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
if err := dep.LoadVulnerabilities(); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
if err := gobinsec.CacheInstance.Close(); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# Copyright (c) 2023 Proton AG
|
||||
#
|
||||
# This file is part of Proton Mail Bridge.
|
||||
#
|
||||
# Proton Mail Bridge is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# Proton Mail Bridge is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
|
||||
set -eo pipefail
|
||||
|
||||
main(){
|
||||
go install golang.org/x/vuln/cmd/govulncheck@latest
|
||||
make gofiles
|
||||
govulncheck -json ./... > vulns.json
|
||||
|
||||
jq -r '.osv.id | select( . != null )' < vulns.json > vulns_osv_ids.txt
|
||||
|
||||
ignore GO-2023-2102 "GODT-3160 update go to 1.21.4"
|
||||
ignore GO-2023-2043 "GODT-3160 update go to 1.21.4"
|
||||
ignore GO-2023-2041 "GODT-3160 update go to 1.21.4"
|
||||
ignore GO-2023-1878 "GODT-3160 update go to 1.21.4"
|
||||
ignore GO-2023-1987 "GODT-3160 update go to 1.21.4"
|
||||
ignore GO-2023-1840 "GODT-3160 update go to 1.21.4"
|
||||
ignore GO-2023-2185 "GODT-3160 update go to 1.21.4"
|
||||
ignore GO-2023-2186 "GODT-3160 update go to 1.21.4"
|
||||
ignore GO-2023-2328 "GODT-3124 RESTY race condition"
|
||||
|
||||
has_vulns
|
||||
|
||||
echo
|
||||
echo "No new vulnerabilities found."
|
||||
}
|
||||
|
||||
ignore(){
|
||||
echo "ignoring $1 fix: $2"
|
||||
cp vulns_osv_ids.txt tmp
|
||||
grep -v "$1" < tmp > vulns_osv_ids.txt || true
|
||||
rm tmp
|
||||
}
|
||||
|
||||
has_vulns(){
|
||||
has=false
|
||||
while read -r osv; do
|
||||
jq \
|
||||
--arg osvid "$osv" \
|
||||
'.osv | select ( .id == $osvid) | {"id":.id, "ranges": .affected[0].ranges, "import": .affected[0].ecosystem_specific.imports[0].path}' \
|
||||
< vulns.json
|
||||
has=true
|
||||
done < vulns_osv_ids.txt
|
||||
|
||||
if [ "$has" == true ]; then
|
||||
echo
|
||||
echo "Vulnerability found"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
main
|
||||
Loading…
Reference in New Issue