ProtonMail
/
proton-bridge
mirror of https://github.com/ProtonMail/proton-bridge
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
proton-bridge/utils/govulncheck.sh

69 lines
2.0 KiB
Bash
Executable File
Raw Permalink Blame History

#!/usr/bin/env bash
# Copyright (c) 2024 Proton AG
#
# This file is part of Proton Mail Bridge.
#
# Proton Mail Bridge is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Proton Mail Bridge is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
set -eo pipefail
main(){
go install golang.org/x/vuln/cmd/govulncheck@latest
make gofiles
govulncheck -json ./... > vulns.json
jq -r '.finding | select( (.osv != null) and (.trace[0].function != null) ) | .osv ' < vulns.json > vulns_osv_ids.txt
ignore GO-2023-2328 "GODT-3124 RESTY race condition"
ignore GO-2024-2598 "BRIDGE-16 Update Go to 1.21.9"
ignore GO-2024-2599 "BRIDGE-16 Update Go to 1.21.9"
ignore GO-2024-2600 "BRIDGE-16 Update Go to 1.21.9"
ignore GO-2024-2609 "BRIDGE-16 Update Go to 1.21.9"
ignore GO-2024-2610 "BRIDGE-16 Update Go to 1.21.9"
ignore GO-2024-2687 "BRIDGE-16 Update Go to 1.21.9"
has_vulns
echo
echo "No new vulnerabilities found."
}
ignore(){
echo "ignoring $1 fix: $2"
cp vulns_osv_ids.txt tmp
grep -v "$1" < tmp > vulns_osv_ids.txt || true
rm tmp
}
has_vulns(){
has=false
while read -r osv; do
jq \
--arg osvid "$osv" \
'.osv | select ( .id == $osvid) | {"id":.id, "ranges": .affected[0].ranges, "import": .affected[0].ecosystem_specific.imports[0].path}' \
< vulns.json
has=true
done < vulns_osv_ids.txt
if [ "$has" == true ]; then
echo
echo "Vulnerability found"
return 1
fi
}
main
Reference in New Issue View Git Blame Copy Permalink