golibs/gosu
1
0
Fork 0
mirror of https://github.com/tianon/gosu.git synced 2025-04-18 19:04:06 +03:00
Code

Fix govulncheck wrapper + run govulncheck on latest release periodically too

Browse Source
This commit is contained in:
Tianon Gravi 2024-06-06 11:16:49 -07:00
parent a094511005
commit 7b1b498b98
3 changed files with 80 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.github/workflows/ci.yml vendored
View File

@ -5,6 +5,7 @@ on:
push:
schedule:
- cron: 0 0 * * 0
workflow_dispatch:
defaults:
run:
@ -25,13 +26,8 @@ jobs:
- run: docker build --pull --file hub/Dockerfile.alpine hub
- run: docker build --pull --file hub/Dockerfile.debian hub
- uses: actions/setup-go@v4
with:
go-version: 1.18
# https://github.com/golang/vuln/commits/master
# https://github.com/golang/vuln/releases
# https://github.com/golang/vuln/tags
- run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.4
# (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.1/go.mod#L3)
- run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done
- name: govulncheck
run: |
for gosu in gosu-*; do
./govulncheck-with-excludes.sh -mode=binary "$gosu"
done

52
.github/workflows/release.yml vendored Normal file
View File

@ -0,0 +1,52 @@
name: Release
on:
pull_request:
paths:
- '.github/workflows/release.yml'
- 'govulncheck-with-excludes.sh'
push:
paths:
- '.github/workflows/release.yml'
- 'govulncheck-with-excludes.sh'
schedule:
- cron: 0 0 * * 0
workflow_dispatch:
defaults:
run:
shell: 'bash -Eeuo pipefail -x {0}'
jobs:
test:
name: govulncheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: download
run: |
# find and download the latest release for testing
tags="$(git ls-remote --tags https://github.com/tianon/gosu.git | cut -d/ -f3 | cut -d^ -f1 | sort -urV)"
for tag in $tags; do
echo >&2 "checking $tag ..."
url="https://github.com/tianon/gosu/releases/download/$tag"
if wget -O SHA256SUMS "$url/SHA256SUMS" && [ -s SHA256SUMS ]; then
files="$(grep -oE '[ *]gosu-[^.]+$' SHA256SUMS | grep -oE 'gosu-.*$')"
for file in $files; do
wget -O "$file" "$url/$file"
done
if grep -E '[ *]gosu-[^.]+$' SHA256SUMS | sha256sum --strict --check -; then
echo >&2 "success with $tag !"
exit 0
fi
fi
done
echo >&2 'error: failed to find latest release'
- name: govulncheck
run: |
for gosu in gosu-*; do
./govulncheck-with-excludes.sh -mode=binary "$gosu"
done

25
govulncheck-with-excludes.sh
View File

@ -9,7 +9,7 @@ excludeVulns="$(jq -nc '[
# fixed in Go 1.20.5+
# https://pkg.go.dev/vuln/GO-2023-1840
# we already mitigate setuid in our code
#"GO-2023-1840", "CVE-2023-29403",
"GO-2023-1840", "CVE-2023-29403",
# (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883)
empty # trailing comma hack (makes diffs smaller)
@ -30,7 +30,9 @@ if ! command -v govulncheck > /dev/null; then
--workdir /wd
"${GOLANG_IMAGE:-golang:latest}"
sh -euc '
go install golang.org/x/vuln/cmd/govulncheck@latest > /dev/null
# https://github.com/golang/vuln/releases
# (pinning version to avoid format changes like https://github.com/tianon/gosu/issues/144 surprising us unexpectedly)
go install golang.org/x/vuln/cmd/govulncheck@v1.1.2 > /dev/null
exec "$GOPATH/bin/govulncheck" "$@"
' --
)
@ -45,7 +47,24 @@ fi
json="$(govulncheck -json "$@")"
vulns="$(jq <<<"$json" -cs 'map(select(has("osv")) | .osv)')"
vulns="$(jq <<<"$json" -cs '
(
map(
.osv // empty
| { key: .id, value: . }
)
| from_entries
) as $meta
# https://github.com/tianon/gosu/issues/144
| map(
.finding // empty
# https://github.com/golang/vuln/blob/3740f5cb12a3f93b18dbe200c4bcb6256f8586e2/internal/scan/template.go#L97-L104
| select((.trace[0].function // "") != "")
| .osv
)
| unique
| map($meta[.])
')"
if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then
printf '%s\n' "$out"
exit 1