fix(BRIDGE-94): enable govulncheck and add ignore capability

2025-12-23 23:57:50 -05:00 · 2024-06-05 16:11:23 +02:00
parent 1a81ec7dc7
commit 2f693dee7b
3 changed files with 79 additions and 2 deletions
--- a/.github/actions/govulncheck.sh
+++ b/.github/actions/govulncheck.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+main(){
+    local go_package="$1"
+    govulncheck -json "$go_package" > vulns.json
+
+    jq -r '.finding | select( (.osv != null) and (.trace[0].function != null) ) | .osv ' < vulns.json > vulns_osv_ids.txt
+
+    ignore GO-2024-2887 "BRIDGE-95 net/http vulnerability"
+    ignore GO-2024-2888 "BRIDGE-95 archive/zip vulnerability"
+
+    has_vulns
+
+    echo
+    echo "No new vulnerabilities found."
+}
+
+ignore(){
+    echo "ignoring $1 fix: $2"
+    cp vulns_osv_ids.txt tmp
+    grep -v "$1" < tmp > vulns_osv_ids.txt || true
+    rm tmp
+}
+
+has_vulns(){
+    has=false
+    while read -r osv; do
+        jq \
+            --arg osvid "$osv" \
+            '.osv | select ( .id == $osvid) | {"id":.id, "ranges": .affected[0].ranges,  "import": .affected[0].ecosystem_specific.imports[0].path}' \
+            < vulns.json
+        has=true
+    done < vulns_osv_ids.txt
+
+    if [ "$has" == true ]; then
+        echo
+        echo "Vulnerability found"
+        return 1
+    fi
+}
+
+main
--- a/.github/actions/govulncheck/action.yml
+++ b/.github/actions/govulncheck/action.yml
@@ -0,0 +1,26 @@
+name: 'golang-govulncheck-action'
+description: 'Run govulncheck'
+inputs:
+  go-version-input:  # version of Go to use for govulncheck
+    description: 'Version of Go to use for govulncheck'
+    required: false
+  go-package:
+    description: 'Go Package to scan with govulncheck'
+    required: false
+    default: './...'
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-go@v5.0.0
+      with:
+        go-version: ${{ inputs.go-version-input }}
+        check-latest: false
+        cache: false
+    - name: Install govulncheck
+      run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      shell: bash
+    - name: Run govulncheck
+      run: |
+        chmod +x .github/actions/govulncheck.sh
+        .github/actions/govulncheck.sh ${{ inputs.go-package }}
+      shell: bash
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -7,8 +7,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Get sources
-        uses: actions/checkout@v3
-
+        uses: actions/checkout@v4
+      
      - name: Set up Go 1.21
        uses: actions/setup-go@v3
        with:
@@ -26,3 +26,10 @@ jobs:

      - name: Run tests with race check
        run: go test -v -race ./...
+
+      - name: Run govulncheck
+        uses: ./.github/actions/govulncheck
+        with:
+          go-version-input: 1.21
+          go-package: ./...
+