Skip to content

Commit

Permalink
Add verify-govulncheck target and integrate to scan action
Browse files Browse the repository at this point in the history
  • Loading branch information
chrischdi committed Aug 7, 2023
1 parent f1341ab commit f82cd68
Show file tree
Hide file tree
Showing 3 changed files with 61 additions and 2 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,5 +28,5 @@ jobs:
uses: actions/[email protected] # tag=v3.5.0
with:
go-version: ${{ steps.vars.outputs.go_version }}
- name: Run verify container script
run: make verify-container-images
- name: Run verify vulnerabilities script
run: make verify-vulnerabilities
19 changes: 19 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/golangci-lint.yaml | grep [[:
GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint

GOVULNCHECK_BIN := govulncheck
GOVULNCHECK_VER := v1.0.0
GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck

GOVC_VER := $(shell cat go.mod | grep "github.com/vmware/govmomi" | awk '{print $$NF}')
GOVC_BIN := govc
GOVC := $(abspath $(TOOLS_BIN_DIR)/$(GOVC_BIN)-$(GOVC_VER))
Expand Down Expand Up @@ -370,6 +375,14 @@ verify-boilerplate: ## Verify boilerplate text exists in each file
verify-container-images: ## Verify container images
TRACE=$(TRACE) ./hack/verify-container-images.sh

.PHONY: verify-govulncheck
verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
$(GOVULNCHECK) ./...

.PHONY: verify-vulnerabilities
verify-vulnerabilities: ## Verify code and images for vulnerabilities
TRACE=$(TRACE) ./hack/verify-vulnerabilities.sh

## --------------------------------------
## Build
## --------------------------------------
Expand Down Expand Up @@ -714,6 +727,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
.PHONY: $(GOLANGCI_LINT_BIN)
$(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.

.PHONY: $(GOVULNCHECK_BIN)
$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.

.PHONY: $(GOVC_BIN)
$(GOVC_BIN): $(GOVC) ## Build a local copy of govc.

Expand Down Expand Up @@ -760,6 +776,9 @@ $(GINKGO): # Build ginkgo.
$(GOLANGCI_LINT): # Build golangci-lint.
GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)

$(GOVULNCHECK): # Build govulncheck.
GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)

$(GOVC): # Build GOVC.
CGO_ENABLED=0 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVC_PKG) $(GOVC_BIN) $(GOVC_VER)

Expand Down
40 changes: 40 additions & 0 deletions hack/verify-vulnerabilities.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
#!/bin/bash

# Copyright 2023 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o nounset
set -o pipefail

if [[ "${TRACE-0}" == "1" ]]; then
set -o xtrace
fi

# Scan the images
make verify-container-images && R1=$? || R1=$?
make verify-govulncheck && R2=$? || R2=$?

echo ""
BRed='\033[1;31m'
BGreen='\033[1;32m'
NC='\033[0m' # No

if [ "$R1" -ne "0" ] || [ "$R2" -ne "0" ]
then
echo -e "${BRed}Check for vulnerabilities failed! There are vulnerability to be fixed${NC}"
exit 1
fi

echo -e "${BGreen}Check for vulnerabilities passed! No vulnerability found${NC}"

0 comments on commit f82cd68

Please sign in to comment.