From c2935e0269f2736a4017cbcaf4a76f1c567f7ffe Mon Sep 17 00:00:00 2001
From: Christian Schlotter
Date: Mon, 7 Aug 2023 15:45:55 +0200
Subject: [PATCH] Add verify-govulncheck target and integrate to scan action

---
 .github/workflows/weekly-image-scan.yaml | 32 ---------------------
 .github/workflows/weekly-security-scan.yaml | 32 +++++++++++++++++++++
 Makefile | 25 ++++++++++++++++
 docs/release/release-tasks.md | 2 +-
 hack/verify-container-images.sh | 2 +-
 5 files changed, 59 insertions(+), 34 deletions(-)
 delete mode 100644 .github/workflows/weekly-image-scan.yaml
 create mode 100644 .github/workflows/weekly-security-scan.yaml

diff --git a/.github/workflows/weekly-image-scan.yaml b/.github/workflows/weekly-image-scan.yaml
deleted file mode 100644
index 2518511641..0000000000
--- a/.github/workflows/weekly-image-scan.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: Weekly image scan
-
-on:
- schedule:
- # Cron for every Monday at 12:00 UTC.
- - cron: "0 12 * * 1"
-
-# Remove all permissions from GITHUB_TOKEN except metadata.
-permissions: {}
-
-jobs:
- scan:
- strategy:
- fail-fast: false
- matrix:
- branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
- name: Trivy
- runs-on: ubuntu-latest
- steps:
- - name: Check out code
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
- with:
- ref: ${{ matrix.branch }}
- - name: Calculate go version
- id: vars
- run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
- - name: Set up Go
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
- with:
- go-version: ${{ steps.vars.outputs.go_version }}
- - name: Run verify container script
- run: make verify-container-images
diff --git a/.github/workflows/weekly-security-scan.yaml b/.github/workflows/weekly-security-scan.yaml
new file mode 100644
index 0000000000..2047bcfd9c
--- /dev/null
+++ b/.github/workflows/weekly-security-scan.yaml
@@ -0,0 +1,32 @@
+name: Weekly security scan
+
+on:
+ schedule:
+ # Cron for every Monday at 12:00 UTC.
+ - cron: "0 12 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+ scan:
+ strategy:
+ fail-fast: false
+ matrix:
+ branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
+ name: Trivy
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+ with:
+ ref: ${{ matrix.branch }}
+ - name: Calculate go version
+ id: vars
+ run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+ - name: Set up Go
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
+ with:
+ go-version: ${{ steps.vars.outputs.go_version }}
+ - name: Run verify security target
+ run: make verify-security
diff --git a/Makefile b/Makefile
index b73e971db5..9de948b63d 100644
--- a/Makefile
+++ b/Makefile
@@ -149,6 +149,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/pr-golangci-lint.yaml | grep
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
 GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK_VER := v1.0.0
+GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
+GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck
+
 GOVC_VER := $(shell cat go.mod | grep "github.com/vmware/govmomi" | awk '{print $$NF}')
 GOVC_BIN := govc
 GOVC := $(abspath $(TOOLS_BIN_DIR)/$(GOVC_BIN)-$(GOVC_VER))
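Review bot: The final step `run: make verify-security` calls a target that this commit adds only to the Makefile on the current branch, while the matrix still schedules the job on release-1.8 through release-1.5; unless `verify-security`/`verify-govulncheck` are cherry-picked to each of those branches, those matrix legs will presumably fail with a missing-target error instead of reporting scan results. The old workflow's `make verify-container-images` ran on the same matrix, so the cross-branch dependency is new and worth calling out in the PR description and the release-tasks doc. The job `name: Trivy` also no longer describes what runs, since govulncheck is now included; `name: Trivy and govulncheck` would keep the check name accurate in the Actions UI.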
@@ -381,6 +386,19 @@ verify-boilerplate: ## Verify boilerplate text exists in each file
 verify-container-images: ## Verify container images
 TRACE=$(TRACE) ./hack/verify-container-images.sh
+.PHONY: verify-govulncheck
+verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
+ $(GOVULNCHECK) ./...
+
+.PHONY: verify-security
+verify-security: ## Verify code and images for vulnerabilities
+ $(MAKE) verify-container-images && R1=$$? || R1=$$?; \
+ $(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \
+ if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
+ echo "Check for vulnerabilities failed! There are vulnerabilities to be fixed"; \
+ exit 1; \
+ fi
+
 .PHONY: verify-flavors
 verify-flavors: $(FLAVOR_DIR) generate-flavors ## Verify generated flavors
 @if !(git diff --quiet HEAD -- $(FLAVOR_DIR)); then \
@@ -388,6 +406,7 @@ verify-flavors: $(FLAVOR_DIR) generate-flavors ## Verify generated flavors
 echo "flavor files in templates directory are out of date"; exit 1; \
 fi
+
 ## --------------------------------------
 ## Build
 ## --------------------------------------
@@ -727,6 +746,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
 .PHONY: $(GOLANGCI_LINT_BIN)
 $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.
+.PHONY: $(GOVULNCHECK_BIN)
+$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.
+
 .PHONY: $(GOVC_BIN)
 $(GOVC_BIN): $(GOVC) ## Build a local copy of govc.
@@ -773,6 +795,9 @@ $(GINKGO): # Build ginkgo.
 $(GOLANGCI_LINT): # Build golangci-lint.
 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
+$(GOVULNCHECK): # Build govulncheck.
+ GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 $(GOVC): # Build GOVC.
 CGO_ENABLED=0 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVC_PKG) $(GOVC_BIN) $(GOVC_VER)
diff --git a/docs/release/release-tasks.md b/docs/release/release-tasks.md
index 8cc40799be..60f6ae2c02 100644
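Review bot: The `verify-security` recipe deliberately drives both checks through `$(MAKE)` instead of listing them as prerequisites, so that govulncheck still runs when the image scan fails, but nothing records that intent and the final message does not say which of the two checks failed. A comment above the target, `# Run both checks even if the first fails, then fail once if either did`, would document the `&& R1=$$? || R1=$$?` pattern, and `echo "Check for vulnerabilities failed! verify-container-images=$$R1 verify-govulncheck=$$R2"` would make the weekly job log actionable without scrolling back through both sub-make outputs. For `verify-govulncheck`, note that pinning `GOVULNCHECK_VER` fixes the tool but not the vulnerability database it consults at run time, so a clean run today can legitimately fail next week with no code change; a short comment on the target would stop anyone from treating it as a reproducible check.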
--- a/docs/release/release-tasks.md
+++ b/docs/release/release-tasks.md
@@ -108,7 +108,7 @@ From this point forward changes which should land in the release have to be cher
 - Adjust branches: `^main$` => `^release-1.8$`.
 5. Remove tests for old release branches if necessary
 6. Verify the jobs and dashboards a day later by taking a look at [testgrid](https://testgrid.k8s.io/sig-cluster-lifecycle-cluster-api-provider-vsphere)
-7. Update `.github/workflows/weekly-image-scan.yaml` - to setup Trivy scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
+7. Update `.github/workflows/weekly-security-scan.yaml` - to setup Trivy and govulncheck scanning - `.github/workflows/weekly-md-link-check.yaml` - to setup link checking in the CAPI book - and `.github/workflows/weekly-test-release.yaml` - to verify the release target is working - for the currently supported branches.
 ## Cut a release
diff --git a/hack/verify-container-images.sh b/hack/verify-container-images.sh
index 0a983ea2e3..d99c2da64a 100755
--- a/hack/verify-container-images.sh
+++ b/hack/verify-container-images.sh
@@ -66,7 +66,7 @@ NC='\033[0m' # No
 if [ "$R1" -ne "0" ]
 then
- echo -e "${BRed}Check container images failed! There are vulnerability to be fixed${NC}"
+ echo -e "${BRed}Check container images failed! There are vulnerabilities to be fixed${NC}"
 exit 1
 fi