build: security checks (#43)

semaphoreci · Aug 8, 2023 · 2552e2a · 2552e2a
1 parent 25e763f
commit 2552e2a
Show file tree

Hide file tree

Showing 13 changed files with 95 additions and 358 deletions.
diff --git a/.semaphore/release.yml b/.semaphore/release.yml
@@ -2,8 +2,8 @@ version: "v1.0"
 name: "Github Release"
 agent:
   machine:
-    type: e1-standard-2
-    os_image: ubuntu1804
+    type: e2-standard-2
+    os_image: ubuntu2004
 blocks:
   - name: "Github Release"
     task:
@@ -14,7 +14,7 @@ blocks:
         - name: sem-robot-ghtoken
       prologue:
         commands:
-          - sem-version go 1.16
+          - sem-version go 1.18
           - "export GOPATH=~/go"
           - "export PATH=/home/semaphore/go/bin:$PATH"
           - checkout

diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
@@ -2,13 +2,13 @@ version: v1.0
 name: Go
 agent:
   machine:
-    type: e1-standard-2
-    os_image: ubuntu1804
+    type: e2-standard-2
+    os_image: ubuntu2004
 
 global_job_config:
   prologue:
     commands:
-      - sem-version go 1.16
+      - sem-version go 1.18
       - export GO111MODULE=on
       - export GOPATH=~/go
       - 'export PATH=/home/semaphore/go/bin:$PATH'
@@ -19,13 +19,31 @@ global_job_config:
       - go get ./...
 
 blocks:
+  - name: "Security checks"
+    dependencies: []
+    task:
+      secrets:
+        - name: security-toolbox-shared-read-access
+      prologue:
+        commands:
+          - checkout
+          - mv ~/.ssh/security-toolbox ~/.ssh/id_rsa
+          - sudo chmod 600 ~/.ssh/id_rsa
+      jobs:
+        - name: Check dependencies
+          commands:
+            - make check.deps
+        - name: Check code
+          commands:
+            - make check.static
+
   - name: Lint
     dependencies: []
     task:
       jobs:
         - name: Lint
           commands:
-            - go get -u github.com/mgechev/revive
+            - go install github.com/mgechev/revive@latest
             - make lint
 
   - name: E2E
@@ -47,7 +65,7 @@ blocks:
       jobs:
         - name: go test
           commands:
-            - go get gotest.tools/gotestsum
+            - go install gotest.tools/gotestsum@latest
             - make test
 
         - name: e2e

diff --git a/Makefile b/Makefile
@@ -1,5 +1,25 @@
 .PHONY: build test
 
+SECURITY_TOOLBOX_BRANCH ?= master
+SECURITY_TOOLBOX_TMP_DIR ?= /tmp/security-toolbox
+
+check.prepare:
+	rm -rf $(SECURITY_TOOLBOX_TMP_DIR)
+	git clone git@github.com:renderedtext/security-toolbox.git $(SECURITY_TOOLBOX_TMP_DIR) && (cd $(SECURITY_TOOLBOX_TMP_DIR) && git checkout $(SECURITY_TOOLBOX_BRANCH) && cd -)
+
+check.static: check.prepare
+	docker run -it -v $$(pwd):/app \
+		-v $(SECURITY_TOOLBOX_TMP_DIR):$(SECURITY_TOOLBOX_TMP_DIR) \
+		registry.semaphoreci.com/ruby:2.7 \
+		bash -c 'cd /app && $(SECURITY_TOOLBOX_TMP_DIR)/code --language go -d'
+
+check.deps: check.prepare
+	docker run -it -v $$(pwd):/app \
+		-v $(SECURITY_TOOLBOX_TMP_DIR):$(SECURITY_TOOLBOX_TMP_DIR) \
+		registry.semaphoreci.com/ruby:2.7 \
+		bash -c 'cd /app && $(SECURITY_TOOLBOX_TMP_DIR)/dependencies --language go -d'
+
+
 lint:
 	revive -formatter friendly -config lint.toml ./...
 

diff --git a/go.mod b/go.mod
@@ -1,16 +1,20 @@
 module github.com/semaphoreci/spc
 
-go 1.16
+go 1.18
 
 require (
-	github.com/Jeffail/gabs v1.4.0
-	github.com/Jeffail/gabs/v2 v2.6.0
-	github.com/a-h/generate v0.0.0-20190312091541-e59c34d33fb3 // indirect
-	github.com/bmatcuk/doublestar/v2 v2.0.4
+	github.com/Jeffail/gabs/v2 v2.7.0
+	github.com/bmatcuk/doublestar/v4 v4.6.0
 	github.com/ghodss/yaml v1.0.0
-	github.com/iancoleman/strcase v0.1.2
-	github.com/spf13/cobra v1.1.1
-	github.com/stretchr/testify v1.3.0
-	github.com/tidwall/gjson v1.6.3
-	gotest.tools/gotestsum v0.6.0 // indirect
+	github.com/spf13/cobra v1.7.0
+	github.com/stretchr/testify v1.8.4
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/lint.toml b/lint.toml
@@ -11,7 +11,6 @@ warningCode = 1
 [rule.increment-decrement]
 [rule.var-naming]
 [rule.var-declaration]
-[rule.package-comments]
 [rule.range]
 [rule.receiver-naming]
 [rule.time-naming]
@@ -57,3 +56,6 @@ warningCode = 1
 
 [rule.function-result-limit]
   arguments = [3]
+
+[rule.package-comments]
+  Disabled = true
diff --git a/pkg/cli/compile.go b/pkg/cli/compile.go
@@ -39,6 +39,7 @@ var compileCmd = &cobra.Command{
 		yamlPpl, err := ppl.ToYAML()
 		check(err)
 
+		// #nosec
 		err = ioutil.WriteFile(output, yamlPpl, 0644)
 		check(err)
 	},

diff --git a/pkg/cli/evaluate.go b/pkg/cli/evaluate.go
@@ -40,6 +40,7 @@ var evaluateChangeInCmd = &cobra.Command{
 		yamlPpl, err := ppl.ToYAML()
 		check(err)
 
+		// #nosec
 		err = ioutil.WriteFile(output, yamlPpl, 0644)
 		check(err)
 	},

diff --git a/pkg/logs/log.go b/pkg/logs/log.go
@@ -2,6 +2,7 @@ package logs
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"reflect"
 
@@ -12,6 +13,7 @@ var loggerInstance *os.File
 var currentPipelineFilePath string
 
 func Open(path string) {
+	// #nosec
 	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, os.ModePerm)
 	if err != nil {
 		panic(err)
@@ -44,8 +46,13 @@ func toJSON(e interface{}) string {
 		panic(err)
 	}
 
-	jsonEvent.Set(reflect.TypeOf(e).Name(), "type")
-	jsonEvent.Set(currentPipelineFilePath, "location", "file")
+	if _, err := jsonEvent.Set(reflect.TypeOf(e).Name(), "type"); err != nil {
+		fmt.Printf("error: unable to update json event with type: %v\n", err)
+	}
+
+	if _, err := jsonEvent.Set(currentPipelineFilePath, "location", "file"); err != nil {
+		fmt.Printf("error: unable to update json event with location file: %v\n", err)
+	}
 
 	return jsonEvent.String()
 }
diff --git a/pkg/pipelines/load.go b/pkg/pipelines/load.go
@@ -8,6 +8,7 @@ import (
 )
 
 func LoadFromFile(path string) (*Pipeline, error) {
+	// #nosec
 	data, err := ioutil.ReadFile(path)
 	if err != nil {
 		return nil, err

diff --git a/pkg/when/changein/pattern.go b/pkg/when/changein/pattern.go
@@ -4,7 +4,7 @@ import (
 	"path"
 	"strings"
 
-	doublestar "github.com/bmatcuk/doublestar/v2"
+	doublestar "github.com/bmatcuk/doublestar/v4"
 )
 
 func patternMatch(diffLine, pattern, workDir string) bool {

diff --git a/pkg/when/whencli/list_inputs.go b/pkg/when/whencli/list_inputs.go
@@ -70,6 +70,7 @@ func ListInputsPrepareInputFile(path string, expressions []string) error {
 }
 
 func ListInputsLoadResults(path string) (*gabs.Container, error) {
+	// #nosec
 	file, err := os.Open(path)
 	if err != nil {
 		return nil, err

diff --git a/pkg/when/whencli/reduce.go b/pkg/when/whencli/reduce.go
@@ -74,6 +74,7 @@ func ReducePrepareInput(expressions []string, inputs []ReduceInputs, path string
 }
 
 func ReduceLoadOutput(path string) ([]string, error) {
+	// #nosec
 	file, err := os.Open(path)
 	if err != nil {
 		return []string{}, err