From 190f9d0d4b966eb38d1a0b4781c6949f6c5e7e6a Mon Sep 17 00:00:00 2001
From: ArkaSaha30
Date: Mon, 11 Sep 2023 16:16:56 +0530
Subject: [PATCH 1/3] Add govulncheck script to expose go vulnerabilities

Signed-off-by: ArkaSaha30
---
 hack/verify-govulncheck.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100755 hack/verify-govulncheck.sh

diff --git a/hack/verify-govulncheck.sh b/hack/verify-govulncheck.sh
new file mode 100755
index 00000000000..5c547becccb
--- /dev/null
+++ b/hack/verify-govulncheck.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Copyright 2022 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+export WORKDIR=${ARTIFACTS:-$TMPDIR}
+export PATH=$PATH:$GOPATH/bin
+mkdir -p "${WORKDIR}"
+pushd "$WORKDIR"
+go install golang.org/x/vuln/cmd/govulncheck@v1.0.1
+popd
+
+govulncheck -scan module ./... > "${WORKDIR}/head.txt"
+git reset --hard HEAD
+git checkout -b base "${PULL_BASE_SHA}"
+govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt"
+diff -s -u --ignore-all-space "${WORKDIR}"/pr-base.txt "${WORKDIR}"/head.txt || true

From 9e34aa306cd40e9898ac889374a4d2c27a56d8b7 Mon Sep 17 00:00:00 2001
From: Arka Saha <42507652+ArkaSaha30@users.noreply.github.com>
Date: Mon, 11 Sep 2023 20:49:04 +0530
Subject: [PATCH 2/3] Update hack/verify-govulncheck.sh

Co-authored-by: LX
Signed-off-by: ArkaSaha30
---
 hack/verify-govulncheck.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
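Review bot: Under `set -euo pipefail` the first `govulncheck -scan module ./... > "${WORKDIR}/head.txt"` aborts the whole script as soon as govulncheck reports a finding, because govulncheck returns a non-zero status in that case (exit code 3 in the v1.0.x documentation, as far as I recall), so the comparison is never produced in exactly the situation it exists for; the same pattern survives unchanged in the PATCH 3/3 hunk with `${KUBE_TEMP}`. Tolerating only that status keeps genuine failures (a broken module graph, a failed vulnerability-database download) fatal: `scan() { govulncheck -scan module ./... > "$1" || [[ $? -eq 3 ]]; }` followed by `scan "${WORKDIR}/head.txt"` and `scan "${WORKDIR}/pr-base.txt"`. Separately, the closing `diff ... || true` discards the only result the script computes, so as a verify-* script it can never fail a job; if a differing report is meant to block, replace `|| true` with an explicit check of diff's status (1 means the reports differ, 2 means diff itself failed) and a message on stderr.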
diff --git a/hack/verify-govulncheck.sh b/hack/verify-govulncheck.sh
index 5c547becccb..d2df1053ef9 100755
--- a/hack/verify-govulncheck.sh
+++ b/hack/verify-govulncheck.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 2022 The Kubernetes Authors.
+# Copyright 2023 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,12 +18,12 @@ set -euo pipefail
 export WORKDIR=${ARTIFACTS:-$TMPDIR}
 export PATH=$PATH:$GOPATH/bin
 mkdir -p "${WORKDIR}"
-pushd "$WORKDIR"
 go install golang.org/x/vuln/cmd/govulncheck@v1.0.1
-popd
 
 govulncheck -scan module ./... > "${WORKDIR}/head.txt"
+
 git reset --hard HEAD
 git checkout -b base "${PULL_BASE_SHA}"
 govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt"
+
 diff -s -u --ignore-all-space "${WORKDIR}"/pr-base.txt "${WORKDIR}"/head.txt || true

From 7437ad2617a657ad267450c122369cbc6d1bc0d7 Mon Sep 17 00:00:00 2001
From: ArkaSaha30
Date: Wed, 27 Sep 2023 13:56:31 +0530
Subject: [PATCH 3/3] Add/update prechecks to verify-govulncheck.sh

Signed-off-by: ArkaSaha30
---
 hack/verify-govulncheck.sh | 42 ++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 9 deletions(-)

diff --git a/hack/verify-govulncheck.sh b/hack/verify-govulncheck.sh
index d2df1053ef9..e739285d4ee 100755
--- a/hack/verify-govulncheck.sh
+++ b/hack/verify-govulncheck.sh
@@ -13,17 +13,41 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-set -euo pipefail
+set -o errexit
+set -o nounset
+set -o pipefail
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+source "${KUBE_ROOT}/hack/lib/init.sh"
+source "${KUBE_ROOT}/hack/lib/util.sh"
+
+# make sure everything is committed
+kube::util::ensure_clean_working_dir
+
+# This sets up the environment, like GOCACHE, which keeps the worktree cleaner.
+kube::golang::setup_env
+# Opt into using go modules
+export GO111MODULE=on
 
-export WORKDIR=${ARTIFACTS:-$TMPDIR}
-export PATH=$PATH:$GOPATH/bin
-mkdir -p "${WORKDIR}"
 go install golang.org/x/vuln/cmd/govulncheck@v1.0.1
 
-govulncheck -scan module ./... > "${WORKDIR}/head.txt"
+# KUBE_VERIFY_GIT_BRANCH is populated in verify CI jobs
+BRANCH="${KUBE_VERIFY_GIT_BRANCH:-master}"
 
-git reset --hard HEAD
-git checkout -b base "${PULL_BASE_SHA}"
-govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt"
+kube::util::ensure-temp-dir
+WORKTREE="${KUBE_TEMP}/worktree"
 
-diff -s -u --ignore-all-space "${WORKDIR}"/pr-base.txt "${WORKDIR}"/head.txt || true
+# Create a copy of the repo with $BRANCH checked out
+git worktree add -f "${WORKTREE}" "${BRANCH}"
+# Clean up the copy on exit
+kube::util::trap_add "git worktree remove -f ${WORKTREE}" EXIT
+
+govulncheck -scan module ./... > "${KUBE_TEMP}/head.txt"
+pushd "${WORKTREE}" >/dev/null
+  govulncheck -scan module ./... > "${KUBE_TEMP}/pr-base.txt"
+popd >/dev/null
+
+echo -e "\n HEAD: $(cat "${KUBE_TEMP}"/head.txt)"
+echo -e "\n PR_BASE: $(cat "${KUBE_TEMP}/pr-base.txt")"
+
+diff -s -u --ignore-all-space "${KUBE_TEMP}"/pr-base.txt "${KUBE_TEMP}"/head.txt || true
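Review bot: The HEAD scan `govulncheck -scan module ./... > "${KUBE_TEMP}/head.txt"` runs in whatever directory the script was invoked from, while the base scan runs inside the worktree; unless `hack/lib/init.sh` changes directory (not visible here), invoking the script from anywhere but the repository root compares the base tree against the wrong `./...`, so add `cd "${KUBE_ROOT}"` before the HEAD scan, right after the `source` lines. The cleanup registered with `kube::util::trap_add "git worktree remove -f ${WORKTREE}" EXIT` interpolates the path into a string that is re-parsed at exit, so a `KUBE_TEMP` containing whitespace would leave the worktree behind; `kube::util::trap_add "git worktree remove -f $(printf '%q' "${WORKTREE}")" EXIT` keeps the removal robust. The two `echo -e "\n HEAD: $(cat ...)"` lines load each report into an argument only to print it; `printf '\n HEAD:\n'; cat "${KUBE_TEMP}/head.txt"` is simpler and reproduces the report byte for byte. If `init.sh` already sources `hack/lib/util.sh`, the second `source` line is redundant and can go.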