forked from tianon/gosu
-
Notifications
You must be signed in to change notification settings - Fork 0
/
govulncheck-with-excludes.sh
executable file
·89 lines (78 loc) · 2.1 KB
/
govulncheck-with-excludes.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#!/usr/bin/env bash
set -Eeuo pipefail
# a wrapper / replacement for "govulncheck" which allows for excluding vulnerabilities
# (https://github.com/golang/go/issues/59507)
excludeVulns="$(jq -nc '[
# fixed in Go 1.20.5+
# https://pkg.go.dev/vuln/GO-2023-1840
# we already mitigate setuid in our code
"GO-2023-1840", "CVE-2023-29403",
# (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883)
empty # trailing comma hack (makes diffs smaller)
]')"
export excludeVulns
if ! command -v govulncheck > /dev/null; then
govulncheck() {
local user; user="$(id -u):$(id -g)"
local args=(
--rm --interactive --init
--user "$user"
--env HOME=/tmp
--env GOPATH=/tmp/go
--volume govulncheck:/tmp
--env CGO_ENABLED=0
--mount "type=bind,src=$PWD,dst=/wd,ro"
--workdir /wd
"${GOLANG_IMAGE:-golang:latest}"
sh -euc '
# https://github.com/golang/vuln/releases
# (pinning version to avoid format changes like https://github.com/tianon/gosu/issues/144 surprising us unexpectedly)
go install golang.org/x/vuln/cmd/govulncheck@v1.1.2 > /dev/null
exec "$GOPATH/bin/govulncheck" "$@"
' --
)
docker run "${args[@]}" "$@"
}
fi
if out="$(govulncheck "$@")"; then
printf '%s\n' "$out"
exit 0
fi
json="$(govulncheck -json "$@")"
vulns="$(jq <<<"$json" -cs '
(
map(
.osv // empty
| { key: .id, value: . }
)
| from_entries
) as $meta
# https://github.com/tianon/gosu/issues/144
| map(
.finding // empty
# https://github.com/golang/vuln/blob/3740f5cb12a3f93b18dbe200c4bcb6256f8586e2/internal/scan/template.go#L97-L104
| select((.trace[0].function // "") != "")
| .osv
)
| unique
| map($meta[.])
')"
if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then
printf '%s\n' "$out"
exit 1
fi
filtered="$(jq <<<"$vulns" -c '
(env.excludeVulns | fromjson) as $exclude
| map(select(
.id as $id
| $exclude | index($id) | not
))
')"
text="$(jq <<<"$filtered" -r 'map("- \(.id) (aka \(.aliases | join(", ")))\n\n\t\(.details | gsub("\n"; "\n\t"))") | join("\n\n")')"
if [ -z "$text" ]; then
printf 'No vulnerabilities found.\n'
exit 0
else
printf '%s\n' "$text"
exit 1
fi