diff --git a/.gitignore b/.gitignore
index 14ed70c2..124ac248 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,5 @@ TODO
 # Virtual go & fuse
 .virtualgo
 .fuse_hidden*
+
+gosec-report.sarif
diff --git a/Makefile b/Makefile
index d4b5f489..4c9c8d39 100644
--- a/Makefile
+++ b/Makefile
@@ -82,6 +82,14 @@ generate: $(VGOPATH) $(CONTROLLER_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(HELM) $(M
 @REPO_ROOT=$(REPO_ROOT) VGOPATH=$(VGOPATH) GARDENER_HACK_DIR=$(GARDENER_HACK_DIR) bash $(GARDENER_HACK_DIR)/generate-sequential.sh ./charts/... ./cmd/... ./pkg/...
 $(MAKE) format
 
+.PHONY: sast
+sast: $(GOSEC)
+ @./hack/sast.sh
+
+.PHONY: sast-report
+sast-report: $(GOSEC)
+ @./hack/sast.sh --gosec-report true
+
 .PHONY: format
 format: $(GOIMPORTS) $(GOIMPORTSREVISER)
 @bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg
@@ -99,7 +107,7 @@ test-clean:
 @bash $(GARDENER_HACK_DIR)/test-cover-clean.sh
 
 .PHONY: verify
-verify: check format test
+verify: check format sast test
 
 .PHONY: verify-extended
-verify-extended: check-generate check format test-cov test-clean
+verify-extended: check-generate check format sast-report test-cov test-clean
diff --git a/hack/sast.sh b/hack/sast.sh
new file mode 100755
index 00000000..24d834a9
--- /dev/null
+++ b/hack/sast.sh
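Review bot: The new `sast` and `sast-report` targets declare `$(GOSEC)` as a prerequisite, yet the script they run calls a bare `gosec` from PATH (see the sast.sh hunk below), so the binary Make just ensured is present is not necessarily the one that performs the scan. If `$(GOSEC)` resolves to a tools directory outside PATH (its definition is not in this diff), the scan could silently use a different or older gosec, or fail with "command not found" even though the prerequisite was satisfied. Consider making the recipe use the pinned tool explicitly, e.g. `@PATH="$(dir $(abspath $(GOSEC))):$$PATH" ./hack/sast.sh`, and the same for the `sast-report` recipe line.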
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"
+
+gosec_report="false"
+gosec_report_parse_flags=""
+
+parse_flags() {
+ while test $# -gt 1; do
+ case "$1" in
+ --gosec-report)
+ shift; gosec_report="$1"
+ ;;
+ *)
+ echo "Unknown argument: $1"
+ exit 1
+ ;;
+ esac
+ shift
+ done
+}
+
+parse_flags "$@"
+
+echo "> Running gosec"
+gosec --version
+if [[ "$gosec_report" != "false" ]]; then
+ echo "Exporting report to $root_dir/gosec-report.sarif"
+ gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
+fi
+
+# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf
+# which create lots of G103 (CWE-242: Use of unsafe calls should be audited) & G104 (CWE-703: Errors unhandled) errors.
+# However, those generators are best-pratice in Kubernetes environment and their results are tested well.
+# Thus, generated code is excluded from gosec scan.
+# Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
+# is excluded too. It does not contain productive code anyway.
+
+# shellcheck disable=SC2086
+gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
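Review bot: `parse_flags` loops only `while test $# -gt 1`, so the final argument is never inspected: an unknown single flag such as `--foo` is accepted silently instead of reaching the `Unknown argument` branch, and `--gosec-report` given without a value is dropped rather than rejected. Changing the condition to `while test $# -gt 0; do` and reading the value as `shift; gosec_report="${1:?--gosec-report requires a value}"` gives the strictness the `*)` branch already intends. Separately, the message announces `$root_dir/gosec-report.sarif`, but the report is written to `-out=gosec-report.sarif` relative to the current directory and `./...` is scanned from there, while `root_dir` is never used to change directory; run from anywhere but the repo root, both the scan scope and the report location differ from what is printed, so either `cd "$root_dir"` before the `gosec` invocation or pass `-out="$root_dir/gosec-report.sarif"`.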