From e87f9e6a0a62a55cfd916ad5d298e95f1bdb5a49 Mon Sep 17 00:00:00 2001
From: "Bo-Yi.Wu"
Date: Sun, 11 Sep 2022 09:29:08 +0800
Subject: [PATCH 1/3] chore(security): Go Vulnerability Management

Signed-off-by: Bo-Yi.Wu
---
 .drone.yml | 10 ++++++++++
 Makefile | 6 ++++++
 2 files changed, 16 insertions(+)

diff --git a/.drone.yml b/.drone.yml
index e035f57af98e1..5a035cc90c8a0 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -39,6 +39,16 @@ steps:
       - make lint-frontend
     depends_on: [deps-frontend]
 
+  - name: security-check
+    image: golang:1.18
+    pull: always
+    commands:
+      - make security-check
+    depends_on: [deps-backend]
+    volumes:
+      - name: deps
+        path: /go
+
   - name: lint-backend
     image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
     pull: always
diff --git a/Makefile b/Makefile
index 3662e836aa441..3cf311cd2806f 100644
--- a/Makefile
+++ b/Makefile
@@ -35,6 +35,7 @@ MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/misspell@v0.3.4
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.0
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.3.0
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@latest
 
 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
@@ -728,6 +729,10 @@ generate-go: $(TAGS_PREREQ)
 	@echo "Running go generate..."
 	@CC= GOOS= GOARCH= $(GO) generate -tags '$(TAGS)' $(GO_PACKAGES)
 
+.PHONY: security-check
+security-check:
+	$(GOVULNCHECK_PACKAGE) -v ./...
+
 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
 
@@ -813,6 +818,7 @@ deps-backend:
 	$(GO) install $(SWAGGER_PACKAGE)
 	$(GO) install $(XGO_PACKAGE)
 	$(GO) install $(GO_LICENSES_PACKAGE)
+	$(GO) install $(GOVULNCHECK_PACKAGE)
 
 node_modules: package-lock.json
 	npm install --no-save

From dbaa18d5a119cab496da8b7436691a21e77b02bc Mon Sep 17 00:00:00 2001
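Review bot: The new `security-check` step carries no comment saying what it gates or why it runs in a plain `golang:1.18` image rather than the `gitea/test_env` image the neighbouring `lint-backend` step uses; a reader has to work out that the `deps` volume mounted at `/go` is what makes the `govulncheck` binary installed by `deps-backend` visible here. I would put `# govulncheck, installed by deps-backend into the shared /go volume, fails this step (and the pipeline) on any reachable known vulnerability` above `- name: security-check`. As far as I know govulncheck also evaluates standard-library advisories against the toolchain it runs under, so the image tag should track the Go version the project actually builds with, otherwise findings (or their absence) describe a toolchain nobody ships; a one-line comment on the `image:` key stating that coupling would keep the next bump from being forgotten.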
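Review bot: `GOVULNCHECK_PACKAGE` is pinned to `@latest` while the adjacent `MISSPELL_PACKAGE`, `SWAGGER_PACKAGE` and `GO_LICENSES_PACKAGE` pin an exact version; because `deps-backend` runs `$(GO) install` on it in CI, every pipeline silently pulls whatever was most recently published, so the scanner's behaviour and exit status can change between two otherwise identical runs and a compromised or broken release lands in CI unreviewed. Pinning a concrete version (a pseudo-version if no tagged release exists yet) keeps this dependency as reproducible and reviewable as the others, e.g. `GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@<pinned version>  # bump deliberately, this tool gates CI`. `XGO_PACKAGE` already uses `@latest`, so if an unpinned scanner is the intended policy a comment saying so would settle the question at the next review.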
From: "Bo-Yi.Wu"
Date: Sun, 11 Sep 2022 11:54:22 +0800
Subject: [PATCH 2/3] chore: switch to go1.19

Signed-off-by: Bo-Yi.Wu
---
 .drone.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.drone.yml b/.drone.yml
index 5a035cc90c8a0..95d40324133f4 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -40,7 +40,7 @@ steps:
     depends_on: [deps-frontend]
 
   - name: security-check
-    image: golang:1.18
+    image: golang:1.19
     pull: always
     commands:
       - make security-check

From 729573a06428f370c44eb0dd037914b2c38249f5 Mon Sep 17 00:00:00 2001
From: "Bo-Yi.Wu"
Date: Sun, 11 Sep 2022 11:59:39 +0800
Subject: [PATCH 3/3] fix: govulncheck command

Signed-off-by: Bo-Yi.Wu
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 3cf311cd2806f..e258ac748fea4 100644
--- a/Makefile
+++ b/Makefile
@@ -731,7 +731,7 @@ generate-go: $(TAGS_PREREQ)
 .PHONY: security-check
 security-check:
-	$(GOVULNCHECK_PACKAGE) -v ./...
+	govulncheck -v ./...
 
 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
 
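Review bot: The new recipe `govulncheck -v ./...` relies on a `govulncheck` binary being on `PATH`; in CI that holds only because `deps-backend` ran `$(GO) install` into the shared `/go` volume, and a developer running `make security-check` on a clean checkout gets `command not found` instead of a useful failure, while nothing in the target refers back to the `GOVULNCHECK_PACKAGE` variable that pins the tool. If the file's other tool targets invoke their package through `$(GO) run $(PKG)` (they are outside this hunk, so I can't confirm), the same form here, `$(GO) run $(GOVULNCHECK_PACKAGE) -v ./...`, removes the `PATH` dependency and keeps the version in one place; otherwise the target should at least document that `deps-backend` must run first. The target also deserves a comment such as `# reports known vulnerabilities reachable from this module; a non-zero exit on any finding fails the build` and, as far as I know the tool fetches its advisory database over the network, a note that an offline run fails for reasons unrelated to the code.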