Fix govulncheck wrapper + run govulncheck on latest release periodica…

…lly too

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
   push:
   schedule:
     - cron: 0 0 * * 0
+  workflow_dispatch:
 
 defaults:
   run:
@@ -25,13 +26,8 @@ jobs:
       - run: docker build --pull --file hub/Dockerfile.alpine hub
       - run: docker build --pull --file hub/Dockerfile.debian hub
 
-      - uses: actions/setup-go@v4
-        with:
-          go-version: 1.18
-      # https://github.com/golang/vuln/commits/master
-      # https://github.com/golang/vuln/releases
-      # https://github.com/golang/vuln/tags
-      - run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.4
-      # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.1/go.mod#L3)
-
-      - run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done
+      - name: govulncheck
+        run: |
+          for gosu in gosu-*; do
+            ./govulncheck-with-excludes.sh -mode=binary "$gosu"
+          done

.github/workflows/release.yml

@@ -0,0 +1,52 @@
+name: Release
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/release.yml'
+      - 'govulncheck-with-excludes.sh'
+  push:
+    paths:
+      - '.github/workflows/release.yml'
+      - 'govulncheck-with-excludes.sh'
+  schedule:
+    - cron: 0 0 * * 0
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+  test:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: download
+        run: |
+          # find and download the latest release for testing
+          tags="$(git ls-remote --tags https://github.com/tianon/gosu.git | cut -d/ -f3 | cut -d^ -f1 | sort -urV)"
+          for tag in $tags; do
+            echo "checking $tag ..."
+            url="https://github.com/tianon/gosu/releases/download/$tag"
+            if wget -O SHA256SUMS "$url/SHA256SUMS" && [ -s SHA256SUMS ]; then
+              files="$(grep -oE '[ *]gosu-[^.]+$' SHA256SUMS | grep -oE 'gosu-.*$')"
+              for file in $files; do
+                wget -O "$file" "$url/$file"
+              done
+              if grep -E '[ *]gosu-[^.]+$' SHA256SUMS | sha256sum --strict --check -; then
+                echo "success with $tag !"
+                exit 0
+              fi
+            fi
+          done
+
+          echo >&2 'error: failed to find latest release'
+
+      - name: govulncheck
+        run: |
+          for gosu in gosu-*; do
+            ./govulncheck-with-excludes.sh -mode=binary "$gosu"
+          done

govulncheck-with-excludes.sh

@@ -9,7 +9,7 @@ excludeVulns="$(jq -nc '[
 	# fixed in Go 1.20.5+
 	# https://pkg.go.dev/vuln/GO-2023-1840
 	# we already mitigate setuid in our code
-	#"GO-2023-1840", "CVE-2023-29403",
+	"GO-2023-1840", "CVE-2023-29403",
 	# (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883)
 
 	empty # trailing comma hack (makes diffs smaller)
@@ -30,7 +30,9 @@ if ! command -v govulncheck > /dev/null; then
 			--workdir /wd
 			"${GOLANG_IMAGE:-golang:latest}"
 			sh -euc '
-				go install golang.org/x/vuln/cmd/govulncheck@latest > /dev/null
+				# https://github.com/golang/vuln/releases
+				# (pinning version to avoid format changes like https://github.com/tianon/gosu/issues/144 surprising us unexpectedly)
+				go install golang.org/x/vuln/cmd/govulncheck@v1.1.2 > /dev/null
 				exec "$GOPATH/bin/govulncheck" "$@"
 			' --
 		)
@@ -45,7 +47,24 @@ fi
 
 json="$(govulncheck -json "$@")"
 
-vulns="$(jq <<<"$json" -cs 'map(select(has("osv")) | .osv)')"
+vulns="$(jq <<<"$json" -cs '
+	(
+		map(
+			.osv // empty
+			| { key: .id, value: . }
+		)
+		| from_entries
+	) as $meta
+	# https://github.com/tianon/gosu/issues/144
+	| map(
+		.finding // empty
+		# https://github.com/golang/vuln/blob/3740f5cb12a3f93b18dbe200c4bcb6256f8586e2/internal/scan/template.go#L97-L104
+		| select((.trace[0].function // "") != "")
+		| .osv
+	)
+	| unique
+	| map($meta[.])
+')"
 if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then
 	printf '%s\n' "$out"
 	exit 1