diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 2a1917eebe..6b7045dc0c 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -29,4 +29,4 @@ jobs:
         with:
           go-version: ${{ steps.vars.outputs.go_version }}
       - name: Run verify container script
-        run: make verify-container-images
+        run: make verify-container-images verify-govulncheck
diff --git a/Makefile b/Makefile
index 516b859531..bed7f3d798 100644
--- a/Makefile
+++ b/Makefile
@@ -149,6 +149,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/golangci-lint.yaml | grep [[:
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
 GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint
 
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK_VER := v1.0.0
+GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
+GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck
+
 GOVC_VER := $(shell cat go.mod | grep "github.com/vmware/govmomi" | awk '{print $$NF}')
 GOVC_BIN := govc
 GOVC := $(abspath $(TOOLS_BIN_DIR)/$(GOVC_BIN)-$(GOVC_VER))
@@ -370,6 +375,14 @@ verify-boilerplate: ## Verify boilerplate text exists in each file
 verify-container-images: ## Verify container images
 	TRACE=$(TRACE) ./hack/verify-container-images.sh
 
+.PHONY: verify-govulncheck
+verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
+	$(GOVULNCHECK) ./...
+
+.PHONY: verify-vulnerabilities
+verify-vulnerabilities: ## Verify code and images for vulnerabilities
+	TRACE=$(TRACE) ./hack/verify-vulnerabilities.sh
+
 ## --------------------------------------
 ## Build
 ## --------------------------------------
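Review bot: Passing both goals to a single `make` call means a finding in `verify-container-images` stops make before `verify-govulncheck` runs, so a failing CI run reports only the first scanner's result and the second has to be discovered on the next push. The commit itself adds a `verify-vulnerabilities` target whose script runs both scans and exits non-zero if either failed, which looks like what this step wants; `run: make verify-vulnerabilities` (or `run: make -k verify-container-images verify-govulncheck`) would surface both reports in one run. Note as well that govulncheck consults the live Go vulnerability database at run time, so this job can begin failing without any change to the repository; that is the desired behaviour for a gate, but worth a comment on the step so the first such failure is not mistaken for a flake.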
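Review bot: The `verify-govulncheck` recipe runs `$(GOVULNCHECK) ./...`, which analyses only the module rooted at the working directory; if the repository carries nested modules (a separate test module, for example), they are not scanned and would need their own invocation or a loop over module directories — worth confirming against the tree. The `##` help text could also say what the scan actually depends on: `GOVULNCHECK_VER` (hunk at line 149) pins the tool binary, but the findings come from the live vulnerability database, so results can change with no code change; e.g. `verify-govulncheck: $(GOVULNCHECK) ## Scan the Go module against the live Go vulnerability database (results may change without a code change)`. Consider `export GOFLAGS` or an explicit `-test` decision in the recipe only if the project wants test dependencies covered; as written the default scan scope is left implicit.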
@@ -714,6 +727,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
 .PHONY: $(GOLANGCI_LINT_BIN)
 $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.
 
+.PHONY: $(GOVULNCHECK_BIN)
+$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.
+
 .PHONY: $(GOVC_BIN)
 $(GOVC_BIN): $(GOVC) ## Build a local copy of govc.
@@ -760,6 +776,9 @@ $(GINKGO): # Build ginkgo.
 $(GOLANGCI_LINT): # Build golangci-lint.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
 
+$(GOVULNCHECK): # Build govulncheck.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 $(GOVC): # Build GOVC.
 	CGO_ENABLED=0 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVC_PKG) $(GOVC_BIN) $(GOVC_VER)
diff --git a/hack/verify-vulnerabilities.sh b/hack/verify-vulnerabilities.sh
new file mode 100755
index 0000000000..dd73bc3aec
--- /dev/null
+++ b/hack/verify-vulnerabilities.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+if [[ "${TRACE-0}" == "1" ]]; then
+  set -o xtrace
+fi
+
+# Scan the images
+make verify-container-images && R1=$? || R1=$?
+make verify-govulncheck && R2=$? || R2=$?
+
+echo ""
+BRed='\033[1;31m'
+BGreen='\033[1;32m'
+NC='\033[0m' # No
+
+if [ "$R1" -ne "0" ] || [ "$R2" -ne "0" ]
+then
+  echo -e "${BRed}Check for vulnerabilities failed! There are vulnerability to be fixed${NC}"
+  exit 1
+fi
+
+echo -e "${BGreen}Check for vulnerabilities passed! No vulnerability found${NC}"
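Review bot: The comment `# Scan the images` above the two `make` calls is out of date — the second call scans the Go module, not images; `# Run both scans and record each exit status so one failure does not hide the other` describes what the lines do and why both are allowed to run. The `cmd && R1=$? || R1=$?` form works under `set -o errexit` but reads as a puzzle; `R1=0; make verify-container-images || R1=$?` says the same thing plainly. When this script is launched from the `verify-vulnerabilities` recipe, the nested literal `make` calls are not recognised as recursive make, so the parent's jobserver is not shared and `make -n verify-vulnerabilities` only prints the recipe; reading `${MAKE:-make}` here and passing `MAKE='$(MAKE)'` in the recipe's environment keeps the chain intact. Two wording nits in the new text: the failure message should read `There are vulnerabilities to be fixed`, and the trailing comment on the `NC` line looks cut off (`# No`, presumably `# No Color`), though that is hard to tell from the collapsed diff.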