From 7924e3134345adf9343fdf0560f4c56f196622a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Henrique=20Guard=C3=A3o=20Gandarez?=
Date: Wed, 2 Aug 2023 21:45:25 -0300
Subject: [PATCH] Add govulncheck-with-excludes.sh wrapper script
---
 .github/workflows/on_push.yml | 3 +-
 Makefile | 5 +++
 bin/govulncheck-with-excludes.sh | 67 ++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100755 bin/govulncheck-with-excludes.sh
diff --git a/.github/workflows/on_push.yml b/.github/workflows/on_push.yml
index c3e4b76e..ffe3dd66 100644
--- a/.github/workflows/on_push.yml
+++ b/.github/workflows/on_push.yml
@@ -40,7 +40,7 @@ jobs: skip-cache: true - name: Vulnerability scan - run: make vulncheck + run: make vulncheck-with-excludes - name: Coverage uses: codecov/codecov-action@v2
@@ -189,6 +189,7 @@ jobs: uses: ludeeus/action-shellcheck@master with: ignore_paths: 'bin/tests/libs' + ignore_names: govulncheck-with-excludes.sh - name: Setup bats uses: mig4/setup-bats@v1
diff --git a/Makefile b/Makefile
index 20f790b8..c712d085 100644
--- a/Makefile
+++ b/Makefile
@@ -146,6 +146,11 @@ vulncheck: go install golang.org/x/vuln/cmd/govulncheck@latest govulncheck ./... +.PHONY: vulncheck-with-excludes +vulncheck-with-excludes: + go install golang.org/x/vuln/cmd/govulncheck@latest + ./bin/govulncheck-with-excludes.sh ./... + .PHONY: test test: go test -race -covermode=atomic -coverprofile=coverage.out ./...
diff --git a/bin/govulncheck-with-excludes.sh b/bin/govulncheck-with-excludes.sh
new file mode 100755
index 00000000..b0a8e4b0
--- /dev/null
+++ b/bin/govulncheck-with-excludes.sh
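Review bot: `ignore_names: govulncheck-with-excludes.sh` in the second on_push.yml hunk switches shellcheck off for the entire new script instead of for the one finding that presumably motivated it; the likely trigger is the single-quoted `sh -euc '... "$@"'` body in the script (SC2016, variables in single quotes), which is intentional there. A file-level exclusion also hides any future real finding in a script that wraps `docker run` and feeds jq filters from an environment variable, which is exactly where a quoting mistake would matter. Prefer an in-file directive on the offending line, `# shellcheck disable=SC2016`, and drop the `ignore_names` entry so the rest of the script keeps being linted. The workflow job this step belongs to starts outside the hunk.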
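Review bot: The new `vulncheck-with-excludes` target copies the unpinned `go install golang.org/x/vuln/cmd/govulncheck@latest` line from `vulncheck`, so CI now resolves, downloads and builds whatever the newest govulncheck release is on every push, and a breaking release or a compromised upstream lands in the pipeline immediately with nothing to diff against. Pin the tool version in the new target, `go install golang.org/x/vuln/cmd/govulncheck@<pinned tag>` (ideally the same tag in both targets), and consider factoring the install into one shared prerequisite target so the two targets cannot drift apart. Note the wrapper script falls back to a `docker run` install only when no `govulncheck` is on `PATH`, so this Makefile line is what decides which binary CI actually runs.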
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# a wrapper / replacement for "govulncheck" which allows for excluding vulnerabilities
+# (https://github.com/golang/go/issues/59507)
+
+excludeVulns="$(jq -nc '[
+
+ # https://pkg.go.dev/vuln/GO-2023-1987
+ "GO-2023-1987",
+
+ empty # trailing comma hack (makes diffs smaller)
+]')"
+export excludeVulns
+
+if ! command -v govulncheck > /dev/null; then
+ govulncheck() {
+ local user; user="$(id -u):$(id -g)"
+ local args=(
+ --rm --interactive --init
+ --user "$user"
+ --env HOME=/tmp
+ --env GOPATH=/tmp/go
+ --volume govulncheck:/tmp
+ --env CGO_ENABLED=0
+ --mount "type=bind,src=$PWD,dst=/wd,ro"
+ --workdir /wd
+ "${GOLANG_IMAGE:-golang:latest}"
+ sh -euc '
+ go install golang.org/x/vuln/cmd/govulncheck@latest > /dev/null
+ exec "$GOPATH/bin/govulncheck" "$@"
+ ' --
+ )
+ docker run "${args[@]}" "$@"
+ }
+fi
+
+if out="$(govulncheck "$@")"; then
+ printf '%s\n' "$out"
+ exit 0
+fi
+
+json="$(govulncheck -json "$@")"
+
+vulns="$(jq <<<"$json" -cs 'map(select(has("osv")) | .osv)')"
+if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then
+ printf '%s\n' "$out"
+ exit 1
+fi
+
+filtered="$(jq <<<"$vulns" -c '
+ (env.excludeVulns | fromjson) as $exclude
+ | map(select(
+ .id as $id
+ | $exclude | index($id) | not
+ ))
+')"
+
+text="$(jq <<<"$filtered" -r 'map("- \(.id) (aka \(.aliases | join(", ")))\n\n\t\(.details | gsub("\n"; "\n\t"))") | join("\n\n")')"
+
+if [ -z "$text" ]; then
+ printf 'No vulnerabilities found.\n'
+ exit 0
+else
+ printf '%s\n' "$text"
+ exit 1
+fi
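Review bot: Advisories matched by `excludeVulns` are dropped silently in the `filtered=` jq pipeline, so the CI log from this wrapper looks the same whether GO-2023-1987 was absent or suppressed, and the list entry itself carries only the advisory URL — not why it is believed not to apply to this code or when the exclusion should be revisited. Print the suppressed IDs to stderr (so `$text` stays clean) and require a one-line justification next to each ID, e.g. `# not reachable from our code: <reason>; revisit when <condition>`. Separately, `govulncheck -json` appears to emit an `osv` record for every advisory in the module graph, while the text mode only fails on reachable ones; if that holds, the `vulns=` filter can fail the build on an unreachable, non-excluded advisory once the reachable one is excluded, which is worth confirming against the JSON schema of the govulncheck version CI installs.
```shell
# … unchanged: filtered= jq pipeline …

# Surface what the exclude list suppressed so the suppression is visible in the CI log.
excluded="$(jq <<<"$vulns" -r '
	(env.excludeVulns | fromjson) as $exclude
	| map(select(.id as $id | $exclude | index($id))) | map(.id) | join(", ")
')"
if [ -n "$excluded" ]; then
	printf 'govulncheck: suppressed by excludeVulns: %s\n' "$excluded" >&2
fi

# … unchanged: text= rendering and exit …
```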