Comparing changes
base repository: Templum/govulncheck-action
base: v0.0.6
head repository: Templum/govulncheck-action
compare: main

Commits on Nov 16, 2022

  1. 👽 ✨ Adjusted Action to work with new Report Format (#15)

    * 🔧 Allow setting Debug via ENV for debugging
    
    * 🔊 Added additional logs prior conversion
    
    * 🙈 Investigate missing callsites
    
    * minor
    
    * ✨ Allowing exporting raw report
    
    * ⏪ Revert unneeded changes
    
    * 🔥 Removed unused files
    
    * 🧐 Uploaded new JSON Format
    
    * ⬆️ Updated Modules
    
    * ✨ Exposing raw-report in DEBUG mode
    
    * 👽 Reacting to govulncheck json report change
    
    * 🐛 Fixing Format issue
    
    * ✅ Adjusted Test
    
    * 📝 Updated Limitations
    
    * 🧐 Updated Data
    
    * ✨ Handling Direct Calls & Imports
    
    * ✅ Adjusted Tests to new data
    
    * 🔥 Removed unused Type
    
    * ♻️ Added back text + mark down
    
    * 📝 Adjusted Documentation
    
    Hopefully this makes clear where results are located
    
    * ♻️ Adjusted Filename Handling
    
    * 🍱 Taking uncompressed files
    Templum authored Nov 16, 2022

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    d00d03e

Commits on Nov 17, 2022

  1. ✨ 🐛 Reading Go Runtime Details from GOENV (#17)

    * ✨ Reading Go Runtime Infos
    
    To avoid reading the runtime information of the compiled code vs the real one used by govulncheck
    
    * ♻️ Streamlined Function
    
    * ✅ Added test
    Templum authored Nov 17, 2022

    Verified
    f115ae3
  2. Verified
    bb12e61
  3. 📝 Added New Configuration Examples (#18)

    Including a Debug one, should allow people to be redirected to
    Templum authored Nov 17, 2022

    Verified
    4b43f32

Commits on Jan 9, 2023

  1. ✨ Implement support for private deps via GOPRIVATE & GH PAT (#21)

    * ✨ Defined Build Args
    
    * ✨ Passing args from ENV
    
    * 🔧 Escaping
    
    * Issue with escaping
    
    * 🔧 Moved config to correct place
    
    * ✨ Just wanting Token now
    
    * 🐛 Using add flag
    
    * 🐛 Corrected default value type
    
    * 🐛 Mixed up states
    
    * 🚧 Investigate weird behaviour
    
    * 🚧 Print GOPRIVATE
    
    * 🐛 Using correct config override
    
    * ✨ Finalized Feature
    
    * 📝 Documented feature
    
    * 📝 Added missing link
    Templum authored Jan 9, 2023

    Verified
    3967a17

Commits on Jan 11, 2023

  1. 👷 Implement Integration Test (#22)

    * 👷 Started assembling integration test pipeline
    
    * 🔧 Setup for testing
    
    * 🔧 Selected correct report
    
    * ✅ Added Bash based Integration Test
    
    * 🔧 Added Schedule (every 3 days at 22.00)
    
    * Minor Name adjustment
    
    * 🔧 Removed test branch as implementation concluded
    Templum authored Jan 11, 2023

    Verified
    dfb34f5

Commits on Jan 27, 2023

  1. ⬆️ Bump github.com/rs/zerolog from 1.28.0 to 1.29.0 (#23)

    Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.28.0 to 1.29.0.
    - [Release notes](https://github.com/rs/zerolog/releases)
    - [Commits](rs/zerolog@v1.28.0...v1.29.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/rs/zerolog
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jan 27, 2023

    Verified
    45455fd

Commits on Feb 18, 2023

  1. ⬆️ Updated Golang to 1.20.0 (#25)

    * 🧑‍💻 Upgraded devcontainer to 1.20
    
    * 🔧 Updated Github Flows to 1.20
    
    * ⬆️ 💡 Golang to 1.20
    
    Also added some clarifying comments
    
    * 👽 Updated Config to honour new spec
    Templum authored Feb 18, 2023

    Verified
    df3c331

Commits on Feb 25, 2023

  1. ⬆️ Bump golang.org/x/oauth2 (#26)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.0.0-20220909003341-f21342109be1 to 0.5.0.
    - [Release notes](https://github.com/golang/oauth2/releases)
    - [Commits](https://github.com/golang/oauth2/commits/v0.5.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Feb 25, 2023

    Verified
    054eeba

Commits on Feb 27, 2023

  1. ⬆️ Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#27)

    Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.1 to 1.8.2.
    - [Release notes](https://github.com/stretchr/testify/releases)
    - [Commits](stretchr/testify@v1.8.1...v1.8.2)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/stretchr/testify
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Feb 27, 2023

    Verified
    761d076

Commits on Mar 6, 2023

  1. ⬆️ Bump golang.org/x/oauth2 from 0.5.0 to 0.6.0 (#28)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.5.0 to 0.6.0.
    - [Release notes](https://github.com/golang/oauth2/releases)
    - [Commits](golang/oauth2@v0.5.0...v0.6.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Mar 6, 2023

    Verified
    0343751

Commits on Mar 16, 2023

  1. ⬆️ Bump actions/setup-go from 3 to 4 (#29)

    Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
    - [Release notes](https://github.com/actions/setup-go/releases)
    - [Commits](actions/setup-go@v3...v4)
    
    ---
    updated-dependencies:
    - dependency-name: actions/setup-go
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Mar 16, 2023

    Verified
    b61c13d

Commits on Mar 21, 2023

  1. ⬆️ Bump github.com/owenrumney/go-sarif/v2 from 2.1.2 to 2.1.3 (#30)

    Bumps [github.com/owenrumney/go-sarif/v2](https://github.com/owenrumney/go-sarif) from 2.1.2 to 2.1.3.
    - [Release notes](https://github.com/owenrumney/go-sarif/releases)
    - [Changelog](https://github.com/owenrumney/go-sarif/blob/main/.goreleaser.yml)
    - [Commits](owenrumney/go-sarif@v2.1.2...v2.1.3)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/owenrumney/go-sarif/v2
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Mar 21, 2023

    Verified
    3a015a8
  2. 🐛 👽 Updated action to work with latest json format (#32)

    * 👽 Adjusted code to handle new json report format
    
    * 🍱 Updated static sample data
    
    * 🔥 Removed unused sample data
    
    * 👽 Adjusted to work with new json format
    
    * 💥 Specified a specific govulncheck version instead of latest
    
    * 🗃️ ✅ Using Report from playground
    Templum authored Mar 21, 2023

    Verified
    af8ff86

Commits on Apr 7, 2023

  1. ⬆️ Bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 (#35)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.6.0 to 0.7.0.
    - [Release notes](https://github.com/golang/oauth2/releases)
    - [Commits](golang/oauth2@v0.6.0...v0.7.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Apr 7, 2023

    Verified
    5140ea8

Commits on Apr 11, 2023

  1. 👽 Added support for the new JSON Format (#34)

    * 🙈 Added raw report to ignore
    
    * 📝 Moved warning to latest usage location
    
    * 👽 Adjusted coding to work with new JSON Stream format
    
    * 🧑‍💻 Added Github Actions Extension
    
    * ✅ Running Integration Tests for PRs
    
    * 🔧 Updated the default version to latest
    
    * ♻️ Refactored local execution
    
    Instead of a separate class, a function is now leveraged.
    
    * 🍱 Replaced static data with new format
    
    * 💚 Using path.join for access of static data
    
    * 🐛 Fixed Path issue for Local vs Testing
    Templum authored Apr 11, 2023

    Verified
    a5f05f9

Commits on Apr 20, 2023

  1. ⬆️ Bump github.com/rs/zerolog from 1.29.0 to 1.29.1 (#36)

    Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.29.0 to 1.29.1.
    - [Release notes](https://github.com/rs/zerolog/releases)
    - [Commits](rs/zerolog@v1.29.0...v1.29.1)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/rs/zerolog
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Apr 20, 2023

    Verified
    7c461dd

Commits on Apr 25, 2023

  1. ⬆️ 📌 Update & Pinned govulncheck to 0.1.0 (#38)

    * ⬆️ 📌 Update & Pinned govulncheck to 0.1.0
    
    * 🐛 Added missing ARG in Devcontainer
    Templum authored Apr 25, 2023

    Verified
    435a35e

Commits on May 12, 2023

  1. ⬆️ Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0 (#39)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.7.0 to 0.8.0.
    - [Commits](golang/oauth2@v0.7.0...v0.8.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored May 12, 2023

    Verified
    3872d5c

Commits on May 18, 2023

  1. ⬆️ Bump github.com/owenrumney/go-sarif/v2 from 2.1.3 to 2.2.0 (#40)

    * ⬆️ Bump github.com/owenrumney/go-sarif/v2 from 2.1.3 to 2.2.0
    
    Bumps [github.com/owenrumney/go-sarif/v2](https://github.com/owenrumney/go-sarif) from 2.1.3 to 2.2.0.
    - [Release notes](https://github.com/owenrumney/go-sarif/releases)
    - [Changelog](https://github.com/owenrumney/go-sarif/blob/main/.goreleaser.yml)
    - [Commits](owenrumney/go-sarif@v2.1.3...v2.2.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/owenrumney/go-sarif/v2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * ✅ Corrected Test
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Templum <templum.dev@gmail.com>
    dependabot[bot] and Templum authored May 18, 2023

    Verified
    ee66b16

Commits on May 21, 2023

  1. ⬆️ Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#41)

    Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3.
    - [Release notes](https://github.com/stretchr/testify/releases)
    - [Commits](stretchr/testify@v1.8.2...v1.8.3)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/stretchr/testify
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored May 21, 2023

    Verified
    8bfebf3

Commits on May 30, 2023

  1. ⬆️ Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#42)

    Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.3 to 1.8.4.
    - [Release notes](https://github.com/stretchr/testify/releases)
    - [Commits](stretchr/testify@v1.8.3...v1.8.4)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/stretchr/testify
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored May 30, 2023

    Verified
    f1346a0

Commits on Jun 14, 2023

  1. ⬆️ Bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 (#43)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.8.0 to 0.9.0.
    - [Commits](golang/oauth2@v0.8.0...v0.9.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 14, 2023

    Verified
    c3dd6c8

Commits on Jul 7, 2023

  1. ⬆️ Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#44)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
    - [Commits](golang/oauth2@v0.9.0...v0.10.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jul 7, 2023

    Verified
    a7ffe00

Commits on Jul 18, 2023

  1. 📌 Pinned defaults to latest govulncheck (1.0) and golang 1.20.6 (#46)

    * 📌 Pinned latest version of Golang & Govulncheck
    
    There is a special issue with GitHub Actions where 1.20 is parsed as 1.2.
    Hence I leverage 1.20.6 to avoid that parsing issue.
    
    * 📌 Update default in dockerfile
    
    * 🧑‍💻 Update Devcontainer to defaults
    Templum authored Jul 18, 2023

    Verified
    80b479b
  2. Revert ":pushpin: Pinned default's to latest govulncheck (1.0) and golang 1.20.6 (#46)" (#47)
    
    This reverts commit 80b479b.
    Templum authored Jul 18, 2023

    Verified
    b711cfd

Commits on Jul 21, 2023

  1. 💥 👽 Adjusted code to vulncheck 1.0 (breaks with v0 code) (#48)

    * 📌 Pinned latest version of Golang & Govulncheck
    
    There is a special issue with GitHub Actions where 1.20 is parsed as 1.2.
    Hence I leverage 1.20.6 to avoid that parsing issue.
    
    * 📌 Update default in dockerfile
    
    * 🧑‍💻 Update Devcontainer to defaults
    
    * 💥 👽 Using 1.0.0 Format of vulncheck
    
    * ➖ Removed vuln as osv is internal now
    
    * 🍱 Took new sample
    
    * ✅ Fixed Tests
    
    * 🔧 Removed unused Test Explorer
    
    * ♻️ Renamed variable
    
    * ✨ version exposure of vuln to sarif
    Templum authored Jul 21, 2023

    Verified
    6bb063b
  2. 6dcc1fe

Commits on Jul 30, 2023

  1. Maintain major/minor tags (#49)

    * Maintain major/minor tags
    
    * Update tags trigger
    anton-yurchenko authored Jul 30, 2023

    Verified
    b6f7f55

Commits on Jul 31, 2023

  1. ⬆️ Bump github.com/rs/zerolog from 1.29.1 to 1.30.0 (#50)

    Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.29.1 to 1.30.0.
    - [Release notes](https://github.com/rs/zerolog/releases)
    - [Commits](rs/zerolog@v1.29.1...v1.30.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/rs/zerolog
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jul 31, 2023

    Verified
    1e6d787

Commits on Aug 7, 2023

  1. 👷 ✨ Integration Test that can run on (forked) PR (#52)

    * ✨ Implement Integration Test that can run on PR
    
    * 🔧 Removed Env & ensured deps installed
    
    * 🔧 correct values
    Templum authored Aug 7, 2023
    9d578d2
  2. ⬆️ Bump golang.org/x/oauth2 from 0.10.0 to 0.11.0 (#51)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.10.0 to 0.11.0.
    - [Commits](golang/oauth2@v0.10.0...v0.11.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Aug 7, 2023
    b06bf88

Commits on Sep 4, 2023

  1. ⬆️ Bump actions/checkout from 3 to 4 (#54)

    Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3...v4)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 4, 2023
    a3de984

Commits on Sep 7, 2023

  1. ⬆️ Bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 (#55)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.11.0 to 0.12.0.
    - [Commits](golang/oauth2@v0.11.0...v0.12.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 7, 2023
    f61f413

Commits on Sep 14, 2023

  1. ⬆️ Bump codecov/codecov-action from 3 to 4 (#56)

    Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3 to 4.
    - [Release notes](https://github.com/codecov/codecov-action/releases)
    - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
    - [Commits](codecov/codecov-action@v3...v4)
    
    ---
    updated-dependencies:
    - dependency-name: codecov/codecov-action
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 14, 2023
    d461ff0

Commits on Sep 26, 2023

  1. 7406d14
  2. ⬆️ Bump github.com/rs/zerolog from 1.30.0 to 1.31.0 (#58)

    Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.30.0 to 1.31.0.
    - [Release notes](https://github.com/rs/zerolog/releases)
    - [Commits](rs/zerolog@v1.30.0...v1.31.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/rs/zerolog
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 26, 2023
    09166f7

Commits on Sep 27, 2023

  1. ⬆️ Bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#57)

    Bumps [github.com/owenrumney/go-sarif/v2](https://github.com/owenrumney/go-sarif) from 2.2.0 to 2.2.2.
    - [Release notes](https://github.com/owenrumney/go-sarif/releases)
    - [Changelog](https://github.com/owenrumney/go-sarif/blob/main/.goreleaser.yml)
    - [Commits](owenrumney/go-sarif@v2.2.0...v2.2.2)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/owenrumney/go-sarif/v2
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Sep 27, 2023
    91b90a7

Commits on Oct 12, 2023

  1. ⬆️ Bump golang.org/x/net from 0.15.0 to 0.17.0 (#62)

    Bumps [golang.org/x/net](https://github.com/golang/net) from 0.15.0 to 0.17.0.
    - [Commits](golang/net@v0.15.0...v0.17.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/net
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Oct 12, 2023
    bdc45ba
  2. ⬆️ Bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (#61)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0.
    - [Commits](golang/oauth2@v0.12.0...v0.13.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Oct 12, 2023
    695737d
  3. ⬆️ Bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0 (#60)

    * ⬆️ Bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0
    
    Bumps [github.com/owenrumney/go-sarif/v2](https://github.com/owenrumney/go-sarif) from 2.2.2 to 2.3.0.
    - [Release notes](https://github.com/owenrumney/go-sarif/releases)
    - [Changelog](https://github.com/owenrumney/go-sarif/blob/main/.goreleaser.yml)
    - [Commits](owenrumney/go-sarif@v2.2.2...v2.3.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/owenrumney/go-sarif/v2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * ✅ Adjusted Test
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Simon <templum.dev@gmail.com>
    dependabot[bot] and Templum authored Oct 12, 2023
    4b75f8a

Commits on Nov 9, 2023

  1. ⬆️ Bump golang.org/x/oauth2 from 0.13.0 to 0.14.0 (#63)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.13.0 to 0.14.0.
    - [Commits](golang/oauth2@v0.13.0...v0.14.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Nov 9, 2023
    ec892db

Commits on Nov 21, 2023

  1. ⬆️ Bump golang from 1.20 to 1.21 (#53)

    * ⬆️ Bump golang from 1.20 to 1.21
    
    Bumps golang from 1.20 to 1.21.
    
    ---
    updated-dependencies:
    - dependency-name: golang
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    
    * 🔧 Updated default Golang Version to 1.21
    
    * 📌 Pinned 1.21 for Actions Pipeline
    
    * 🔧 Updated DevContainer
    
    * 🐛 Fixed Implementation for 1.21
    
    ---------
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Templum <templum.dev@gmail.com>
    dependabot[bot] and Templum authored Nov 21, 2023
    cd4addc

Commits on Nov 28, 2023

  1. ⬆️ Bump golang.org/x/oauth2 from 0.14.0 to 0.15.0 (#64)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.14.0 to 0.15.0.
    - [Commits](golang/oauth2@v0.14.0...v0.15.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Nov 28, 2023
    bbcbc94

Commits on Dec 6, 2023

  1. ⬆️ Bump actions/setup-go from 4 to 5 (#65)

    Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4 to 5.
    - [Release notes](https://github.com/actions/setup-go/releases)
    - [Commits](actions/setup-go@v4...v5)
    
    ---
    updated-dependencies:
    - dependency-name: actions/setup-go
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Dec 6, 2023
    62b1d54

Commits on Dec 17, 2023

  1. ⬆️ Bump actions/upload-artifact from 3 to 4 (#66)

    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](actions/upload-artifact@v3...v4)
    
    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Dec 17, 2023
    780e919

Commits on Dec 19, 2023

  1. ⬆️ Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#67)

    Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.16.0 to 0.17.0.
    - [Commits](golang/crypto@v0.16.0...v0.17.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/crypto
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Dec 19, 2023
    9c2aefc

Commits on Jan 9, 2024

  1. ⬆️ Bump golang.org/x/oauth2 from 0.15.0 to 0.16.0 (#68)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.15.0 to 0.16.0.
    - [Commits](golang/oauth2@v0.15.0...v0.16.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jan 9, 2024
    fa0f1e6

Commits on Feb 6, 2024

  1. ⬆️ Bump github.com/rs/zerolog from 1.31.0 to 1.32.0 (#70)

    Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.31.0 to 1.32.0.
    - [Release notes](https://github.com/rs/zerolog/releases)
    - [Commits](rs/zerolog@v1.31.0...v1.32.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/rs/zerolog
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Feb 6, 2024
    9b2c564

Commits on Feb 9, 2024

  1. ⬆️ Bump golang.org/x/oauth2 from 0.16.0 to 0.17.0 (#71)

    Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.16.0 to 0.17.0.
    - [Commits](golang/oauth2@v0.16.0...v0.17.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/oauth2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Feb 9, 2024
    3505294
11 changes: 7 additions & 4 deletions .devcontainer/Dockerfile
@@ -1,8 +1,8 @@
# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.231.6/containers/go/.devcontainer/base.Dockerfile

# [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1, 1.16, 1.17, 1-bullseye, 1.16-bullseye, 1.17-bullseye, 1-buster, 1.16-buster, 1.17-buster
ARG VARIANT="1.19-bullseye"
FROM mcr.microsoft.com/vscode/devcontainers/go:0-${VARIANT}
ARG VARIANT="1.22-bullseye"
FROM mcr.microsoft.com/vscode/devcontainers/go:${VARIANT}

# [Choice] Node.js version: none, lts/*, 16, 14, 12, 10
ARG NODE_VERSION="none"
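Review bot: the version hint directly above `ARG VARIANT="1.22-bullseye"` still lists `1, 1.16, 1.17, 1-bullseye, 1.16-bullseye, ...` and the old `0-` image prefix is gone from the `FROM` line, so the comment no longer describes valid choices for this base image; update the list to the variants the `mcr.microsoft.com/vscode/devcontainers/go` image actually provides, or drop it, so the next person does not pick a tag that does not exist.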
@@ -15,14 +15,17 @@ RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/
# [Optional] Uncomment the next lines to use go get to install anything else you need
USER vscode

# Installing govulncheck && tools used by VSCode Go Extension+
RUN go install golang.org/x/vuln/cmd/govulncheck@latest
# Installing tools used by VSCode Go Extension+
RUN go install github.com/cweill/gotests/gotests@latest
RUN go install github.com/fatih/gomodifytags@latest
RUN go install github.com/go-delve/delve/cmd/dlv@latest
RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
RUN go install golang.org/x/tools/gopls@latest

# Installing govulncheck
ARG VULNCHECK_VERSION="v1.0.0"
RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION


# [Optional] Uncomment this line to install global node packages.
# RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1
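Review bot: `ARG VULNCHECK_VERSION="v1.0.0"` sets a different default from the `"v1.1.3"` that devcontainer.json passes in and from the action's own `v1.1.3` default in action.yml, so anyone building this Dockerfile outside the devcontainer gets an older govulncheck than the action ships with; align the default to `v1.1.3`. The VS Code tooling is still installed with `@latest`, which makes the dev container non-reproducible between rebuilds; pinning those the same way govulncheck is now pinned is worth considering. The two consecutive blank lines after the govulncheck install are a style nit.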
76 changes: 41 additions & 35 deletions .devcontainer/devcontainer.json
@@ -8,52 +8,58 @@
// Update the VARIANT arg to pick a version of Go: 1, 1.18, 1.17
// Append -bullseye or -buster to pin to an OS version.
// Use -bullseye variants on local arm64/Apple Silicon.
"VARIANT": "1.19-bullseye",
"VARIANT": "1.22-bullseye",
// Options
"NODE_VERSION": "none"
"NODE_VERSION": "none",
"VULNCHECK_VERSION": "v1.1.3"
}
},
"runArgs": [
"--cap-add=SYS_PTRACE",
"--security-opt",
"seccomp=unconfined"
],
// Set *default* container specific settings.json values on container create.
"settings": {
"go.gocodeAutoBuild": false,
"files.autoSave": "afterDelay",
"editor.formatOnPaste": true,
"editor.formatOnSave": true,
"go.gopath": "/go",
"go.goroot": "/usr/local/go",
"go.toolsGopath": "/go/bin",
"go.buildOnSave": "workspace",
"go.lintOnSave": "package",
"go.vetOnSave": "package",
"go.coverOnSave": false,
"go.useCodeSnippetsOnFunctionSuggest": false,
"go.lintTool": "golangci-lint",
"go.formatTool": "goimports",
"[go]": {
"editor.codeActionsOnSave": {
"source.organizeImports": true
}
},
"[go.mod]": {
"editor.minimap.enabled": false
},
"[go.sum]": {
"editor.minimap.enabled": false
"customizations": {
"vscode": {
"settings": {
"go.useLanguageServer": true,
"files.autoSave": "afterDelay",
"editor.formatOnPaste": true,
"editor.formatOnSave": true,
"gopls": {
"ui.completion.usePlaceholders": true
},
"go.gopath": "/go",
"go.goroot": "/usr/local/go",
"go.toolsGopath": "/go/bin",
"go.lintOnSave": "package",
"go.vetOnSave": "package",
"go.coverOnSave": false,
"go.lintTool": "golangci-lint",
"go.formatTool": "goimports",
"[go]": {
"editor.codeActionsOnSave": {
"source.organizeImports": "always"
}
},
"[go.mod]": {
"editor.minimap.enabled": false
},
"[go.sum]": {
"editor.minimap.enabled": false
}
},
"extensions": [
"golang.Go",
"streetsidesoftware.code-spell-checker",
"wayou.vscode-todo-highlight",
"bierner.github-markdown-preview",
"GitHub.vscode-github-actions"
]
}
},
// Set *default* container specific settings.json values on container create.
// Add the IDs of extensions you want installed when the container is created.
"extensions": [
"golang.Go",
"streetsidesoftware.code-spell-checker",
"premparihar.gotestexplorer",
"wayou.vscode-todo-highlight",
"bierner.github-markdown-preview"
],
// Use 'forwardPorts' to make a list of ports inside the container available locally.
// "forwardPorts": [],
// Use 'postCreateCommand' to run commands after the container is created.
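Review bot: the comment `// Set *default* container specific settings.json values on container create.` now sits after the `customizations` block it used to introduce, and `// Add the IDs of extensions you want installed ...` directly above `// Use 'forwardPorts'` no longer precedes anything since the extension list moved into `customizations.vscode.extensions`; move both comments into the new block or delete them. The hint at the top of the hunk still advertises Go `1, 1.18, 1.17` although `VARIANT` is now `1.22-bullseye`.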
39 changes: 39 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,39 @@
---
name: Bug report
about: Create a report to help us improve
title: "[BUG]"
labels: bug
assignees: Templum

---

**Setting a Baseline**
Please start by providing the necessary insights to ensure you can be helped swiftly

Which version of the Action are you using: <>
How does your configuration look like:

```yaml
- uses: actions/checkout@v3
- name: Scan for Vulnerabilities in Code
uses: Templum/govulncheck-action@vX.X.X
with:
go-version: 1.18
env:
DEBUG: "true"
```
Logs:
Please share the output of the action, preferably turning the Action into Debug mode. This can be done by specifying an env called `DEBUG` and setting it to `true`.

```
Your logs here
```
**Bug Description**
Please describe the BUG you encounter be as precise as possible and provide context if needed.
**Screenshots**
If applicable, add screenshots to help explain your problem.
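Review bot: the example configuration in this template pins `actions/checkout@v3` and `go-version: 1.18`, while the action's default is now `1.21.4` and the repository's workflows use `checkout@v4`; reporters will copy this block verbatim, so use the current defaults to avoid bug reports that start from an outdated setup. Markdown-wise, `**Bug Description**` and `**Screenshots**` each need a blank line before them to render as separate paragraphs, `Please describe the BUG you encounter be as precise as possible` is missing punctuation between its two clauses, and `How does your configuration look like` should read `What does your configuration look like`.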
20 changes: 20 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
---
name: Feature request
about: Suggest an idea for this project
title: "[FR]"
labels: enhancement
assignees: Templum

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.
18 changes: 9 additions & 9 deletions .github/workflows/ci.yml
@@ -4,7 +4,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
@@ -14,15 +14,15 @@ jobs:
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@v5
with:
go-version: 1.19
go-version: '1.23'
- name: Compile Action
run: go build -v ./...
unit-testing:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
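Review bot: quoting `go-version: '1.23'` is the right call (an unquoted two-component value such as `1.20` is parsed by YAML as the float 1.2 and becomes `1.2`), but integration.yml in this same change uses unquoted `go-version: 1.21.4`; three-component versions are not floats so that one happens to work, still, quoting consistently keeps the trap from reappearing on the next bump.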
@@ -32,18 +32,18 @@ jobs:
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
- name: Set up Go
uses: actions/setup-go@v3
uses: actions/setup-go@v5
with:
go-version: 1.19
go-version: '1.23'
- name: Run Unit Test with Racecondition Detector
run: go test -race ./...
- name: Run Unit Tests with Coverage
run: go test -coverprofile=coverage.txt -covermode=atomic -v ./...
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
uses: codecov/codecov-action@v4
with:
# token is not needed for public repositories
files: coverage.txt
flags: unit-tests
name: codecov-action
fail_ci_if_error: false
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: false
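Review bot: the context comment `# token is not needed for public repositories` is contradicted by the `token: ${{ secrets.CODECOV_TOKEN }}` added right below it (codecov-action v4 no longer uploads without a token for most configurations, which is presumably why the token was added); update or remove the comment so it does not mislead. Note also that `secrets.CODECOV_TOKEN` is not available to workflows triggered by pull requests from forks, so with `fail_ci_if_error: false` those uploads will fail quietly; acceptable, but worth a one-line comment.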
93 changes: 75 additions & 18 deletions .github/workflows/integration.yml
@@ -1,18 +1,75 @@
name: Integration Test
on:
push:
branches:
- main
tags:
- v*
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@main
- name: Debug
run: pwd && ls
shell: bash
- name: Integration Test
id: integration-test
uses: Templum/govulncheck-action@main
name: Integration Test
on:
pull_request:
branches-ignore:
- dependabot/github_actions/*
- dependabot/docker/*
push:
branches:
- main
tags:
- v[0-9]+.[0-9]+.[0-9]+
schedule:
- cron: "0 22 */3 * *"
jobs:
integration-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.21.4
- name: Compile Action
run: go build -ldflags="-w -s" -v -o action .
- name: Install govulncheck default version (v1.1.3)
run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.3
- name: Run action against local version of the action
run: ./action
env:
SKIP_UPLOAD: "true"
- name: Ensure at least 10 Vulnerabilities are discovered (based on go version)
run: |
rules=$(cat govulncheck-report.sarif | jq '.runs[0].tool.driver.rules | length')
occurrences=$(cat govulncheck-report.sarif | jq '.runs[0].results | length')
if [[ $rules -ge 10 ]]; then echo "Found expected number of rules"; else echo "Found unexpected number of rules $rules expected 10"; exit 1; fi
if [[ $occurrences -ge 3 ]]; then echo "Found expected number of call sites"; else echo "Found unexpected number of call sites ($occurrences expected 30)"; exit 1; fi
- name: Upload Report if Test failed
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: sarif-report
path: govulncheck-report.sarif

integration-private-test:
runs-on: ubuntu-latest
if: contains(github.ref, 'main')
steps:
- name: Checkout playground repository
uses: actions/checkout@main
with:
repository: Templum/playground
- name: Run Action against known repository and skip upload to compare generated file
uses: Templum/govulncheck-action@main
with:
skip-upload: true
go-version: 1.21.4
env:
GH_PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
GOPRIVATE: "github.com/Templum/private-lib"
- name: Ensure at least 8 Vulnerabilities are discovered
run: |
rules=$(cat govulncheck-report.sarif | jq '.runs[0].tool.driver.rules | length')
occurrences=$(cat govulncheck-report.sarif | jq '.runs[0].results | length')
if [[ $rules -ge 8 ]]; then echo "Found expected number of rules"; else echo "Found unexpected number of rules $rules expected 8"; exit 1; fi
if [[ $occurrences -ge 8 ]]; then echo "Found expected number of call sites"; else echo "Found unexpected number of call sites ($occurrences expected 8)"; exit 1; fi
- name: Upload Report if Test failed
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: sarif-report
path: govulncheck-report.sarif
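Review bot: the assertions in `Ensure at least 10 Vulnerabilities are discovered` do not match their messages: the step name promises 10, the rules check uses `-ge 10`, and the occurrences check uses `-ge 3` but reports `expected 30` on failure; pick one threshold per check and print that value. `if: contains(github.ref, 'main')` on `integration-private-test` also matches any ref containing the substring (a `maintenance` branch, or a tag with `main` in its name); use `github.ref == 'refs/heads/main'`. The first job installs `govulncheck@v1.1.3`, which matches the action.yml default but not the `v1.0.0` ARG default in the Dockerfile. Minor: `actions/checkout@main` and `Templum/govulncheck-action@main` are moving, unpinned refs, and `cat govulncheck-report.sarif | jq ...` can be `jq ... govulncheck-report.sarif`.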
8 changes: 5 additions & 3 deletions .github/workflows/release.yml
@@ -2,19 +2,21 @@ name: Release Process
on:
push: # Only trigger for tags with format v****
tags:
- 'v*'
- v[0-9]+.[0-9]+.[0-9]+

jobs:
build:
name: Create Release
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Release with Notes
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@v2
with:
generate_release_notes: true
token: ${{ secrets.GITHUB_TOKEN }}
- name: Update Tags
uses: vweevers/additional-tags-action@v2
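Review bot: the tag filter `v[0-9]+.[0-9]+.[0-9]+` only matches plain semantic versions, so pre-release tags such as `v1.2.0-rc1` will no longer trigger a release; if that is intended, update the comment `# Only trigger for tags with format v****`, which still describes the old `v*` glob.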
3 changes: 2 additions & 1 deletion .gitignore
@@ -19,4 +19,5 @@

# Used for testing locally
.env
hack/output.json

raw-report.json
2 changes: 1 addition & 1 deletion .vscode/settings.json
@@ -1,5 +1,5 @@
{
"cSpell.words": [
"sarif"
]
],
}
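Review bot: the change turns `]` into `],` with nothing following before the closing `}`; the trailing comma is not valid JSON and, although VS Code's JSONC parser tolerates it, it reads like the beginning of an unfinished edit. Either add the setting that was meant to follow or revert to `]`.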
16 changes: 11 additions & 5 deletions Dockerfile
@@ -1,5 +1,6 @@
ARG GOLANG_VERSION=1.19
FROM golang:1.19 as builder
ARG GOLANG_VERSION=1.21
# This golang version is for the builder only
FROM golang:1.23 as builder

WORKDIR /go/src/github.com/Templum/govulncheck-action/
ENV GO111MODULE=on
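Review bot: `ARG GOLANG_VERSION=1.21` differs from the `1.21.4` default in action.yml; action.yml always passes `--build-arg GOLANG_VERSION=...`, so the Dockerfile default only affects manual builds, but keeping the two equal avoids a surprise there. The builder pin `golang:1.23` is fine alongside `go 1.20` in go.mod; `as builder` could be `AS builder` to satisfy the usual Dockerfile linters.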
@@ -9,12 +10,17 @@ RUN go mod download

COPY . .

# Statically compile our app for use in a distroless container
RUN CGO_ENABLED=0 go build -ldflags="-w -s" -v -o action .

# This golang version determines in which golang environment the customer code is checked
FROM golang:$GOLANG_VERSION
ARG VULNCHECK_VERSION=latest
ARG VULNCHECK_VERSION=v1.0.0
RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION

# This allows private repositories hosted on Github
ARG GH_PAT_TOKEN
RUN if [[ -n "$GH_PAT_TOKEN" ]]; then echo "No token was provided"; else git config --global --add url."https://govulncheck_action:$GH_PAT_TOKEN@github.com/".insteadOf "https://github.com/"; fi
ARG GOPRIVATE
ENV GOPRIVATE=$GOPRIVATE

COPY --from=builder /go/src/github.com/Templum/govulncheck-action/action /action
ENTRYPOINT ["/action"]
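Review bot: the condition on the `GH_PAT_TOKEN` line is inverted: `if [[ -n "$GH_PAT_TOKEN" ]]; then echo "No token was provided"; else git config ...` prints the "no token" message when a token is present and writes the `insteadOf` rewrite, with an empty token, when none is given; it should be `-z`. Independently, `/bin/sh` in the golang image is dash, which does not implement `[[`, so the test fails with `[[: not found`, the `else` branch runs every time, and the rewrite is always configured, which is what hides the inverted check; use `[ -z "$GH_PAT_TOKEN" ]`. Passing the PAT as a build `ARG` also leaves it recoverable from the image metadata (`docker history`), and `git config --global` bakes it into a layer of the runtime image; the image is built and run on the same runner, so exposure is local, but a BuildKit `--mount=type=secret` or running the `git config` at container start from the `GH_PAT_TOKEN` environment variable would keep the token out of the image entirely. Finally, `ARG VULNCHECK_VERSION=v1.0.0` should follow the `v1.1.3` default in action.yml.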
108 changes: 97 additions & 11 deletions README.md
@@ -8,8 +8,9 @@ This action uses govulncheck to perform a scan of the code, afterwards it will p

For a full list of currently known limitations please head over to [here](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Limitations). Listed below are an important overview.

* Govulncheck only reads binaries compiled with Go 1.18 and later.
* Govulncheck only reports vulnerabilities that apply to the current Go build system and configuration (GOOS/GOARCH settings).
* Govulncheck analyzes function pointer and interface calls conservatively, which may result in false positives or inaccurate call stacks in some cases.
* Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported.
* There is no support for silencing vulnerability findings.

## :books: Useful links & resources on govulncheck :books:

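Review bot: `Listed below are an important overview` in the context line above the list is ungrammatical; `Below is a short overview of the most important ones` fits. The new `reflect` bullet is a faithful restatement of the upstream limitation and reads fine.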
@@ -18,13 +19,28 @@ For a full list of currently known limitations please head over to [here](https:

## Usage

<details>
<summary>
Where can I find the scan results of this action ?
</summary>

Please be aware there will be no direct output to the console, all found vulnerabilities will be reported to Github via an Sarif Report. Therefore all findings should be located in the *Security*-Tab under the *Code Scanning*-Section.

![Locating Code Scanning](docs/locate_results.png)

![Result List](docs/results.png)

</details>

### Example Workflows

<details>
<summary>
This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found. Also it explicitly sets the github-token.
This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found.
</summary>

> :warning: Choosing `vulncheck-version: latest` can include breaking changes to the JSON format, which will break this action.
```yaml
name: My Workflow
on: [push, pull_request]
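Review bot: the new results section says findings are reported `via an Sarif Report`; it should be `a SARIF report` (the name is an acronym). The rewritten summary still says `uses a different version of go (1.18)` although the action default is now `1.21.4`, and the newly added warning against `vulncheck-version: latest` sits directly above an example that sets exactly that value (the next hunk); either switch the example to a pinned version or say why `latest` is shown.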
@@ -33,21 +49,43 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Running govulncheck
- name: Scan for Vulnerabilities in Code
uses: Templum/govulncheck-action@<version>
with:
go-version: 1.18
vulncheck-version: latest
package: ./...
github-token: ${{ secrets.GITHUB_TOKEN }}
fail-on-vuln: true
```
</details>
<details>
<summary>
This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action
to upload the result directly as build artifact.
Example configuration for repository that relies on a private library.
</summary>
> :information_source: This action for the moment works with [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) while creating one make sure it has write-read access to the dependent repositories as this is required for `$ go get`. Further following best practices create the token with the smallest possible scope.

```yaml
name: My Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan for Vulnerabilities in Code
uses: Templum/govulncheck-action@<version>
env:
GH_PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
GOPRIVATE: "github.com/your-name/private-lib"
```
</details>

<details>
<summary>
This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action to upload the result directly as build artifact.
</summary>

```yaml
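Review bot: the first example still sets `vulncheck-version: latest`, which the warning immediately above it says will break the action; use a pinned version such as the action's default. In the private-library block, the `> :information_source:` line follows `</summary>` without a blank line, so Markdown keeps it inside the HTML block and does not render the blockquote; add a blank line after `</summary>`. `write-read access` should be `read access`: fetching a module with `go get` needs read only, and asking for more contradicts the least-scope advice in the same sentence.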
@@ -58,7 +96,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Running govulncheck
- name: Scan for Vulnerabilities in Code
uses: Templum/govulncheck-action@<version>
with:
skip-upload: true
@@ -70,17 +108,65 @@ jobs:
```
</details>

<details>
<summary>
This configuration shows how to grant required permissions to the action in case you run into permission issues.
</summary>

```yaml
name: My Workflow
on: [push, pull_request]
permissions:
security-events: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan for Vulnerabilities in Code
uses: Templum/govulncheck-action@<version>
```
</details>

<details>
<summary>
The following configuration sets the action into DEBUG Mode. Which features verbose logging and allows access to the raw govulncheck JSON report.
</summary>

```yaml
name: My Debug Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan for Vulnerabilities in Code
uses: Templum/govulncheck-action@<version>
with:
skip-upload: true
env:
DEBUG: "true"
- name: Upload Report
uses: actions/upload-artifact@v3
with:
name: raw-report
path: raw-report.json
```
</details>

### Inputs

| Input | Description |
|----------------------------------|----------------------------------------------------------------------------------------------------------------|
| `go-version` _(optional)_ | Version of Go used for scanning the code, should equal *your* runtime version. Defaults to `1.19` |
| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `latest` |
| `go-version` _(optional)_ | Version of Go used for scanning the code, should equal *your* runtime version. Defaults to `1.21.4` |
| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `v1.0.0` |
| `package` _(optional)_ | The package you want to scan, by default will be `./...` |
| `working-directory` _(optional)_ | The working directory, from where the scan should start, by default will be `github.workspace` |
| `github-token` _(optional)_ | Github Token to upload sarif report. **Needs** `write` permissions for `security_events` |
| `fail-on-vuln` _(optional)_ | This allows you to specify if the action should fail on encountering any vulnerability, by default it will not |
| `skip-upload` _(optional)_ | This flag allows you to skip the sarif upload, it will be instead written to disk as `govulncheck-report.sarif`|

> :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags).

> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
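Review bot: the inputs table says `vulncheck-version` defaults to `v1.0.0`, but action.yml in this same change sets `default: "v1.1.3"`; the table must follow the action (and the Dockerfile default should too). The debug example uses `actions/upload-artifact@v3` and every example uses `actions/checkout@v3`, while the repository's own workflows moved to v4 of both; bump the examples so users who copy them do not start from deprecated majors. The last two `:lock:` lines differ only in a trailing newline, so that is not a content change.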
30 changes: 22 additions & 8 deletions action.yml
@@ -6,36 +6,50 @@ inputs:
description: "The package you want to scan, by default will be ./..."
required: false
default: "./..."
working-directory:
description: "The working directory, from where the scan should start, by default will be github.workspace"
required: false
default: ${{ github.workspace }}
go-version:
description: "Can be any Tag for the golang docker image, but should ideally match your runtime go version. By default 1.19 is assumed"
description: "Can be any Tag for the golang docker image, but should ideally match your runtime go version. By default 1.21.4 is assumed"
required: false
default: "1.19"
default: "1.21.4"
vulncheck-version:
description: "Version of govulncheck that should be used, by default latest"
description: "Version of govulncheck that should be used, by default v1.1.3"
required: false
default: "latest"
default: "v1.1.3"
github-token:
description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value"
default: ${{ github.token }}
required: false
fail-on-vuln:
description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not"
default: false
default: "false"
required: false
skip-upload:
description: "This flag allows you to skip the sarif upload, it will be instead written to disk"
default: false
default: "false"
required: false

runs:
using: "composite"
steps:
- id: determine-working-directory
run: |
source ${{ github.action_path }}/determine-wd.sh ${{ github.workspace }} ${{ inputs.working-directory }}
echo "DOCKER_WD=${DOCKER_WD}" >> "$GITHUB_ENV"
echo "GITHUBH_WD=${GITHUBH_WD}" >> "$GITHUB_ENV"
shell: bash
- id: config
run: echo "GOLANG_VERSION=${{ inputs.go-version }} VULNCHECK_VERSION=${{ inputs.vulncheck-version }}"
shell: bash
- id: build
run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
run: docker build --build-arg GOLANG_VERSION="${{ inputs.go-version }}" --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION="${{ inputs.vulncheck-version }}" -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
shell: bash
- id: run
run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
run: docker run --rm -v $(pwd):${{ env.DOCKER_WD }} --workdir ${{ env.DOCKER_WD }} -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e DEBUG=${DEBUG} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
shell: bash
working-directory: ${{ env.GITHUBH_WD }}

branding:
icon: "alert-octagon"
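Review bot: `${{ inputs.working-directory }}`, `${{ inputs.package }}` and the other inputs are expanded straight into `run:` shell lines; expressions are substituted before the shell sees the script, so an input containing quotes or `;` changes the command instead of being passed as data. The inputs come from the calling workflow, so the caller is trusted, but the robust pattern is to map each input to an `env:` variable and reference `"$PACKAGE"`, `"$WORKING_DIRECTORY"` inside the script; that also fixes the unquoted `-e PACKAGE=${{ inputs.package }}`, which breaks on values with spaces. The `config` step only echoes two values and nothing consumes it; drop it or name it as a diagnostic. `GITHUBH_WD` (here and in determine-wd.sh) looks like a typo for `GITHUB_WD`; it is used consistently so it works, but renaming now is cheaper than later. Changing `default: false` to `default: "false"` is correct, since action inputs are always strings.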
21 changes: 21 additions & 0 deletions determine-wd.sh
@@ -0,0 +1,21 @@
#!/bin/bash

github_workspace=$1
input_working_directory=$2

if [ -z $github_workspace ]; then
echo "The first argument (github.workspace) is required.";
exit 1;
elif [[ $github_workspace = $input_working_directory || -z $input_working_directory ]]; then
export DOCKER_WD=$github_workspace;
export GITHUBH_WD=$github_workspace;
elif [[ $input_working_directory =~ ^/ ]]; then
export DOCKER_WD=$input_working_directory;
export GITHUBH_WD=.$input_working_directory;
else
export DOCKER_WD=$(echo $input_working_directory | sed 's/\.//');
export GITHUBH_WD=$input_working_directory
fi

echo "export DOCKER_WD=$DOCKER_WD"
echo "export GITHUBH_WD=$GITHUBH_WD"
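Review bot: `sed 's/\.//'` in the last branch removes the first `.` anywhere in the path, not only a leading `./`, so a relative directory such as `services/api.v2` becomes `services/apiv2`; use `${input_working_directory#./}` (or `sed 's#^\./##'`) to strip only the prefix. The tests should quote their operands: `[ -z $github_workspace ]` only passes today because `[ -z ]` with a missing operand happens to evaluate true, and `$github_workspace = $input_working_directory` inside `[[ ]]` treats the unquoted right-hand side as a glob pattern. Since action.yml `source`s this file, `exit 1` terminates the step shell, which is the desired outcome here, but a comment saying the script is meant to be sourced would stop someone from adding guards that behave differently when sourced.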
Binary file added docs/locate_results.png
Binary file added docs/results.png
29 changes: 10 additions & 19 deletions go.mod
@@ -1,32 +1,23 @@
module github.com/Templum/govulncheck-action

go 1.19

require golang.org/x/vuln v0.0.0-20220914160157-cac67f5c7c81
go 1.20

require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/mattn/go-colorable v0.1.12 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.19 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/stretchr/objx v0.5.0 // indirect
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.28.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
golang.org/x/crypto v0.31.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

require (
github.com/google/go-github/v47 v47.1.0
github.com/owenrumney/go-sarif/v2 v2.1.2
github.com/rs/zerolog v1.28.0
github.com/stretchr/testify v1.8.1
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3 // indirect
github.com/owenrumney/go-sarif/v2 v2.3.3
github.com/rs/zerolog v1.33.0
github.com/stretchr/testify v1.10.0
golang.org/x/oauth2 v0.25.0
golang.org/x/sys v0.28.0 // indirect
)
73 changes: 24 additions & 49 deletions go.sum
@@ -1,19 +1,13 @@
github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-github/v47 v47.1.0 h1:Cacm/WxQBOa9lF0FT0EMjZ2BWMetQ1TQfyurn4yF1z8=
github.com/google/go-github/v47 v47.1.0/go.mod h1:VPZBXNbFSJGjyjFRUKo9vZGawTajnWzC/YjGw/oFKi0=
@@ -24,70 +18,51 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
github.com/owenrumney/go-sarif/v2 v2.1.2 h1:PMDK7tXShJ9zsB7bfvlpADH5NEw1dfA9xwU8Xtdj73U=
github.com/owenrumney/go-sarif/v2 v2.1.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU=
github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
github.com/rs/zerolog v1.28.0 h1:MirSo27VyNi7RJYP3078AA1+Cyzd2GB66qy3aUHvsWY=
github.com/rs/zerolog v1.28.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b h1:PxfKdU9lEEDYjdIzOtC4qFWgkU2rGHdKlKowJSMN9h0=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA=
golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3 h1:aE4T3aJwdCNz+s35ScSQYUzeGu7BOLDHZ1bBHVurqqY=
golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/vuln v0.0.0-20220914160157-cac67f5c7c81 h1:PlNfGv/lMyN1WatEzczf4kNOrjQ0dg3KFuqJIo+18Tw=
golang.org/x/vuln v0.0.0-20220914160157-cac67f5c7c81/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk=
mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 h1:Jh3LAeMt1eGpxomyu3jVkmVZWW2MxZ1qIIV2TZ/nRio=
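Review bot: go.sum still carries both the h1 and the /go.mod lines for golang.org/x/vuln v0.0.0-20220914160157-cac67f5c7c81 although this PR drops the `golang.org/x/vuln/osv` and `golang.org/x/vuln/vulncheck` imports from pkg/sarif/reporter.go; run `go mod tidy` and check whether that requirement, and the superseded pre-release entries such as golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4, can be removed so the sum file only pins what the module actually builds against.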
4,387 changes: 0 additions & 4,387 deletions hack/found.json

This file was deleted.

2,206 changes: 2,206 additions & 0 deletions hack/found.stream

Large diffs are not rendered by default.

4,324 changes: 0 additions & 4,324 deletions hack/nothing_found.json

This file was deleted.

26 changes: 10 additions & 16 deletions main.go
Original file line number Diff line number Diff line change
@@ -2,7 +2,6 @@ package main

import (
"os"
"runtime"

"github.com/Templum/govulncheck-action/pkg/action"
"github.com/Templum/govulncheck-action/pkg/github"
@@ -19,26 +18,24 @@ func main() {
Logger() // Main Logger

workDir, _ := os.Getwd()
inLocalMode := os.Getenv("LOCAL") == "true"

github := github.NewSarifUploader(logger)
reporter := sarif.NewSarifReporter(logger, workDir)
scanner := vulncheck.NewScanner(logger, workDir)
processor := action.NewVulncheckProcessor(workDir)
scanner := vulncheck.NewScanner(logger, workDir, inLocalMode)

if os.Getenv("DEBUG") == "true" {
zerolog.SetGlobalLevel(zerolog.DebugLevel)
logger.Debug().Msg("Enabled Debug Level logs")
}

if os.Getenv("LOCAL") == "true" {
scanner = vulncheck.NewLocalScanner(logger, "/workspaces/govulncheck-action/hack/found.json")
logger.Debug().Msg("Enabled Local Development mode, scanner will return static result based on found.json")
}
info := action.ReadRuntimeInfoFromEnv()

logger.Info().
Str("Go-Version", runtime.Version()).
Str("Go-Os", runtime.GOOS).
Str("Go-Arch", runtime.GOARCH).
Str("Go-Version", info.Version).
Str("Go-Os", info.Os).
Str("Go-Arch", info.Arch).
Str("GOPRIVATE", os.Getenv("GOPRIVATE")).
Msg("GoEnvironment Details:")

logger.Debug().
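Review bot: the `Enabled Local Development mode, scanner will return static result based on found.json` debug message is removed together with the `NewLocalScanner` branch, yet `inLocalMode` is still passed into `vulncheck.NewScanner`, so a run with LOCAL=true now returns canned results with nothing in the log that says so; keep a debug line for that case. Separately, `action.ReadRuntimeInfoFromEnv()` returns "Unknown" for all three fields when `go env` cannot be run, and the `GoEnvironment Details:` line would print those values at info level without any hint that something went wrong.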
@@ -47,16 +44,13 @@ func main() {
Str("Fail on Vulnerabilities", os.Getenv("STRICT")).
Msg("Action Inputs:")

result, err := scanner.Scan()
report, err := scanner.Scan()
if err != nil {
logger.Error().Err(err).Msg("Scanning yielded error")
os.Exit(2)
}

vulnerableStacks := vulncheck.Resolve(result)
vulnerableStacks = processor.RemoveDuplicates(vulnerableStacks)

err = reporter.Convert(vulnerableStacks)
err = reporter.Convert(report)
if err != nil {
logger.Error().Err(err).Msg("Conversion of Scan yielded error")
os.Exit(2)
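Review bot: `reporter.Convert(report)` is called right after the error check, but nothing guards against `Scan()` returning a nil `*types.Report` alongside a nil error, and the reporter dereferences it (`report.Version`, `report.Findings`) on entry; either document that `Scan` never returns nil without an error, or add an `if report == nil` check next to `if err != nil`.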
@@ -95,7 +89,7 @@ func main() {
if os.Getenv("STRICT") == "true" {
logger.Debug().Msg("Action is running in strict mode")

if len(vulnerableStacks) > 0 {
if len(report.Findings) > 0 {
logger.Info().Msg("Encountered at least one vulnerability while running in strict mode, will mark outcome as failed")
os.Exit(2)
}
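Review bot: `len(report.Findings) > 0` changes the meaning of strict mode: `Findings` now also contains import-only findings (single-frame traces), which the reporter itself describes as "You may not need to take any action", whereas the previous `vulnerableStacks` only counted reachable call stacks. Count only findings with `len(finding.Trace) > 1` here, or state in the README that STRICT now fails on any vulnerable import.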
43 changes: 43 additions & 0 deletions pkg/action/env.go
@@ -0,0 +1,43 @@
package action

import (
"os/exec"
"strings"
)

type RuntimeInfos struct {
Version string
Os string
Arch string
}

// ReadRuntimeInfoFromEnv using go env this ensures the real information are used and no compile time versions
func ReadRuntimeInfoFromEnv() *RuntimeInfos {
cmd := exec.Command("go", "env")
out, _ := cmd.Output()

info := RuntimeInfos{Version: "Unknown", Os: "Unknown", Arch: "Unknown"}

envs := strings.Split(string(out), "\n")

for _, env := range envs {

if strings.Contains(env, "GOARCH") {
keyVal := strings.SplitAfter(env, "=")
info.Arch = strings.Trim(strings.Trim(keyVal[1], "\""), "'")
}

if strings.Contains(env, "GOVERSION") {
keyVal := strings.SplitAfter(env, "=")
info.Version = strings.Trim(strings.Trim(keyVal[1], "\""), "'")
}

if strings.Contains(env, "GOOS") {
keyVal := strings.SplitAfter(env, "=")
info.Os = strings.Trim(strings.Trim(keyVal[1], "\""), "'")
}

}

return &info
}
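Review bot: matching each line with `strings.Contains(env, "GOOS")` and splitting on the first `=` is fragile: any line whose key or value merely contains the substring is matched, a value containing `=` is truncated by `keyVal[1]`, and a matched line without `=` would panic on `keyVal[1]`. `exec.Command("go", "env", "GOVERSION", "GOOS", "GOARCH")` prints exactly those three values one per line (or `go env -json` can be decoded into a struct), which removes the parsing entirely; at minimum use `strings.HasPrefix(env, "GOOS=")` with `strings.SplitN(env, "=", 2)`. The error from `cmd.Output()` is also discarded, so a missing `go` binary silently yields "Unknown" everywhere; return or log it.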
20 changes: 20 additions & 0 deletions pkg/action/env_test.go
@@ -0,0 +1,20 @@
package action

import (
"runtime"
"testing"

"github.com/stretchr/testify/assert"
)

func TestReadRuntimeInfoFromEnv(t *testing.T) {
t.Run("should go runtime information from go env", func(t *testing.T) {
info := ReadRuntimeInfoFromEnv()

assert.NotNil(t, info, "should not return nil")

assert.Equal(t, runtime.Version(), info.Version)
assert.Equal(t, runtime.GOOS, info.Os)
assert.Equal(t, runtime.GOARCH, info.Arch)
})
}
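Review bot: the subtest name is missing its verb ("should read go runtime information from go env"). The assertions compare against `runtime.Version()`, `runtime.GOOS` and `runtime.GOARCH`, which are the compile-time values the function comment says it deliberately avoids; that only holds because `go test` builds and runs with the same toolchain found on PATH, so a short comment explaining the assumption would help, and a second case that stubs the command (for example via an injectable runner) would cover the "Unknown" fallback, which is otherwise untested.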
76 changes: 0 additions & 76 deletions pkg/action/preprocessor.go

This file was deleted.

152 changes: 0 additions & 152 deletions pkg/action/preprocessor_test.go

This file was deleted.

6 changes: 3 additions & 3 deletions pkg/github/sarif_report_test.go
@@ -27,8 +27,8 @@ type MockReport struct {
mock.Mock
}

func (m *MockReport) Convert(result types.VulnerableStacks) error {
args := m.Called(result)
func (m *MockReport) Convert(findings *types.Report) error {
args := m.Called(findings)
return args.Error(0)
}

@@ -108,7 +108,7 @@ func TestGithubSarifUploader_UploadReport(t *testing.T) {
t.Errorf("Decompressing Sarif String failed with %v", err)
}

if !strings.HasPrefix(string(sarifReport), "{\"version\":\"2.1.0\",\"$schema\":\"https://json.schemastore.org/sarif-2.1.0-rtm.5.json\"") {
if !strings.HasPrefix(string(sarifReport), "{\"version\":\"2.1.0\",") {
t.Error("Sarif Report did not start as expected")
}

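Review bot: shortening the expected prefix to `{"version":"2.1.0",` drops the `$schema` check entirely, presumably because the go-sarif bump changed the schema URL; rather than asserting on serialized key order at all, unmarshal `sarifReport` into a map and assert on `version` and `$schema` separately so the test stays valid across library versions.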
203 changes: 128 additions & 75 deletions pkg/sarif/reporter.go
@@ -3,15 +3,11 @@ package sarif
import (
"fmt"
"io"
"os"
"strings"

"github.com/Templum/govulncheck-action/pkg/action"
"github.com/Templum/govulncheck-action/pkg/types"
"github.com/owenrumney/go-sarif/v2/sarif"
"github.com/rs/zerolog"
"golang.org/x/vuln/osv"
"golang.org/x/vuln/vulncheck"
)

const (
@@ -36,25 +32,25 @@ func NewSarifReporter(logger zerolog.Logger, workDir string) types.Reporter {
return &SarifReporter{report: nil, run: nil, log: logger, workDir: workDir}
}

func (sr *SarifReporter) Convert(result types.VulnerableStacks) error {
sr.createEmptyReport("initial")
func (sr *SarifReporter) Convert(report *types.Report) error {
sr.createEmptyReport(report.Version)

sr.log.Debug().Msgf("Scan showed code being impacted by %d vulnerabilities", len(result))
for vuln, callStacks := range result {
sr.log.Debug().Int("Number of Call Sites", len(report.Findings)).Msgf("Scan result shows the code is affected by %d vulnerabilities", len(report.Vulnerabilities))

for _, vuln := range report.Vulnerabilities {
sr.addRule(vuln)
}

for _, current := range callStacks {
// callSite can never have Call=nil Function=nil as the curator is using
// the same method and filtering out those cases
callSite := action.FindVulnerableCallSite(sr.workDir, current)
for _, finding := range report.Findings {

text, markdown := sr.generateResultMessage(vuln, callSite, current)
sr.addResult(vuln, callSite.Call, text, markdown)
if len(finding.Trace) > 1 {
sr.addDirectCallResult(finding)
} else {
sr.addImportResult(finding)
}

}

sr.log.Info().Int("Vulnerabilities", len(result)).Int("Call Sites", len(sr.run.Results)).Msg("Conversion yielded following stats")
sr.log.Info().Int("Vulnerabilities", len(sr.run.Tool.Driver.Rules)).Int("Call Sites", len(sr.run.Results)).Msg("Conversion yielded following stats")
return nil
}

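Review bot: branching on `len(finding.Trace) > 1` is not a reliable test for "the vulnerable symbol is called": the `Finding` comment in pkg/types/vulncheck.go says that in binary mode a trace holds a single frame with no position information even when the symbol is reached, so such a finding would be filed by `addImportResult` with the "You may not need to take any action" text; it also cannot tell a package-level import finding from a module-level one (`Package` empty). Decide on whether `Trace[0].Function` and `Trace[0].Position` are set instead of on the length. Minor: the debug line labels `len(report.Findings)` as "Number of Call Sites" although it includes the import-only findings.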
@@ -68,22 +64,22 @@ func (sr *SarifReporter) createEmptyReport(vulncheckVersion string) {
report, _ := sarif.New(sarif.Version210)

run := sarif.NewRunWithInformationURI(shortName, uri)
run.Tool.Driver.WithVersion("0.0.1") // TODO: Get version from tag
run.Tool.Driver.WithVersion(vulncheckVersion)
run.Tool.Driver.WithFullName(fullName)
run.ColumnKind = "utf16CodeUnits"

sr.report = report
sr.run = run
}

func (sr *SarifReporter) addRule(vuln *vulncheck.Vuln) {
func (sr *SarifReporter) addRule(vuln types.Entry) {
text, markdown := sr.generateRuleHelp(vuln)

// sr.run.AddRule does check if the rule is present prior to adding it
sr.run.AddRule(vuln.OSV.ID).
sr.run.AddRule(vuln.ID).
WithName(ruleName).
WithDescription(vuln.OSV.ID).
WithFullDescription(sarif.NewMultiformatMessageString(vuln.OSV.Details)).
WithDescription(vuln.ID).
WithFullDescription(sarif.NewMultiformatMessageString(vuln.Details)).
WithHelp(sarif.NewMultiformatMessageString(text).WithMarkdown(markdown)).
WithDefaultConfiguration(sarif.NewReportingConfiguration().WithLevel(severity)).
WithProperties(sarif.Properties{
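Review bot: `run.Tool.Driver.WithVersion(vulncheckVersion)` resolves the old `TODO: Get version from tag` with the wrong value: the driver is named after this action (`shortName`/`fullName`), so its `version` should be the action's release, while govulncheck's version belongs in `run.Tool.Extensions` or a property bag. If `report.Version` is ever empty the driver also ends up with `"version": ""`, so fall back to a placeholder there.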
@@ -94,40 +90,70 @@ func (sr *SarifReporter) addRule(vuln *vulncheck.Vuln) {
"security",
},
"precision": "very-high",
"aliases": vuln.OSV.Aliases,
"aliases": vuln.Aliases,
}).
WithHelpURI(fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV.ID))
WithHelpURI(fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.ID))
}

func (sr *SarifReporter) addResult(vuln *vulncheck.Vuln, call *vulncheck.CallSite, text string, markdown string) {
result := sarif.NewRuleResult(vuln.OSV.ID).
func (sr *SarifReporter) addDirectCallResult(finding types.Finding) {
callSite := sr.extractCallSite(finding.Trace)
indirectCaller := sr.extractIndirectCaller(finding.Trace)
vulnerableSymbol := sr.extractVulnerableSymbol(finding.Trace)

result := sarif.NewRuleResult(finding.OSV).
WithLevel(severity).
WithMessage(sarif.NewMessage().WithMarkdown(markdown).WithText(text))
WithMessage(sarif.NewMessage().WithText(sr.generateCallSummary(callSite, indirectCaller, vulnerableSymbol)))

if call != nil {
sr.log.Debug().
Str("Symbol", vuln.Symbol).
Msgf("Add result for %s called from %s", vuln.OSV.ID, call.Pos)
sr.log.Debug().
Str("Symbol", fmt.Sprintf("%s.%s", vulnerableSymbol.Package, vulnerableSymbol.Function)).
Msgf("Adding a result for %s called from %s:%d:%d", finding.OSV, sr.makePathRelative(callSite.Position.Filename), callSite.Position.Line, callSite.Position.Column)

region := sarif.NewRegion().
WithStartLine(call.Pos.Line).
WithEndLine(call.Pos.Line).
WithStartColumn(call.Pos.Column).
WithEndColumn(call.Pos.Column).
WithCharOffset(call.Pos.Offset)
region := sarif.NewRegion().
WithStartLine(callSite.Position.Line).
WithEndLine(callSite.Position.Line).
WithStartColumn(callSite.Position.Column).
WithEndColumn(callSite.Position.Column).
WithCharOffset(callSite.Position.Offset)

location := sarif.NewPhysicalLocation().
WithArtifactLocation(sarif.NewSimpleArtifactLocation(sr.makePathRelative(call.Pos.Filename)).WithUriBaseId(baseURI)).
WithRegion(region)
location := sarif.NewPhysicalLocation().
WithArtifactLocation(sarif.NewSimpleArtifactLocation(sr.makePathRelative(callSite.Position.Filename)).WithUriBaseId(baseURI)).
WithRegion(region)

result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)})
result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)})

if ruleIdx := sr.getRule(finding.OSV); ruleIdx >= 0 {
result.WithRuleIndex(ruleIdx)
sr.run.AddResult(result)
}
}

func (sr *SarifReporter) addImportResult(finding types.Finding) {
vulnerableSymbol := finding.Trace[0]

message := fmt.Sprintf("Package %s is vulnerable to %s, but there are no call stacks leading to the use of these vulnerabilities. You may not need to take any action.", vulnerableSymbol.Package, finding.OSV)

result := sarif.NewRuleResult(finding.OSV).
WithLevel(severity).
WithMessage(sarif.NewMessage().WithText(message).WithMarkdown(message))

sr.log.Debug().
Str("Path", vulnerableSymbol.Package).
Msgf("Adding a result related to an import exposed to %s", finding.OSV)

region := sarif.NewRegion().
WithStartLine(0).
WithEndLine(0).
WithStartColumn(0).
WithEndColumn(0).
WithCharOffset(0)

location := sarif.NewPhysicalLocation().
WithArtifactLocation(sarif.NewSimpleArtifactLocation("go.mod").WithUriBaseId(baseURI)).
WithRegion(region)

// TODO: Research option to provide fix instructions
// result.Fixes = append(result.Fixes, sarif.NewFix().WithDescription(fmt.Sprintf("Was fixed with version %s")))
result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)})

ruleIdx := sr.getRule(vuln.OSV.ID)
if ruleIdx >= 0 {
if ruleIdx := sr.getRule(finding.OSV); ruleIdx >= 0 {
result.WithRuleIndex(ruleIdx)
sr.run.AddResult(result)
}
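Review bot: `addImportResult` reads `finding.Trace[0]` without a length check, but `Convert` routes every finding with `len(finding.Trace) <= 1` here and `trace` is `omitempty`, so a finding with a nil or empty trace panics; guard with `if len(finding.Trace) == 0 { return }` (or log and skip). The all-zero `region` on the go.mod location is also a problem: SARIF 2.1.0 defines `startLine` as a positive integer, so either omit the region for that artifact location or point at the `require` line of the affected module. The leftover `TODO` about fixes still quotes `fmt.Sprintf("Was fixed with version %s")` with no argument; `Finding.FixedVersion` now carries that value, so the fix hint could be filled in rather than left commented out.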
@@ -143,58 +169,85 @@ func (sr *SarifReporter) getRule(ruleId string) int {
}

func (sr *SarifReporter) makePathRelative(absolute string) string {
return strings.ReplaceAll(absolute, sr.workDir, "")
relative := strings.ReplaceAll(absolute, sr.workDir, "")
return strings.TrimPrefix(relative, "/")
}

func (sr *SarifReporter) searchFixVersion(versions []osv.Affected) string {
func (sr *SarifReporter) searchFixVersion(versions []types.Affected) string {
// Maybe in the future we can return all fixedVersions, so user can look for a version closer to his semver
lastFix := "None"

for _, current := range versions {
for _, r := range current.Ranges {
for _, ev := range r.Events {
if ev.Fixed != "" {
return ev.Fixed
lastFix = ev.Fixed
}
}
}
}

return "None"
return lastFix
}

func (sr *SarifReporter) generateRuleHelp(vuln *vulncheck.Vuln) (text string, markdown string) {
fixVersion := sr.searchFixVersion(vuln.OSV.Affected)
uri := fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV.ID)
func (sr *SarifReporter) searchPackage(versions []types.Affected) string {
for _, current := range versions {
return current.Module.Path
}

return fmt.Sprintf("Vulnerability %s \n Module: %s \n Package: %s \n Fixed in Version: %s \n", vuln.OSV.ID, vuln.ModPath, vuln.PkgPath, fixVersion),
fmt.Sprintf("**Vulnerability [%s](%s)**\n%s\n| Module | Package | Fixed in Version |\n| --- | --- |:---:|\n|%s|%s|%s|\n", vuln.OSV.ID, uri, vuln.OSV.Details, vuln.ModPath, vuln.PkgPath, fixVersion)
return "N/A"
}

func (sr *SarifReporter) generateResultMessage(vuln *vulncheck.Vuln, entry vulncheck.StackEntry, stack vulncheck.CallStack) (text string, markdown string) {
relativeFile := sr.makePathRelative(entry.Call.Pos.String())
linkToFile := fmt.Sprintf("https://github.com/%s/blob/main/%s#L%d", os.Getenv(envRepo), sr.makePathRelative(entry.Call.Pos.Filename), entry.Call.Pos.Line)
linkToVuln := fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV.ID)
func (sr *SarifReporter) generateRuleHelp(vuln types.Entry) (text string, markdown string) {
fixVersion := sr.searchFixVersion(vuln.Affected)
pkg := sr.searchPackage(vuln.Affected)

uri := fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.ID)

var txtBuilder strings.Builder
var markBuilder strings.Builder
return fmt.Sprintf("Vulnerability %s \n Package: %s \n Fixed in Version: %s \n", vuln.ID, pkg, fixVersion),
fmt.Sprintf("**Vulnerability [%s](%s)**\n%s\n| Package | Fixed in Version |\n| --- |:---:|\n|%s|%s|\n", vuln.ID, uri, vuln.Details, pkg, fixVersion)
}

txtBuilder.WriteString(fmt.Sprintf("%s calls %s which has vulnerability %s\n",
fmt.Sprintf("[%s] %s.%s", relativeFile, entry.Function.PkgPath, entry.Function.Name),
fmt.Sprintf("%s.%s", vuln.PkgPath, entry.Call.Name),
vuln.OSV.ID))
txtBuilder.WriteString("Stacktrace: \n")
// extractCallSite will go over the provided call stack and extract the call site.
// As the call stack starts with the vulnerable symbol and moves towards the users code the last call
// is where the user calls the vulnerable code (either direct or indirect)
func (sr *SarifReporter) extractCallSite(callStack []*types.Frame) *types.Frame {
return callStack[len(callStack)-1]
}

markBuilder.WriteString(fmt.Sprintf("%s calls %s which has vulnerability [%s](%s)\n",
fmt.Sprintf("[%s](%s) %s.%s", relativeFile, linkToFile, entry.Function.PkgPath, entry.Function.Name),
fmt.Sprintf("%s.%s", vuln.PkgPath, entry.Call.Name),
vuln.OSV.ID,
linkToVuln,
))
// extractIndirectCaller will go over the provided call stack and extract the indirect call site.
// This will be nil if the call site is directly calling the vulnerable code. In other cases it
// will be the code that is directly called by the user and eventually ends up calling the vulnerable code
func (sr *SarifReporter) extractIndirectCaller(callStack []*types.Frame) *types.Frame {
if len(callStack) > 2 {
return callStack[len(callStack)-2]
}

markBuilder.WriteString("Stacktrace: \n")
return nil
}

// extractVulnerableSymbol will return the first element of the provided call stack. Following the
// assumption that the call stack starts from the vulnerable code and moves towards the call site
func (sr *SarifReporter) extractVulnerableSymbol(callStack []*types.Frame) *types.Frame {
return callStack[0]
}

func (sr *SarifReporter) generateCallSummary(callSite *types.Frame, indirectCaller *types.Frame, vulnerableSymbol *types.Frame) string {
callingLocation := fmt.Sprintf("%s:%d:%d", sr.makePathRelative(callSite.Position.Filename), callSite.Position.Line, callSite.Position.Column)
callingCode := fmt.Sprintf("%s.%s", callSite.Package, callSite.Function)

var vulnerableCode string

if vulnerableSymbol.Receiver == "" {
vulnerableCode = fmt.Sprintf("%s.%s", vulnerableSymbol.Package, vulnerableSymbol.Function)
} else {
vulnerableCode = fmt.Sprintf("%s.%s.%s", vulnerableSymbol.Package, strings.TrimPrefix(vulnerableSymbol.Receiver, "*"), vulnerableSymbol.Function)
}

for _, line := range types.FormatCallStack(stack) {
txtBuilder.WriteString(fmt.Sprintf("%s \n", line))
markBuilder.WriteString(fmt.Sprintf("* %s \n", line))
if indirectCaller != nil {
indirectCalledCode := fmt.Sprintf("%s.%s", indirectCaller.Package, indirectCaller.Function)
return fmt.Sprintf("%s: %s calls %s, which eventually calls %s", callingLocation, callingCode, indirectCalledCode, vulnerableCode)
}

return txtBuilder.String(), markBuilder.String()
return fmt.Sprintf("%s: %s calls %s", callingLocation, callingCode, vulnerableCode)
}
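Review bot: `searchFixVersion` now returns the last `fixed` event seen across all ranges, which reports a stale fix when the final event is an `introduced` without a matching `fixed` (the reintroduced case that the `FixedVersion` comment in pkg/types/vulncheck.go says should be empty); since `Finding.FixedVersion` already holds govulncheck's computed value, prefer it, or at least clear `lastFix` when an `introduced` event follows. `searchPackage` uses a `for` loop that returns on its first iteration; write it as `if len(versions) > 0 { return versions[0].Module.Path }`, and note that the value is a module path while the help text labels the column "Package". `extractCallSite` and `extractVulnerableSymbol` index the slice without a length check; that is safe only because `addDirectCallResult` is the sole caller and is gated on `len(finding.Trace) > 1`, which deserves a comment.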
16 changes: 7 additions & 9 deletions pkg/sarif/reporter_test.go
@@ -4,10 +4,10 @@ import (
"bytes"
"encoding/json"
"io"
"os"
"path"
"testing"

"github.com/Templum/govulncheck-action/pkg/action"
"github.com/Templum/govulncheck-action/pkg/types"
helper "github.com/Templum/govulncheck-action/pkg/vulncheck"
"github.com/owenrumney/go-sarif/v2/sarif"
@@ -16,31 +16,29 @@ import (
)

func TestSarifReporter_Convert(t *testing.T) {
scanner := helper.NewLocalScanner(zerolog.Nop(), path.Join("..", "..", "hack", "found.json"))
preprocessor := action.NewVulncheckProcessor("/workspaces/govulncheck-action")
wd, _ := os.Getwd()
scanner := helper.NewScanner(zerolog.Nop(), path.Join(wd, "..", ".."), true)
result, _ := scanner.Scan()
input := helper.Resolve(result)
input = preprocessor.RemoveDuplicates(input)

t.Run("Should convert a preprocessed report into sarif format", func(t *testing.T) {
target := NewSarifReporter(zerolog.Nop(), "/workspaces/govulncheck-action")
ref := target.(*SarifReporter)

_ = target.Convert(input)
_ = target.Convert(result)

assert.NotNil(t, ref.report, "should have create an empty report")
assert.NotNil(t, ref.run, "should have filled a run with details")

assert.GreaterOrEqual(t, len(ref.run.Results), 9, "example report should have 9 calls to vulnerabilities")
assert.GreaterOrEqual(t, len(ref.run.Tool.Driver.Rules), 6, "example report should have 6 vulnerabilities")
assert.Equal(t, len(ref.run.Results), 24, "example report should have 24 calls to vulnerabilities")
assert.Equal(t, len(ref.run.Tool.Driver.Rules), 9, "example report should have 9 vulnerabilities")
assert.Equal(t, len(ref.report.Runs), 0, "should have not yet added the run to the report")
})

t.Run("Should create a empty report if nothing was found", func(t *testing.T) {
target := NewSarifReporter(zerolog.Nop(), "/workspaces/govulncheck-action")
ref := target.(*SarifReporter)

_ = target.Convert(make(types.VulnerableStacks))
_ = target.Convert(&types.Report{Vulnerabilities: []types.Entry{}, Findings: []types.Finding{}})

assert.NotNil(t, ref.report, "should have create an empty report")
assert.NotNil(t, ref.run, "should have filled a run with details")
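Review bot: `assert.Equal(t, len(ref.run.Results), 24, ...)` passes the actual value as the expected one (testify's order is `expected, actual`), so a failure prints a misleading diff; swap the arguments in both new assertions. The scanner is now built from `path.Join(wd, "..", "..")` while the reporter still gets the hardcoded `/workspaces/govulncheck-action` work dir, so `makePathRelative` only strips the prefix inside that devcontainer; pass the same `wd`-derived path to `NewSarifReporter`.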
44 changes: 0 additions & 44 deletions pkg/types/call_chain.go

This file was deleted.

8 changes: 7 additions & 1 deletion pkg/types/reporter.go
@@ -5,6 +5,12 @@ import (
)

type Reporter interface {
Convert(result VulnerableStacks) error
Convert(result *Report) error
Write(dest io.Writer) error
}

type Report struct {
Vulnerabilities []Entry
Findings []Finding
Version string
}
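Review bot: the new exported `Report` type and its fields have no doc comments; in particular `Version` should state that it is govulncheck's scanner version (from the stream `config` message), since `createEmptyReport` writes it into the SARIF driver version.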
5 changes: 0 additions & 5 deletions pkg/types/result.go

This file was deleted.

213 changes: 213 additions & 0 deletions pkg/types/vulncheck.go
@@ -0,0 +1,213 @@
package types

import (
"time"
)

// StreamMessage (Message) links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L21
type StreamMessage struct {
Config *Config `json:"config,omitempty"`
Progress *Progress `json:"progress,omitempty"`
OSV *Entry `json:"osv,omitempty"`
Finding *Finding `json:"finding,omitempty"`
}

// Config links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L31C1-L58C2
type Config struct {
// ProtocolVersion specifies the version of the JSON protocol.
ProtocolVersion string `json:"protocol_version"`

// ScannerName is the name of the tool, for example, govulncheck.
//
// We expect this JSON format to be used by other tools that wrap
// govulncheck, which will have a different name.
ScannerName string `json:"scanner_name,omitempty"`

// ScannerVersion is the version of the tool.
ScannerVersion string `json:"scanner_version,omitempty"`

// DB is the database used by the tool, for example,
// vuln.go.dev.
DB string `json:"db,omitempty"`

// LastModified is the last modified time of the data source.
DBLastModified *time.Time `json:"db_last_modified,omitempty"`

// GoVersion is the version of Go used for analyzing standard library
// vulnerabilities.
GoVersion string `json:"go_version,omitempty"`

// ScanLevel instructs govulncheck to analyze at a specific level of detail.
// Valid values include module, package and symbol.
ScanLevel string `json:"scan_level,omitempty"`
}

// Progress links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L64
type Progress struct {
// A time stamp for the message.
Timestamp *time.Time `json:"time,omitempty"`

// Message is the progress message.
Message string `json:"message,omitempty"`
}

// Finding links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L73
type Finding struct {
// OSV is the id of the detected vulnerability.
OSV string `json:"osv,omitempty"`

// FixedVersion is the module version where the vulnerability was
// fixed. This is empty if a fix is not available.
//
// If there are multiple fixed versions in the OSV report, this will
// be the fixed version in the latest range event for the OSV report.
//
// For example, if the range events are
// {introduced: 0, fixed: 1.0.0} and {introduced: 1.1.0}, the fixed version
// will be empty.
//
// For the stdlib, we will show the fixed version closest to the
// Go version that is used. For example, if a fix is available in 1.17.5 and
// 1.18.5, and the GOVERSION is 1.17.3, 1.17.5 will be returned as the
// fixed version.
FixedVersion string `json:"fixed_version,omitempty"`

// Trace contains an entry for each frame in the trace.
//
// Frames are sorted starting from the imported vulnerable symbol
// until the entry point. The first frame in Frames should match
// Symbol.
//
// In binary mode, trace will contain a single-frame with no position
// information.
//
// When a package is imported but no vulnerable symbol is called, the trace
// will contain a single-frame with no symbol or position information.
Trace []*Frame `json:"trace,omitempty"`
}

// Frame links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L73
type Frame struct {
// Module is the module path of the module containing this symbol.
//
// Importable packages in the standard library will have the path "stdlib".
Module string `json:"module"`

// Version is the module version from the build graph.
Version string `json:"version,omitempty"`

// Package is the import path.
Package string `json:"package,omitempty"`

// Function is the function name.
Function string `json:"function,omitempty"`

// Receiver is the receiver type if the called symbol is a method.
//
// The client can create the final symbol name by
// prepending Receiver to FuncName.
Receiver string `json:"receiver,omitempty"`

// Position describes an arbitrary source position
// including the file, line, and column location.
// A Position is valid if the line number is > 0.
Position *Position `json:"position,omitempty"`
}

// Position links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/govulncheck/govulncheck.go#L136
type Position struct {
Filename string `json:"filename,omitempty"` // filename, if any
Offset int `json:"offset"` // byte offset, starting at 0
Line int `json:"line"` // line number, starting at 1
Column int `json:"column"` // column number, starting at 1 (byte count)
}

// Entry links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L180
type Entry struct {
// SchemaVersion is the OSV schema version used to encode this
// vulnerability.
SchemaVersion string `json:"schema_version,omitempty"`
// ID is a unique identifier for the vulnerability. Required.
// The Go vulnerability database issues IDs of the form
// GO-<YEAR>-<ENTRYID>.
ID string `json:"id"`
// Modified is the time the entry was last modified. Required.
Modified time.Time `json:"modified,omitempty"`
// Published is the time the entry should be considered to have
// been published.
Published time.Time `json:"published,omitempty"`
// Withdrawn is the time the entry should be considered to have
// been withdrawn. If the field is missing, then the entry has
// not been withdrawn.
Withdrawn *time.Time `json:"withdrawn,omitempty"`
// Aliases is a list of IDs for the same vulnerability in other
// databases.
Aliases []string `json:"aliases,omitempty"`
// Summary gives a one-line, English textual summary of the vulnerability.
// It is recommended that this field be kept short, on the order of no more
// than 120 characters.
Summary string `json:"summary,omitempty"`
// Details contains additional English textual details about the vulnerability.
Details string `json:"details"`
// Affected contains information on the modules and versions
// affected by the vulnerability.
Affected []Affected `json:"affected"`
// References contains links to more information about the
// vulnerability.
References []struct{} `json:"references,omitempty"`
// Credits contains credits to entities that helped find or fix the
// vulnerability.
Credits []struct{} `json:"credits,omitempty"`
// DatabaseSpecific contains additional information about the
// vulnerability, specific to the Go vulnerability database.
DatabaseSpecific *struct{} `json:"database_specific,omitempty"`
}

// Affected links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L136
type Affected struct {
// The affected Go module. Required.
// Note that this field is called "package" in the OSV specification.
Module Module `json:"package"`
// The module version ranges affected by the vulnerability.
Ranges []Range `json:"ranges,omitempty"`
// Details on the affected packages and symbols within the module.
EcosystemSpecific *struct{} `json:"ecosystem_specific"`
}

// Module links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L54
type Module struct {
// The Go module path. Required.
// For the Go standard library, this is "stdlib".
// For the Go toolchain, this is "toolchain."
Path string `json:"name"`
// The ecosystem containing the module. Required.
// This should always be "Go".
Ecosystem string `json:"ecosystem"`
}

// Range links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L85C1-L85C1
type Range struct {
// Type is the version type that should be used to interpret the
// versions in Events. Required.
// In this implementation, only the "SEMVER" type is supported.
Type string `json:"type"`
// Events is a list of versions representing the ranges in which
// the module is vulnerable. Required.
// The events should be sorted, and MUST represent non-overlapping
// ranges.
// There must be at least one RangeEvent containing a value for
// Introduced.
// See https://ossf.github.io/osv-schema/#examples for examples.
Events []RangeEvent `json:"events"`
}

// RangeEvent links to: https://github.com/golang/vuln/blob/1568f338f20421c10ef3dcf745755769c4e52a68/internal/osv/osv.go#L72
type RangeEvent struct {
// Introduced is a version that introduces the vulnerability.
// A special value, "0", represents a version that sorts before
// any other version, and should be used to indicate that the
// vulnerability exists from the "beginning of time".
Introduced string `json:"introduced,omitempty"`
// Fixed is a version that fixes the vulnerability.
Fixed string `json:"fixed,omitempty"`
}
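Review bot: Entry.References, Entry.Credits and Entry.DatabaseSpecific are declared as `[]struct{}` / `*struct{}`, and Affected.EcosystemSpecific as `*struct{}`, so encoding/json silently drops their contents on unmarshal. EcosystemSpecific is, per its own comment, where the affected packages and symbols within the module live, and References is where advisory links come from; if the SARIF or text conversion ever needs either, use `json.RawMessage` (or concrete types copied from the linked osv.go) instead, and if the omission is deliberate, say so in the field comments. Two small things in the copied comments: `"toolchain."` carries the sentence period inside the quotes, and the Range link anchor `#L85C1-L85C1` is a zero-width column selection where `#L85` would do.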
177 changes: 0 additions & 177 deletions pkg/vulncheck/resolver.go

This file was deleted.

149 changes: 128 additions & 21 deletions pkg/vulncheck/runner.go
@@ -2,12 +2,14 @@ package vulncheck

import (
"encoding/json"
"errors"
"fmt"
"os"
"os/exec"
"path"
"strings"

"github.com/Templum/govulncheck-action/pkg/types"
"github.com/rs/zerolog"
"golang.org/x/vuln/vulncheck"
)

const (
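Review bot: `path` is imported here to join filesystem paths (it is used for `path.Join(workDir, "hack", "found.stream")` further down), but `path` is for slash-separated paths such as URLs; `path/filepath` is the OS-aware package for files. Switching to `filepath.Join` also removes the clash with the local variable named `path` that shadows the package in the same function.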
@@ -17,45 +19,150 @@ const (
)

type Scanner interface {
Scan() (*vulncheck.Result, error)
Scan() (*types.Report, error)
}

type CmdScanner struct {
log zerolog.Logger
workDir string
type CLIScanner struct {
log zerolog.Logger
invokeCli CLIInvoker
workDir string
}

func NewScanner(logger zerolog.Logger, workDir string) Scanner {
return &CmdScanner{log: logger, workDir: workDir}
type CLIInvoker func(workDir string, command string, flag string, pkg string) ([]byte, error)

func NewScanner(logger zerolog.Logger, workDir string, inLocalMode bool) Scanner {
scanner := CLIScanner{log: logger, workDir: workDir}

if inLocalMode {
scanner.invokeCli = staticLocalCli
} else {
scanner.invokeCli = vulncheckCli
}

return &scanner
}

func (r *CmdScanner) Scan() (*vulncheck.Result, error) {
func (r *CLIScanner) Scan() (*types.Report, error) {
pkg := os.Getenv(envPackage)
r.log.Info().Msgf("Running govulncheck for package %s in dir %s", pkg, r.workDir)

cmd := exec.Command(command, flag, pkg)
cmd.Dir = r.workDir
out, cmdErr := r.invokeCli(r.workDir, command, flag, pkg)

if os.Getenv("DEBUG") == "true" {
r.dumpRawReport(string(out))
}

out, cmdErr := cmd.Output()
// govulncheck exits with none zero exit code if any vulnerability are found
if err, ok := cmdErr.(*exec.ExitError); ok {
// Only if stderr is present the CLI failed
if len(err.Stderr) > 0 {
receivedError := string(err.Stderr)

if strings.Contains(receivedError, "go:") {
receivedError = strings.Trim(receivedError[strings.Index(receivedError, "go:")+3:], " ")
}

r.log.Error().
Err(err).
Str("Stderr", string(err.Stderr)).
Str("Stderr", receivedError).
Msg("govulncheck exited with none 0 code")

// Building up a set of known "mistakes"
if strings.Contains(receivedError, "requires go >=") {
return nil, fmt.Errorf("the used go version is lower than required by your code. original error: %s", receivedError)
}

return nil, fmt.Errorf("running govulncheck binary produced %s", receivedError)
}
}

report := r.findFindingsInStream(out)

r.log.Info().Msg("Successfully scanned project")
return report, nil
}

// findFindingsInStream is going over the raw output of govulncheck which at the moment contains multiple json objects and tries to locate the report
func (r *CLIScanner) findFindingsInStream(stream []byte) *types.Report {
var vulnerabilities []types.Entry
var findings []types.Finding
var version string

MESSAGE_SEPARATOR := "\n{\n"

messages := strings.SplitN(string(stream), MESSAGE_SEPARATOR, -1)

for _, rawMsg := range messages {
// Fixing broken JSON where needed
if !strings.HasPrefix(rawMsg, "{") {
rawMsg = "{\n" + rawMsg
}

var msg types.StreamMessage
err := json.Unmarshal([]byte(rawMsg), &msg)
if err != nil {
r.log.Warn().Str("Message", rawMsg).Msgf("Parsing message yielded %v", err)
continue
}

} else if cmdErr != nil {
return nil, cmdErr
if msg.Config != nil {
r.log.Info().
Str("Protocol Version", msg.Config.ProtocolVersion).
Str("Scanner Version", msg.Config.ScannerVersion).
Str("Database", msg.Config.DB).
Msg("govulncheck information")

version = msg.Config.ScannerVersion
}

if msg.Progress != nil && len(msg.Progress.Message) > 0 {
r.log.Info().Msg(msg.Progress.Message)
}

if msg.Finding != nil {
findings = append(findings, *msg.Finding)
}

if msg.OSV != nil {
vulnerabilities = append(vulnerabilities, *msg.OSV)
}
}

var result vulncheck.Result
err := json.Unmarshal(out, &result)
return &types.Report{Vulnerabilities: vulnerabilities, Findings: findings, Version: version}
}

// dumpRawReport takes the raw report and writes it to raw-report.json if something fails it will proceed with the regular flow
func (r *CLIScanner) dumpRawReport(rawReport string) {
fileName := "raw-report.json"
reportFile, err := os.Create(fileName)

r.log.Debug().Str("fileName", fileName).Msg("Making a copy of the raw vulncheck json report which can be exposed for debugging")

if err != nil {
r.log.Error().Err(err).Msg("parsing govulncheck output yielded error")
return nil, errors.New("scan failed to produce proper report")
r.log.Debug().Err(err).Msg("Failed to create copy will proceed with normal flow")
return
}

r.log.Info().Msg("Successfully scanned project")
return &result, nil
defer reportFile.Close()

_, err = reportFile.Write([]byte(rawReport))
if err != nil {
r.log.Debug().Err(err).Msg("Failed to write copy to disk will proceed with normal flow")
}
}

// vulncheckCli
func vulncheckCli(workDir string, command string, flag string, pkg string) ([]byte, error) {
cmd := exec.Command(command, flag, pkg)
cmd.Dir = workDir

out, err := cmd.Output()
return out, err
}

func staticLocalCli(workDir string, command string, flag string, pkg string) ([]byte, error) {
path := path.Join(workDir, "hack", "found.stream")
out, _ := os.ReadFile(path)

return out, nil
}
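Review bot: The `} else if cmdErr != nil { return nil, cmdErr }` branch is gone, so any error from invokeCli that is not an `*exec.ExitError` (govulncheck not on PATH, permission denied, an invalid workDir) is ignored, findFindingsInStream runs over an empty `out`, and Scan logs "Successfully scanned project" and returns a report with zero findings. A scanner that could not run must not look like a clean scan; restore the branch, e.g. `} else if cmdErr != nil { return nil, fmt.Errorf("running govulncheck binary failed: %w", cmdErr) }`, before parsing. staticLocalCli has the same shape of problem: it discards the os.ReadFile error and returns `out, nil`, so a missing hack/found.stream degrades into an empty report instead of a failure. Smaller points: `MESSAGE_SEPARATOR` is not Go naming (messageSeparator); `strings.SplitN(s, sep, -1)` is just `strings.Split`; the local `path := path.Join(...)` shadows the imported package; `// vulncheckCli` is an empty doc comment; and dumpRawReport writes raw-report.json relative to the process working directory rather than r.workDir, which is worth stating in its comment since the README tells users where to find it.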
32 changes: 0 additions & 32 deletions pkg/vulncheck/static_runner.go

This file was deleted.