From f0fde86b76466b7c21bc3ace475336a17d71f33d Mon Sep 17 00:00:00 2001 From: Templum Date: Mon, 12 Sep 2022 22:51:47 +0200 Subject: [PATCH 01/13] :pushpin: Pinning feature branch for integration test --- .github/workflows/integration.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 8aafc60..cb84108 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -10,4 +10,4 @@ jobs: shell: bash - name: Integration Test id: integration-test - uses: Templum/govulncheck-action@main + uses: Templum/govulncheck-action@feature/2 From 77bc90f573f31e2e305da8e5e02591ed9bcfa48d Mon Sep 17 00:00:00 2001 From: Templum Date: Mon, 12 Sep 2022 22:52:03 +0200 Subject: [PATCH 02/13] :sparkles: Back to composite with build args --- Dockerfile | 10 +++++----- action.yml | 23 +++++++++++++++++------ 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index ad244e3..6a7dd82 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,9 @@ +ARG GOLANG_VERSION=1.19 FROM golang:1.19 as builder WORKDIR /go/src/github.com/Templum/govulncheck-action/ ENV GO111MODULE=on -RUN CGO_ENABLED=0 go install golang.org/x/vuln/cmd/govulncheck@latest - COPY go.mod go.sum ./ RUN go mod download @@ -13,8 +12,9 @@ COPY . . # Statically compile our app for use in a distroless container RUN CGO_ENABLED=0 go build -ldflags="-w -s" -v -o action . -FROM golang:1.19 -COPY --from=builder /go/src/github.com/Templum/govulncheck-action/action /action -COPY --from=builder /go/bin/govulncheck /usr/local/bin/govulncheck +FROM golang:$GOLANG_VERSION +ARG VULNCHECK_VERSION=latest +RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION +COPY --from=builder /go/src/github.com/Templum/govulncheck-action/action /action ENTRYPOINT ["/action"] \ No newline at end of file diff --git a/action.yml b/action.yml index a05d71b..007fe31 100644 --- a/action.yml 
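Review bot: `ARG VULNCHECK_VERSION=latest` feeding `RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION` makes the scanner version float on every image build, so two runs of the same workflow commit can execute different govulncheck code and findings are not reproducible; default the build arg to a pinned version and let the `vulncheck-version` input override it, e.g. `ARG VULNCHECK_VERSION=v0.0.0-20220908210932-64dbbd7bba4f`, which is the x/vuln revision go.mod already requires in a later hunk. The retained comment `# Statically compile our app for use in a distroless container` is now misleading because the runtime stage is the full `golang:$GOLANG_VERSION` image, which this design needs since govulncheck builds the scanned module; I would reword it to `# Static binary; the runtime stage is still the full Go image because govulncheck needs the toolchain`. `ARG GOLANG_VERSION` is declared before the first FROM but only the runtime stage consumes it while the builder still hardcodes `golang:1.19`; if that split is intended, a one-line comment saying the builder's Go version is independent of the user's `go-version` input would stop the next reader from "fixing" it.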
+++ b/action.yml @@ -6,17 +6,28 @@ inputs: description: "The package you want to scan, by default will be ./..." required: false default: "./..." + go-version: + description: "Can be any Tag for the golang docker image, but should ideally match your runtime go version. By default 1.19 is assumed" + required: false + default: "1.19" + vulncheck-version: + description: "Version of govulncheck that should be used, by default latest" + required: false + default: "latest" github-token: description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value" default: ${{ github.token }} - required: true + required: false runs: - using: "docker" - image: "Dockerfile" - env: - GITHUB_TOKEN: "${{ inputs.github-token }}" - PACKAGE: "${{ inputs.package }}" + using: "composite" + steps: + - id: build + run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -t Templum/govulncheck-action:local + shell: bash + - id: run + run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e PACKAGE=${{ inputs.package }} -e VERSION=${{ inputs.version }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} Templum/govulncheck-action:local + shell: bash branding: icon: "alert-octagon" From 9d0e98b33f299b51bd58fcec680423cb2d5b8dad Mon Sep 17 00:00:00 2001 From: Templum Date: Mon, 12 Sep 2022 22:52:23 +0200 Subject: [PATCH 03/13] :truck: Backed up old action.yml --- old.action.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 old.action.yml diff --git a/old.action.yml b/old.action.yml new file mode 100644 index 0000000..5c051c4 --- /dev/null +++ b/old.action.yml 
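Review bot: Both `run:` lines splice `${{ inputs.package }}`, `${{ inputs.go-version }}`, `${{ inputs.vulncheck-version }}`, `${{ inputs.github-token }}` and `${{ github.ref }}` straight into a bash command, so each expression is expanded before the shell parses the line and a value containing `;`, `$(...)` or a quote runs as shell code on the runner with the token in its environment; `package` and both version inputs are caller-controlled free text. Pass the values through an `env:` block and reference the variables, quoted, from the command, which also keeps the token out of the `docker run` argv where `set -x` or a process listing would show it; `-e NAME` with no value lets docker copy the variable from the runner environment. The run step also reads `${{ inputs.version }}`, which is not a declared input (the declared one is `vulncheck-version`), so `VERSION` is always empty inside the container. The rewritten steps below leave the rest of the hunk as it is.
```yaml
  steps:
    - id: build
      env:
        GO_VERSION: ${{ inputs.go-version }}
        VULNCHECK_VERSION: ${{ inputs.vulncheck-version }}
      run: docker build --build-arg "GOLANG_VERSION=$GO_VERSION" --build-arg "VULNCHECK_VERSION=$VULNCHECK_VERSION" -t Templum/govulncheck-action:local
      shell: bash
    - id: run
      env:
        GITHUB_TOKEN: ${{ inputs.github-token }}
        PACKAGE: ${{ inputs.package }}
        VERSION: ${{ inputs.vulncheck-version }}
      run: docker run --rm -v "$(pwd):/github/workspace" --workdir /github/workspace -e GITHUB_TOKEN -e PACKAGE -e VERSION -e GITHUB_REPOSITORY -e GITHUB_REF -e GITHUB_SHA Templum/govulncheck-action:local
      shell: bash
```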
@@ -0,0 +1,23 @@ +name: "Golang Vulncheck" +description: "Performs vulnerability scan using govulncheck and afterwards uploads it as Sarif Report to Github" +author: "Templum" +inputs: + package: + description: "The package you want to scan, by default will be ./..." + required: false + default: "./..." + github-token: + description: "Github App token to upload sarif report. Needs write permissions for security_events. By default it will use 'github.token' value" + default: ${{ github.token }} + required: true + +runs: + using: "docker" + image: "Dockerfile" + env: + GITHUB_TOKEN: "${{ inputs.github-token }}" + PACKAGE: "${{ inputs.package }}" + +branding: + icon: "alert-octagon" + color: "red" From 1c4cb3227b6813619eaad016cd739e5cc536fb8b Mon Sep 17 00:00:00 2001 From: Templum Date: Mon, 12 Sep 2022 22:54:48 +0200 Subject: [PATCH 04/13] :bug: Corrected Image Name --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 007fe31..d1596ae 100644 --- a/action.yml +++ b/action.yml 
@@ -23,10 +23,10 @@ runs: using: "composite" steps: - id: build - run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -t Templum/govulncheck-action:local + run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -t templum/govulncheck-action:local shell: bash - id: run - run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e PACKAGE=${{ inputs.package }} -e VERSION=${{ inputs.version }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} Templum/govulncheck-action:local + run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e PACKAGE=${{ inputs.package }} -e VERSION=${{ inputs.version }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local shell: bash branding: From 7c2aa9452376e6b2691aa0c4fd09daafcedd5d34 Mon Sep 17 00:00:00 2001 From: Templum Date: Mon, 12 Sep 2022 22:55:39 +0200 Subject: [PATCH 05/13] :bug: Forgot parameter --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index d1596ae..fe8de3d 100644 --- a/action.yml +++ b/action.yml 
@@ -23,7 +23,7 @@ runs: using: "composite" steps: - id: build - run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -t templum/govulncheck-action:local + run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -t templum/govulncheck-action:local . shell: bash - id: run run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e PACKAGE=${{ inputs.package }} -e VERSION=${{ inputs.version }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local From 58389ea943beea5d86048d75bae0e76268975465 Mon Sep 17 00:00:00 2001 From: Templum Date: Mon, 12 Sep 2022 22:59:31 +0200 Subject: [PATCH 06/13] Test --- .github/workflows/integration.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index cb84108..e5a564e 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -11,3 +11,5 @@ jobs: - name: Integration Test id: integration-test uses: Templum/govulncheck-action@feature/2 + with: + go-version: 1.18.3 From 96c2e7f02d296f07b55939f92b93ae4cd0b61d3a Mon Sep 17 00:00:00 2001 From: Templum Date: Tue, 13 Sep 2022 20:12:57 +0200 Subject: [PATCH 07/13] :truck: Moved old action definition as backup --- old.action.yml => hack/old.action.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename old.action.yml => hack/old.action.yml (100%) diff --git a/old.action.yml b/hack/old.action.yml similarity index 100% rename from old.action.yml rename to hack/old.action.yml From 88bfac2384bf67061e68380456377f4b549aa447 Mon Sep 17 00:00:00 2001 
From: Templum Date: Tue, 13 Sep 2022 20:13:13 +0200 Subject: [PATCH 08/13] :bug: Fixed Bug where Action is not build correctly --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index fe8de3d..716e0fb 100644 --- a/action.yml +++ b/action.yml @@ -23,7 +23,7 @@ runs: using: "composite" steps: - id: build - run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -t templum/govulncheck-action:local . + run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH shell: bash - id: run run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e PACKAGE=${{ inputs.package }} -e VERSION=${{ inputs.version }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local From 7517c78d85fac791564f0ae03c0056824180779b Mon Sep 17 00:00:00 2001 From: Templum Date: Tue, 13 Sep 2022 18:34:48 +0000 Subject: [PATCH 09/13] :memo: Updated docs to reflect new inputs --- README.md | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index d3b3d4a..d22e190 100644 --- a/README.md +++ b/README.md 
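Review bot: `$GITHUB_ACTION_PATH` appears twice on the `docker build` line unquoted, once as the `-f` argument and once as the build context, so a checkout path containing whitespace would split into extra arguments; write `-f "$GITHUB_ACTION_PATH/Dockerfile"` and `"$GITHUB_ACTION_PATH"`. Because the context is now the whole action checkout, everything in it (including `hack/` and the `.github/` workflows) is sent to the daemon on every run; a `.dockerignore` listing those directories keeps the context small. If `GITHUB_ACTION_PATH` is unset, as it is when the step is run outside a composite action, the command presumably fails with an unhelpful docker usage error, so a guard such as `: "${GITHUB_ACTION_PATH:?must be set}"` before the build gives a clear message.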
@@ -3,17 +3,22 @@ Performs vulnerability scan using govulncheck and afterwards uploads it as [Sari [![Build](https://github.com/Templum/govulncheck-action/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/Templum/govulncheck-action/actions/workflows/build.yml) -- [Vulnerability Management for Go](https://go.dev/blog/vuln) -- [govulncheck docs](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) +## :information_source: Limitations of govulncheck :information_source: +For a full list of currently known limitations please head over to [here](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Limitations). Listed below are an important overview. + +* Govulncheck only reads binaries compiled with Go 1.18 and later. +* Govulncheck only reports vulnerabilities that apply to the current Go build system and configuration (GOOS/GOARCH settings). + +## :books: Useful links & resources on govulncheck :books: + +* Official Package Documentation: [Link](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) +* Introduction Blogpost: [Link](https://go.dev/blog/vuln) ## Usage ### Example Workflow -Please be aware that this workflow highlights all available inputs. But all inputs come with a default value. -Hence it is not required to provide any values. - ```yaml name: My Workflow on: [push, pull_request] 
@@ -25,15 +30,21 @@ jobs: - name: Running govulncheck uses: Templum/govulncheck-action@ with: + go-version: 1.18 + vulncheck-version: latest package: ./... github-token: ${{ secrets.GITHUB_TOKEN }} ``` ### Inputs -| Input | Description | -|-----------------------------|--------------------------------------------------------------------------------------| -| `package` _(optional)_ | The package you want to scan, by default will be `./...` | -| `github-token` _(optional)_ | Github Token to upload sarif report. Needs *write* permissions for `security_events` | +| Input | Description | +|----------------------------------|---------------------------------------------------------------------------------------------------| +| `go-version` _(optional)_ | Version of Go used for scanning the code, should equal *your* runtime version. Defaults to `1.19` | +| `vulncheck-version` _(optional)_ | Version of govulncheck that should be used, by default `latest` | +| `package` _(optional)_ | The package you want to scan, by default will be `./...` | +| `github-token` _(optional)_ | Github Token to upload sarif report. Needs *write* permissions for `security_events` | + +> :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags). -> Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) +> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) From ba6fdfb7294b16dbcefd117b95cea3fd67ceeae3 Mon Sep 17 00:00:00 2001 
From: Templum Date: Wed, 14 Sep 2022 14:57:43 +0000 Subject: [PATCH 10/13] :heavy_plus_sign: Added zerolog --- go.mod | 3 +++ go.sum | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/go.mod b/go.mod index da161e1..9ed61ed 100644 --- a/go.mod +++ b/go.mod @@ -7,6 +7,8 @@ require golang.org/x/vuln v0.0.0-20220908210932-64dbbd7bba4f require ( github.com/golang/protobuf v1.5.2 // indirect github.com/google/go-querystring v1.1.0 // indirect + github.com/mattn/go-colorable v0.1.12 // indirect + github.com/mattn/go-isatty v0.0.14 // indirect golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect google.golang.org/appengine v1.6.7 // indirect @@ -16,6 +18,7 @@ require ( require ( github.com/google/go-github/v47 v47.0.0 github.com/owenrumney/go-sarif/v2 v2.1.2 + github.com/rs/zerolog v1.28.0 golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 diff --git a/go.sum b/go.sum index e6893d8..05d9a00 100644 --- a/go.sum +++ b/go.sum 
@@ -1,9 +1,11 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI= +github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 
@@ -20,11 +22,19 @@ github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= +github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= +github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= +github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U= github.com/owenrumney/go-sarif/v2 v2.1.2 h1:PMDK7tXShJ9zsB7bfvlpADH5NEw1dfA9xwU8Xtdj73U= github.com/owenrumney/go-sarif/v2 v2.1.2/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= +github.com/rs/zerolog v1.28.0 h1:MirSo27VyNi7RJYP3078AA1+Cyzd2GB66qy3aUHvsWY= +github.com/rs/zerolog v1.28.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
@@ -45,6 +55,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 h1:lxqLZaMad/dJHMFZH0NiNpiEZI/nhgWhe4wgzpE+MuA= golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f h1:v4INt8xihDGvnrfjMDVXGxw9wrfxYyCjk0KbXjhR55s= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From 482df7a86894568c210923932c6e3a01a813053a Mon Sep 17 00:00:00 2001 From: Templum Date: Wed, 14 Sep 2022 14:58:34 +0000 Subject: [PATCH 11/13] :sparkles: Introduced Logging via zerolog --- main.go | 39 +++++++--- pkg/github/sarif_report.go | 47 ++++++------ pkg/sarif/reporter.go | 132 +++++++++++++++++++-------------- pkg/types/reporter.go | 12 +++ pkg/vulncheck/converter.go | 61 --------------- pkg/vulncheck/runner.go | 22 +++--- pkg/vulncheck/static_runner.go | 12 +-- 7 files changed, 155 insertions(+), 170 deletions(-) create mode 100644 pkg/types/reporter.go delete mode 100644 pkg/vulncheck/converter.go diff --git a/main.go b/main.go index ecebdbd..3bff9ec 100644 --- a/main.go +++ b/main.go 
@@ -1,42 +1,57 @@ package main import ( - "fmt" "os" + "runtime" "github.com/Templum/govulncheck-action/pkg/github" "github.com/Templum/govulncheck-action/pkg/sarif" "github.com/Templum/govulncheck-action/pkg/vulncheck" + "github.com/rs/zerolog" ) func main() { - scanner := vulncheck.NewScanner() + zerolog.SetGlobalLevel(zerolog.InfoLevel) - if os.Getenv("LOCAL") == "true" { - scanner = vulncheck.NewLocalScanner() + logger := zerolog.New(zerolog.ConsoleWriter{Out: os.Stdout, TimeFormat: zerolog.TimeFormatUnix}). + With(). + Timestamp(). + Logger() // Main Logger + + reporter := sarif.NewSarifReporter(logger) + github := github.NewSarifUploader(logger) + scanner := vulncheck.NewScanner(logger) + + if os.Getenv("DEBUG") == "true" { + zerolog.SetGlobalLevel(zerolog.DebugLevel) + logger.Debug().Msg("Running in Debug-Mode will use hardcoded scan result and enable debug logs") + + scanner = vulncheck.NewLocalScanner(logger, "/workspaces/govulncheck-action/hack/output.json") } - reporter := sarif.NewSarifReporter() - converter := vulncheck.NewVulncheckConverter(reporter) - github := github.NewSarifUploader() + logger.Info(). + Str("Go-Version", runtime.Version()). + Str("Go-Os", runtime.GOOS). + Str("Go-Arch", runtime.GOARCH). 
+ Msg("GoEnvironment Details:") result, err := scanner.Scan() if err != nil { - fmt.Printf("%v \n", err) // TODO: Start using proper logger + logger.Error().Err(err).Msg("Scanning yielded error") os.Exit(2) } - err = converter.Convert(result) + err = reporter.Convert(result) if err != nil { - fmt.Printf("%v \n", err) // TODO: Start using proper logger + logger.Error().Err(err).Msg("Conversion of Scan yielded error") os.Exit(2) } err = github.UploadReport(reporter) if err != nil { - fmt.Printf("%v \n", err) // TODO: Start using proper logger + logger.Error().Err(err).Msg("Upload of Sarif Report GitHub yielded error") os.Exit(2) } - fmt.Println("Successfully processed uploaded vulncheck report to Github") + logger.Info().Msg("Successfully uploaded Sarif Report to Github, it will be available after processing") } diff --git a/pkg/github/sarif_report.go b/pkg/github/sarif_report.go index d7151aa..1bbc190 100644 --- a/pkg/github/sarif_report.go +++ b/pkg/github/sarif_report.go @@ -8,12 +8,12 @@ import ( "encoding/base64" "encoding/json" "errors" - "fmt" "os" "strings" - "github.com/Templum/govulncheck-action/pkg/sarif" + "github.com/Templum/govulncheck-action/pkg/types" "github.com/google/go-github/v47/github" + "github.com/rs/zerolog" "golang.org/x/oauth2" ) 
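Review bot: With `DEBUG=true` the scanner is replaced by `NewLocalScanner` reading the fixture `/workspaces/govulncheck-action/hack/output.json`, but control then falls through to `github.UploadReport`, so a debug run still publishes that canned report to the repository's code-scanning alerts under the real `GITHUB_SHA`; return after `reporter.Convert` when debugging, or split "verbose logs" from "use fixture" into two switches, and add `// DEBUG=true swaps in a fixed fixture; never set it in CI` above the check. The fixture path is the author's devcontainer path and should be read from an environment variable with this value as the default so the mode works elsewhere. `github := github.NewSarifUploader(logger)` shadows the imported `github` package with a local of the same name, which compiles but makes any later package reference in `main` a compile error; `uploader` would be clearer.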
@@ -25,29 +25,34 @@ const ( ) type SarifUploader interface { - UploadReport(report sarif.Report) error + UploadReport(report types.Reporter) error } type GithubSarifUploader struct { client *github.Client + log zerolog.Logger } -func NewSarifUploader() SarifUploader { +func NewSarifUploader(logger zerolog.Logger) SarifUploader { ctx := context.Background() ts := oauth2.StaticTokenSource( &oauth2.Token{AccessToken: os.Getenv(envToken)}, ) tc := oauth2.NewClient(ctx, ts) - return &GithubSarifUploader{client: github.NewClient(tc)} + return &GithubSarifUploader{client: github.NewClient(tc), log: logger} } -func (g *GithubSarifUploader) UploadReport(report sarif.Report) error { +func (g *GithubSarifUploader) UploadReport(report types.Reporter) error { ownerAndRepo := strings.Split(os.Getenv(envRepo), "/") commit := os.Getenv(envSha) gitRef := os.Getenv(envGitRef) - fmt.Printf("Preparing Report for commit %s on ref %s \n", commit, gitRef) + g.log.Info(). + Str("Commit", commit). + Str("Ref", gitRef). + Msg("Preparing Report for upload to Github") + encodedAndCompressedReport, err := g.prepareReport(report) if err != nil { return err @@ -58,11 +63,14 @@ func (g *GithubSarifUploader) UploadReport(report sarif.Report) error { Ref: &gitRef, Sarif: &encodedAndCompressedReport, }) + if _, ok := err.(*github.AcceptedError); ok { var response github.SarifID _ = json.Unmarshal(err.(*github.AcceptedError).Raw, &response) - fmt.Printf("Successfully uploaded Report to Github it received ID %s \n", *response.ID) + g.log.Info(). + Str("sarif_id", *response.ID). + Msg("Report was uploaded to GitHub") return nil } 
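Review bot: `ownerAndRepo := strings.Split(os.Getenv(envRepo), "/")` is never checked for length, so when `GITHUB_REPOSITORY` is unset or malformed the later `ownerAndRepo[1]` (presumably in the `UploadSarif` call just below this hunk) panics with an index-out-of-range instead of a readable error; add `if len(ownerAndRepo) != 2 { return errors.New("GITHUB_REPOSITORY must be owner/repo") }` right after the split. Similarly `NewSarifUploader` builds a `StaticTokenSource` from `os.Getenv(envToken)` without noticing an empty value, which only surfaces later as a 401/403 from GitHub; failing fast in `UploadReport` when the token is empty points users at the missing `github-token` input. `UploadReport` continues below the end of the hunk.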
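Review bot: After `_ = json.Unmarshal(err.(*github.AcceptedError).Raw, &response)` the code dereferences `*response.ID` unconditionally, so if the 202 body fails to parse or carries no `id` the upload has succeeded but the action panics on a nil pointer; check the pointer and log the raw body otherwise, e.g. `if response.ID == nil { g.log.Warn().Bytes("body", acceptedErr.Raw).Msg("upload accepted but no sarif id returned"); return nil }`. The type assertion is also performed twice; `acceptedErr, ok := err.(*github.AcceptedError)` once keeps it readable and avoids the unchecked second assertion.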
@@ -73,13 +81,13 @@ func (g *GithubSarifUploader) UploadReport(report sarif.Report) error { return errors.New("unexpected response from github") } -func (g *GithubSarifUploader) prepareReport(report sarif.Report) (string, error) { +func (g *GithubSarifUploader) prepareReport(report types.Reporter) (string, error) { var b bytes.Buffer // Can only throw for invalid level, which can not be the case here writer, _ := gzip.NewWriterLevel(&b, flate.BestSpeed) - err := report.Flush(writer) + err := report.Write(writer) if err != nil { return "", err } @@ -90,19 +98,10 @@ func (g *GithubSarifUploader) prepareReport(report sarif.Report) (string, error) return "", err } - return base64.StdEncoding.EncodeToString(b.Bytes()), nil -} - -/** -func debugCompressedContent(raw []byte) { - var readB = bytes.NewBuffer(raw) + g.log.Debug(). + Int("Original Size", b.Len()). + Int("Compressed Size", b.Cap()). + Msg("Report was successfully gzipped") - reader, _ := gzip.NewReader(readB) - b, err := io.ReadAll(reader) - if err != nil { - fmt.Printf("Error %v", err) - } else { - fmt.Printf("Decoded string %s", string(b)) - } + return base64.StdEncoding.EncodeToString(b.Bytes()), nil } -**/ diff --git a/pkg/sarif/reporter.go b/pkg/sarif/reporter.go index efa2214..97c05d3 100644 --- a/pkg/sarif/reporter.go +++ b/pkg/sarif/reporter.go 
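Review bot: The new debug line labels `b.Len()` as "Original Size" and `b.Cap()` as "Compressed Size", but `b` only ever receives the gzip writer's output, so `b.Len()` is the compressed size and `b.Cap()` is the buffer's allocated capacity rather than the size of anything; log `Int("Compressed Size", b.Len())` alone, or wrap `writer` in a small counting `io.Writer` inside `prepareReport` if the uncompressed size is wanted. A short doc comment on `prepareReport` stating that it returns the base64 of the gzipped SARIF, the encoding GitHub's code-scanning upload endpoint expects, would also help the next reader.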
@@ -6,57 +6,85 @@ import ( "os" "strings" + "github.com/Templum/govulncheck-action/pkg/types" "github.com/owenrumney/go-sarif/v2/sarif" + "github.com/rs/zerolog" "golang.org/x/vuln/osv" "golang.org/x/vuln/vulncheck" ) const ( - ruleName = "LanguageSpecificPackageVulnerability" // TODO: Research if more specific rule name is possible - severity = "warning" // There are no Severities published on that page + ruleName = "LanguageSpecificPackageVulnerability" + severity = "warning" shortName = "govulncheck" fullName = "Golang Vulncheck" uri = "https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck" baseURI = "SRCROOT" ) -type Reporter interface { - CreateEmptyReport(vulncheckVersion string) error - AddRule(vuln vulncheck.Vuln) - AddCallResult(vuln *vulncheck.Vuln, call *vulncheck.CallSite, parent *vulncheck.FuncNode) - AddImportResult(vuln *vulncheck.Vuln, pkg *vulncheck.PkgNode) -} - -type Report interface { - Flush(writer io.Writer) error -} - -type Reportable interface { - Reporter - Report -} - type SarifReporter struct { report *sarif.Report run *sarif.Run + log zerolog.Logger workDir string } -func NewSarifReporter() Reportable { +func NewSarifReporter(logger zerolog.Logger) types.Reporter { localDir, _ := os.Getwd() - return &SarifReporter{report: nil, run: nil, workDir: localDir} + return &SarifReporter{report: nil, run: nil, log: logger, workDir: localDir} +} + +func (sr *SarifReporter) Convert(result *vulncheck.Result) error { + if err := sr.createEmptyReport("initial"); err != nil { + return fmt.Errorf("failed to create an empty sarif report due to %v", err) + } + + for _, current := range result.Vulns { + sr.addRule(*current) + + if current.CallSink == 0 { + if len(result.Imports.Packages) >= current.ImportSink { + pkg := result.Imports.Packages[current.ImportSink] + message := fmt.Sprintf("Project is indirectly using vulnerable package %s", pkg.Path) + + sr.addResult(current, message, nil) + } + } else { + if len(result.Calls.Functions) >= current.CallSink { 
+ for _, call := range result.Calls.Functions[current.CallSink].CallSites { + // Only reporting code that is used + if strings.Contains(call.Pos.Filename, sr.workDir) { + parent := result.Calls.Functions[call.Parent] + message := sr.generateResultMessage(current, call, parent) + + sr.addResult(current, message, call) + } + } + } + } + + } + + return nil +} + +func (sr *SarifReporter) Write(dest io.Writer) error { + sr.run.ColumnKind = "utf16CodeUnits" + sr.report.AddRun(sr.run) + + return sr.report.PrettyWrite(dest) } -func (sr *SarifReporter) CreateEmptyReport(vulncheckVersion string) error { +func (sr *SarifReporter) createEmptyReport(vulncheckVersion string) error { report, err := sarif.New(sarif.Version210) if err != nil { return err } run := sarif.NewRunWithInformationURI(shortName, uri) - run.Tool.Driver.WithVersion(vulncheckVersion) + run.Tool.Driver.WithVersion("0.0.1") // TODO: Get version from tag run.Tool.Driver.WithFullName(fullName) sr.report = report @@ -65,8 +93,8 @@ func (sr *SarifReporter) CreateEmptyReport(vulncheckVersion string) error { return nil } -func (sr *SarifReporter) AddRule(vuln vulncheck.Vuln) { - text, markdown := generateRuleHelp(vuln) +func (sr *SarifReporter) addRule(vuln vulncheck.Vuln) { + text, markdown := sr.generateRuleHelp(vuln) // sr.run.AddRule does check if the rule is present prior to adding it sr.run.AddRule(vuln.OSV.ID). 
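Review bot: The guards `len(result.Imports.Packages) >= current.ImportSink` and `len(result.Calls.Functions) >= current.CallSink` do not protect the lookups that follow: if those fields are slices the `>=` lets an index equal to the length through, and if they are maps keyed by node id (which I believe is how `vulncheck.Result` declares them) the length comparison says nothing about whether the key exists and a missing entry yields a nil node that panics on `pkg.Path` or `.CallSites`; use the comma-ok form instead, `pkg, ok := result.Imports.Packages[current.ImportSink]; if !ok { continue }`, and the same for the call-sink lookup and for `result.Calls.Functions[call.Parent]`. `createEmptyReport("initial")` now ignores its argument and hardcodes `WithVersion("0.0.1")`, and the `VERSION` environment value the deleted converter read is no longer used anywhere, so the forwarded govulncheck version is silently dropped; either remove the parameter or feed it through. `Convert` has no doc comment; I would add one saying it builds a fresh SARIF run from the vulncheck result and reports only call sites located under the working directory.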
@@ -88,49 +116,39 @@ func (sr *SarifReporter) AddRule(vuln vulncheck.Vuln) { WithHelpURI(fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV.ID)) } -func (sr *SarifReporter) AddCallResult(vuln *vulncheck.Vuln, call *vulncheck.CallSite, parent *vulncheck.FuncNode) { +func (sr *SarifReporter) addResult(vuln *vulncheck.Vuln, message string, call *vulncheck.CallSite) { + sr.log.Debug(). + Str("ID", vuln.OSV.ID). + Str("Pkg", vuln.PkgPath). + Str("Symbol", vuln.Symbol). + Msg("Adding a new Result to the Sarif Report") + result := sarif.NewRuleResult(vuln.OSV.ID). WithLevel(severity). - WithMessage(sarif.NewTextMessage(sr.generateResultMessage(vuln, call, parent))) - region := sarif.NewRegion(). - WithStartLine(call.Pos.Line). - WithEndLine(call.Pos.Line). - WithStartColumn(call.Pos.Column). - WithEndColumn(call.Pos.Column). - WithCharOffset(call.Pos.Offset) + WithMessage(sarif.NewTextMessage(message)) - location := sarif.NewPhysicalLocation(). - WithArtifactLocation(sarif.NewSimpleArtifactLocation(sr.makePathRelative(call.Pos.Filename)).WithUriBaseId(baseURI)). - WithRegion(region) + if call != nil { + region := sarif.NewRegion(). + WithStartLine(call.Pos.Line). + WithEndLine(call.Pos.Line). + WithStartColumn(call.Pos.Column). + WithEndColumn(call.Pos.Column). + WithCharOffset(call.Pos.Offset) - result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)}) + location := sarif.NewPhysicalLocation(). + WithArtifactLocation(sarif.NewSimpleArtifactLocation(sr.makePathRelative(call.Pos.Filename)).WithUriBaseId(baseURI)). + WithRegion(region) - ruleIdx := sr.getRuleIndex(vuln.OSV.ID) - if ruleIdx >= 0 { - result.WithRuleIndex(ruleIdx) - sr.run.AddResult(result) + result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)}) } -} - -func (sr *SarifReporter) AddImportResult(vuln *vulncheck.Vuln, pkg *vulncheck.PkgNode) { - result := sarif.NewRuleResult(vuln.OSV.ID). - WithLevel(severity). 
- WithMessage(sarif.NewTextMessage(fmt.Sprintf("Import of vulnerable package %s", pkg.Path))) ruleIdx := sr.getRuleIndex(vuln.OSV.ID) - if ruleIdx > 0 { + if ruleIdx >= 0 { result.WithRuleIndex(ruleIdx) sr.run.AddResult(result) } } -func (sr *SarifReporter) Flush(writer io.Writer) error { - sr.run.ColumnKind = "utf16CodeUnits" - - sr.report.AddRun(sr.run) - return sr.report.PrettyWrite(writer) -} - func (sr *SarifReporter) getRuleIndex(ruleId string) int { for idx, rule := range sr.run.Tool.Driver.Rules { if rule.ID == ruleId { @@ -153,7 +171,7 @@ func (sr *SarifReporter) makePathRelative(absolute string) string { return strings.Replace(absolute, sr.workDir, "", 1) } -func searchFixVersion(versions []osv.Affected) string { +func (sr *SarifReporter) searchFixVersion(versions []osv.Affected) string { for _, current := range versions { for _, r := range current.Ranges { for _, ev := range r.Events { @@ -167,8 +185,8 @@ func searchFixVersion(versions []osv.Affected) string { return "None" } -func generateRuleHelp(vuln vulncheck.Vuln) (text string, markdown string) { - fixVersion := searchFixVersion(vuln.OSV.Affected) +func (sr *SarifReporter) generateRuleHelp(vuln vulncheck.Vuln) (text string, markdown string) { + fixVersion := sr.searchFixVersion(vuln.OSV.Affected) uri := fmt.Sprintf("https://pkg.go.dev/vuln/%s", vuln.OSV.ID) return fmt.Sprintf("Vulnerability %s \n Module: %s \n Package: %s \n Fixed in Version: %s \n", vuln.OSV.ID, vuln.ModPath, vuln.PkgPath, fixVersion), diff --git a/pkg/types/reporter.go b/pkg/types/reporter.go new file mode 100644 index 0000000..26464d5 --- /dev/null +++ b/pkg/types/reporter.go @@ -0,0 +1,12 @@ +package types + +import ( + "io" + + "golang.org/x/vuln/vulncheck" +) + +type Reporter interface { + Convert(result *vulncheck.Result) error + Write(dest io.Writer) error +} diff --git a/pkg/vulncheck/converter.go b/pkg/vulncheck/converter.go deleted file mode 100644 index 2e2fba5..0000000 --- a/pkg/vulncheck/converter.go +++ /dev/null 
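Review bot: `addResult` silently discards the result when `getRuleIndex` returns -1; `Convert` always calls `addRule` first so this should not happen, but a `sr.log.Warn().Str("ID", vuln.OSV.ID).Msg("rule not found, result dropped")` in an `else` branch makes the invariant visible instead of producing an unexplained empty report. The region uses `call.Pos.Column` for both start and end column, which gives a zero-width region that some SARIF viewers render with no highlight at all; if the symbol length is not available, omitting the end column (the region then presumably extends to the end of the line) is likely more useful. `addResult` starts inside the hunk, but `generateResultMessage`, which builds `message`, is outside it.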
@@ -1,61 +0,0 @@ -package vulncheck - -import ( - "fmt" - "os" - "strings" - - "github.com/Templum/govulncheck-action/pkg/sarif" - "golang.org/x/vuln/vulncheck" -) - -type VulncheckConverter interface { - Convert(result *vulncheck.Result) error -} - -type Converter struct { - reporter sarif.Reporter -} - -func NewVulncheckConverter(reporter sarif.Reporter) VulncheckConverter { - return &Converter{reporter: reporter} -} - -func (c *Converter) getVulncheckVersion() string { - specifiedVersion := os.Getenv("VERSION") - - return specifiedVersion -} - -func (c *Converter) Convert(result *vulncheck.Result) error { - localDir, _ := os.Getwd() - - err := c.reporter.CreateEmptyReport(c.getVulncheckVersion()) - if err != nil { - return err - } - - for _, current := range result.Vulns { - c.reporter.AddRule(*current) - - if current.CallSink == 0 { - if len(result.Imports.Packages) >= current.ImportSink { - c.reporter.AddImportResult(current, result.Imports.Packages[current.ImportSink]) - } - } else { - if len(result.Calls.Functions) >= current.CallSink { - for _, call := range result.Calls.Functions[current.CallSink].CallSites { - // Only reporting code that is used - if strings.Contains(call.Pos.Filename, localDir) { - parent := result.Calls.Functions[call.Parent] - c.reporter.AddCallResult(current, call, parent) - } - } - } - } - - } - - fmt.Println("Converted Report to Sarif format") - return nil -} diff --git a/pkg/vulncheck/runner.go b/pkg/vulncheck/runner.go index 18f2a53..e790bd1 100644 --- a/pkg/vulncheck/runner.go +++ b/pkg/vulncheck/runner.go @@ -3,10 +3,10 @@ package vulncheck import ( "encoding/json" "errors" - "fmt" "os" "os/exec" + "github.com/rs/zerolog" "golang.org/x/vuln/vulncheck" ) 
@@ -21,29 +21,29 @@ type Scanner interface { } type CmdScanner struct { + log zerolog.Logger } -func NewScanner() Scanner { - return &CmdScanner{} +func NewScanner(logger zerolog.Logger) Scanner { + return &CmdScanner{log: logger} } func (r *CmdScanner) Scan() (*vulncheck.Result, error) { pkg := os.Getenv(envPackage) workDir, _ := os.Getwd() - fmt.Printf("Running govulncheck for package %s in dir %s\n", pkg, workDir) + r.log.Info().Msgf("Running govulncheck for package %s in dir %s", pkg, workDir) + cmd := exec.Command(command, flag, pkg) cmd.Dir = workDir out, cmdErr := cmd.Output() if err, ok := cmdErr.(*exec.ExitError); ok { - if err.ExitCode() > 0 { - println("Scan found vulnerabilities in codebase") - } - if len(err.Stderr) > 0 { - fmt.Printf("Stderr: %s\n", string(err.Stderr)) - fmt.Printf("Error: %v\n", err) + r.log.Error(). + Err(err). + Str("Stderr", string(err.Stderr)). + Msg("govulncheck exited with none 0 code") } } else if cmdErr != nil { @@ -56,6 +56,6 @@ func (r *CmdScanner) Scan() (*vulncheck.Result, error) { return nil, errors.New("scan failed to produce proper report") } - fmt.Println("Successfully parsed report") + r.log.Info().Msg("Successfully scanned project") return &result, nil } diff --git a/pkg/vulncheck/static_runner.go b/pkg/vulncheck/static_runner.go index 430008b..e9d2070 100644 --- a/pkg/vulncheck/static_runner.go +++ b/pkg/vulncheck/static_runner.go 
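Review bot: The ExitError branch in Scan now logs every non-zero exit at Error level with the text `govulncheck exited with none 0 code`, although the removed lines show that a non-zero exit was previously treated as the expected "vulnerabilities found" outcome; an Error-level entry for the normal finding path will look like a failed step in CI logs. I would fix the wording to `Msg("govulncheck exited with non-zero code")` and log the found-vulnerabilities case at Info or Warn, keeping Error for exits where no usable output was produced. Whether the code that follows still parses `out` after an ExitError cannot be seen here, as the middle of Scan lies between this hunk and the next one.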
@@ -3,21 +3,23 @@ package vulncheck import ( "encoding/json" "errors" - "fmt" "os" + "github.com/rs/zerolog" "golang.org/x/vuln/vulncheck" ) type StaticScanner struct { + log zerolog.Logger + path string } -func NewLocalScanner() Scanner { - return &StaticScanner{} +func NewLocalScanner(logger zerolog.Logger, pathToFile string) Scanner { + return &StaticScanner{log: logger, path: pathToFile} } func (r *StaticScanner) Scan() (*vulncheck.Result, error) { - out, _ := os.ReadFile("/workspaces/govulncheck-action/hack/found.json") + out, _ := os.ReadFile(r.path) var result vulncheck.Result err := json.Unmarshal(out, &result) @@ -25,6 +27,6 @@ func (r *StaticScanner) Scan() (*vulncheck.Result, error) { return nil, errors.New("scan failed to produce proper report") } - fmt.Println("Successfully parsed report") + r.log.Debug().Msgf("Successfully parsed report located at %s", r.path) return &result, nil } From 18cff361a4db7ee6afd43dbd3d1a1c54ed94f94c Mon Sep 17 00:00:00 2001 From: Templum Date: Wed, 14 Sep 2022 21:49:14 +0000 Subject: [PATCH 12/13] :sparkles: Implemented Call Chain Lookup --- pkg/sarif/reporter.go | 88 +++++++++++++++++++++++++++++++------------ 1 file changed, 64 insertions(+), 24 deletions(-) diff --git a/pkg/sarif/reporter.go b/pkg/sarif/reporter.go index 97c05d3..2aba883 100644 --- a/pkg/sarif/reporter.go +++ b/pkg/sarif/reporter.go 
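Review bot: `out, _ := os.ReadFile(r.path)` discards the read error, so a missing or unreadable path hands an empty slice to json.Unmarshal and the caller only sees the generic "scan failed to produce proper report" message, with the real cause (wrong path, permissions) lost; now that the path is caller-supplied via NewLocalScanner this is the most likely failure. Use `out, err := os.ReadFile(r.path)` followed by `if err != nil { return nil, err }`, and change the later declaration to `err = json.Unmarshal(out, &result)`. The rest of Scan between the two hunks is not visible here.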
@@ -44,27 +44,21 @@ func (sr *SarifReporter) Convert(result *vulncheck.Result) error { for _, current := range result.Vulns { sr.addRule(*current) - if current.CallSink == 0 { + callingVuln := sr.searchCallChainForUserCode(current, result.Calls) + + if callingVuln == nil { if len(result.Imports.Packages) >= current.ImportSink { pkg := result.Imports.Packages[current.ImportSink] message := fmt.Sprintf("Project is indirectly using vulnerable package %s", pkg.Path) sr.addResult(current, message, nil) } - } else { - if len(result.Calls.Functions) >= current.CallSink { - for _, call := range result.Calls.Functions[current.CallSink].CallSites { - // Only reporting code that is used - if strings.Contains(call.Pos.Filename, sr.workDir) { - parent := result.Calls.Functions[call.Parent] - message := sr.generateResultMessage(current, call, parent) - - sr.addResult(current, message, call) - } - } - } + break } + parent := result.Calls.Functions[callingVuln.Parent] + message := sr.generateResultMessage(current, callingVuln, parent) + sr.addResult(current, message, callingVuln) } return nil @@ -117,11 +111,18 @@ func (sr *SarifReporter) addRule(vuln vulncheck.Vuln) { } func (sr *SarifReporter) addResult(vuln *vulncheck.Vuln, message string, call *vulncheck.CallSite) { + if sr.alreadyReported(vuln, message) { + sr.log.Debug(). + Str("ID", vuln.OSV.ID). + Str("Pkg", vuln.PkgPath). + Str("Caller", call.Name). + Msg("There is already a result for this vuln-call tuple") + return + } + sr.log.Debug(). - Str("ID", vuln.OSV.ID). - Str("Pkg", vuln.PkgPath). Str("Symbol", vuln.Symbol). - Msg("Adding a new Result to the Sarif Report") + Msgf("[Add Result] %s", message) result := sarif.NewRuleResult(vuln.OSV.ID). WithLevel(severity). 
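Review bot: The `break` in the `callingVuln == nil` branch of Convert's loop leaves the `for _, current := range result.Vulns` loop entirely, so after the first vulnerability that is only imported (no call chain into user code) every remaining vulnerability gets its rule added by the earlier addRule call but no result; the intended control flow is `continue`. Convert's signature and the start of its body lie outside the hunk. If Imports.Packages and Calls.Functions are keyed by node id rather than being dense slices, as the int-valued ImportSink and Parent suggest, the `len(...) >= current.ImportSink` guard does not ensure the lookup succeeds and `parent` may be nil before generateResultMessage dereferences it — worth confirming against the vulncheck types.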
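Review bot: The new duplicate-detection branch in addResult dereferences `call.Name` unconditionally, but Convert (earlier in this patch) passes `nil` as the call for import-only findings, so the second import-only result for the same vulnerability and message panics instead of being skipped. The simplest fix is to log a field that is always available, e.g. replace `Str("Caller", call.Name).` with `Str("Symbol", vuln.Symbol).`; the surrounding code already guards `call` for the location block later in the function. The remainder of addResult continues in the next hunk.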
@@ -142,14 +143,14 @@ func (sr *SarifReporter) addResult(vuln *vulncheck.Vuln, message string, call *v result.WithLocations([]*sarif.Location{sarif.NewLocationWithPhysicalLocation(location)}) } - ruleIdx := sr.getRuleIndex(vuln.OSV.ID) + ruleIdx := sr.getRule(vuln.OSV.ID) if ruleIdx >= 0 { result.WithRuleIndex(ruleIdx) sr.run.AddResult(result) } } -func (sr *SarifReporter) getRuleIndex(ruleId string) int { +func (sr *SarifReporter) getRule(ruleId string) int { for idx, rule := range sr.run.Tool.Driver.Rules { if rule.ID == ruleId { return idx 
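Review bot: The rename from getRuleIndex to getRule is misleading: the function still returns the int position of the rule in `sr.run.Tool.Driver.Rules` (or -1), not a rule, and the call site assigns it to `ruleIdx`. Either keep the old name or document the return value, e.g. `// getRule returns the index of the rule with id ruleId in the driver's rule list, or -1 if it has not been added.`. The end of getRule lies in the following hunk.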
@@ -158,17 +159,47 @@ func (sr *SarifReporter) getRuleIndex(ruleId string) int { return -1 } -func (sr *SarifReporter) generateResultMessage(vuln *vulncheck.Vuln, call *vulncheck.CallSite, parent *vulncheck.FuncNode) string { - relativeFile := sr.makePathRelative(call.Pos.Filename) +func (sr *SarifReporter) searchCallChainForUserCode(vuln *vulncheck.Vuln, graph *vulncheck.CallGraph) *vulncheck.CallSite { + if vuln.CallSink == 0 { + return nil + } - caller := fmt.Sprintf("%s:%d:%d %s.%s", relativeFile, call.Pos.Line, call.Pos.Column, parent.PkgPath, parent.Name) - calledVuln := fmt.Sprintf("%s.%s", vuln.ModPath, vuln.Symbol) + // TODO: It might be that graph.Functions[vuln.CallSink] itself is a vulnerability + callChain := graph.Functions[vuln.CallSink].CallSites - return fmt.Sprintf("%s calls %s which has vulnerability %s", caller, calledVuln, vuln.OSV.ID) + for len(callChain) > 0 { + var updatedChain []*vulncheck.CallSite + for _, current := range callChain { + parent := graph.Functions[current.Parent] + + if strings.Contains(current.Pos.Filename, sr.workDir) { + return current + } + + updatedChain = append(updatedChain, parent.CallSites...) + } + + callChain = updatedChain + } + + return nil } func (sr *SarifReporter) makePathRelative(absolute string) string { - return strings.Replace(absolute, sr.workDir, "", 1) + return strings.ReplaceAll(absolute, sr.workDir, "") +} + +func (sr *SarifReporter) alreadyReported(vuln *vulncheck.Vuln, message string) bool { + for _, current := range sr.run.Results { + ruleId := *current.RuleID + text := *current.Message.Text + + if ruleId == vuln.OSV.ID && text == message { + return true + } + } + + return false } func (sr *SarifReporter) searchFixVersion(versions []osv.Affected) string { 
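Review bot: searchCallChainForUserCode can loop forever: the breadth-first walk appends each parent's CallSites without recording which function ids it has already expanded, so a cycle in the call graph (recursive or mutually recursive functions) whose chain never reaches a file under sr.workDir keeps callChain non-empty on every pass while updatedChain grows without bound. Tracking expanded parents in a visited set bounds the walk to each function once; a sketch follows. If graph.Functions is a map keyed by node id, as the int-valued CallSink and Parent suggest, a missing entry yields a nil FuncNode and `parent.CallSites` would panic, so a nil check is worth adding, though the type cannot be confirmed from this hunk. The TODO about graph.Functions[vuln.CallSink] itself being the vulnerable function also remains open.

```go
func (sr *SarifReporter) searchCallChainForUserCode(vuln *vulncheck.Vuln, graph *vulncheck.CallGraph) *vulncheck.CallSite {
	// … unchanged: CallSink == 0 guard and initial callChain …

	// Function ids whose call sites have already been queued; prevents
	// re-expanding the same node when the call graph contains cycles.
	visited := map[int]bool{vuln.CallSink: true}

	for len(callChain) > 0 {
		var updatedChain []*vulncheck.CallSite
		for _, current := range callChain {
			if strings.Contains(current.Pos.Filename, sr.workDir) {
				return current
			}

			if visited[current.Parent] {
				continue
			}
			visited[current.Parent] = true

			parent := graph.Functions[current.Parent]
			if parent == nil {
				continue
			}
			updatedChain = append(updatedChain, parent.CallSites...)
		}

		callChain = updatedChain
	}

	return nil
}
```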
@@ -192,3 +223,12 @@ func (sr *SarifReporter) generateRuleHelp(vuln vulncheck.Vuln) (text string, mar return fmt.Sprintf("Vulnerability %s \n Module: %s \n Package: %s \n Fixed in Version: %s \n", vuln.OSV.ID, vuln.ModPath, vuln.PkgPath, fixVersion), fmt.Sprintf("**Vulnerability [%s](%s)**\n%s\n| Module | Package | Fixed in Version |\n| --- | --- |:---:|\n|%s|%s|%s|\n", vuln.OSV.ID, uri, vuln.OSV.Details, vuln.ModPath, vuln.PkgPath, fixVersion) } + +func (sr *SarifReporter) generateResultMessage(vuln *vulncheck.Vuln, call *vulncheck.CallSite, parent *vulncheck.FuncNode) string { + relativeFile := sr.makePathRelative(call.Pos.String()) + + caller := fmt.Sprintf("[%s] %s.%s", relativeFile, parent.PkgPath, parent.Name) + calledVuln := fmt.Sprintf("%s.%s", vuln.PkgPath, call.Name) + + return fmt.Sprintf("%s calls %s which has vulnerability %s", caller, calledVuln, vuln.OSV.ID) +} From 70b65d311f244c17627da2e7502cbc5be92acf9f Mon Sep 17 00:00:00 2001 From: Templum Date: Wed, 14 Sep 2022 22:06:46 +0000 Subject: [PATCH 13/13] :wrench: Making docker build less verbose --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 716e0fb..ab8b0c3 100644 --- a/action.yml +++ b/action.yml 
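Review bot: generateResultMessage is exported into the report text that users read but has no doc comment describing the format it produces; suggest `// generateResultMessage renders "<file:line:col> caller calls callee which has vulnerability ID" for a call-site finding, with the position made relative to sr.workDir.`. The function also calls `call.Pos.String()` without checking Pos, and I cannot tell from this hunk whether vulncheck guarantees a non-nil position for every CallSite — if it does not, a nil guard returning a plain "unknown position" string would avoid a panic during report generation. The function is complete in the hunk.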
@@ -23,7 +23,7 @@ runs: using: "composite" steps: - id: build - run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH + run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH shell: bash - id: run run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e PACKAGE=${{ inputs.package }} -e VERSION=${{ inputs.version }} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local
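Review bot: The rewritten build step still expands `${{ inputs.go-version }}` and `${{ inputs.vulncheck-version }}` directly into the text of the bash `run:` command, so the shell interprets whatever an input contains before docker build ever sees it; the action's own docs describe these as free-form image tags. Passing them through `env:` and referencing the variables quoted keeps them as data, as in the sketch below. The same pattern applies to the `docker run` line that follows, which interpolates `inputs.github-token` and `inputs.package` the same way, though that line is unchanged by this commit. Separately, `-q` hides the whole build log, which makes a failed image build harder to diagnose from the job output; consider keeping full output or gating quiet mode behind an input.

```yaml
      - id: build
        env:
          GO_VERSION: ${{ inputs.go-version }}
          VULNCHECK_VERSION: ${{ inputs.vulncheck-version }}
        run: docker build --build-arg GOLANG_VERSION="$GO_VERSION" --build-arg VULNCHECK_VERSION="$VULNCHECK_VERSION" -q -f "$GITHUB_ACTION_PATH/Dockerfile" -t templum/govulncheck-action:local "$GITHUB_ACTION_PATH"
        shell: bash
      # … unchanged: run step …
```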