Skip to content

Commit

Permalink
Introduce make targets for gosec (#302)
Browse files Browse the repository at this point in the history
  • Loading branch information
MartinWeindel authored Oct 18, 2024
1 parent c61142d commit 2e32544
Show file tree
Hide file tree
Showing 3 changed files with 64 additions and 2 deletions.
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,6 @@ TODO
.fuse_hidden*

.go-version

# gosec
gosec-report.sarif
19 changes: 17 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ tidy:
@mkdir -p $(REPO_ROOT)/.ci/hack && cp $(GARDENER_HACK_DIR)/.ci/* $(REPO_ROOT)/.ci/hack/ && chmod +xw $(REPO_ROOT)/.ci/hack/*
@GARDENER_HACK_DIR=$(GARDENER_HACK_DIR) $(REPO_ROOT)/hack/update-github-templates.sh
@cp $(GARDENER_HACK_DIR)/cherry-pick-pull.sh $(HACK_DIR)/cherry-pick-pull.sh && chmod +xw $(HACK_DIR)/cherry-pick-pull.sh
@cp $(GARDENER_HACK_DIR)/sast.sh $(HACK_DIR)/sast.sh && chmod +xw $(HACK_DIR)/sast.sh

.PHONY: clean
clean:
Expand All @@ -92,6 +93,20 @@ generate: $(CONTROLLER_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(HELM) $(MOCKGEN) $(Y
format: $(GOIMPORTS) $(GOIMPORTSREVISER)
@bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg ./test

# TODO(martinweindel): Remove once https://github.com/gardener/gardener/pull/10642 is available as release.
TOOLS_PKG_PATH := $(shell go list -tags tools -f '{{ .Dir }}' github.com/gardener/gardener/hack/tools 2>/dev/null)
.PHONY: adjust-install-gosec.sh
adjust-install-gosec.sh:
@chmod +xw $(TOOLS_PKG_PATH)/install-gosec.sh

.PHONY: sast
sast: adjust-install-gosec.sh $(GOSEC)
@./hack/sast.sh

.PHONY: sast-report
sast-report: adjust-install-gosec.sh $(GOSEC)
@./hack/sast.sh --gosec-report true

.PHONY: test
test:
@bash $(GARDENER_HACK_DIR)/test.sh ./cmd/... ./pkg/...
Expand All @@ -105,7 +120,7 @@ test-clean:
@bash $(GARDENER_HACK_DIR)/test-cover-clean.sh

.PHONY: verify
verify: check format test
verify: check format test sast

.PHONY: verify-extended
verify-extended: check-generate check format test-cov test-clean
verify-extended: check-generate check format test-cov test-clean sast-report
44 changes: 44 additions & 0 deletions hack/sast.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
#!/usr/bin/env bash
#
# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
#
# SPDX-License-Identifier: Apache-2.0

set -e

root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"

gosec_report="false"
gosec_report_parse_flags=""

parse_flags() {
while test $# -gt 1; do
case "$1" in
--gosec-report)
shift; gosec_report="$1"
;;
*)
echo "Unknown argument: $1"
exit 1
;;
esac
shift
done
}

parse_flags "$@"

echo "> Running gosec"
gosec --version
if [[ "$gosec_report" != "false" ]]; then
echo "Exporting report to $root_dir/gosec-report.sarif"
gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
fi

# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf
# which create lots of G103 (CWE-242: Use of unsafe calls should be audited) & G104 (CWE-703: Errors unhandled) errors.
# However, those generators are best-pratice in Kubernetes environment and their results are tested well.
# Thus, generated code is excluded from gosec scan.
# Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
# is excluded too. It does not contain productive code anyway.
gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...

0 comments on commit 2e32544

Please sign in to comment.