From 2e3254478e75c3b988022e2368b1a488d5295662 Mon Sep 17 00:00:00 2001 From: Martin Weindel Date: Fri, 18 Oct 2024 11:09:36 +0200 Subject: [PATCH] Introduce make targets for `gosec` (#302) --- .gitignore | 3 +++ Makefile | 19 +++++++++++++++++-- hack/sast.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 64 insertions(+), 2 deletions(-) create mode 100755 hack/sast.sh diff --git a/.gitignore b/.gitignore index 70c54ebe..f90c6538 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,6 @@ TODO .fuse_hidden* .go-version + +# gosec +gosec-report.sarif diff --git a/Makefile b/Makefile index 1c14dfac..6bf6400c 100644 --- a/Makefile +++ b/Makefile @@ -68,6 +68,7 @@ tidy: @mkdir -p $(REPO_ROOT)/.ci/hack && cp $(GARDENER_HACK_DIR)/.ci/* $(REPO_ROOT)/.ci/hack/ && chmod +xw $(REPO_ROOT)/.ci/hack/* @GARDENER_HACK_DIR=$(GARDENER_HACK_DIR) $(REPO_ROOT)/hack/update-github-templates.sh @cp $(GARDENER_HACK_DIR)/cherry-pick-pull.sh $(HACK_DIR)/cherry-pick-pull.sh && chmod +xw $(HACK_DIR)/cherry-pick-pull.sh + @cp $(GARDENER_HACK_DIR)/sast.sh $(HACK_DIR)/sast.sh && chmod +xw $(HACK_DIR)/sast.sh .PHONY: clean clean: @@ -92,6 +93,20 @@ generate: $(CONTROLLER_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(HELM) $(MOCKGEN) $(Y format: $(GOIMPORTS) $(GOIMPORTSREVISER) @bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg ./test +# TODO(martinweindel): Remove once https://github.com/gardener/gardener/pull/10642 is available as release. +TOOLS_PKG_PATH := $(shell go list -tags tools -f '{{ .Dir }}' github.com/gardener/gardener/hack/tools 2>/dev/null) +.PHONY: adjust-install-gosec.sh +adjust-install-gosec.sh: + @chmod +xw $(TOOLS_PKG_PATH)/install-gosec.sh + +.PHONY: sast +sast: adjust-install-gosec.sh $(GOSEC) + @./hack/sast.sh + +.PHONY: sast-report +sast-report: adjust-install-gosec.sh $(GOSEC) + @./hack/sast.sh --gosec-report true + .PHONY: test test: @bash $(GARDENER_HACK_DIR)/test.sh ./cmd/... ./pkg/... 
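Review bot: `TOOLS_PKG_PATH` is filled from `$(shell go list ... 2>/dev/null)`, so when the lookup fails (module not downloaded, `tools` build tag not honoured, make run outside the module) it is silently empty and `adjust-install-gosec.sh` executes `chmod +xw /install-gosec.sh`, which dies with an unrelated "No such file or directory" message. I would fail explicitly in the recipe before the chmod: `@test -n "$(TOOLS_PKG_PATH)" || { echo "go list could not resolve github.com/gardener/gardener/hack/tools (tools tag)" >&2; exit 1; }`. Because the assignment uses `:=`, `go list` also runs at parse time on every make invocation regardless of target; the variable is only expanded once, inside that one recipe, so a recursive `=` assignment would defer the call to the `sast`/`sast-report` targets that actually need it. Since the block is marked for removal, it is worth adding to the TODO comment that the chmod mutates a file inside the Go module cache checkout, so whoever removes the workaround knows why it existed.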
@@ -105,7 +120,7 @@ test-clean:
 @bash $(GARDENER_HACK_DIR)/test-cover-clean.sh
 
 .PHONY: verify
-verify: check format test
+verify: check format test sast
 
 .PHONY: verify-extended
-verify-extended: check-generate check format test-cov test-clean
+verify-extended: check-generate check format test-cov test-clean sast-report
diff --git a/hack/sast.sh b/hack/sast.sh
new file mode 100755
index 00000000..d2f1298c
--- /dev/null
+++ b/hack/sast.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"
+
+gosec_report="false"
+gosec_report_parse_flags=""
+
+parse_flags() {
+ while test $# -gt 1; do
+ case "$1" in
+ --gosec-report)
+ shift; gosec_report="$1"
+ ;;
+ *)
+ echo "Unknown argument: $1"
+ exit 1
+ ;;
+ esac
+ shift
+ done
+}
+
+parse_flags "$@"
+
+echo "> Running gosec"
+gosec --version
+if [[ "$gosec_report" != "false" ]]; then
+ echo "Exporting report to $root_dir/gosec-report.sarif"
+ gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
+fi
+
+# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf
+# which create lots of G103 (CWE-242: Use of unsafe calls should be audited) & G104 (CWE-703: Errors unhandled) errors.
+# However, those generators are best-pratice in Kubernetes environment and their results are tested well.
+# Thus, generated code is excluded from gosec scan.
+# Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
+# is excluded too. It does not contain productive code anyway.
+gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
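Review bot: The script announces the report at `$root_dir/gosec-report.sarif`, but gosec is run with `-out=gosec-report.sarif` and `./...` relative to the caller's cwd; `root_dir` is computed and never used to change directory, so when invoked from anywhere but the repo root the SARIF file lands elsewhere and the scan covers a different tree. Add `cd "$root_dir"` directly after `parse_flags "$@"` (or pass `-out="$root_dir/gosec-report.sarif"` and scan `"$root_dir/..."`). `parse_flags` loops only while `$# -gt 1`, so a trailing `--gosec-report` with no value, or any stray last argument, is dropped silently instead of reaching the `Unknown argument` branch; looping while `$# -gt 0` and erroring when the value is missing would turn that into a hard failure. The script also calls bare `gosec` from PATH, whereas the Makefile targets depend on `$(GOSEC)`; unless PATH is prefixed with the tools bin directory elsewhere (not visible in this diff), the scan may execute an unpinned gosec rather than the one the build installed, which matters for a check that gates `verify`.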