build: security checks (#220)

semaphoreci · Aug 4, 2023 · 75029b5 · 75029b5
1 parent 32b1677
commit 75029b5
Show file tree

Hide file tree

Showing 43 changed files with 691 additions and 160 deletions.
diff --git a/.semaphore/edge.yml b/.semaphore/edge.yml
@@ -2,8 +2,8 @@ version: "v1.0"
 name: Edge
 agent:
   machine:
-    type: e1-standard-2
-    os_image: ubuntu1804
+    type: e2-standard-2
+    os_image: ubuntu2004
 
 blocks:
   - name: "Edge Release"

diff --git a/.semaphore/release.yml b/.semaphore/release.yml
@@ -2,8 +2,8 @@ version: "v1.0"
 name: "Github Release & Brew Tap Release"
 agent:
   machine:
-    type: e1-standard-2
-    os_image: ubuntu1804
+    type: e2-standard-2
+    os_image: ubuntu2004
 blocks:
   - name: "Github Release & Brew Tap Release"
     task:
@@ -14,7 +14,7 @@ blocks:
         - name: sem-robot-ghtoken
       prologue:
         commands:
-          - sem-version go 1.16
+          - sem-version go 1.18
           - "export GOPATH=~/go"
           - "export PATH=/home/semaphore/go/bin:$PATH"
           - checkout

diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
@@ -3,20 +3,40 @@ name: Pipeline
 
 agent:
   machine:
-    type: e1-standard-2
-    os_image: ubuntu1804
-
-  containers:
-    - name: main
-      image: registry.semaphoreci.com/golang:1.16
+    type: e2-standard-2
+    os_image: ubuntu2004
 
 blocks:
+  - name: "Security checks"
+    task:
+      secrets:
+        - name: security-toolbox-shared-read-access
+      prologue:
+        commands:
+          - checkout
+          - mv ~/.ssh/security-toolbox ~/.ssh/id_rsa
+          - sudo chmod 600 ~/.ssh/id_rsa
+      epilogue:
+        always:
+          commands:
+            - if [ -f results.xml ]; then test-results publish results.xml; fi
+      jobs:
+        - name: Check dependencies
+          commands:
+            - make check.deps
+        - name: Check code
+          commands:
+            - make check.static
+
   - name: "Test"
     task:
       env_vars:
         - name: GO111MODULE
           value: "on"
-
+      epilogue:
+        always:
+          commands:
+            - if [ -f results.xml ]; then test-results publish results.xml; fi
       jobs:
         - name: "Test"
           commands:

diff --git a/.semaphore/stable.yml b/.semaphore/stable.yml
@@ -2,8 +2,8 @@ version: "v1.0"
 name: Stable
 agent:
   machine:
-    type: e1-standard-2
-    os_image: ubuntu1804
+    type: e2-standard-2
+    os_image: ubuntu2004
 
 blocks:
   - name: "Stable Release"

diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -0,0 +1,5 @@
+FROM golang:1.18
+
+RUN go install gotest.tools/gotestsum@latest
+
+WORKDIR /app
diff --git a/Makefile b/Makefile
@@ -2,35 +2,46 @@
 
 REL_VERSION=$(shell git rev-parse HEAD)
 REL_BUCKET=sem-cli-releases
+SECURITY_TOOLBOX_BRANCH ?= master
+SECURITY_TOOLBOX_TMP_DIR ?= /tmp/security-toolbox
+
+check.prepare:
+	rm -rf $(SECURITY_TOOLBOX_TMP_DIR)
+	git clone [email protected]:renderedtext/security-toolbox.git $(SECURITY_TOOLBOX_TMP_DIR) && (cd $(SECURITY_TOOLBOX_TMP_DIR) && git checkout $(SECURITY_TOOLBOX_BRANCH) && cd -)
+
+check.static: check.prepare
+	docker run -it -v $$(pwd):/app \
+		-v $(SECURITY_TOOLBOX_TMP_DIR):$(SECURITY_TOOLBOX_TMP_DIR) \
+		registry.semaphoreci.com/ruby:2.7 \
+		bash -c 'cd /app && $(SECURITY_TOOLBOX_TMP_DIR)/code --language go -d'
+
+check.deps: check.prepare
+	docker run -it -v $$(pwd):/app \
+		-v $(SECURITY_TOOLBOX_TMP_DIR):$(SECURITY_TOOLBOX_TMP_DIR) \
+		registry.semaphoreci.com/ruby:2.7 \
+		bash -c 'cd /app && $(SECURITY_TOOLBOX_TMP_DIR)/dependencies --language go -d'
 
 install.goreleaser:
 	curl -L https://github.com/goreleaser/goreleaser/releases/download/v1.14.1/goreleaser_Linux_x86_64.tar.gz -o /tmp/goreleaser.tar.gz
 	tar -xf /tmp/goreleaser.tar.gz -C /tmp
 	sudo mv /tmp/goreleaser /usr/bin/goreleaser
 
-go.install:
-	cd /tmp
-	sudo curl -O https://dl.google.com/go/go1.17.13.linux-amd64.tar.gz
-	sudo tar -xf go1.17.13.linux-amd64.tar.gz
-	sudo mv go /usr/local
-	cd -
-
 gsutil.configure:
 	gcloud auth activate-service-account $(GCP_REGISTRY_WRITER_EMAIL) --key-file ~/gce-registry-writer-key.json
 	gcloud --quiet auth configure-docker
 	gcloud --quiet config set project semaphore2-prod
 
 go.get:
-	go get
+	docker-compose run --rm cli go get
 
 go.fmt:
-	go fmt ./...
+	docker-compose run --rm cli go fmt ./...
 
 test:
-	go test -v ./...
+	docker-compose run --rm cli gotestsum --format short-verbose --junitfile results.xml --packages="./..." -- -p 1
 
 build:
-	env GOOS=$(OS) GOARCH=$(ARCH) go build -ldflags "-s -w -X cmd.VERSION=$(shell git describe --tags --abbrev=0)" -o sem
+	docker-compose run --rm cli env GOOS=$(OS) GOARCH=$(ARCH) go build -ldflags "-s -w -X cmd.VERSION=$(shell git describe --tags --abbrev=0)" -o sem
 	tar -czvf /tmp/sem.tar.gz sem
 
 # Automation of CLI tagging.

diff --git a/api/client/base_client.go b/api/client/base_client.go
@@ -248,6 +248,7 @@ func (c *BaseClient) Patch(kind string, name string, resource []byte) ([]byte, i
 }
 
 func newfileUploadRequest(uri string, args map[string]string, fileArgName, path string) (*http.Request, error) {
+	// #nosec
 	file, err := os.Open(path)
 	if err != nil {
 		return nil, err

diff --git a/api/models/notification_v1_alpha.go b/api/models/notification_v1_alpha.go
@@ -38,11 +38,11 @@ type NotificationV1AlphaSpecRuleNotify struct {
 	} `json:"email,omitempty" yaml:"email,omitempty"`
 
 	Webhook struct {
-		Endpoint  string   `json:"endpoint,omitempty" yaml:"endpoint,omitempty"`
-		Timeout   int32    `json:"timeout,omitempty" yaml:"timeout,omitempty"`
-		Action    string   `json:"action,omitempty" yaml:"action,omitempty"`
-		Retries   int32    `json:"retries,omitempty" yaml:"retries,omitempty"`
-		Secret    string   `json:"secret,omitempty" yaml:"secret,omitempty"`
+		Endpoint string `json:"endpoint,omitempty" yaml:"endpoint,omitempty"`
+		Timeout  int32  `json:"timeout,omitempty" yaml:"timeout,omitempty"`
+		Action   string `json:"action,omitempty" yaml:"action,omitempty"`
+		Retries  int32  `json:"retries,omitempty" yaml:"retries,omitempty"`
+		Secret   string `json:"secret,omitempty" yaml:"secret,omitempty"`
 	} `json:"webhook,omitempty" yaml:"webhook,omitempty"`
 }
 

diff --git a/api/models/project_v1_alpha.go b/api/models/project_v1_alpha.go
@@ -17,7 +17,7 @@ type Scheduler struct {
 }
 
 type ForkedPullRequests struct {
-	AllowedSecrets []string `json:"allowed_secrets,omitempty" yaml:"allowed_secrets,omitempty"`
+	AllowedSecrets      []string `json:"allowed_secrets,omitempty" yaml:"allowed_secrets,omitempty"`
 	AllowedContributors []string `json:"allowed_contributors,omitempty" yaml:"allowed_contributors,omitempty"`
 }
 

diff --git a/cmd/apply.go b/cmd/apply.go
@@ -33,6 +33,7 @@ func RunApply(cmd *cobra.Command, args []string) {
 
 	utils.CheckWithMessage(err, "Path not provided")
 
+	// #nosec
 	data, err := ioutil.ReadFile(path)
 
 	utils.CheckWithMessage(err, "Failed to read from resource file.")

diff --git a/cmd/apply_test.go b/cmd/apply_test.go
@@ -5,10 +5,10 @@ import (
 	"net/http"
 	"testing"
 
+	httpmock "github.com/jarcoal/httpmock"
 	models "github.com/semaphoreci/cli/api/models"
 	"github.com/semaphoreci/cli/api/uuid"
 	assert "github.com/stretchr/testify/assert"
-	httpmock "gopkg.in/jarcoal/httpmock.v1"
 )
 
 func Test__ApplySecret__FromYaml__Response200(t *testing.T) {

diff --git a/cmd/attach.go b/cmd/attach.go
@@ -55,7 +55,8 @@ var attachCmd = &cobra.Command{
 		utils.Check(err)
 		defer conn.Close()
 
-		conn.Session()
+		err = conn.Session()
+		utils.Check(err)
 	},
 }
 

diff --git a/cmd/connect_test.go b/cmd/connect_test.go
@@ -5,8 +5,8 @@ import (
 	"net/http"
 	"testing"
 
+	httpmock "github.com/jarcoal/httpmock"
 	assert "github.com/stretchr/testify/assert"
-	httpmock "gopkg.in/jarcoal/httpmock.v1"
 )
 
 func Test__Connect__Response200(t *testing.T) {

diff --git a/cmd/create.go b/cmd/create.go
@@ -26,6 +26,7 @@ var createCmd = &cobra.Command{
 
 		utils.CheckWithMessage(err, "Path not provided")
 
+		// #nosec
 		data, err := ioutil.ReadFile(path)
 
 		utils.CheckWithMessage(err, "Failed to read from resource file.")
@@ -224,11 +225,12 @@ func createSnapshot(projectName, label, archiveName string, follow bool) {
 		utils.Check(err)
 
 		RootCmd.SetArgs([]string{"get", "ppl", body.PplID, "--follow"})
-		RootCmd.Execute()
+		_ = RootCmd.Execute()
 	}
 }
 
 func encodeFromFileAt(path string) string {
+	// #nosec
 	content, err := ioutil.ReadFile(path)
 	utils.Check(err)
 

diff --git a/cmd/create_notification_test.go b/cmd/create_notification_test.go
@@ -5,8 +5,8 @@ import (
 	"net/http"
 	"testing"
 
+	httpmock "github.com/jarcoal/httpmock"
 	models "github.com/semaphoreci/cli/api/models"
-	httpmock "gopkg.in/jarcoal/httpmock.v1"
 
 	assert "github.com/stretchr/testify/assert"
 )

diff --git a/cmd/create_secret_test.go b/cmd/create_secret_test.go
@@ -7,8 +7,8 @@ import (
 	"net/http"
 	"testing"
 
+	httpmock "github.com/jarcoal/httpmock"
 	assert "github.com/stretchr/testify/assert"
-	httpmock "gopkg.in/jarcoal/httpmock.v1"
 )
 
 func Test__CreateSecret__WithSubcommand__Response200(t *testing.T) {

diff --git a/cmd/create_target_test.go b/cmd/create_target_test.go
@@ -7,9 +7,9 @@ import (
 	"net/http"
 	"testing"
 
+	httpmock "github.com/jarcoal/httpmock"
 	"github.com/semaphoreci/cli/api/uuid"
 	assert "github.com/stretchr/testify/assert"
-	httpmock "gopkg.in/jarcoal/httpmock.v1"
 )
 
 func Test__CreateDeploymentTarget__WithSubcommand__Response200(t *testing.T) {

diff --git a/cmd/create_test.go b/cmd/create_test.go
@@ -5,8 +5,8 @@ import (
 	"net/http"
 	"testing"
 
+	httpmock "github.com/jarcoal/httpmock"
 	assert "github.com/stretchr/testify/assert"
-	httpmock "gopkg.in/jarcoal/httpmock.v1"
 
 	models "github.com/semaphoreci/cli/api/models"
 	"github.com/semaphoreci/cli/api/uuid"

diff --git a/cmd/debug_job.go b/cmd/debug_job.go
@@ -50,5 +50,6 @@ Semaphore CI Debug Session.
 Documentation: https://docs.semaphoreci.com/essentials/debugging-with-ssh-access/.
 `
 
-	ssh.StartDebugJobSession(debug, sshIntroMessage)
+	err = ssh.StartDebugJobSession(debug, sshIntroMessage)
+	utils.Check(err)
 }
diff --git a/cmd/debug_project.go b/cmd/debug_project.go
@@ -67,5 +67,6 @@ Semaphore CI Debug Session.
 Documentation: https://docs.semaphoreci.com/essentials/debugging-with-ssh-access/.
 `
 
-	ssh.StartDebugProjectSession(debugPrj, sshIntroMessage)
+	err = ssh.StartDebugProjectSession(debugPrj, sshIntroMessage)
+	utils.Check(err)
 }
diff --git a/cmd/delete_test.go b/cmd/delete_test.go
@@ -5,9 +5,9 @@ import (
 	"net/http"
 	"testing"
 
+	httpmock "github.com/jarcoal/httpmock"
 	"github.com/semaphoreci/cli/api/uuid"
 	assert "github.com/stretchr/testify/assert"
-	httpmock "gopkg.in/jarcoal/httpmock.v1"
 )
 
 func TestDeleteProject__Response200(t *testing.T) {

diff --git a/cmd/edit_test.go b/cmd/edit_test.go
@@ -7,10 +7,10 @@ import (
 	"net/http"
 	"testing"
 
+	httpmock "github.com/jarcoal/httpmock"
 	models "github.com/semaphoreci/cli/api/models"
 	"github.com/semaphoreci/cli/api/uuid"
 	assert "github.com/stretchr/testify/assert"
-	httpmock "gopkg.in/jarcoal/httpmock.v1"
 )
 
 func Test__EditDashboard__Response200(t *testing.T) {