Fix govulncheck wrapper + run govulncheck on latest release periodica…

…lly too

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
  push:
  schedule:
  - cron: 0 0 * * 0
+ workflow_dispatch:
 
 defaults:
  run:
@@ -25,13 +26,8 @@ jobs:
  - run: docker build --pull --file hub/Dockerfile.alpine hub
  - run: docker build --pull --file hub/Dockerfile.debian hub
 
- - uses: actions/setup-go@v4
- with:
- go-version: 1.18
- # https://github.com/golang/vuln/commits/master
- # https://github.com/golang/vuln/releases
- # https://github.com/golang/vuln/tags
- - run: go install golang.org/x/vuln/cmd/[email protected]
- # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.1/go.mod#L3)
-
- - run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done
+ - name: govulncheck
+ run: |
+ for gosu in gosu-*; do
+ ./govulncheck-with-excludes.sh -mode=binary "$gosu"
+ done

.github/workflows/release.yml

@@ -0,0 +1,52 @@
+name: Release
+
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/release.yml'
+ - 'govulncheck-with-excludes.sh'
+ push:
+ paths:
+ - '.github/workflows/release.yml'
+ - 'govulncheck-with-excludes.sh'
+ schedule:
+ - cron: 0 0 * * 0
+ workflow_dispatch:
+
+defaults:
+ run:
+ shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+ test:
+ name: govulncheck
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: download
+ run: |
+ # find and download the latest release for testing
+ tags="$(git ls-remote --tags https://github.com/tianon/gosu.git | cut -d/ -f3 | cut -d^ -f1 | sort -urV)"
+ for tag in $tags; do
+ echo >&2 "checking $tag ..."
+ url="https://github.com/tianon/gosu/releases/download/$tag"
+ if wget -O SHA256SUMS "$url/SHA256SUMS" && [ -s SHA256SUMS ]; then
+ files="$(grep -oE '[ *]gosu-[^.]+$' SHA256SUMS | grep -oE 'gosu-.*$')"
+ for file in $files; do
+ wget -O "$file" "$url/$file"
+ done
+ if grep -E '[ *]gosu-[^.]+$' SHA256SUMS | sha256sum --strict --check -; then
+ echo >&2 "success with $tag !"
+ exit 0
+ fi
+ fi
+ done
+
+ echo >&2 'error: failed to find latest release'
+
+ - name: govulncheck
+ run: |
+ for gosu in gosu-*; do
+ ./govulncheck-with-excludes.sh -mode=binary "$gosu"
+ done

govulncheck-with-excludes.sh

@@ -9,7 +9,7 @@ excludeVulns="$(jq -nc '[
  # fixed in Go 1.20.5+
  # https://pkg.go.dev/vuln/GO-2023-1840
  # we already mitigate setuid in our code
- #"GO-2023-1840", "CVE-2023-29403",
+ "GO-2023-1840", "CVE-2023-29403",
  # (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883)
 
  empty # trailing comma hack (makes diffs smaller)
@@ -30,7 +30,9 @@ if ! command -v govulncheck > /dev/null; then
  --workdir /wd
  "${GOLANG_IMAGE:-golang:latest}"
  sh -euc '
- go install golang.org/x/vuln/cmd/govulncheck@latest > /dev/null
+ # https://github.com/golang/vuln/releases
+ # (pinning version to avoid format changes like https://github.com/tianon/gosu/issues/144 surprising us unexpectedly)
+ go install golang.org/x/vuln/cmd/[email protected] > /dev/null
  exec "$GOPATH/bin/govulncheck" "$@"
  ' --
  )
@@ -45,7 +47,24 @@ fi
 
 json="$(govulncheck -json "$@")"
 
-vulns="$(jq <<<"$json" -cs 'map(select(has("osv")) | .osv)')"
+vulns="$(jq <<<"$json" -cs '
+ (
+ map(
+ .osv // empty
+ | { key: .id, value: . }
+ )
+ | from_entries
+ ) as $meta
+ # https://github.com/tianon/gosu/issues/144
+ | map(
+ .finding // empty
+ # https://github.com/golang/vuln/blob/3740f5cb12a3f93b18dbe200c4bcb6256f8586e2/internal/scan/template.go#L97-L104
+ | select((.trace[0].function // "") != "")
+ | .osv
+ )
+ | unique
+ | map($meta[.])
+')"
 if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then
  printf '%s\n' "$out"
  exit 1