Add new "govulncheck-with-excludes.sh" wrapper script
This allows us to exclude GO-2023-1840 (aka CVE-2023-29403) from our report since we already refuse to operate when users have enabled the `setuid` bit on the binary. Additionally, this updates our in-code check for `setuid` to also disallow `setgid`, but the impact of that configuration is lesser (so this is considered a best-effort pre-emptive mitigation -- hopefully the block on `setuid` has already discouraged users from using `gosu` in this way).
Showing
4 changed files
with
76 additions
and
2 deletions.
@@ -34,4 +34,4 @@ jobs: | |
- run: go install golang.org/x/vuln/cmd/[email protected] | ||
# (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v0.1.0/go.mod#L3) | ||
|
||
- run: for gosu in gosu-*; do govulncheck -mode=binary "$gosu"; done | ||
- run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done |
@@ -0,0 +1,69 @@ | ||
#!/usr/bin/env bash | ||
set -Eeuo pipefail | ||
|
||
# a wrapper / replacement for "govulncheck" which allows for excluding vulnerabilities | ||
# (https://github.com/golang/go/issues/59507) | ||
|
||
excludeVulns="$(jq -nc '[ | ||
# https://pkg.go.dev/vuln/GO-2023-1840 | ||
# we already mitigate setuid in our code | ||
"GO-2023-1840", "CVE-2023-29403", | ||
# (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883) | ||
empty # trailing comma hack (makes diffs smaller) | ||
]')" | ||
export excludeVulns | ||
|
||
if ! command -v govulncheck > /dev/null; then | ||
govulncheck() { | ||
local user; user="$(id -u):$(id -g)" | ||
local args=( | ||
--rm --interactive --init | ||
--user "$user" | ||
--env HOME=/tmp | ||
--env GOPATH=/tmp/go | ||
--volume govulncheck:/tmp | ||
--env CGO_ENABLED=0 | ||
--mount "type=bind,src=$PWD,dst=/wd,ro" | ||
--workdir /wd | ||
"${GOLANG_IMAGE:-golang:latest}" | ||
sh -euc ' | ||
go install golang.org/x/vuln/cmd/govulncheck@latest > /dev/null | ||
exec "$GOPATH/bin/govulncheck" "$@" | ||
' -- | ||
) | ||
docker run "${args[@]}" "$@" | ||
} | ||
fi | ||
|
||
if out="$(govulncheck "$@")"; then | ||
printf '%s\n' "$out" | ||
exit 0 | ||
fi | ||
|
||
json="$(govulncheck -json "$@")" | ||
|
||
vulns="$(jq <<<"$json" -cs 'map(select(has("vulnerability")) | .vulnerability.osv)')" | ||
if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then | ||
printf '%s\n' "$out" | ||
exit 1 | ||
fi | ||
|
||
filtered="$(jq <<<"$vulns" -c ' | ||
(env.excludeVulns | fromjson) as $exclude | ||
| map(select( | ||
.id as $id | ||
| $exclude | index($id) | not | ||
)) | ||
')" | ||
|
||
text="$(jq <<<"$filtered" -r 'map("- \(.id) (aka \(.aliases | join(", ")))\n\n\t\(.details | gsub("\n"; "\n\t"))") | join("\n\n")')" | ||
|
||
if [ -z "$text" ]; then | ||
printf 'No vulnerabilities found.\n' | ||
exit 0 | ||
else | ||
printf '%s\n' "$text" | ||
exit 1 | ||
fi |
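Review bot: The report formatter at `text="$(jq <<<"$filtered" -r 'map("- \(.id) (aka \(.aliases | join(", ")))…` assumes every OSV entry carries `aliases` and `details`; both fields are optional in the OSV schema, and `null | join(", ")` or `null | gsub(...)` makes jq exit non-zero, so under `set -Eeuo pipefail` the script dies with a jq error instead of printing the findings (still fail-closed, but the CI log then shows a parse error rather than the advisory). Defaulting the two fields keeps the report readable: `map("- \(.id) (aka \((.aliases // []) | join(", ")))\n\n\t\((.details // "") | gsub("\n"; "\n\t"))") | join("\n\n")`. Separately, when every finding is on the exclude list the final branch prints `No vulnerabilities found.` and exits 0, which hides that a known advisory was matched and deliberately suppressed; printing the excluded ids to stderr before the `[ -z "$text" ]` check (a second jq pass over `$vulns` selecting entries whose `.id` is in `env.excludeVulns`, written with `>&2`) keeps each suppression visible in the job log for anyone auditing the exclusion. The docker fallback in `govulncheck()` also resolves `golang:latest` and `govulncheck@latest` at run time, so results from that path are not reproducible and its JSON field names may drift from what the `.vulnerability.osv` selector expects; a comment noting that the parser was written against the version pinned in CI would help the next maintainer.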