Integrate gosec, a static code vulnerability checker: #29
Conversation
Dockerfile.tests
Outdated
| RUN bundle install --with test | ||
|
|
||
| RUN rm ./spec/docker/docker_spec.rb && rm ./spec/static_analysis/rubocop_spec.rb | ||
| RUN rm ./spec/docker/docker_spec.rb |
There was a problem hiding this comment.
rm ./spec/static_analysis/rubocop_spec.rb kept failing stating file doesn't exist, I can add it back in if necessary.
There was a problem hiding this comment.
Hmmm yeah that doesn't exist anymore thanks to the new CircleCI flow. Isn't this container built in the tests? How come this was only noticed now?
There was a problem hiding this comment.
not sure, it happened as I was building the container locally. Could the image settings be different on circleci?
There was a problem hiding this comment.
I hit this too. AFAICT we're just not running the in-container tests (and hence not building Dockerfile.tests) in CI, which is why we hadn't noticed the issue.
If anything I feel like the in-container tests are more useful since they're running against the real versions of our dependencies (yarn, go, sift, etc.)
There was a problem hiding this comment.
I find the Dockerfile.tests really useful as well. Noting this as an improvement.
| @@ -13,6 +13,8 @@ class Repo | |||
| { handle: :npmrc, filename: '.npmrc' }, | |||
| # Go | |||
| { handle: :dep_lock, filename: 'Gopkg.lock' }, | |||
| { handle: :go_mod, filename: 'go.mod' }, | |||
There was a problem hiding this comment.
Can you add comments about what these files are?
Helps for the less Go familiar folk.
I should have done the same for the others.
lib/salus/scanners/gosec.rb
Outdated
| # - -fmt=json for JSON output | ||
| # - gosec only successfully scans repos within $GOPATH, we force the | ||
| # go path reference via symlink within Dockerfile & Dockerfile.tests | ||
| if ENV['RUNNING_SALUS_TESTS'] == "true" |
There was a problem hiding this comment.
Can we avoid this branching if we add /home/repo to GOPATH instead of symlinking it?
There was a problem hiding this comment.
From the digging and testing I did, it looks like we are stuck with this solution until gosec figures how to support go modules (aka until gosec stops requiring we run repo against a $GOPATH). reference: securego/gosec#234 (comment)
| context 'go project with no known vulnerabilities' do | ||
| let(:repo) { Salus::Repo.new('spec/fixtures/gosec/safe_goapp') } | ||
|
|
||
| it 'should record failure and record the STDOUT from gosec' do |
There was a problem hiding this comment.
copy-paste error from above
|
Few comments - looking pretty good! |
xolaz
force-pushed
the
integrate-gosec
branch
from
5be0293 to
68bd7f6
Compare
lib/salus/scanners/gosec.rb
Outdated
| if ENV['RUNNING_SALUS_TESTS'] == "true" | ||
| shell_return = run_shell("gosec -fmt=json /go/src/repo/#{@repository.path_to_repo}") | ||
| else | ||
| shell_return = run_shell("gosec -fmt=json /go/src/repo") |
There was a problem hiding this comment.
Would it be better to recursively scan from this directory if there are multiple folders within a project (via /go/src/repo/...)? If so, there might be a problem because symlinks seem to be skipped (securego/gosec#203).
My only workaround for recursive scan was to mount a directory under /go/src/ and specify it to salus with -d option. Hope this helps.
xolaz
force-pushed
the
integrate-gosec
branch
from
68bd7f6 to
6d5d406
Compare
|
#36 patches failing circle tests |
- default scanner for any project with .go file, go.mod, go.sum, and Gopkg.lock - create symlink for successfully run gosec against $GOPATH projects - adds tests for integration
xolaz
force-pushed
the
integrate-gosec
branch
2 times, most recently
from
472e4a0 to
60821cd
Compare
…ge return of env var for conditional check, remove parens
xolaz
force-pushed
the
integrate-gosec
branch
from
60821cd to
8e3877a
Compare
|
circleci integration test is failing because the result includes gosec data: ^^ this will pass once I rebuild docker after the merge and release |
|
Test cases around what scanners actually test is a great idea. It does create redundancy but I like the explicit failures it can give us depending on how scanners change as we bump them. |
gosec: https://github.com/securego/gosec