ci: testing

ProtonMail · Jun 5, 2024 · c478802 · c478802
1 parent 1a81ec7
commit c478802
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 0 deletions.
diff --git a/.github/actions/govulncheck-action.yml b/.github/actions/govulncheck-action.yml
@@ -0,0 +1,26 @@
+name: 'golang-govulncheck-action'
+description: 'Run govulncheck'
+inputs:
+  go-version-input:  # version of Go to use for govulncheck
+    description: 'Version of Go to use for govulncheck'
+    required: false
+  go-package:
+    description: 'Go Package to scan with govulncheck'
+    required: false
+    default: './...'
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/setup-go@v5.0.0
+      with:
+        go-version: ${{ inputs.go-version-input }}
+        check-latest: false
+        cache: false
+    - name: Install govulncheck
+      run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      shell: bash
+    - name: Run govulncheck
+      run: |
+        chmod +x .github/actions/govulncheck.sh
+        .github/actions/govulncheck.sh ${{ inputs.go-package }}
+      shell: bash
diff --git a/.github/actions/govulncheck.sh b/.github/actions/govulncheck.sh
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2024 Proton AG
+#
+# This file is part of Proton Mail Bridge.
+#
+# Proton Mail Bridge is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Proton Mail Bridge is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Proton Mail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+
+set -eo pipefail
+
+main(){
+    local go_package="$1"
+    govulncheck -json "$go_package" > vulns.json
+
+    jq -r '.finding | select( (.osv != null) and (.trace[0].function != null) ) | .osv ' < vulns.json > vulns_osv_ids.txt
+
+    ignore GO-2023-2328 "GODT-3124 RESTY race condition"
+    ignore GO-2024-2887 "BRIDGE-95 net/http vulnerability"
+    ignore GO-2024-2888 "BRIDGE-95 archive/zip vulnerability"
+
+    has_vulns
+
+    echo
+    echo "No new vulnerabilities found."
+}
+
+ignore(){
+    echo "ignoring $1 fix: $2"
+    cp vulns_osv_ids.txt tmp
+    grep -v "$1" < tmp > vulns_osv_ids.txt || true
+    rm tmp
+}
+
+has_vulns(){
+    has=false
+    while read -r osv; do
+        jq \
+            --arg osvid "$osv" \
+            '.osv | select ( .id == $osvid) | {"id":.id, "ranges": .affected[0].ranges,  "import": .affected[0].ecosystem_specific.imports[0].path}' \
+            < vulns.json
+        has=true
+    done < vulns_osv_ids.txt
+
+    if [ "$has" == true ]; then
+        echo
+        echo "Vulnerability found"
+        return 1
+    fi
+}
+
+main
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -26,3 +26,10 @@ jobs:
 
       - name: Run tests with race check
         run: go test -v -race ./...
+
+      - name: Run govulncheck
+        uses: ./.github/actions/govulncheck-action
+        with:
+          go-version-input: 1.21
+          go-package: ./...
+