From 50ba4396c93d4411d45c78cd4a4d75f0652c56ea Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Thu, 6 Jun 2024 11:16:49 -0700
Subject: [PATCH] Fix govulncheck wrapper + run govulncheck on latest release periodically too

---
 .github/workflows/ci.yml      | 16 +++++--------
 .github/workflows/release.yml | 44 +++++++++++++++++++++++++++++++++++
 govulncheck-with-excludes.sh  | 25 +++++++++++++++++---
 3 files changed, 72 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f3ff975..e601c81 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,7 @@ on:
   push:
   schedule:
     - cron: 0 0 * * 0
+  workflow_dispatch:
 
 defaults:
   run:
@@ -25,13 +26,8 @@ jobs:
       - run: docker build --pull --file hub/Dockerfile.alpine hub
       - run: docker build --pull --file hub/Dockerfile.debian hub
 
-      - uses: actions/setup-go@v4
-        with:
-          go-version: 1.18
-      # https://github.com/golang/vuln/commits/master
-      # https://github.com/golang/vuln/releases
-      # https://github.com/golang/vuln/tags
-      - run: go install golang.org/x/vuln/cmd/govulncheck@v1.0.4
-      # (update "go-version" above when updating this version; https://github.com/golang/vuln/blob/v1.0.1/go.mod#L3)
-
-      - run: for gosu in gosu-*; do ./govulncheck-with-excludes.sh -mode=binary "$gosu"; done
+      - name: govulncheck
+        run: |
+          for gosu in gosu-*; do
+            ./govulncheck-with-excludes.sh -mode=binary "$gosu"
+          done
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..26a5ee9
--- /dev/null
+++ b/.github/workflows/release.yml
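Review bot: The new govulncheck step's loop has no guard for an empty match: if no `gosu-*` files exist, bash hands the literal string `gosu-*` to the wrapper, so a skipped or broken build shows up as a confusing govulncheck "no such file" error instead of a clear failure. Adding `[ -e "$gosu" ] || { echo >&2 "error: no gosu binaries to scan"; exit 1; }` as the first line of the loop body (or `shopt -s nullglob` plus an explicit count check) makes that failure mode obvious. The steps that produce the `gosu-*` binaries are outside this hunk, so I am assuming they run earlier in the same job.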
@@ -0,0 +1,44 @@
+name: Release
+
+on:
+  schedule:
+    - cron: 0 0 * * 0
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+  test:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: download
+        run: |
+          # find and download the latest release for testing
+          tags="$(git ls-remote --tags https://github.com/tianon/gosu.git | cut -d/ -f3 | cut -d^ -f1 | sort -urV)"
+          for tag in $tags; do
+            echo "checking $tag ..."
+            url="https://github.com/tianon/gosu/releases/download/$tag"
+            if wget -qO SHA256SUMS "$url/SHA256SUMS" && [ -s SHA256SUMS ]; then
+              files="$(grep -oE '[ *]gosu-[^.]+$' SHA256SUMS | grep -oE 'gosu-.*$')"
+              for file in $files; do
+                wget -qO "$file" "$url/$file"
+              done
+              if grep -E '[ *]gosu-[^.]+$' SHA256SUMS | sha256sum --strict --check -; then
+                echo "success with $tag !"
+                exit 0
+              fi
+            fi
+          done
+
+          echo >&2 'error: failed to find latest release'
+
+      - name: govulncheck
+        run: |
+          for gosu in gosu-*; do
+            ./govulncheck-with-excludes.sh -mode=binary "$gosu"
+          done
diff --git a/govulncheck-with-excludes.sh b/govulncheck-with-excludes.sh
index b535177..616f656 100755
--- a/govulncheck-with-excludes.sh
+++ b/govulncheck-with-excludes.sh
@@ -9,7 +9,7 @@ excludeVulns="$(jq -nc '[
 	# fixed in Go 1.20.5+
 	# https://pkg.go.dev/vuln/GO-2023-1840
 	# we already mitigate setuid in our code
-	#"GO-2023-1840", "CVE-2023-29403",
+	"GO-2023-1840", "CVE-2023-29403",
 	# (https://github.com/tianon/gosu/issues/128#issuecomment-1607803883)
 	empty # trailing comma hack (makes diffs smaller)
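Review bot: The download step does not fail when no release verifies: once the `for tag` loop falls through, `echo >&2 'error: failed to find latest release'` succeeds, so even under `bash -Eeuo pipefail` the step exits 0 and the govulncheck step then runs against whatever `gosu-*` files happen to be in the workspace (the literal glob, or files left over from a tag whose checksums did not match, since nothing clears them between iterations). Add `exit 1` directly after that echo, and `rm -f gosu-* SHA256SUMS` at the top of each iteration so an unverified leftover from a newer tag can never be scanned alongside a verified older one. It is also worth a comment that `SHA256SUMS` comes from the same release page as the binaries, so `sha256sum --check` only catches a corrupted or partial download, not a tampered release; if the release publishes a detached signature for SHA256SUMS, verifying it here would close that gap.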
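Review bot: Un-commenting this entry now suppresses GO-2023-1840 / CVE-2023-29403 for every binary the wrapper scans, including the older release binaries that the new release workflow pulls in. The comments above it give the justification (mitigated in gosu's own code, fixed upstream in Go 1.20.5+), but nothing says when the exclusion can be retired; I would add `# TODO drop this exclusion once every scanned release is built with Go 1.20.5+` so it is not carried indefinitely. The enclosing `excludeVulns` jq list starts before this hunk.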
@@ -30,7 +30,9 @@ if ! command -v govulncheck > /dev/null; then
 		--workdir /wd
 		"${GOLANG_IMAGE:-golang:latest}"
 		sh -euc '
-			go install golang.org/x/vuln/cmd/govulncheck@latest > /dev/null
+			# https://github.com/golang/vuln/releases
+			# (pinning version to avoid format changes like https://github.com/tianon/gosu/issues/144 surprising us unexpectedly)
+			go install golang.org/x/vuln/cmd/govulncheck@v1.1.2 > /dev/null
 			exec "$GOPATH/bin/govulncheck" "$@"
 		' -- )
@@ -45,7 +47,24 @@ fi
 json="$(govulncheck -json "$@")"
 
-vulns="$(jq <<<"$json" -cs 'map(select(has("osv")) | .osv)')"
+vulns="$(jq <<<"$json" -cs '
+	(
+		map(
+			.osv // empty
+			| { key: .id, value: . }
+		)
+		| from_entries
+	) as $meta
+	# https://github.com/tianon/gosu/issues/144
+	| map(
+		.finding // empty
+		# https://github.com/golang/vuln/blob/3740f5cb12a3f93b18dbe200c4bcb6256f8586e2/internal/scan/template.go#L97-L104
+		| select((.trace[0].function // "") != "")
+		| .osv
+	)
+	| unique
+	| map($meta[.])
+')"
 
 if [ "$(jq <<<"$vulns" -r 'length')" -le 0 ]; then
 	printf '%s\n' "$out"
 	exit 1
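Review bot: The `govulncheck@v1.1.2` pin only applies on the docker fallback path; when `command -v govulncheck` finds a host install (the `if !` enclosing this block starts before the hunk), whatever version that is runs instead, and the JSON filtering later in this file assumes the output layout that the comment here cites issue 144 for. Consider printing `govulncheck -version` to stderr before use, or at least a comment on the host path saying the version should match this pin. The docker invocation is only partly visible, so I am assuming `"$@"` is appended to this argument list outside the hunk.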
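Review bot: The new `select((.trace[0].function // "") != "")` silently drops every finding whose first trace entry has no function, i.e. the module- and package-level findings, so `$vulns` only ever contains vulnerabilities govulncheck believes are actually reached; the linked template.go lines justify the shape, but the intent belongs on that line, e.g. `# keep only call-level findings (trace[0] has a function), matching govulncheck's default text output`. This also leans on the v1.1.2 JSON layout (`osv` entries emitted before `finding` entries, `finding.osv` holding the id), which is exactly the coupling the pin above exists for; since `$meta[.]` yields `null` for an id with no `osv` entry and a `null` still counts toward `length`, `| map($meta[.] // error("no osv entry for \(.)"))` would make that case loud instead of silent. The `if` block at the end continues past the hunk.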