From 908805b053651732e1b55b6d48635b35e579ffd1 Mon Sep 17 00:00:00 2001 From: "Mark S. Lewis" Date: Fri, 14 Feb 2025 11:42:08 +0000 Subject: [PATCH] Run vulnerability scan on latest release tags Vulnerability scans were previously run only on the latest state of currently developed branches. This provided assurance that the current branch state did not contain known vulnerabilities in dependencies, but did not provide assurance that the currently released code was free of vulnerabilities. This change runs additional vulnerability scans on the most recent release version tag for currently developed branches. Scan failures now indicate that a new release is required to address vulnerabilities in dependencies. Signed-off-by: Mark S. Lewis --- .github/workflows/vulnerability-scan.yml | 39 +++++++++++++++++++++--- Makefile | 18 +++++------ gotools.mk | 1 - 3 files changed, 44 insertions(+), 14 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index d506182dc51..a3782e4d6ed 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -13,7 +13,7 @@ permissions: contents: read jobs: - scan: + latest: # Only run the scheduled job in hyperledger/fabric repository, not on personal forks if: github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository == 'hyperledger/fabric') runs-on: ${{ github.repository == 'hyperledger/fabric' && 'fabric-ubuntu-22.04' || 'ubuntu-22.04' }} @@ -24,12 +24,43 @@ jobs: - main - release-2.5 steps: - - uses: actions/checkout@v4 + - name: Checkout ${{ matrix.ref }} branch + uses: actions/checkout@v4 with: ref: ${{ matrix.ref }} - name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.24.0 + go-version: stable - name: Scan - run: make scan + run: go run github.com/google/osv-scanner/cmd/osv-scanner@b37c83e scan --lockfile=go.mod || (( $? > 1 && $? < 127 )) + + release: + # Only run the scheduled job in hyperledger/fabric repository, not on personal forks + if: github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository == 'hyperledger/fabric') + runs-on: ${{ github.repository == 'hyperledger/fabric' && 'fabric-ubuntu-22.04' || 'ubuntu-22.04' }} + strategy: + fail-fast: false + matrix: + ref: + - main + - release-2.5 + steps: + - name: Checkout ${{ matrix.ref }} branch + uses: actions/checkout@v4 + with: + ref: ${{ matrix.ref }} + fetch-depth: 0 + - name: Get latest release tag + id: latest-release + run: echo "tag=$(git -c versionsort.suffix=- tag --merged HEAD --sort=-version:refname | head -1)" >> "${GITHUB_OUTPUT}" + - name: Checkout ${{ steps.latest-release.outputs.tag }} + uses: actions/checkout@v4 + with: + ref: ${{ steps.latest-release.outputs.tag }} + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: stable + - name: Scan + run: go run github.com/google/osv-scanner/cmd/osv-scanner@b37c83e scan --lockfile=go.mod || (( $? > 1 && $? < 127 )) diff --git a/Makefile b/Makefile index 862471612d7..18626c15930 100644 --- a/Makefile +++ b/Makefile @@ -106,19 +106,19 @@ help: ## List all commands with documentation @awk 'BEGIN {FS = ":.*?## "}; /^[a-zA-Z_-]+:.*?## / {printf "\033[36m%-15s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) .PHONY: all -all: ## Builds all targets and runs all non-integration tests/checks +all: ## Builds all targets and runs all non-integration tests/checks check-go-version native docker checks .PHONY: checks -checks: ## Runs basic checks along with unit and integration tests +checks: ## Runs basic checks along with unit and integration tests basic-checks unit-test integration-test .PHONY: basic-checks -basic-checks: check-go-version license spelling references trailing-spaces linter check-help-docs check-metrics-doc filename-spaces check-swagger ## Performs basic checks like license, spelling, trailing spaces and linter +basic-checks: check-go-version license spelling references trailing-spaces linter check-help-docs check-metrics-doc filename-spaces check-swagger ## Performs basic checks like license, spelling, trailing spaces and linter .PHONY: desk-checks -desk-check: ## Runs linters and verify to test changed packages +desk-check: ## Runs linters and verify to test changed packages checks verify .PHONY: help-docs @@ -344,7 +344,7 @@ release-clean: $(RELEASE_PLATFORMS:%=%-release-clean) ## Clean release packages -@rm -rf release/$* .PHONY: unit-test-clean -unit-test-clean: +unit-test-clean: .PHONY: filename-spaces spaces: # Check for spaces in file names @@ -372,8 +372,8 @@ ccaasbuilder/%: ccaasbuilder-clean ccaasbuilder: ccaasbuilder/$(MARCH) .PHONY: scan -scan: scan-govulncheck ## Run all security scans +scan: scan-osv-scanner ## Run all vulnerability scans -.PHONY: scan-govulncheck -scan-govulncheck: gotool.govulncheck ## Run gosec security scan - govulncheck ./... +.PHONY: scan-osv-scanner ## Run OSV-Scanner vulnerability scan +scan-osv-scanner: + go run github.com/google/osv-scanner/cmd/osv-scanner@b37c83e scan --lockfile=go.mod || [ \( $$? -gt 1 \) -a \( $$? -lt 127 \) ] diff --git a/gotools.mk b/gotools.mk index 9cf5fe438f6..875dd493400 100644 --- a/gotools.mk +++ b/gotools.mk @@ -16,7 +16,6 @@ go.fqp.gocov-xml := github.com/AlekSi/gocov-xml go.fqp.gofumpt := mvdan.cc/gofumpt go.fqp.goimports := golang.org/x/tools/cmd/goimports go.fqp.golint := golang.org/x/lint/golint -go.fqp.govulncheck := golang.org/x/vuln/cmd/govulncheck@latest go.fqp.misspell := github.com/client9/misspell/cmd/misspell go.fqp.mockery := github.com/vektra/mockery/v2 go.fqp.protoc-gen-go := google.golang.org/protobuf/cmd/protoc-gen-go