Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-01-11 23:49:30 -05:00
Code Issues Packages Projects Releases Wiki Activity
eb08fe1025
constellation/bazel/ci/govulncheck.sh.in
Markus Rudy 60dcac1f1b
ci: ignore GO-2024-3166 in govulncheck (#3404) 
* ci: ignore GO-2024-3166 in govulncheck
2024-10-11 15:39:44 +02:00

60 lines
1.4 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
###### script header ######
lib=$(realpath @@BASE_LIB@@) || exit 1
stat "${lib}" >> /dev/null || exit 1
# shellcheck source=../sh/lib.bash
if ! source "${lib}"; then
echo "Error: could not find import"
exit 1
fi
go=$(realpath @@GO@@)
stat "${go}" >> /dev/null
govulncheck=$(realpath @@GOVULNCHECK@@)
stat "${govulncheck}" >> /dev/null
jq=$(realpath @@JQ@@)
stat "${jq}" >> /dev/null
cd "${BUILD_WORKSPACE_DIRECTORY}"
###### script body ######
submodules=$(${go} list -f '{{.Dir}}' -m)
PATH=$(dirname "${go}"):${PATH}
check_module() {
# shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
"${jq}" -sr '
(map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs |
map(select( .finding and .finding.osv != "GO-2024-3166" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
group_by(.osv) |
map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
if length > 0 then halt_error(1) else .[] end'
}
check() {
err=0
echo "Scanning Go vulnerability DB for known vulnerabilities in modules:"
for mod in ${submodules}; do
echo " ${mod}"
echo -n " "
check_module "${mod}"
done
exit "${err}"
}
if test -v SILENT; then
check > /dev/null
else
check
fi
Reference in New Issue View Git Blame Copy Permalink