From 398fd56ad5d8783b90c77d4cd17685e442b7190f Mon Sep 17 00:00:00 2001
From: Thomas Buchner
Date: Mon, 18 Nov 2024 15:34:03 +0100
Subject: [PATCH] enable gosec for static code analysis (#145)

as enabled by https://github.com/gardener/gardener/pull/9959
---
 .gitignore | 3 +++
 Makefile | 12 ++++++++++--
 hack/sast.sh | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 2 deletions(-)
 create mode 100755 hack/sast.sh

diff --git a/.gitignore b/.gitignore
index 14ed70c2..8d53b176 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,6 @@ TODO
 # Virtual go & fuse
 .virtualgo
 .fuse_hidden*
+
+# gosec
+gosec-report.sarif
diff --git a/Makefile b/Makefile
index df175afc..51db4845 100644
--- a/Makefile
+++ b/Makefile
@@ -86,6 +86,14 @@ generate: $(VGOPATH) $(CONTROLLER_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(HELM) $(M
 format: $(GOIMPORTS) $(GOIMPORTSREVISER)
 	@bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg
+.PHONY: sast
+sast: $(GOSEC)
+	@./hack/sast.sh
+
+.PHONY: sast-report
+sast-report: $(GOSEC)
+	@./hack/sast.sh --gosec-report true
+
 .PHONY: test
 test:
 	@bash $(GARDENER_HACK_DIR)/test.sh ./cmd/... ./pkg/...
@@ -99,7 +107,7 @@ test-clean:
 	@bash $(GARDENER_HACK_DIR)/test-cover-clean.sh
 .PHONY: verify
-verify: check format test
+verify: check format sast test
 .PHONY: verify-extended
-verify-extended: check-generate check format test-cov test-clean
+verify-extended: check-generate check format sast-report test-cov test-clean
diff --git a/hack/sast.sh b/hack/sast.sh
new file mode 100755
index 00000000..24d834a9
--- /dev/null
+++ b/hack/sast.sh
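Review bot: The new `sast` and `sast-report` targets declare `$(GOSEC)` as a prerequisite, yet the recipe `@./hack/sast.sh` never passes that path on and the script calls `gosec` by bare name, so the prerequisite only ensures the binary was built, not that the recipe can find it. This is fine only if the tools bin directory is prepended to PATH somewhere outside the hunk (the `$(GOSEC)` definition is not visible here); otherwise `make verify`, which now depends on `sast`, fails with "command not found" rather than building the tool. Making the link explicit removes that assumption, e.g. `@PATH="$(dir $(GOSEC)):$$PATH" ./hack/sast.sh` in both recipes. Note also that `sast-report` leaves `gosec-report.sarif` in the working tree; it is gitignored in this commit but no `clean`-style target removes it.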
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"
+
+gosec_report="false"
+gosec_report_parse_flags=""
+
+parse_flags() {
+  while test $# -gt 1; do
+    case "$1" in
+      --gosec-report)
+        shift; gosec_report="$1"
+        ;;
+      *)
+        echo "Unknown argument: $1"
+        exit 1
+        ;;
+    esac
+    shift
+  done
+}
+
+parse_flags "$@"
+
+echo "> Running gosec"
+gosec --version
+if [[ "$gosec_report" != "false" ]]; then
+  echo "Exporting report to $root_dir/gosec-report.sarif"
+  gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
+fi
+
+# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf
+# which create lots of G103 (CWE-242: Use of unsafe calls should be audited) & G104 (CWE-703: Errors unhandled) errors.
+# However, those generators are best-pratice in Kubernetes environment and their results are tested well.
+# Thus, generated code is excluded from gosec scan.
+# Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
+# is excluded too. It does not contain productive code anyway.
+
+# shellcheck disable=SC2086
+gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
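Review bot: The script computes `root_dir` but never changes into it, so the scan target `./...`, the `-exclude-dir=hack` filter and the report path `-out=gosec-report.sarif` are all resolved against whatever directory the caller is in, while the echo line promises `$root_dir/gosec-report.sarif`; invoked from a subdirectory the report lands elsewhere and only part of the module is scanned. Adding `cd "$root_dir"` right after `root_dir=...` (or using `-out="$root_dir/gosec-report.sarif"`) makes the output match the message. Separately, `while test $# -gt 1` stops one argument short, so a lone trailing argument such as `--gosec-report` without a value, or a misspelled flag on its own, is silently ignored instead of hitting the `Unknown argument` branch; `while test $# -gt 0; do` with a check that a value follows `--gosec-report` closes that gap. Since any value other than the literal `false` enables the report, the `--gosec-report true` convention from the Makefile is worth stating in a comment above `gosec_report="false"`.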