refactor + more CI

.github/actions/golang/action.yaml

@@ -4,6 +4,6 @@ description: "Setup Go binary and caching"
 runs:
  using: composite
  steps:
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
  with:
  go-version: 1.19.x

.github/actions/install-tools/action.yaml

@@ -0,0 +1,14 @@
+name: install-tools
+description: "Install pipeline tools"
+
+runs:
+ using: composite
+ steps:
+ - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+
+ - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+
+ - run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"
+ shell: bash
+
+ - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0

.github/actions/save-logs/action.yaml

@@ -9,7 +9,7 @@ runs:
  sudo chown $USER /tmp/uds-*.log || echo ""
  shell: bash
 
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
  with:
  name: debug-log
  path: /tmp/uds-*.log

.github/codeql.yaml

@@ -0,0 +1,10 @@
+paths-ignore:
+ - src/pkg/packager/network.go
+ - src/pkg/utils/network.go
+ - src/pkg/utils/credentials.go
+ - docs-website/**
+ - build/**
+
+query-filters:
+ - exclude:
+ id: go/path-injection

.github/workflows/scan-codeql.yml

@@ -0,0 +1,60 @@
+name: Analyze CodeQL
+
+permissions:
+ contents: read
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ paths-ignore:
+ - "**.md"
+ - "**.jpg"
+ - "**.png"
+ - "**.gif"
+ - "**.svg"
+ - "adr/**"
+ - "docs/**"
+ - "package.json"
+ - "package-lock.json"
+ - "CODEOWNERS"
+ schedule:
+ - cron: "32 2 * * 5"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["go"]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
+ env:
+ CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
+ with:
+ languages: ${{ matrix.language }}
+ config-file: ./.github/codeql.yaml
+
+ - name: Build
+ run: make build-cli-linux-amd
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
+ with:
+ category: "/language:${{matrix.language}}"

.github/workflows/scan-cves.yml

@@ -0,0 +1,32 @@
+name: Analyze CVEs
+
+permissions:
+ contents: read
+
+on:
+ schedule:
+ - cron: "0 10 * * *"
+ pull_request:
+ paths:
+ - "go.mod"
+ - "go.sum"
+ - "package.json"
+ - "package-lock.json"
+ - "cargo.toml"
+ - "cargo.lock"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ - name: Install tools
+ uses: ./.github/actions/install-tools
+
+ - name: Check for CVEs in Dependencies
+ run: "make test-cves"

.github/workflows/scan-lint.yml

@@ -0,0 +1,21 @@
+name: Validate Lint
+on: pull_request
+
+permissions:
+ contents: read
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+ - name: Run Revive Action by pulling pre-built image
+ uses: docker://morphy/revive-action:v2
+ with:
+ config: revive.toml
+ # Exclude patterns, separated by semicolons (optional)
+ exclude: "src/cmd/viper.go"
+ # Path pattern (default: ./...)
+ path: "./src/..."

.github/workflows/test-k3d.yaml

@@ -24,7 +24,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
  - name: Setup golang
  uses: ./.github/actions/golang

.grype.yaml

@@ -0,0 +1,7 @@
+ignore:
+ # This vulnerability does not affect UDS as we do not instantiate a rekor client
+ - vulnerability: GHSA-2h5h-59f5-c5x9
+
+ # This vulnerability does not affect UDS as we do not instantiate a rekor client
+ - vulnerability: GHSA-frqx-jfcm-6jjr
+

Makefile

@@ -19,5 +19,8 @@ build-cli-mac-apple:
 test:
  cd src/test && go test -failfast -v -timeout 30m
 
+test-cves:
+ go run main.go tools sbom packages . -o json | grype --fail-on low
+
 clean:
  rm -rf build

go.mod

@@ -2,7 +2,7 @@ module github.com/defenseunicorns/uds-cli
 
 go 1.19
 
-replace github.com/defenseunicorns/zarf => github.com/defenseunicorns/zarf v0.28.4-0.20230802134247-d8d73edf8889
+replace github.com/defenseunicorns/zarf => github.com/defenseunicorns/zarf v0.28.4-0.20230803174709-3cda37d2a2af
 
 // TODO (@WSTARR) remove this temporary replacement of oras-go 1.2.2 with defenseunicorns version due to upgraded docker lib
 replace oras.land/oras-go v1.2.2 => github.com/defenseunicorns/oras-go v1.2.4-0.20230605015028-85c595ed4b64
@@ -77,7 +77,7 @@ require (
  github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
  github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b // indirect
  github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501 // indirect
- github.com/anchore/stereoscope v0.0.0-20230627195312-cd49355d934e // indirect
+ github.com/anchore/stereoscope v0.0.0-20230727211946-d1f3d766295e // indirect
  github.com/anchore/syft v0.84.0 // indirect
  github.com/andybalholm/brotli v1.0.4 // indirect
  github.com/armon/go-metrics v0.4.1 // indirect

go.sum

@@ -234,8 +234,8 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZV
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501 h1:AV7qjwMcM4r8wFhJq3jLRztew3ywIyPTRapl2T1s9o8=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
-github.com/anchore/stereoscope v0.0.0-20230627195312-cd49355d934e h1:zhk3ZLtomMJ750nNCE+c24PonMzoO/SeL/4uTr1L9kM=
-github.com/anchore/stereoscope v0.0.0-20230627195312-cd49355d934e/go.mod h1:0LsgHgXO4QFnk2hsYwtqd3fR18PIZXlFLIl2qb9tu3g=
+github.com/anchore/stereoscope v0.0.0-20230727211946-d1f3d766295e h1:S6IhYpsBCpvphlHA1tN0glSG/kjVvFzC6OJuU2qW5Pc=
+github.com/anchore/stereoscope v0.0.0-20230727211946-d1f3d766295e/go.mod h1:0LsgHgXO4QFnk2hsYwtqd3fR18PIZXlFLIl2qb9tu3g=
 github.com/anchore/syft v0.84.0 h1:mU0xTGVFjuJDIr9pGjZfjcRmCdpSKsQxghZmWihdPDc=
 github.com/anchore/syft v0.84.0/go.mod h1:QM2WJFbV/mvBnb7nR1yYLm0mIw0MVhjzgd/QaxYMA/g=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
@@ -425,8 +425,8 @@ github.com/daviddengcn/go-colortext v1.0.0 h1:ANqDyC0ys6qCSvuEK7l3g5RaehL/Xck9EX
 github.com/daviddengcn/go-colortext v1.0.0/go.mod h1:zDqEI5NVUop5QPpVJUxE9UO10hRnmkD5G4Pmri9+m4c=
 github.com/defenseunicorns/oras-go v1.2.4-0.20230605015028-85c595ed4b64 h1:SCwmnKa2RSZtW50bKudiPdYUucX3xqlbbUt8AJiu5SA=
 github.com/defenseunicorns/oras-go v1.2.4-0.20230605015028-85c595ed4b64/go.mod h1:9YC1InrDJmkX0HhBLTXIixGH+l8bsPjRURmmaI2TvBk=
-github.com/defenseunicorns/zarf v0.28.4-0.20230802134247-d8d73edf8889 h1:4QkeRPa6+wnNPc9+UuxCXjN9s6U4WQvScQ/iRVxp3g0=
-github.com/defenseunicorns/zarf v0.28.4-0.20230802134247-d8d73edf8889/go.mod h1:Cl4iAS2CkifpmKIRA+zvsg383j15nSF2zYYVl/i7Fws=
+github.com/defenseunicorns/zarf v0.28.4-0.20230803174709-3cda37d2a2af h1:oLmNYI0TXK9bnUAx9rru9f4eyujh+kqFN3G4KfDFL8k=
+github.com/defenseunicorns/zarf v0.28.4-0.20230803174709-3cda37d2a2af/go.mod h1:HWDPqdoHGNSRWdzdXcVEUaKlcX9vIzLq4A5b+bzLjUQ=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=
 github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=

revive.toml

@@ -0,0 +1,31 @@
+ignoreGeneratedHeader = false
+severity = "warning"
+confidence = 0.8
+errorCode = 0
+warningCode = 0
+formatter = "stylish"
+
+[rule.blank-imports]
+[rule.context-as-argument]
+[rule.context-keys-type]
+[rule.dot-imports]
+[rule.error-return]
+[rule.error-strings]
+[rule.error-naming]
+[rule.exported]
+[rule.if-return]
+[rule.increment-decrement]
+[rule.var-naming]
+[rule.var-declaration]
+[rule.package-comments]
+[rule.range]
+[rule.receiver-naming]
+[rule.time-naming]
+[rule.unexported-return]
+[rule.indent-error-flow]
+[rule.errorf]
+[rule.empty-block]
+[rule.superfluous-else]
+[rule.unused-parameter]
+[rule.unreachable-code]
+[rule.redefines-builtin-id]

src/pkg/bundler/bundle.go

@@ -139,10 +139,9 @@ func Bundle(r *oci.OrasRemote, bundle *types.UDSBundle, signature []byte) error
  message.Debug("Pushed", BundleYAMLSignature+":", message.JSONValue(zarfBundleYamlSigDesc))
  }
 
- // push the manifest config
- // todo: dig into this, is the manifest the UDSBundle manifest or a Zarf pkg manifest?
- // todo: make joint types? should this actually be explicitly Zarf types? need to distinguish between Zarf pkg and UDS pkg
- configDesc, err := r.PushManifestConfigFromMetadata((*zarfTypes.ZarfMetadata)(&bundle.Metadata), (*zarfTypes.ZarfBuildData)(&bundle.Build))
+ // push the bundle manifest config
+ //configDesc, err := r.PushManifestConfigFromMetadata((*zarfTypes.ZarfMetadata)(&bundle.Metadata), (*zarfTypes.ZarfBuildData)(&bundle.Build))
+ configDesc, err := pushManifestConfigFromMetadata(r, &bundle.Metadata, &bundle.Build)
  if err != nil {
  return err
  }
@@ -180,3 +179,20 @@ func Bundle(r *oci.OrasRemote, bundle *types.UDSBundle, signature []byte) error
 
  return nil
 }
+
+func pushManifestConfigFromMetadata(r *oci.OrasRemote, metadata *types.UDSMetadata, build *types.UDSBuildData) (ocispec.Descriptor, error) {
+ annotations := map[string]string{
+ ocispec.AnnotationTitle: metadata.Name,
+ ocispec.AnnotationDescription: metadata.Description,
+ }
+ manifestConfig := oci.ConfigPartial{
+ Architecture: build.Architecture,
+ OCIVersion: "1.0.1",
+ Annotations: annotations,
+ }
+ manifestConfigBytes, err := json.Marshal(manifestConfig)
+ if err != nil {
+ return ocispec.Descriptor{}, err
+ }
+ return r.PushLayer(manifestConfigBytes, ocispec.MediaTypeImageConfig)
+}

src/types/package.go

@@ -23,14 +23,15 @@ type UDSMetadata struct {
 
 // UDSBuildData is written during the packager.Create() operation to track details of the created package.
 type UDSBuildData struct {
- Terminal string `json:"terminal" jsonschema:"description=The machine name that created this package"`
- User string `json:"user" jsonschema:"description=The username who created this package"`
- Architecture string `json:"architecture" jsonschema:"description=The architecture this package was created on"`
- Timestamp string `json:"timestamp" jsonschema:"description=The timestamp when this package was created"`
- Version string `json:"version" jsonschema:"description=The version of Zarf used to build this package"`
- Migrations []string `json:"migrations,omitempty" jsonschema:"description=Any migrations that have been run on this package"`
- Differential bool `json:"differential,omitempty" jsonschema:"description=Whether this package was created with differential components"`
- RegistryOverrides map[string]string `json:"registryOverrides,omitempty" jsonschema:"description=Any registry domains that were overridden on package create when pulling images"`
- DifferentialMissing []string `json:"differentialMissing,omitempty" jsonschema:"description=List of components that were not included in this package due to differential packaging"`
- OCIImportedComponents map[string]string `json:"OCIImportedComponents,omitempty" jsonschema:"description=Map of components that were imported via OCI. The keys are OCI Package URLs and values are the component names"`
+ Terminal string `json:"terminal" jsonschema:"description=The machine name that created this package"`
+ User string `json:"user" jsonschema:"description=The username who created this package"`
+ Architecture string `json:"architecture" jsonschema:"description=The architecture this package was created on"`
+ Timestamp string `json:"timestamp" jsonschema:"description=The timestamp when this package was created"`
+ Version string `json:"version" jsonschema:"description=The version of Zarf used to build this package"`
+ Migrations []string `json:"migrations,omitempty" jsonschema:"description=Any migrations that have been run on this package"`
+ Differential bool `json:"differential,omitempty" jsonschema:"description=Whether this package was created with differential components"`
+ RegistryOverrides map[string]string `json:"registryOverrides,omitempty" jsonschema:"description=Any registry domains that were overridden on package create when pulling images"`
+ DifferentialMissing []string `json:"differentialMissing,omitempty" jsonschema:"description=List of components that were not included in this package due to differential packaging"`
+ OCIImportedComponents map[string]string `json:"OCIImportedComponents,omitempty" jsonschema:"description=Map of components that were imported via OCI. The keys are OCI Package URLs and values are the component names"`
+ LastNonBreakingVersion string `json:"lastNonBreakingVersion,omitempty" jsonschema:"description=The minimum version of Zarf that does not have breaking package structure changes"`
 }