From c09676175240a93149724b4279a3a23629f215b1 Mon Sep 17 00:00:00 2001
From: unclegedd
Date: Thu, 3 Aug 2023 14:22:26 -0500
Subject: [PATCH] refactor + more CI

---
 .github/actions/golang/action.yaml | 2 +-
 .github/actions/install-tools/action.yaml | 14 ++++++
 .github/actions/save-logs/action.yaml | 2 +-
 .github/codeql.yaml | 10 ++++
 .github/workflows/scan-codeql.yml | 60 +++++++++++++++++++++++
 .github/workflows/scan-cves.yml | 32 ++++++++++++
 .github/workflows/scan-lint.yml | 21 ++++++++
 .github/workflows/test-k3d.yaml | 2 +-
 .grype.yaml | 7 +++
 Makefile | 3 ++
 go.mod | 4 +-
 go.sum | 8 +--
 revive.toml | 31 ++++++++++++
 src/pkg/bundler/bundle.go | 24 +++++++--
 src/types/package.go | 21 ++++----
 15 files changed, 218 insertions(+), 23 deletions(-)
 create mode 100644 .github/actions/install-tools/action.yaml
 create mode 100644 .github/workflows/scan-codeql.yml
 create mode 100644 .github/workflows/scan-cves.yml
 create mode 100644 .github/workflows/scan-lint.yml
 create mode 100644 .grype.yaml
 create mode 100644 revive.toml

diff --git a/.github/actions/golang/action.yaml b/.github/actions/golang/action.yaml
index e63dd9e2b..e665d9091 100644
--- a/.github/actions/golang/action.yaml
+++ b/.github/actions/golang/action.yaml
@@ -4,6 +4,6 @@ description: "Setup Go binary and caching"
 runs:
 using: composite
 steps:
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
 with:
 go-version: 1.19.x
diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml
new file mode 100644
index 000000000..21e346048
--- /dev/null
+++ b/.github/actions/install-tools/action.yaml
@@ -0,0 +1,14 @@
+name: install-tools
+description: "Install pipeline tools"
+
+runs:
+ using: composite
+ steps:
+ - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+
+ - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+
+ - run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"
+ shell: bash
+
+ - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a # v2.8.0
diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml
index 4230de3e4..56c0fd2c7 100644
--- a/.github/actions/save-logs/action.yaml
+++ b/.github/actions/save-logs/action.yaml
@@ -9,7 +9,7 @@ runs:
 sudo chown $USER /tmp/uds-*.log || echo ""
 shell: bash
 
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: debug-log
 path: /tmp/uds-*.log
diff --git a/.github/codeql.yaml b/.github/codeql.yaml
index e69de29bb..3d376c23c 100644
--- a/.github/codeql.yaml
+++ b/.github/codeql.yaml
@@ -0,0 +1,10 @@
+paths-ignore:
+ - src/pkg/packager/network.go
+ - src/pkg/utils/network.go
+ - src/pkg/utils/credentials.go
+ - docs-website/**
+ - build/**
+
+query-filters:
+ - exclude:
+ id: go/path-injection
diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
new file mode 100644
index 000000000..060c5c2fa
--- /dev/null
+++ b/.github/workflows/scan-codeql.yml
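Review bot: The grype install step, `- run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"`, fetches an unversioned script from the `main` branch and pipes it straight into `sh`, which undoes the commit-SHA pinning this same commit applies to cosign-installer, download-syft and setup-buildx in the steps around it. Whatever is on `main` at run time executes on the runner with write access to `/usr/local/bin`, and the grype version used by the CVE scan changes silently between runs, so a red or green result is not reproducible. Pin the script to a tagged ref and pass that same tag as the version argument, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/grype/<tag>/install.sh | sh -s -- -b /usr/local/bin <tag>` (the anchore installer accepts a version as its trailing argument as far as I recall — confirm against its usage text), or download the release archive and verify its published checksum before extracting. A `# <tag>` comment next to it, like the other steps carry, keeps it visible to whatever bumps the pins.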
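Review bot: `paths-ignore` removes `src/pkg/utils/credentials.go` and both `network.go` files from CodeQL's view, and the `query-filters` entry disables `go/path-injection` for the whole repository; these are the files and the query class a static scanner is most useful for, and the hunk records no reason for either exclusion. The paths look like Zarf's tree rather than uds-cli's (`src/pkg/packager/...` does not appear elsewhere in this diff) — if they do not exist here the entries are dead and should go, and if they do, put a one-line justification above each, e.g. `# excluded: <reason, and what would let us remove this>`. For the query, prefer dismissing individual alerts in the Security tab with a reason over a repo-wide exclusion, so new path-injection findings in future code are not hidden by a decision made about today's.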
@@ -0,0 +1,60 @@
+name: Analyze CodeQL
+
+permissions:
+ contents: read
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ paths-ignore:
+ - "**.md"
+ - "**.jpg"
+ - "**.png"
+ - "**.gif"
+ - "**.svg"
+ - "adr/**"
+ - "docs/**"
+ - "package.json"
+ - "package-lock.json"
+ - "CODEOWNERS"
+ schedule:
+ - cron: "32 2 * * 5"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["go"]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
+ env:
+ CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
+ with:
+ languages: ${{ matrix.language }}
+ config-file: ./.github/codeql.yaml
+
+ - name: Build
+ run: make build-cli-linux-amd
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
new file mode 100644
index 000000000..9f6522d30
--- /dev/null
+++ b/.github/workflows/scan-cves.yml
@@ -0,0 +1,32 @@
+name: Analyze CVEs
+
+permissions:
+ contents: read
+
+on:
+ schedule:
+ - cron: "0 10 * * *"
+ pull_request:
+ paths:
+ - "go.mod"
+ - "go.sum"
+ - "package.json"
+ - "package-lock.json"
+ - "cargo.toml"
+ - "cargo.lock"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ - name: Install tools
+ uses: ./.github/actions/install-tools
+
+ - name: Check for CVEs in Dependencies
+ run: "make test-cves"
diff --git a/.github/workflows/scan-lint.yml b/.github/workflows/scan-lint.yml
new file mode 100644
index 000000000..1a9b83f27
--- /dev/null
+++ b/.github/workflows/scan-lint.yml
@@ -0,0 +1,21 @@
+name: Validate Lint
+on: pull_request
+
+permissions:
+ contents: read
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+ - name: Run Revive Action by pulling pre-built image
+ uses: docker://morphy/revive-action:v2
+ with:
+ config: revive.toml
+ # Exclude patterns, separated by semicolons (optional)
+ exclude: "src/cmd/viper.go"
+ # Path pattern (default: ./...)
+ path: "./src/..."
diff --git a/.github/workflows/test-k3d.yaml b/.github/workflows/test-k3d.yaml
index d4a54653b..31d01ab5f 100644
--- a/.github/workflows/test-k3d.yaml
+++ b/.github/workflows/test-k3d.yaml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
 - name: Setup golang
 uses: ./.github/actions/golang
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 000000000..8d89ff014
--- /dev/null
+++ b/.grype.yaml
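Review bot: The `pull_request` trigger's `paths:` list does not include `.grype.yaml` or `Makefile`, so a PR that adds a suppression to `.grype.yaml` — the file that decides what this scan ignores — or edits the `test-cves` recipe will not run the one check those edits affect; it only gets exercised on the nightly schedule after merge. Add `- ".grype.yaml"` and `- "Makefile"` to the list so a new ignore entry is reviewed together with the scan result it changes. Separately, `cargo.toml` and `cargo.lock` are lowercase while Cargo's manifest files are `Cargo.toml`/`Cargo.lock` and GitHub path filters are case-sensitive; nothing in this diff shows Rust in the repo, so either drop those two entries or fix the case.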
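Review bot: `uses: docker://morphy/revive-action:v2` runs a third-party Docker Hub image addressed by a mutable tag, so the code executed on every pull request can change with no change to this repository — the opposite of the SHA pinning this commit applies to `actions/checkout` two lines above. Pin it by digest, `uses: docker://morphy/revive-action:v2@sha256:<digest>` (take the digest of the tag you tested with; I do not have it), or install revive with `go install github.com/mgechev/revive@<version>` in a `run:` step so the version is recorded in the repo. Note also that the job triggers only on `pull_request`, so direct pushes to `main` are never linted; add a `push: branches: ["main"]` trigger if that is unintended.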
@@ -0,0 +1,7 @@
+ignore:
+ # This vulnerability does not affect UDS as we do not instantiate a rekor client
+ - vulnerability: GHSA-2h5h-59f5-c5x9
+
+ # This vulnerability does not affect UDS as we do not instantiate a rekor client
+ - vulnerability: GHSA-frqx-jfcm-6jjr
+
diff --git a/Makefile b/Makefile
index f45ccc348..99cb5e202 100644
--- a/Makefile
+++ b/Makefile
@@ -19,5 +19,8 @@ build-cli-mac-apple:
 test:
 cd src/test && go test -failfast -v -timeout 30m
 
+test-cves:
+ go run main.go tools sbom packages . -o json | grype --fail-on low
+
 clean:
 rm -rf build
diff --git a/go.mod b/go.mod
index 0e9e8e1d4..25d4c431e 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/defenseunicorns/uds-cli
 
 go 1.19
 
-replace github.com/defenseunicorns/zarf => github.com/defenseunicorns/zarf v0.28.4-0.20230802134247-d8d73edf8889
+replace github.com/defenseunicorns/zarf => github.com/defenseunicorns/zarf v0.28.4-0.20230803174709-3cda37d2a2af
 
 // TODO (@WSTARR) remove this temporary replacement of oras-go 1.2.2 with defenseunicorns version due to upgraded docker lib
 replace oras.land/oras-go v1.2.2 => github.com/defenseunicorns/oras-go v1.2.4-0.20230605015028-85c595ed4b64
@@ -77,7 +77,7 @@ require (
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b // indirect
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501 // indirect
-github.com/anchore/stereoscope v0.0.0-20230627195312-cd49355d934e // indirect
+github.com/anchore/stereoscope v0.0.0-20230727211946-d1f3d766295e // indirect
 github.com/anchore/syft v0.84.0 // indirect
 github.com/andybalholm/brotli v1.0.4 // indirect
 github.com/armon/go-metrics v0.4.1 // indirect
diff --git a/go.sum b/go.sum
index a739421d5..82c176284 100644
--- a/go.sum
+++ b/go.sum
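Review bot: Both ignore rules match on `vulnerability:` alone with no `package:` qualifier, so each GHSA ID is suppressed wherever it appears in the SBOM, not only in the rekor module the comments describe; if grype later reports the same advisory against a different package, it is hidden without anyone noticing. Scope each entry to the package it was triaged for, e.g. `- vulnerability: GHSA-2h5h-59f5-c5x9` followed by `package:` / `name: <module as printed by grype>` (take the exact name from the grype output that motivated the entry), and state in the comment what lets the entry be removed, such as the zarf or cosign release that pulls in a fixed rekor. That turns "we do not instantiate a rekor client" from an assertion into something the next person can re-check.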
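Review bot: In `test-cves`, the pipeline `go run main.go tools sbom packages . -o json | grype --fail-on low` reports only grype's exit status; if SBOM generation fails part-way (build error, tool missing), grype receives a truncated or empty document and the target can come back green, or fail with an unrelated parse error, instead of failing on the real cause. Make pipeline failures fatal by adding `SHELL := /bin/bash` and `.SHELLFLAGS := -o pipefail -ec` near the top of the Makefile, or write the SBOM to a file on one recipe line and scan it on the next so each step's status is checked on its own. Consider also passing `-c .grype.yaml` explicitly so the suppression file this recipe depends on is visible in the recipe rather than picked up from the working directory.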
@@ -234,8 +234,8 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZV
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501 h1:AV7qjwMcM4r8wFhJq3jLRztew3ywIyPTRapl2T1s9o8=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
-github.com/anchore/stereoscope v0.0.0-20230627195312-cd49355d934e h1:zhk3ZLtomMJ750nNCE+c24PonMzoO/SeL/4uTr1L9kM=
-github.com/anchore/stereoscope v0.0.0-20230627195312-cd49355d934e/go.mod h1:0LsgHgXO4QFnk2hsYwtqd3fR18PIZXlFLIl2qb9tu3g=
+github.com/anchore/stereoscope v0.0.0-20230727211946-d1f3d766295e h1:S6IhYpsBCpvphlHA1tN0glSG/kjVvFzC6OJuU2qW5Pc=
+github.com/anchore/stereoscope v0.0.0-20230727211946-d1f3d766295e/go.mod h1:0LsgHgXO4QFnk2hsYwtqd3fR18PIZXlFLIl2qb9tu3g=
 github.com/anchore/syft v0.84.0 h1:mU0xTGVFjuJDIr9pGjZfjcRmCdpSKsQxghZmWihdPDc=
 github.com/anchore/syft v0.84.0/go.mod h1:QM2WJFbV/mvBnb7nR1yYLm0mIw0MVhjzgd/QaxYMA/g=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
@@ -425,8 +425,8 @@ github.com/daviddengcn/go-colortext v1.0.0 h1:ANqDyC0ys6qCSvuEK7l3g5RaehL/Xck9EX
 github.com/daviddengcn/go-colortext v1.0.0/go.mod h1:zDqEI5NVUop5QPpVJUxE9UO10hRnmkD5G4Pmri9+m4c=
 github.com/defenseunicorns/oras-go v1.2.4-0.20230605015028-85c595ed4b64 h1:SCwmnKa2RSZtW50bKudiPdYUucX3xqlbbUt8AJiu5SA=
 github.com/defenseunicorns/oras-go v1.2.4-0.20230605015028-85c595ed4b64/go.mod h1:9YC1InrDJmkX0HhBLTXIixGH+l8bsPjRURmmaI2TvBk=
-github.com/defenseunicorns/zarf v0.28.4-0.20230802134247-d8d73edf8889 h1:4QkeRPa6+wnNPc9+UuxCXjN9s6U4WQvScQ/iRVxp3g0=
-github.com/defenseunicorns/zarf v0.28.4-0.20230802134247-d8d73edf8889/go.mod h1:Cl4iAS2CkifpmKIRA+zvsg383j15nSF2zYYVl/i7Fws=
+github.com/defenseunicorns/zarf v0.28.4-0.20230803174709-3cda37d2a2af h1:oLmNYI0TXK9bnUAx9rru9f4eyujh+kqFN3G4KfDFL8k=
+github.com/defenseunicorns/zarf v0.28.4-0.20230803174709-3cda37d2a2af/go.mod h1:HWDPqdoHGNSRWdzdXcVEUaKlcX9vIzLq4A5b+bzLjUQ=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=
 github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
diff --git a/revive.toml b/revive.toml
new file mode 100644
index 000000000..ebda8f5cb
--- /dev/null
+++ b/revive.toml
@@ -0,0 +1,31 @@
+ignoreGeneratedHeader = false
+severity = "warning"
+confidence = 0.8
+errorCode = 0
+warningCode = 0
+formatter = "stylish"
+
+[rule.blank-imports]
+[rule.context-as-argument]
+[rule.context-keys-type]
+[rule.dot-imports]
+[rule.error-return]
+[rule.error-strings]
+[rule.error-naming]
+[rule.exported]
+[rule.if-return]
+[rule.increment-decrement]
+[rule.var-naming]
+[rule.var-declaration]
+[rule.package-comments]
+[rule.range]
+[rule.receiver-naming]
+[rule.time-naming]
+[rule.unexported-return]
+[rule.indent-error-flow]
+[rule.errorf]
+[rule.empty-block]
+[rule.superfluous-else]
+[rule.unused-parameter]
+[rule.unreachable-code]
+[rule.redefines-builtin-id]
diff --git a/src/pkg/bundler/bundle.go b/src/pkg/bundler/bundle.go
index 6c3244d93..1df6bab30 100644
--- a/src/pkg/bundler/bundle.go
+++ b/src/pkg/bundler/bundle.go
@@ -139,10 +139,9 @@ func Bundle(r *oci.OrasRemote, bundle *types.UDSBundle, signature []byte) error
 message.Debug("Pushed", BundleYAMLSignature+":", message.JSONValue(zarfBundleYamlSigDesc))
 }
 
- // push the manifest config
- // todo: dig into this, is the manifest the UDSBundle manifest or a Zarf pkg manifest?
- // todo: make joint types? should this actually be explicitly Zarf types? need to distinguish between Zarf pkg and UDS pkg
- configDesc, err := r.PushManifestConfigFromMetadata((*zarfTypes.ZarfMetadata)(&bundle.Metadata), (*zarfTypes.ZarfBuildData)(&bundle.Build))
+ // push the bundle manifest config
+ //configDesc, err := r.PushManifestConfigFromMetadata((*zarfTypes.ZarfMetadata)(&bundle.Metadata), (*zarfTypes.ZarfBuildData)(&bundle.Build))
+ configDesc, err := pushManifestConfigFromMetadata(r, &bundle.Metadata, &bundle.Build)
 if err != nil {
 return err
 }
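Review bot: `errorCode = 0` and `warningCode = 0` tell revive to exit 0 no matter how many findings it reports, so the new "Validate Lint" workflow that consumes this file cannot fail a pull request as far as this config goes — it only prints (the wrapper action might impose its own failure rule, which I cannot see from here). If the lint is meant to gate merges, set `errorCode = 1` and `warningCode = 1`, or keep warnings advisory and raise `severity = "error"` on the rules that must block with `errorCode = 1`. If advisory-only is the intent for now, say so in a comment at the top of the file, e.g. `# Non-blocking for now: exit codes are 0 until the existing findings are cleaned up`, so the zero codes are not read as an oversight.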
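Review bot: The added line `//configDesc, err := r.PushManifestConfigFromMetadata((*zarfTypes.ZarfMetadata)(&bundle.Metadata), (*zarfTypes.ZarfBuildData)(&bundle.Build))` is commented-out code left beside its replacement; it preserves exactly the cast-based call this refactor removes and will drift as the Zarf API changes, and depending on what else references `zarfTypes` in this file it may leave that import looking used only in a comment. Delete it — git history keeps the old call — and keep just `// push the bundle manifest config` above the new call. The enclosing `Bundle` function starts and ends outside this hunk.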
@@ -180,3 +179,20 @@ func Bundle(r *oci.OrasRemote, bundle *types.UDSBundle, signature []byte) error
 return nil
 }
 
+
+func pushManifestConfigFromMetadata(r *oci.OrasRemote, metadata *types.UDSMetadata, build *types.UDSBuildData) (ocispec.Descriptor, error) {
+ annotations := map[string]string{
+ ocispec.AnnotationTitle: metadata.Name,
+ ocispec.AnnotationDescription: metadata.Description,
+ }
+ manifestConfig := oci.ConfigPartial{
+ Architecture: build.Architecture,
+ OCIVersion: "1.0.1",
+ Annotations: annotations,
+ }
+ manifestConfigBytes, err := json.Marshal(manifestConfig)
+ if err != nil {
+ return ocispec.Descriptor{}, err
+ }
+ return r.PushLayer(manifestConfigBytes, ocispec.MediaTypeImageConfig)
+}
diff --git a/src/types/package.go b/src/types/package.go
index ea00dc3e4..e30ff5cd4 100644
--- a/src/types/package.go
+++ b/src/types/package.go
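Review bot: `pushManifestConfigFromMetadata` has no doc comment and hard-codes `OCIVersion: "1.0.1"` with nothing saying what that value is or why it is fixed; a reader cannot tell whether this mirrors the config layout Zarf writes (and so must stay in sync with it) or is a UDS-specific choice, and `oci.ConfigPartial` is opaque from here. Add a header such as `// pushManifestConfigFromMetadata serialises the bundle's name, description and target architecture as an OCI image config, pushes it as a layer on r and returns the layer's descriptor.` and hoist the literal into a named constant with a one-line note on where the value comes from. Note also that an empty `metadata.Description` still emits `ocispec.AnnotationDescription` with an empty value; if consumers treat the key's presence as meaningful, skip it when empty — I cannot tell from this hunk.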
@@ -23,14 +23,15 @@ type UDSMetadata struct {
 
 // UDSBuildData is written during the packager.Create() operation to track details of the created package.
 type UDSBuildData struct {
- Terminal string `json:"terminal" jsonschema:"description=The machine name that created this package"`
- User string `json:"user" jsonschema:"description=The username who created this package"`
- Architecture string `json:"architecture" jsonschema:"description=The architecture this package was created on"`
- Timestamp string `json:"timestamp" jsonschema:"description=The timestamp when this package was created"`
- Version string `json:"version" jsonschema:"description=The version of Zarf used to build this package"`
- Migrations []string `json:"migrations,omitempty" jsonschema:"description=Any migrations that have been run on this package"`
- Differential bool `json:"differential,omitempty" jsonschema:"description=Whether this package was created with differential components"`
- RegistryOverrides map[string]string `json:"registryOverrides,omitempty" jsonschema:"description=Any registry domains that were overridden on package create when pulling images"`
- DifferentialMissing []string `json:"differentialMissing,omitempty" jsonschema:"description=List of components that were not included in this package due to differential packaging"`
- OCIImportedComponents map[string]string `json:"OCIImportedComponents,omitempty" jsonschema:"description=Map of components that were imported via OCI. The keys are OCI Package URLs and values are the component names"`
+ Terminal string `json:"terminal" jsonschema:"description=The machine name that created this package"`
+ User string `json:"user" jsonschema:"description=The username who created this package"`
+ Architecture string `json:"architecture" jsonschema:"description=The architecture this package was created on"`
+ Timestamp string `json:"timestamp" jsonschema:"description=The timestamp when this package was created"`
+ Version string `json:"version" jsonschema:"description=The version of Zarf used to build this package"`
+ Migrations []string `json:"migrations,omitempty" jsonschema:"description=Any migrations that have been run on this package"`
+ Differential bool `json:"differential,omitempty" jsonschema:"description=Whether this package was created with differential components"`
+ RegistryOverrides map[string]string `json:"registryOverrides,omitempty" jsonschema:"description=Any registry domains that were overridden on package create when pulling images"`
+ DifferentialMissing []string `json:"differentialMissing,omitempty" jsonschema:"description=List of components that were not included in this package due to differential packaging"`
+ OCIImportedComponents map[string]string `json:"OCIImportedComponents,omitempty" jsonschema:"description=Map of components that were imported via OCI. The keys are OCI Package URLs and values are the component names"`
+ LastNonBreakingVersion string `json:"lastNonBreakingVersion,omitempty" jsonschema:"description=The minimum version of Zarf that does not have breaking package structure changes"`
 }
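Review bot: The new field's description, `The minimum version of Zarf that does not have breaking package structure changes`, is a statement about Zarf, yet `UDSBuildData` is the build record of a UDS bundle; together with `Version` ("The version of Zarf used to build this package") it leaves unclear whether these record the uds-cli release, the embedded Zarf library, or both, which matters for whoever later compares them to decide if a bundle can be read. Name the binary whose version is stored, e.g. `description=The minimum version of uds-cli that can read this bundle's structure` if that is what the writer populates — confirm against the code that sets the field, which is outside this diff — and give `Version` the same treatment while the struct is being touched. The hunk contains the whole struct, so nothing here is cut off.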