

Merge pull request #867 from coinbase/golang_1_21
Version bumping GoLang & GoSec
joshuaostrom-cb authored Sep 29, 2023
2 parents e927762 + 0ec9d56 commit d17fb75
Showing 9 changed files with 51 additions and 45 deletions.
8 changes: 4 additions & 4 deletions Dockerfile
Expand Up @@ -78,16 +78,16 @@ RUN cd /home \
### Golang
# required for sift and gosec

ENV GOLANG_VERSION 1.20.2
ENV GOLANG_DOWNLOAD_SHA256 4eaea32f59cde4dc635fbc42161031d13e1c780b87097f4b4234cfce671f1768
ENV GOLANG_VERSION 1.21.1
ENV GOLANG_DOWNLOAD_SHA256 b3075ae1ce5dab85f89bc7905d1632de23ca196bd8336afd93fa97434cfa55ae

ENV GOLANG_TARBALL_FILE go$GOLANG_VERSION.linux-amd64.tar.gz
ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/${GOLANG_TARBALL_FILE}

ENV GOSEC_VERSION 2.15.0
ENV GOSEC_VERSION 2.17.0
ENV GOSEC_TARBALL_FILE gosec_${GOSEC_VERSION}_linux_amd64.tar.gz
ENV GOSEC_DOWNLOAD_URL https://github.com/securego/gosec/releases/download/v${GOSEC_VERSION}/${GOSEC_TARBALL_FILE}
ENV GOSEC_DOWNLOAD_SHA256 2312388e9ce0dcfed23893ffd2b719f9de5b1d262c84f4e3c8e2e2cb0d1785d2
ENV GOSEC_DOWNLOAD_SHA256 e268c49e3382d43a1bd1a24d15f5c0e249841cd2a6befc53b5d7986f07a97d2f
ENV GO111MODULE on

RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \
6 changes: 3 additions & 3 deletions Gemfile
Expand Up @@ -2,15 +2,15 @@ source 'https://rubygems.org'

ruby '3.2.1'

gem 'activemodel', '~> 6.1.7.3'
gem 'activesupport', '~> 6.1.7.3'
gem 'activemodel', '~> 6.1.7.5'
gem 'activesupport', '~> 6.1.7.5'
gem 'bugsnag', '~> 6.19.0'
gem 'bundler', '= 2.4.8'
gem 'cocoapods', '~> 1.12.0'
gem 'deepsort', '~> 0.4.5'
gem 'faraday', '~> 1.3'
gem 'github-linguist', '~> 7.13.0'
gem 'nokogiri', '~> 1.13.6'
gem 'nokogiri', '~> 1.14.3'
gem 'parser', '~> 3.1.3'
gem 'rgl', '~> 0.5.9'
gem 'rubyzip', '~> 2.3.2'
24 changes: 12 additions & 12 deletions Gemfile.lock
Expand Up @@ -3,9 +3,9 @@ GEM
specs:
CFPropertyList (3.0.6)
rexml
activemodel (6.1.7.3)
activesupport (= 6.1.7.3)
activesupport (6.1.7.3)
activemodel (6.1.7.6)
activesupport (= 6.1.7.6)
activesupport (6.1.7.6)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
Expand Down Expand Up @@ -92,21 +92,21 @@ GEM
rugged (>= 0.25.1)
hashdiff (1.0.1)
httpclient (2.8.3)
i18n (1.12.0)
i18n (1.14.1)
concurrent-ruby (~> 1.0)
json (2.6.3)
json-schema (3.0.0)
addressable (>= 2.8)
method_source (1.0.0)
mini_mime (1.0.2)
mini_portile2 (2.8.0)
minitest (5.18.0)
mini_portile2 (2.8.4)
minitest (5.20.0)
molinillo (0.8.0)
multipart-post (2.1.1)
nanaimo (0.3.0)
nap (1.1.0)
netrc (0.11.0)
nokogiri (1.13.10)
nokogiri (1.14.5)
mini_portile2 (~> 2.8.0)
racc (~> 1.4)
pairing_heap (1.0.0)
Expand All @@ -121,7 +121,7 @@ GEM
byebug (~> 11.0)
pry (>= 0.13, < 0.15)
public_suffix (4.0.7)
racc (1.6.1)
racc (1.7.1)
rainbow (3.0.0)
regexp_parser (1.8.2)
rexml (3.2.5)
Expand Down Expand Up @@ -187,14 +187,14 @@ GEM
colored2 (~> 3.1)
nanaimo (~> 0.3.0)
rexml (~> 3.2.4)
zeitwerk (2.6.7)
zeitwerk (2.6.12)

PLATFORMS
ruby

DEPENDENCIES
activemodel (~> 6.1.7.3)
activesupport (~> 6.1.7.3)
activemodel (~> 6.1.7.5)
activesupport (~> 6.1.7.5)
brakeman (= 5.4.1)
bugsnag (~> 6.19.0)
bundler (= 2.4.8)
Expand All @@ -204,7 +204,7 @@ DEPENDENCIES
faraday (~> 1.3)
github-linguist (~> 7.13.0)
json-schema (~> 3.0)
nokogiri (~> 1.13.6)
nokogiri (~> 1.14.3)
parser (~> 3.1.3)
pry (~> 0.14)
pry-byebug (~> 3.10)
13 changes: 0 additions & 13 deletions lib/salus/scanners/base.rb
Expand Up @@ -532,19 +532,6 @@ def build_options(prefix:, suffix:, separator:, args:, join_by: ',', config_over
join_by: join_by,
regex: type_value
)
# In new versions of gosec, nosec-tag matches the exact string
# For example, In previous versions;
# - running the command `gosec -nosec-tag=falsepositive .`
# would match all occurrences of /* #falsepositive */ in go files
# In current versions:
# - running the command `gosec -nosec-tag=falsepositive .`
# would match only match /* falsepositive */ in go files
# - you would have to modify your string to match #falsepositive
# running the command `gosec -nosec-tag=#falsepositive .`
# would match all occurrences of /* #falsepositive */ in go files
# To prevent salus functionality from changing, this line adds a pound
# sign to alternative nosec string
result = "-nosec-tag=##{config_value} " if result.include? "-nosec-tag="
result
else
warning = "Could not interpolate config for #{keyword} "\
6 changes: 6 additions & 0 deletions salus.yaml
Expand Up @@ -28,3 +28,9 @@ scanner_configs:
- spec/fixtures/gosec/multifolder_goapp
- spec/fixtures/gosec/recursive_vulnerable_goapp
- spec/fixtures/gosec/multi_goapps
RubyVersionScanner:
warn:
min_version: '3.0.0'
max_version: '3.1.0'
error:
min_version: '3.0.0'
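Review bot: The new RubyVersionScanner block sets `warn.max_version: '3.1.0'` while the Gemfile touched in this same commit keeps `ruby '3.2.1'`, so if this salus.yaml is the repository's self-scan config (the gosec fixture exclusions above suggest it is) and max_version is an inclusive upper bound, every run would warn about the project's own Ruby. Either the bound should cover 3.2.x or the intent to warn should be stated; I cannot see the scanner's comparison semantics from this diff, so confirm inclusive/exclusive handling first. The `error` block gives only `min_version`, which presumably leaves no upper error bound — a one-line comment would make that deliberate, e.g. `# error only on Ruby < 3.0.0; no upper bound enforced here`.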
12 changes: 11 additions & 1 deletion spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
Expand Up @@ -20,4 +20,14 @@ scanner_configs:
advisory_id: "1091018",
changed_by: "joshua.ostrom",
notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.",
}
}
- {
advisory_id: "1091686",
changed_by: "joshua.ostrom",
notes: "False positive",
}
- {
advisory_id: "1091710",
changed_by: "joshua.ostrom",
notes: "False positive",
}
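Review bot: The two added exception entries (advisory_id "1091686" and "1091710") record only `notes: "False positive"`, whereas the existing entry for "1091018" explains why the finding does not apply; the notes field is the audit trail for suppressing a reported vulnerability, and a bare "False positive" gives the next reviewer nothing to verify. Even as a spec fixture this file is read as the reference shape of an exception, so the same standard should apply, e.g. `notes: "False positive: <affected package/path and why it is unreachable here>"` (placeholder wording). If the fixture deliberately exercises minimal notes, a comment saying so above the new entries would settle it.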
24 changes: 13 additions & 11 deletions spec/lib/salus/scanners/yarn_audit_spec.rb
Expand Up @@ -71,7 +71,7 @@

expect(scanner.report.to_h.fetch(:passed)).to eq(false)
vulns = JSON.parse(scanner.report.to_h[:info][:stdout]).sort { |a, b| a["ID"] <=> b["ID"] }
expect(vulns.size).to eq(17)
expect(vulns.size).to eq(18)

vulns.each do |vul|
["Package", "Patched in", "Dependency of", "More info", "Severity", "Title"].each do |attr|
Expand All @@ -81,22 +81,24 @@
expect(vul["ID"]).to be_kind_of(Integer)
end

id_vuls = vulns.find { |v| v['ID'] == 1_091_360 }
id_vuls = vulns.find { |v| v['ID'] == 1_091_832 }

# vul has 1 dependency of
expected_vul = { "Package" => "trim-newlines",
"Patched in" => ">=3.0.1",
"Dependency of" => "gulp-cssmin",
"More info" => "https://www.npmjs.com/advisories/1091360",
expected_vul = { "Package" => "lodash",
"Patched in" => ">=4.17.21",
"Dependency of" => "gulp-modify-file",
"More info" => "https://www.npmjs.com/advisories/1091832",
"Severity" => "high",
"Title" => "Uncontrolled Resource Consumption in trim-newlines",
"ID" => 1_091_360 }
"Title" => "Command Injection in lodash",
"ID" => 1_091_832 }

expect(id_vuls).to eq(expected_vul)

id_vuls_w_paths = scanner.instance_variable_get(:@vulns_w_paths)
.find { |v| v['ID'] == 1_091_360 }
.find { |v| v['ID'] == 1_091_832 }

expected_vul['Path'] = "gulp-cssmin > gulp-util > "\
"dateformat > meow > trim-newlines"
expected_vul['Path'] = "gulp-modify-file > gulp > "\
"vinyl-fs > glob-watcher > gaze > globule > lodash"
expect(id_vuls_w_paths).to eq(expected_vul)
end
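Review bot: The new expected values for advisory 1_091_832 — the hash starting at `expected_vul = { "Package" => "lodash",` and the rebuilt `expected_vul['Path']` string — encode whatever the audit reported for the fixture at the time of writing, and this commit itself shows that snapshot churning (trim-newlines replaced by lodash, the count in the first hunk moved from 17 to 18) without recording when or why. A short comment above `expected_vul` would make the next refresh less surprising, e.g. `# Snapshot of the advisory data for this fixture as of this commit; counts, IDs and paths change as the npm advisory DB is updated`. I cannot see from the diff whether the spec stubs the audit call or runs it live; if it replays recorded output, the comment should point at that recording instead. The enclosing example block starts and ends outside the hunk.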

2 changes: 1 addition & 1 deletion spec/lib/sarif/cargo_audit_sarif_spec.rb
Expand Up @@ -34,7 +34,7 @@
"title": { "text": "MultiDecoder::read() drops uninitialized memory of"\
" arbitrary type on panic in client code" },
"severity": { "text": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
"cwe": { "text": "[\"CVE-2019-15552\"]" },
"cwe": { "text": "[\"CVE-2019-15552\", \"GHSA-rpcm-whqc-jfw8\"]" },
"patched_versions": { "text": "[\">=0.1.25\"]" },
"unaffected_versions": { "text": "[\"<0.1.14\"]" } },
help_url: "https://github.com/sile/libflate/issues/35",
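Review bot: The updated expectation pins advisory identifiers (`CVE-2019-15552` and now `GHSA-rpcm-whqc-jfw8`) under the SARIF property named `cwe`, which is where a consumer would look for weakness (CWE) IDs; adding the GHSA alias makes it clearer that this field carries advisory aliases rather than weakness classes. The spec only asserts what the cargo-audit SARIF mapping emits, so the naming itself lives outside this hunk; if the key is kept for compatibility, a comment on the changed line such as `# "cwe" carries the advisory's alias IDs (CVE/GHSA), not CWE numbers` would stop the next reader from treating it as a CWE list. The surrounding example block starts and ends outside the hunk.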
1 change: 1 addition & 0 deletions spec/lib/sarif/npm_audit_sarif_spec.rb
Expand Up @@ -165,6 +165,7 @@
report = Salus::Report.new(project_name: "Neon Genesis")
report.add_scan_report(scanner.report, required: false)
report_object = JSON.parse(report.to_sarif)['runs'][0]

expect(report_object['results'].length).to eq(0)
expect(report_object['invocations'][0]['executionSuccessful']).to eq(true)
end
