gosec/.github/workflows/ci.yml

63 lines
1.8 KiB
YAML
Raw Normal View History

name: CI
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
test:
strategy:
matrix:
go_version:
2022-11-08 08:54:40 +00:00
- '1.18.8' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
- '1.19.3' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
runs-on: ubuntu-latest
env:
GO111MODULE: on
steps:
- name: Setup go ${{ matrix.go_version }}
uses: actions/setup-go@v3
with:
go-version: ${{ matrix.go_version }}
- name: Checkout Source
uses: actions/checkout@v3
- uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: lint
uses: golangci/golangci-lint-action@v3
with:
version: latest
- name: Run Tests
run: make test
coverage:
needs: [test]
runs-on: ubuntu-latest
env:
GO111MODULE: on
steps:
- name: Setup go
uses: actions/setup-go@v3
with:
go.mod: ginkgo/v2 v2.3.1, golang.org/x/text v0.3.8, update go versions (#880) * gha: remove go1.17, temporarily force 1.18.7, 1.19.2 The security scanner is flagging the code to have a vulnerability, but it's detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing). Temporarily pinning to go1.18.7 to force installing the latest version: Vulnerability #1: GO-2022-1039 Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. Call stacks in your code: Error: helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse Found in: regexp/syntax@go1.18.6 Fixed in: regexp/syntax@go1.19.2 More info: https://pkg.go.dev/vuln/GO-2022-1039 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: github.com/onsi/ginkgo/v2 v2.3.1 CI was failing because of a mismatch: /home/runner/go/bin/ginkgo -v --fail-fast Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages: Ginkgo CLI Version: 2.3.1 Mismatched package versions found: 2.2.0 used by gosec Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: golang.org/x/text v0.3.8 to address GO-2022-1059 The vulnerabilities below are in packages that you import, but your code doesn't appear to call any vulnerable functions. You may not need to take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details. Vulnerability #1: GO-2022-1059 An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. Found in: golang.org/x/text/language@v0.3.7 Fixed in: golang.org/x/text/language@v0.3.8 More info: https://pkg.go.dev/vuln/GO-2022-1059 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 09:05:13 +01:00
go-version: '1.19.2' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
- name: Checkout Source
uses: actions/checkout@v3
- uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Create Test Coverage
run: make test-coverage
- name: Upload Test Coverage
uses: codecov/codecov-action@v3
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: true