mirror of
https://github.com/securego/gosec.git
synced 2024-12-26 04:25:52 +00:00
ed386818fd
* gha: remove go1.17, temporarily force 1.18.7, 1.19.2 The security scanner is flagging the code to have a vulnerability, but it's detecting that we're running go1.18.6, not "latest" (go1.18.7 at time of writing). Temporarily pinning to go1.18.7 to force installing the latest version: Vulnerability #1: GO-2022-1039 Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. Call stacks in your code: Error: helpers.go:463:26: github.com/securego/gosec/v2.ExcludedDirsRegExp calls regexp.MustCompile, which eventually calls regexp/syntax.Parse Found in: regexp/syntax@go1.18.6 Fixed in: regexp/syntax@go1.19.2 More info: https://pkg.go.dev/vuln/GO-2022-1039 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: github.com/onsi/ginkgo/v2 v2.3.1 CI was failing because of a mismatch: /home/runner/go/bin/ginkgo -v --fail-fast Ginkgo detected a version mismatch between the Ginkgo CLI and the version of Ginkgo imported by your packages: Ginkgo CLI Version: 2.3.1 Mismatched package versions found: 2.2.0 used by gosec Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: golang.org/x/text v0.3.8 to address GO-2022-1059 The vulnerabilities below are in packages that you import, but your code doesn't appear to call any vulnerable functions. You may not need to take any action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details. Vulnerability #1: GO-2022-1059 An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. Found in: golang.org/x/text/language@v0.3.7 Fixed in: golang.org/x/text/language@v0.3.8 More info: https://pkg.go.dev/vuln/GO-2022-1059 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
62 lines
1.8 KiB
YAML
62 lines
1.8 KiB
YAML
name: CI
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
jobs:
|
|
test:
|
|
strategy:
|
|
matrix:
|
|
go_version:
|
|
- '1.18.7' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
|
|
- '1.19.2' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
GO111MODULE: on
|
|
steps:
|
|
- name: Setup go ${{ matrix.go_version }}
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version: ${{ matrix.go_version }}
|
|
- name: Checkout Source
|
|
uses: actions/checkout@v3
|
|
- uses: actions/cache@v3
|
|
with:
|
|
path: ~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
- name: lint
|
|
uses: golangci/golangci-lint-action@v3
|
|
with:
|
|
version: latest
|
|
- name: Run Tests
|
|
run: make test
|
|
coverage:
|
|
needs: [test]
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
GO111MODULE: on
|
|
steps:
|
|
- name: Setup go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version: '1.19.2' # TODO: remove this once actions/setup-go@v3 uses latest as latest; see https://github.com/securego/gosec/pull/880
|
|
- name: Checkout Source
|
|
uses: actions/checkout@v3
|
|
- uses: actions/cache@v3
|
|
with:
|
|
path: ~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
- name: Create Test Coverage
|
|
run: make test-coverage
|
|
- name: Upload Test Coverage
|
|
uses: codecov/codecov-action@v3
|
|
with:
|
|
token: ${{ secrets.CODECOV_TOKEN }}
|
|
fail_ci_if_error: true
|