add targets for verifying code and images for vulnerabilities

Signed-off-by: Prajyot-Parab <[email protected]>
kubernetes-sigs · Nov 10, 2023 · a3e87c2 · a3e87c2
1 parent 26a1f61
commit a3e87c2
Show file tree

Hide file tree

Showing 9 changed files with 1,876 additions and 194 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -15,7 +15,7 @@
 # limitations under the License.
 
 # Build the manager binary
-FROM golang:1.20.4 as toolchain
+FROM golang:1.20.11 as toolchain
 
 # Run this with docker build --build_arg $(go env GOPROXY) to override the goproxy
 ARG goproxy=https://proxy.golang.org,direct

diff --git a/Makefile b/Makefile
@@ -18,6 +18,8 @@ ROOT_DIR_RELATIVE := .
 
 include $(ROOT_DIR_RELATIVE)/common.mk
 
+GO_VERSION ?= 1.20.11
+
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
 # Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
@@ -45,6 +47,8 @@ MOCKGEN := $(TOOLS_BIN_DIR)/mockgen
 CONTROLLER_GEN := $(TOOLS_BIN_DIR)/controller-gen
 CONVERSION_VERIFIER := $(TOOLS_BIN_DIR)/conversion-verifier
 SETUP_ENVTEST := $(TOOLS_BIN_DIR)/setup-envtest
+GOVULNCHECK := $(TOOLS_BIN_DIR)/govulncheck
+TRIVY := $(TOOLS_BIN_DIR)/trivy
 
 STAGING_REGISTRY ?= gcr.io/k8s-staging-capi-ibmcloud
 STAGING_BUCKET ?= artifacts.k8s-staging-capi-ibmcloud.appspot.com
@@ -517,6 +521,27 @@ verify-gen: generate ## Verfiy go generated files are up to date
 verify-conversions: $(CONVERSION_VERIFIER) ## Verifies expected API conversion are in place
 	$(CONVERSION_VERIFIER)
 
+.PHONY: verify-container-images
+verify-container-images: $(TRIVY) ## Verify container images
+	TRACE=$(TRACE) ./hack/verify-container-images.sh
+
+.PHONY: verify-govulncheck
+verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
+	$(GOVULNCHECK) ./... && R1=$$? || R1=$$?; \
+	$(GOVULNCHECK) -C "$(TOOLS_DIR)" ./... && R2=$$? || R2=$$?; \
+	if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
+		exit 1; \
+	fi
+
+.PHONY: verify-security
+verify-security: ## Verify code and images for vulnerabilities
+	$(MAKE) verify-container-images && R1=$$? || R1=$$?; \
+	$(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \
+	if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
+	  echo "Check for vulnerabilities failed! There are vulnerabilities to be fixed"; \
+		exit 1; \
+	fi
+
 ## --------------------------------------
 ## Cleanup / Verification
 ## --------------------------------------
@@ -548,6 +573,10 @@ clean-temporary: ## Remove all temporary files and folders
 clean-release: ## Remove the release folder
 	rm -rf $(RELEASE_DIR)
 
+.PHONY: clean-release-git
+clean-release-git: ## Restores the git files usually modified during a release
+	git restore ./*manager_image_patch.yaml ./*manager_pull_policy.yaml
+
 .PHONY: clean-generated-conversions
 clean-generated-conversions: ## Remove files generated by conversion-gen from the mentioned dirs
 	(IFS=','; for i in $(SRC_DIRS); do find $$i -type f -name 'zz_generated.conversion*' -exec rm -f {} \;; done)
@@ -566,3 +595,11 @@ clean-kind: ## Cleans up the kind cluster with the name $CAPI_KIND_CLUSTER_NAME
 kind-cluster: ## Create a new kind cluster designed for development with Tilt
 	hack/kind-install.sh
 
+## --------------------------------------
+## Helpers
+## --------------------------------------
+
+##@ helpers:
+
+go-version: ## Print the go version we use to compile our binaries and images
+	@echo $(GO_VERSION)
diff --git a/controllers/ibmpowervscluster_controller.go b/controllers/ibmpowervscluster_controller.go
@@ -108,7 +108,7 @@ func (r *IBMPowerVSClusterReconciler) Reconcile(ctx context.Context, req ctrl.Re
 	return r.reconcile(clusterScope), nil
 }
 
-func (r *IBMPowerVSClusterReconciler) reconcile(clusterScope *scope.PowerVSClusterScope) ctrl.Result {
+func (r *IBMPowerVSClusterReconciler) reconcile(clusterScope *scope.PowerVSClusterScope) ctrl.Result { //nolint:unparam
 	if !controllerutil.ContainsFinalizer(clusterScope.IBMPowerVSCluster, infrav1beta2.IBMPowerVSClusterFinalizer) {
 		controllerutil.AddFinalizer(clusterScope.IBMPowerVSCluster, infrav1beta2.IBMPowerVSClusterFinalizer)
 		return ctrl.Result{}

diff --git a/hack/ccm/Dockerfile b/hack/ccm/Dockerfile
@@ -18,7 +18,7 @@ ARG TARGETPLATFORM=linux/amd64
 ARG ARCH=amd64
 
 # Build IBM cloud controller manager binary
-FROM golang:1.20.4 AS ccm-builder
+FROM golang:1.20.11 AS ccm-builder
 ARG ARCH
 ARG POWERVS_CLOUD_CONTROLLER_COMMIT
 WORKDIR /build

diff --git a/hack/tools/Makefile b/hack/tools/Makefile
@@ -66,7 +66,7 @@ $(GOTESTSUM): $(BIN_DIR) go.mod go.sum
 
 KUSTOMIZE := $(BIN_DIR)/kustomize
 $(KUSTOMIZE): $(BIN_DIR) go.mod go.sum ## Build a local copy of kustomize.
-	CGO_ENABLED=0 go build -tags=capibmtools -o $@ sigs.k8s.io/kustomize/kustomize/v4
+	CGO_ENABLED=0 go build -tags=capibmtools -o $@ sigs.k8s.io/kustomize/kustomize/v5
 
 MDBOOK_SHARE := $(SHARE_DIR)/mdbook$(MDBOOK_ARCHIVE_EXT)
 $(MDBOOK_SHARE): ../../versions.mk $(SHARE_DIR)
@@ -121,3 +121,11 @@ $(CONVERSION_VERIFIER): $(BIN_DIR) go.mod go.sum ## Build a local copy of conver
 SETUP_ENVTEST := $(BIN_DIR)/setup-envtest
 $(SETUP_ENVTEST): $(BIN_DIR) go.mod go.sum ## Build a local copy of setup-envtest.
 	go build -tags=capibmtools -o $@ sigs.k8s.io/controller-runtime/tools/setup-envtest
+
+GOVULNCHECK := $(BIN_DIR)/govulncheck
+$(GOVULNCHECK): $(BIN_DIR) go.mod go.sum ## Build a local copy of govulncheck.
+	go build -tags=capibmtools -o $@ golang.org/x/vuln/cmd/govulncheck
+
+TRIVY := $(BIN_DIR)/trivy
+$(TRIVY): $(BIN_DIR) go.mod go.sum ## Build a local copy of trivy.
+	go build -tags=capibmtools -o $@ github.com/aquasecurity/trivy/cmd/trivy