diff --git a/.buildkite/code.pipeline.yml b/.buildkite/code.pipeline.yml
index c136b4d71af..a263c5bc8d8 100644
--- a/.buildkite/code.pipeline.yml
+++ b/.buildkite/code.pipeline.yml
@@ -86,20 +86,6 @@ steps:
 plugins:
 <<: *docker_plugin
-
- - label: Audit Rust dependencies for vulnerabilities
- command: .buildkite/rust/cargo_audit.sh
- retry:
- <<: *retry_agent_failure
- plugins:
- <<: *docker_plugin
-
- - label: Audit Go dependencies for vulnerabilities
- command: .buildkite/go/nancy_audit.sh
- retry:
- <<: *retry_agent_failure
- plugins:
- <<: *docker_plugin
-
 ############
 # Build jobs
 ############
diff --git a/.buildkite/go/nancy_audit.sh b/.buildkite/go/nancy_audit.sh
deleted file mode 100755
index 7d1ca503779..00000000000
--- a/.buildkite/go/nancy_audit.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-############################################################
-# This script checks Go.sum for dependencies with
-# reported security vulnerabilities.
-#
-# Usage:
-# nancy_audit.sh
-############################################################
-
-# Helpful tips on writing build scripts:
-# https://buildkite.com/docs/pipelines/writing-build-scripts
-set -euxo pipefail
-
-########################################
-# Check dependencies for vulnerabilities
-########################################
-pushd go
- go list -json -m all | nancy sleuth
-popd
diff --git a/.buildkite/rust/cargo_audit.sh b/.buildkite/rust/cargo_audit.sh
deleted file mode 100755
index 25a14ada7d8..00000000000
--- a/.buildkite/rust/cargo_audit.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-############################################################
-# This script checks Cargo.lock for dependencies with
-# reported security vulnerabilities.
-#
-# Usage:
-# cargo_audit.sh
-############################################################
-
-# Helpful tips on writing build scripts:
-# https://buildkite.com/docs/pipelines/writing-build-scripts
-set -euxo pipefail
-
-########################################
-# Check dependencies for vulnerabilities
-########################################
-cargo audit
diff --git a/.changelog/3517.internal.md b/.changelog/3517.internal.md
new file mode 100644
index 00000000000..69607794d0f
--- /dev/null
+++ b/.changelog/3517.internal.md
@@ -0,0 +1,8 @@
+Make: Add audit targets
+
+Add a general `audit` target that depends on the following audit targets:
+
+- `audit-go`: Audit Go dependencies for vulnerabilities,
+- `audit-rust`: Audit Rust dependencies for vulnerabilities.
+
+Add `audit` target to `Makefile` in `go/`.
diff --git a/.github/workflows/ci-audit-rust.yml b/.github/workflows/ci-audit-rust.yml
new file mode 100644
index 00000000000..dfd8a9096f4
--- /dev/null
+++ b/.github/workflows/ci-audit-rust.yml
@@ -0,0 +1,48 @@
+# NOTE: This name appears in GitHub's Checks API and in workflow's status badge.
+name: ci-audit-rust
+
+# Trigger the workflow when:
+on:
+ # A push occurs to one of the matched branches.
+ push:
+ # XXX: Ideally, on the master branch we would only run this workflow if
+ # there are changes to the Cargo.toml or Cargo.local files (like for pull
+ # requests).
+ # However, this doesn't work when pushing a new 'stable/*' branch. The build
+ # on a new branch does not trigger unless there are changes compared to
+ # master on the filtered path.
+ # If this is ever fixed, or per branch filters are possible, bring back the
+ # path filter to only run this workflow if there are changes to the
+ # Cargo.toml or Cargo.local files.
+ branches:
+ - master
+ - stable/*
+ # Or when a pull request event occurs for a pull request against one of the
+ # matched branches and at least one modified file matches the configured
+ # paths.
+ pull_request:
+ branches:
+ - master
+ - stable/*
+ paths:
+ - '**/Cargo.toml'
+ - '**/Cargo.lock'
+ # Or every day at 04:00 UTC (for the default/master branch).
+ schedule:
+ - cron: "0 4 * * *"
+
+jobs:
+
+ audit-rust:
+ # NOTE: This name appears in GitHub's Checks API.
+ name: audit-rust
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+ # NOTE: To run this step locally, make sure you have cargo-audit installed
+ # and run 'make audit-rust'.
+ - name: Audit Rust dependencies for vulnerabilities
+ uses: actions-rs/audit-check@v1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml
index bef4d517947..33a3721d398 100644
--- a/.github/workflows/ci-lint.yml
+++ b/.github/workflows/ci-lint.yml
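Review bot: Both third-party actions in the `steps` block are pinned only by mutable tags, `actions/checkout@v2` and `actions-rs/audit-check@v1`, so whoever controls those tags controls code that is handed `secrets.GITHUB_TOKEN`; pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions-rs/audit-check@<commit-sha> # v1` (placeholder, take the SHA from the release), makes the workflow's supply chain reproducible and reviewable. The XXX comment under `push:` twice says the path filter would cover "Cargo.toml or Cargo.local files", while the `pull_request` filter below lists `**/Cargo.lock`; the comment should say `Cargo.lock`. The `schedule` comment would also benefit from stating why the daily run exists, presumably that the advisory database changes independently of this repository, so a scheduled run catches advisories published after the last push.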
@@ -48,6 +48,22 @@ jobs:
 python -m pip install \
 https://github.com/oasislabs/towncrier/archive/oasis-master.tar.gz \
 gitlint
+ - name: Install Nancy
+ run: |
+ set -eux
+ cd $(mktemp --directory /tmp/nancy.XXXXX)
+ NANCY_TARBALL=nancy-linux.amd64-v${NANCY_VERSION}.tar.gz
+ ${CURL_CMD} ${NANCY_URL_PREFIX}/v${NANCY_VERSION}/${NANCY_TARBALL} \
+ --output ${NANCY_TARBALL}
+ ${CURL_CMD} ${NANCY_URL_PREFIX}/v${NANCY_VERSION}/nancychecksums.txt \
+ --output CHECKSUMS
+ sha256sum --check --ignore-missing CHECKSUMS
+ tar -xf ${NANCY_TARBALL}
+ sudo mv nancy /usr/local/bin
+ env:
+ NANCY_URL_PREFIX: https://github.com/sonatype-nexus-community/nancy/releases/download/
+ NANCY_VERSION: 1.0.1
+ CURL_CMD: curl --proto =https --tlsv1.2 -sSL --fail
 - name: Check for presence of a Change Log fragment (only pull requests)
 run: |
 # Fetch the pull request' base branch so towncrier will be able to
@@ -81,6 +97,11 @@ jobs:
 make lint-docs
 # Always run this step so that all linting errors can be seen at once.
 if: always()
+ - name: Audit Go dependencies for vulnerabilities
+ run: |
+ make audit-go
+ # Always run this step so that all linting errors can be seen at once.
+ if: always()
 - name: Check go mod tidy
 # NOTE: go mod tidy doesn't implement a check mode yet.
 # For more details, see: https://github.com/golang/go/issues/27005.
diff --git a/Makefile b/Makefile
index 4c96559efd8..c351d99313d 100644
--- a/Makefile
+++ b/Makefile
@@ -87,6 +87,18 @@ lint-docs:
 lint: $(lint-targets)
+# Audit dependencies for vulnerabilities.
+audit-targets := audit-go audit-rust
+
+audit-go:
+ @$(MAKE) -C go audit
+
+audit-rust:
+ @$(ECHO) "$(CYAN)*** Running cargo audit...$(OFF)"
+ @cargo audit
+
+audit: $(audit-targets)
+
 # Test.
 test-unit-targets := test-unit-rust test-unit-go
 test-targets := test-unit test-e2e
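Review bot: The `sha256sum --check --ignore-missing CHECKSUMS` line in the Install Nancy step verifies the tarball against `nancychecksums.txt` fetched from the same release URL, so it catches a corrupted download but not a replaced release asset, since anyone able to swap the tarball can swap the checksum file alongside it. Pin the expected digest in the step's `env` instead, e.g. `NANCY_SHA256: <sha256-of-nancy-linux.amd64-v1.0.1.tar.gz>` (placeholder, take it from the release), and replace the CHECKSUMS download and check with `echo "${NANCY_SHA256}  ${NANCY_TARBALL}" | sha256sum --check`; a later bump of `NANCY_VERSION` then has to update the digest in the same change, which is the intent. A smaller nit: `NANCY_URL_PREFIX` ends in `/` and is joined with `/v${NANCY_VERSION}`, so the requested URL carries a double slash.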
@@ -214,6 +226,7 @@ docker-shell:
 update-docs \
 $(fmt-targets) fmt \
 $(lint-targets) lint \
+ $(audit-targets) audit \
 $(test-unit-targets) $(test-targets) test \
 $(clean-targets) clean \
 fetch-git \
diff --git a/README.md b/README.md
index 9f14da1f72f..fa3ed849062 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,7 @@
 [![Build status][buildkite-badge]][buildkite-link]
 [![CI lint status][github-ci-lint-badge]][github-ci-lint-link]
+[![CI audit Rust status][github-ci-audit-rust-badge]][github-ci-audit-rust-link]
 [![CI reproducibility status][github-ci-repr-badge]][github-ci-repr-link]
 [![Docker status][github-docker-badge]][github-docker-link]
 [![Release status][github-release-badge]][github-release-link]
@@ -19,6 +20,8 @@ work around that and make the second (non-header) row also bold. -->
 [buildkite-link]: https://buildkite.com/oasisprotocol/oasis-core-ci
 [github-ci-lint-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-lint/badge.svg
 [github-ci-lint-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-lint+branch:master
+[github-ci-audit-rust-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-audit-rust/badge.svg
+[github-ci-audit-rust-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-audit-rust+branch:master
 [github-ci-repr-badge]: https://github.com/oasisprotocol/oasis-core/workflows/ci-reproducibility/badge.svg
 [github-ci-repr-link]: https://github.com/oasisprotocol/oasis-core/actions?query=workflow:ci-reproducibility
 [github-docker-badge]: https://github.com/oasisprotocol/oasis-core/workflows/docker/badge.svg
diff --git a/go/Makefile b/go/Makefile
index 8cdf045262a..dc24a45ce11 100644
--- a/go/Makefile
+++ b/go/Makefile
@@ -59,6 +59,11 @@ lint:
 @$(ECHO) "$(CYAN)*** Running Go linters...$(OFF)"
 @env -u GOPATH golangci-lint run --timeout 4m
+# Audit dependencies for vulnerabilities.
+audit:
+ @$(ECHO) "$(CYAN)*** Running Nancy...$(OFF)"
+ @$(GO) list -json -m all | nancy sleuth
+
+# Test.
 test-targets := test-unit test-node
@@ -138,7 +143,7 @@ clean:
 generate $(go-binaries) $(go-plugins) build \
 $(test-helpers) build-helpers \
 $(test-vectors-targets) \
- fmt lint \
+ fmt lint audit \
 $(test-targets) test force-test \
 $(fuzz-targets) build-fuzz \
 clean all
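Review bot: The new `audit` recipe pipes `$(GO) list -json -m all` into `nancy sleuth`, and the recipe's status is that of the last command in the pipe, so a failing `go list` (a module fetch error, say) leaves nancy with truncated input and the target can still report success; the deleted `.buildkite/go/nancy_audit.sh` ran the same pipeline under `set -euxo pipefail`, and this move drops that guard. If this Makefile sets `SHELL` to bash (not visible in the hunk), `@set -o pipefail; $(GO) list -json -m all | nancy sleuth` restores it; otherwise write the module list to a temporary file first and run `nancy sleuth` on it only after `go list` succeeded. The `make audit-go` step added to `.github/workflows/ci-lint.yml` relies on this target's exit status, so the same gap shows up there.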