diff --git a/.gitignore b/.gitignore
index c9ae4c23..5ab10a8b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,6 @@ dive.log
 /example/lakom
 /.vscode
 /vendor
+
+# gosec
+gosec-report.sarif
diff --git a/Makefile b/Makefile
index a018951a..f19eabbf 100644
--- a/Makefile
+++ b/Makefile
@@ -93,6 +93,7 @@ tidy:
 	@cp $(GARDENER_HACK_DIR)/.ci/* $(REPO_ROOT)/.ci/hack/
 	@chmod +xw $(REPO_ROOT)/.ci/hack/*
 	@cp $(GARDENER_HACK_DIR)/cherry-pick-pull.sh $(HACK_DIR)/cherry-pick-pull.sh && chmod +xw $(HACK_DIR)/cherry-pick-pull.sh
+	@cp $(GARDENER_HACK_DIR)/sast.sh $(HACK_DIR)/sast.sh && chmod +xw $(HACK_DIR)/sast.sh
 # @$(HACK_DIR)/update-github-templates.sh
 
 .PHONY: clean
@@ -121,6 +122,14 @@ format: $(GOIMPORTSREVISER)
 	@GOIMPORTS_REVISER_OPTIONS="-imports-order std,project,general,company" \
 	bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg ./test
 
+.PHONY: sast
+sast: $(GOSEC)
+	@$(HACK_DIR)/sast.sh
+
+.PHONY: sast-report
+sast-report: $(GOSEC)
+	@$(HACK_DIR)/sast.sh --gosec-report true
+
 .PHONY: test
 test: $(REPORT_COLLECTOR)
 	@SKIP_FETCH_TOOLS=1 bash $(GARDENER_HACK_DIR)/test.sh ./cmd/... ./pkg/...
@@ -134,10 +143,10 @@ test-clean:
 	@bash $(GARDENER_HACK_DIR)/test-cover-clean.sh
 
 .PHONY: verify
-verify: check format test
+verify: check format test sast
 
 .PHONY: verify-extended
-verify-extended: check-generate check format test test-cov test-clean
+verify-extended: check-generate check format test test-cov test-clean sast-report
 
 .PHONY: update-skaffold-deps
 update-skaffold-deps: $(YQ)
diff --git a/hack/sast.sh b/hack/sast.sh
new file mode 100755
index 00000000..9ccfa89e
--- /dev/null
+++ b/hack/sast.sh
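Review bot: The new `tidy` recipe line overwrites `$(HACK_DIR)/sast.sh` from `$(GARDENER_HACK_DIR)` on every run, so the hack/sast.sh added in this same commit is effectively a vendored copy and any local fix to it is silently discarded the next time someone runs `make tidy`. The cherry-pick-pull.sh line above it has the same property, but nothing in the file says so. A comment above the copy lines, e.g. `# synced from gardener/gardener on every tidy — change these scripts upstream, not here`, would save contributors from patching the wrong copy. The tidy rule starts before this hunk.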
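Review bot: `sast:` and `sast-report:` declare `$(GOSEC)` as a prerequisite, but the script they run (hack/sast.sh, added in this commit) invokes a bare `gosec` resolved from PATH and never reads `$(GOSEC)`, so the binary the Makefile fetches and pins is not necessarily the one that executes — a host with no gosec on PATH fails right after the tool was installed, and a host with a different gosec on PATH runs that version instead of the pinned one. Passing the path through closes the gap: `@GOSEC=$(GOSEC) $(HACK_DIR)/sast.sh` in both recipes, with the script calling `"${GOSEC:-gosec}"`. Note also that `--gosec-report true` is only compared as `!= "false"` inside the script, so any non-"false" value enables the report; the recipe is fine as written, but the flag is not the boolean its name suggests. The `format` rule this hunk starts in begins before the hunk.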
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"
+
+gosec_report="false"
+gosec_report_parse_flags=""
+
+parse_flags() {
+  while test $# -gt 1; do
+    case "$1" in
+      --gosec-report)
+        shift; gosec_report="$1"
+        ;;
+      *)
+        echo "Unknown argument: $1"
+        exit 1
+        ;;
+    esac
+    shift
+  done
+}
+
+parse_flags "$@"
+
+echo "> Running gosec"
+gosec --version
+if [[ "$gosec_report" != "false" ]]; then
+  echo "Exporting report to $root_dir/gosec-report.sarif"
+  gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
+fi
+
+# Gardener uses code-generators https://github.com/kubernetes/code-generator and https://github.com/protocolbuffers/protobuf
+# which create lots of G103 (CWE-242: Use of unsafe calls should be audited) & G104 (CWE-703: Errors unhandled) errors.
+# However, those generators are best-pratice in Kubernetes environment and their results are tested well.
+# Thus, generated code is excluded from gosec scan.
+# Nested go modules are not supported by gosec (see https://github.com/securego/gosec/issues/501), so the ./hack folder
+# is excluded too. It does not contain productive code anyway.
+gosec -exclude-generated -exclude-dir=hack $gosec_report_parse_flags ./...
\ No newline at end of file
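Review bot: The `echo "Exporting report to $root_dir/gosec-report.sarif"` line promises a repo-root path, but `-out=gosec-report.sarif` and the `./...` pattern on the final `gosec` line are relative to the caller's working directory — `root_dir` is computed and never used to change directory, so a run from a subdirectory scans a different tree and drops the SARIF file outside the location the new .gitignore entry covers. Adding `cd "$root_dir"` directly after the `root_dir=` assignment pins both the scan scope and the output path. `parse_flags` also loops on `test $# -gt 1`, so a lone trailing argument (`--gosec-report` with no value, or a single unknown flag) is silently ignored rather than reaching the `Unknown argument` branch; `-gt 0` with an explicit check that the value after `--gosec-report` is present would make misuse fail loudly. Finally, the `gosec` call resolves the binary from PATH even though the Makefile targets depend on `$(GOSEC)`; honouring an override such as `"${GOSEC:-gosec}"` on both `gosec` lines would keep the pinned tool in use.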