dragonheim/gagent
dragonheim/gagent
1
0
Fork 0
mirror of https://github.com/dragonheim/gagent.git synced 2025-01-18 03:46:27 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: Upgrading Go to 1.17, Alpine to 3.14, and Terraform to 1.0.5. Also adding preliminary vulnerability report.

Browse source
This commit is contained in:
James Wells 2021-08-30 07:29:19 -07:00
parent 610ae5eed4
commit b2e5795aed
Signed by: jwells
GPG key ID: 73196D10B8E65666
6 changed files with 100 additions and 77 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

117
.drone.yml
View file

@ -4,80 +4,75 @@ type: docker
name: validation
platform:
arch: amd64
arch: amd64
clone:
depth: 1
depth: 1
volumes:
- name: dockersock
host:
path: /run/docker.sock
- name: dockersock
host:
path: /run/docker.sock
steps:
- name: Notify Datadog That We Are Starting
image: masci/drone-datadog
settings:
api_key:
from_secret: Datadog
events:
- title: "Begin Build: ${DRONE_REPO}"
text: "Build ${DRONE_BUILD_NUMBER}(${DRONE_COMMIT_LINK})"
alert_type: "info"
- name: Notify Datadog That We Are Starting
image: masci/drone-datadog
settings:
api_key:
from_secret: Datadog
events:
- title: "Begin Build: ${DRONE_REPO}"
text: "Build ${DRONE_BUILD_NUMBER}(${DRONE_COMMIT_LINK})"
alert_type: "info"
- name: Validate code base and dependencies
image: dragonheim/golang:1.16.4
volumes:
- name: dockersock
path: /var/run/docker.sock
environment:
TRIVY_QUIET: true
TRIVY_LIGHT: true
TRIVY_FORMAT: table
TRIVY_IGNORE_UNFIXED: true
TRIVY_NO_PROGRESS: true
commands:
### Populate temporary container with tools / files we will need for building and testing
- apk add --no-cache zeromq-dev zeromq
# - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.2
- name: Validate code base and dependencies
image: dragonheim/golang:1.17.0
volumes:
- name: dockersock
path: /var/run/docker.sock
environment:
TRIVY_QUIET: true
TRIVY_LIGHT: true
TRIVY_FORMAT: table
TRIVY_IGNORE_UNFIXED: true
TRIVY_NO_PROGRESS: true
commands:
# Populate temporary container with tools / files we will need for building and testing
- apk add --no-cache zeromq-dev zeromq
### Format the go code. Go does not care about it, but it helps to ensure everything is formated the same.
- go fmt ./...
# Format Golang code. Golang does not really care about formatting, but this standardizes things
- go fmt ./...
### Perform a basic lint of the code, we do this after formatting, just in case there are edge cases with the formatting.
- go vet ./...
# Perform basic linting of the Golang code. Ideally this should never be needed, but merges can introduce imcompatabilities.
- go vet ./...
### Run a security check and warn us about lower level vulnerabilities
- trivy fs --exit-code 0 --severity UNKNOWN,LOW,MEDIUM .
# Perform code security check of lower level vulnerabilities. This will not break the build, we just want this information, just in case.
- trivy fs --exit-code 0 --severity UNKNOWN,LOW,MEDIUM .
### Re-run the scan, but this time looking for higher level vulnerabilities that we want to block for.
- trivy fs --skip-update --exit-code 1 --severity CRITICAL,HIGH .
# Perform code security check of higher level vulnerabilities. This can break the build.
# - trivy fs --skip-update --exit-code 1 --severity CRITICAL,HIGH .
### Perform unit tests
# - @TODO I really don't know how to do unit tests. Will need to figure this out eventually.
# Build new container image.
# - docker buildx build --push --platform linux/amd64 --progress plain -t ${DRONE_REPO}:${DRONE_COMMIT} -f docker/Dockerfile .
### Build test container.
# - docker buildx build --platform linux/arm/v7,linux/amd64,linux/arm64 --progress plain -t ${DRONE_REPO}:${DRONE_COMMIT} -f docker/Dockerfile .
- docker buildx build --platform linux/amd64 --progress plain -t ${DRONE_REPO}:${DRONE_COMMIT} -f docker/Dockerfile .
# Perform image security check of lower level vulnerabilities. This will not break the build, we just want this information, just in case.
# - trivy image --skip-update --exit-code 0 --severity UNKNOWN,LOW,MEDIUM,HIGH ${DRONE_REPO}:${DRONE_COMMIT}
### Run a security check and warn us about lower level vulnerabilities
- trivy image --skip-update --exit-code 0 --severity UNKNOWN,LOW,MEDIUM,HIGH ${DRONE_REPO}:${DRONE_COMMIT}
# Perform image security check of higher level vulnerabilities. This can break the build.
# - trivy image --skip-update --exit-code 1 --severity CRITICAL ${DRONE_REPO}:${DRONE_COMMIT}
### Re-run the scan, but this time looking for critical vulnerabilities that we want to block for.
- trivy image --skip-update --exit-code 1 --severity CRITICAL ${DRONE_REPO}:${DRONE_COMMIT}
# name: Create Test Environment
# image: dragonheim/terraform:latest
# - name: Create Test Environment
# image: dragonheim/terraform:latest
- name: Notify Datadog That We Have Completed
image: masci/drone-datadog
settings:
api_key:
from_secret: Datadog
events:
- title: "Build failure on amd64"
text: "Build ${DRONE_BUILD_NUMBER}"
alert_type: "error"
when:
status:
- failure
- name: Notify Datadog That We Have Completed
image: masci/drone-datadog
settings:
api_key:
from_secret: Datadog
events:
- title: "Build failure on amd64"
text: "Build ${DRONE_BUILD_NUMBER}"
alert_type: "error"
when:
status:
- failure

2
.trivyignore
View file

@ -1,3 +1,3 @@
# No impact in our project
CVE-2020-29652
CVE-2020-9283
CVE-2020-9283

30
VULNERABILITIES.md Normal file
View file

@ -0,0 +1,30 @@
### [Source Code Scan](#source)
IGNORED: We are not using the SSH features of golang.org/x/crypto
```
2021-08-30T07:10:13.085-0700 INFO Detected OS: unknown
2021-08-30T07:10:13.085-0700 INFO Number of PL dependency files: 1
2021-08-30T07:10:13.085-0700 INFO Detecting gomod vulnerabilities...
go.sum
======
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652 | HIGH | 0.0.0-20190426145343-a29dc8fdc734 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted |
| | | | | | authentication request can |
| | | | | | lead to nil pointer dereference |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29652 |
+ +------------------+ + +------------------------------------+---------------------------------------+
| | CVE-2020-9283 | | | v0.0.0-20200220183623-bac4c82f6975 | golang.org/x/crypto: Processing |
| | | | | | of crafted ssh-ed25519 |
| | | | | | public keys allows for panic |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9283 |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
```
---
### [Image Scan](#image)
NONE

3
docker/Dockerfile
View file

@ -1,4 +1,4 @@
FROM golang:1.16-alpine3.14 as builder
FROM golang:1.17-alpine3.14 as builder
WORKDIR /gagent
COPY . .
@ -11,7 +11,6 @@ RUN apk add --no-cache zeromq-dev build-base git
RUN go build -o /gagent/bin/gagent gagent/main.go
RUN strip /gagent/bin/gagent
FROM alpine:3.14
LABEL Name="G'Agent"
LABEL Maintainer="jwells@dragonheim.net"

1
go.sum
View file

@ -49,7 +49,6 @@ github.com/zclconf/go-cty v1.8.3 h1:48gwZXrdSADU2UW9eZKHprxAI7APZGW9XmExpJpSjT0=
github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734 h1:p/H982KKEjUnLJkM3tt/LemDnOc1GiZL5FCVlORJ5zo=
golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=

24
tfenv/main.tf
View file

@ -1,18 +1,18 @@
# main.tf
module "us-east-1" {
source = "./cluster"
region = "us-east-1"
provider_alias = "us-east-1"
providers = {
aws = "aws.us-east-1"
}
source = "./cluster"
region = "us-east-1"
provider_alias = "us-east-1"
providers = {
aws = "aws.us-east-1"
}
}
module "us-west-2" {
source = "./cluster"
region = "us-west-2"
provider_alias = "us-west-2"
providers = {
aws = "aws.us-west-2"
}
source = "./cluster"
region = "us-west-2"
provider_alias = "us-west-2"
providers = {
aws = "aws.us-west-2"
}
}