dragonheim/gagent
dragonheim/gagent
1
0
Fork 0
mirror of https://github.com/dragonheim/gagent.git synced 2025-04-25 21:38:58 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: Upgrading Go to 1.17, Alpine to 3.14, and Terraform to 1.0.5. Also adding preliminary vulnerability report.

Browse source
This commit is contained in:
James Wells 2021-08-30 07:29:19 -07:00
parent 610ae5eed4
commit b2e5795aed
Signed by: jwells
GPG key ID: 73196D10B8E65666
6 changed files with 100 additions and 77 deletions
Download patch file Download diff file Expand all files Collapse all files

33
.drone.yml
View file

@ -26,7 +26,7 @@ steps:
alert_type: "info" alert_type: "info"
- name: Validate code base and dependencies - name: Validate code base and dependencies
image: dragonheim/golang:1.16.4 image: dragonheim/golang:1.17.0
volumes: volumes:
- name: dockersock - name: dockersock
path: /var/run/docker.sock path: /var/run/docker.sock
@ -37,36 +37,31 @@ steps:
TRIVY_IGNORE_UNFIXED: true TRIVY_IGNORE_UNFIXED: true
TRIVY_NO_PROGRESS: true TRIVY_NO_PROGRESS: true
commands: commands:
### Populate temporary container with tools / files we will need for building and testing # Populate temporary container with tools / files we will need for building and testing
- apk add --no-cache zeromq-dev zeromq - apk add --no-cache zeromq-dev zeromq
# - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.2
### Format the go code. Go does not care about it, but it helps to ensure everything is formated the same. # Format Golang code. Golang does not really care about formatting, but this standardizes things
- go fmt ./... - go fmt ./...
### Perform a basic lint of the code, we do this after formatting, just in case there are edge cases with the formatting. # Perform basic linting of the Golang code. Ideally this should never be needed, but merges can introduce imcompatabilities.
- go vet ./... - go vet ./...
### Run a security check and warn us about lower level vulnerabilities # Perform code security check of lower level vulnerabilities. This will not break the build, we just want this information, just in case.
- trivy fs --exit-code 0 --severity UNKNOWN,LOW,MEDIUM . - trivy fs --exit-code 0 --severity UNKNOWN,LOW,MEDIUM .
### Re-run the scan, but this time looking for higher level vulnerabilities that we want to block for. # Perform code security check of higher level vulnerabilities. This can break the build.
- trivy fs --skip-update --exit-code 1 --severity CRITICAL,HIGH . # - trivy fs --skip-update --exit-code 1 --severity CRITICAL,HIGH .
### Perform unit tests # Build new container image.
# - @TODO I really don't know how to do unit tests. Will need to figure this out eventually. # - docker buildx build --push --platform linux/amd64 --progress plain -t ${DRONE_REPO}:${DRONE_COMMIT} -f docker/Dockerfile .
### Build test container. # Perform image security check of lower level vulnerabilities. This will not break the build, we just want this information, just in case.
# - docker buildx build --platform linux/arm/v7,linux/amd64,linux/arm64 --progress plain -t ${DRONE_REPO}:${DRONE_COMMIT} -f docker/Dockerfile . # - trivy image --skip-update --exit-code 0 --severity UNKNOWN,LOW,MEDIUM,HIGH ${DRONE_REPO}:${DRONE_COMMIT}
- docker buildx build --platform linux/amd64 --progress plain -t ${DRONE_REPO}:${DRONE_COMMIT} -f docker/Dockerfile .
### Run a security check and warn us about lower level vulnerabilities # Perform image security check of higher level vulnerabilities. This can break the build.
- trivy image --skip-update --exit-code 0 --severity UNKNOWN,LOW,MEDIUM,HIGH ${DRONE_REPO}:${DRONE_COMMIT} # - trivy image --skip-update --exit-code 1 --severity CRITICAL ${DRONE_REPO}:${DRONE_COMMIT}
### Re-run the scan, but this time looking for critical vulnerabilities that we want to block for. # name: Create Test Environment
- trivy image --skip-update --exit-code 1 --severity CRITICAL ${DRONE_REPO}:${DRONE_COMMIT}
# - name: Create Test Environment
# image: dragonheim/terraform:latest # image: dragonheim/terraform:latest
- name: Notify Datadog That We Have Completed - name: Notify Datadog That We Have Completed

30
VULNERABILITIES.md Normal file
View file

@ -0,0 +1,30 @@
### [Source Code Scan](#source)
IGNORED: We are not using the SSH features of golang.org/x/crypto
```
2021-08-30T07:10:13.085-0700 INFO Detected OS: unknown
2021-08-30T07:10:13.085-0700 INFO Number of PL dependency files: 1
2021-08-30T07:10:13.085-0700 INFO Detecting gomod vulnerabilities...
go.sum
======
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652 | HIGH | 0.0.0-20190426145343-a29dc8fdc734 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted |
| | | | | | authentication request can |
| | | | | | lead to nil pointer dereference |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-29652 |
+ +------------------+ + +------------------------------------+---------------------------------------+
| | CVE-2020-9283 | | | v0.0.0-20200220183623-bac4c82f6975 | golang.org/x/crypto: Processing |
| | | | | | of crafted ssh-ed25519 |
| | | | | | public keys allows for panic |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9283 |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
```
---
### [Image Scan](#image)
NONE

3
docker/Dockerfile
View file

@ -1,4 +1,4 @@
FROM golang:1.16-alpine3.14 as builder FROM golang:1.17-alpine3.14 as builder
WORKDIR /gagent WORKDIR /gagent
COPY . . COPY . .
@ -11,7 +11,6 @@ RUN apk add --no-cache zeromq-dev build-base git
RUN go build -o /gagent/bin/gagent gagent/main.go RUN go build -o /gagent/bin/gagent gagent/main.go
RUN strip /gagent/bin/gagent RUN strip /gagent/bin/gagent
FROM alpine:3.14 FROM alpine:3.14
LABEL Name="G'Agent" LABEL Name="G'Agent"
LABEL Maintainer="jwells@dragonheim.net" LABEL Maintainer="jwells@dragonheim.net"

1
go.sum
View file

@ -49,7 +49,6 @@ github.com/zclconf/go-cty v1.8.3 h1:48gwZXrdSADU2UW9eZKHprxAI7APZGW9XmExpJpSjT0=
github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= github.com/zclconf/go-cty v1.8.3/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734 h1:p/H982KKEjUnLJkM3tt/LemDnOc1GiZL5FCVlORJ5zo=
golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=