From 9be7b09a514ab2a4645c46083a80676c981c801c Mon Sep 17 00:00:00 2001
From: aaronfern
Date: Fri, 10 Jan 2025 18:34:48 +0530
Subject: [PATCH] Introduce gosec for Static Application Security Testing (SAST)
---
.gitignore | 4 ++
cluster-autoscaler/Makefile | 12 +++-
cluster-autoscaler/hack/sast.sh | 71 +++++++++++++++++++
cluster-autoscaler/hack/tools.mk | 15 ++++
.../hack/tools/install-gosec.sh | 45 ++++++++++++
5 files changed, 146 insertions(+), 1 deletion(-)
create mode 100755 cluster-autoscaler/hack/sast.sh
create mode 100644 cluster-autoscaler/hack/tools.mk
create mode 100755 cluster-autoscaler/hack/tools/install-gosec.sh
diff --git a/.gitignore b/.gitignore
index 275501aa5960..3fa63e23acf4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,7 @@ Session.vim # Binary files bin/
+cluster-autoscaler/hack/tools/bin
+
+# gosec
+gosec-report.sarif
diff --git a/cluster-autoscaler/Makefile b/cluster-autoscaler/Makefile
index 34e4d729cd63..cdf5e5a1f899 100644
--- a/cluster-autoscaler/Makefile
+++ b/cluster-autoscaler/Makefile
@@ -124,6 +124,8 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ## Tool Versions CONTROLLER_TOOLS_VERSION ?= v0.14.0
+include hack/tools.mk
+
 .PHONY: controller-gen controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. $(CONTROLLER_GEN): $(LOCALBIN)
@@ -186,4 +188,12 @@ download-kubeconfigs: .PHONY: test-integration test-integration:
- ../.ci/local_integration_test
\ No newline at end of file
+ ../.ci/local_integration_test
+
+.PHONY: sast
+sast: $(GOSEC)
+ @./hack/sast.sh
+
+.PHONY: sast-report
+sast-report: $(GOSEC)
+ @./hack/sast.sh --gosec-report true
\ No newline at end of file
diff --git a/cluster-autoscaler/hack/sast.sh b/cluster-autoscaler/hack/sast.sh
new file mode 100755
index 000000000000..070f627ccfdd
--- /dev/null
+++ b/cluster-autoscaler/hack/sast.sh 
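Review bot: The added `cluster-autoscaler/hack/tools/bin` entry is already covered by the existing `bin/` pattern just above it — a pattern with only a trailing slash matches a directory of that name at any depth — so the new line is redundant, though harmless. If the intent is to document where the tool lands, a comment such as `# gosec is installed here by hack/tools.mk` says that more clearly than a duplicate pattern.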
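Review bot: `sast` and `sast-report` carry no `##` description, unlike `controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.` earlier in this file, so a help target that scrapes those comments (if the file has one) will not list them; `sast: $(GOSEC) ## Run gosec static analysis via hack/sast.sh.` and `sast-report: $(GOSEC) ## Run gosec and write gosec-report.sarif.` keep the convention. Both recipes only work when make is run from cluster-autoscaler, because hack/sast.sh resolves `./...` and the report path against the working directory rather than against its own location — worth a short comment above the targets. The file is also still left without a trailing newline, as the `\ No newline at end of file` marker shows, so the next change here will touch this line again.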
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"
+TOOLS_BIN_DIR="${root_dir}/hack/tools/bin"
+
+gosec_report="false"
+gosec_report_parse_flags=""
+dir_to_exclude=""
+
+parse_flags() {
+ while test $# -gt 1; do
+ case "$1" in
+ --gosec-report)
+ shift; gosec_report="$1"
+ ;;
+ *)
+ echo "Unknown argument: $1"
+ exit 1
+ ;;
+ esac
+ shift
+ done
+}
+
+parse_flags "$@"
+
+echo "> Running gosec"
+${TOOLS_BIN_DIR}/gosec --version
+if [[ "$gosec_report" != "false" ]]; then
+ echo "Exporting report to $root_dir/gosec-report.sarif"
+ gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
+fi
+
+dir_to_exclude="-exclude-dir=cloudprovider/alicloud
+-exclude-dir=cloudprovider/aws
+-exclude-dir=cloudprovider/azure
+-exclude-dir=cloudprovider/baiducloud
+-exclude-dir=cloudprovider/bizflycloud
+-exclude-dir=cloudprovider/brightbox
+-exclude-dir=cloudprovider/cherryservers
+-exclude-dir=cloudprovider/civo
+-exclude-dir=cloudprovider/cloudstack
+-exclude-dir=cloudprovider/clusterapi
+-exclude-dir=cloudprovider/digitalocean
+-exclude-dir=cloudprovider/equinixmetal
+-exclude-dir=cloudprovider/exoscale
+-exclude-dir=cloudprovider/gce
+-exclude-dir=cloudprovider/hetzner
+-exclude-dir=cloudprovider/huaweicloud
+-exclude-dir=cloudprovider/ionoscloud
+-exclude-dir=cloudprovider/kamatera
+-exclude-dir=cloudprovider/kubemark
+-exclude-dir=cloudprovider/kwok
+-exclude-dir=cloudprovider/linode
+-exclude-dir=cloudprovider/magnum
+-exclude-dir=cloudprovider/oci
+-exclude-dir=cloudprovider/ovhcloud
+-exclude-dir=cloudprovider/rancher
+-exclude-dir=cloudprovider/scaleway
+-exclude-dir=cloudprovider/tencentcloud
+-exclude-dir=cloudprovider/volcengine
+-exclude-dir=cloudprovider/vultr
+"
+
+${TOOLS_BIN_DIR}/gosec -exclude-generated $dir_to_exclude 
$gosec_report_parse_flags ./...
\ No newline at end of file
diff --git a/cluster-autoscaler/hack/tools.mk b/cluster-autoscaler/hack/tools.mk
new file mode 100644
index 000000000000..4574fe125b34
--- /dev/null
+++ b/cluster-autoscaler/hack/tools.mk
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+TOOLS_DIR := hack/tools
+TOOLS_BIN_DIR := $(TOOLS_DIR)/bin
+
+# Tool Binaries
+GOSEC ?= $(TOOLS_BIN_DIR)/gosec
+
+# Tool Versions
+GOSEC_VERSION ?= v2.21.4
+
+$(GOSEC):
+ @GOSEC_VERSION=$(GOSEC_VERSION) $(TOOLS_DIR)/install-gosec.sh
\ No newline at end of file
diff --git a/cluster-autoscaler/hack/tools/install-gosec.sh b/cluster-autoscaler/hack/tools/install-gosec.sh
new file mode 100755
index 000000000000..289ad405ab92
--- /dev/null
+++ b/cluster-autoscaler/hack/tools/install-gosec.sh 
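Review bot: The scan target `./...` and the report path `-out=gosec-report.sarif` on the last lines of sast.sh are resolved against the caller's working directory, while the log line above claims `$root_dir/gosec-report.sarif`; root_dir is only used to locate the gosec binary, so invoking the script from anywhere other than cluster-autoscaler scans the wrong tree and writes the report somewhere else. A `cd "${root_dir}"` right after root_dir is computed makes the script match its own message and removes the dependency on the Makefile's working directory. In parse_flags, `while test $# -gt 1` drops a lone trailing argument silently, so `--gosec-report` with no value or a misspelled flag never reaches the `Unknown argument` branch; looping while `$# -gt 0` and checking that a value follows `--gosec-report` would fail loudly instead. The -exclude-dir block is the effective scope of the scan — any cloudprovider directory not named there, including ones added later, is scanned — so a one-line comment above it stating why those directories are skipped would spare the next maintainer the guesswork.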
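Review bot: `$(GOSEC)` is a plain file target, so once hack/tools/bin/gosec exists a bump of GOSEC_VERSION is never acted on — make sees the binary as up to date and the old version keeps running until someone deletes it by hand, which makes the version pin largely decorative. A stamp file named after the version as the prerequisite fixes that in a few lines, as below. The recipe also passes only GOSEC_VERSION to install-gosec.sh and relies on the script's own default output directory happening to equal TOOLS_BIN_DIR here; passing `TOOLS_BIN_DIR=$(TOOLS_BIN_DIR)` as well keeps the two from drifting. Since the Makefile already has `LOCALBIN` for controller-gen, a comment on why gosec gets a second tool directory would help.
```make
# … unchanged: TOOLS_DIR, TOOLS_BIN_DIR, GOSEC, GOSEC_VERSION …

# Version-named stamp: bumping GOSEC_VERSION changes the prerequisite name,
# so the binary is re-fetched instead of being treated as up to date.
GOSEC_STAMP := $(TOOLS_BIN_DIR)/.gosec-$(GOSEC_VERSION)

$(GOSEC): $(GOSEC_STAMP)
	@TOOLS_BIN_DIR=$(TOOLS_BIN_DIR) GOSEC_VERSION=$(GOSEC_VERSION) $(TOOLS_DIR)/install-gosec.sh

$(GOSEC_STAMP):
	@mkdir -p $(@D)
	@$(RM) $(TOOLS_BIN_DIR)/.gosec-*
	@touch $@
```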
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+echo "> Installing gosec"
+
+TOOLS_BIN_DIR=${TOOLS_BIN_DIR:-$(dirname $0)/bin}
+if [[ ! -d $TOOLS_BIN_DIR ]]; then
+ mkdir -p $TOOLS_BIN_DIR
+fi
+
+platform=$(uname -s | tr '[:upper:]' '[:lower:]')
+version=$GOSEC_VERSION
+echo "gosec version:$GOSEC_VERSION"
+case $(uname -m) in
+ aarch64 | arm64)
+ arch="arm64"
+ ;;
+ x86_64)
+ arch="amd64"
+ ;;
+ *)
+ echo "Unknown architecture"
+ exit 1
+ ;;
+esac
+
+archive_name="gosec_${version#v}_${platform}_${arch}"
+file_name="${archive_name}.tar.gz"
+
+temp_dir="$(mktemp -d)"
+function cleanup {
+ rm -rf "${temp_dir}"
+}
+trap cleanup EXIT ERR INT TERM
+echo "Downloading from: https://github.com/securego/gosec/releases/download/${version}/${file_name}"
+curl -L -o ${temp_dir}/${file_name} "https://github.com/securego/gosec/releases/download/${version}/${file_name}"
+
+tar -xzm -C "${temp_dir}" -f "${temp_dir}/${file_name}"
+mv "${temp_dir}/gosec" $TOOLS_BIN_DIR
+chmod +x $TOOLS_BIN_DIR/gosec
\ No newline at end of file
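Review bot: The archive fetched by `curl -L -o ${temp_dir}/${file_name} ...` is extracted and installed with no integrity check, so whatever the download returns becomes the binary that later runs as the security scanner over the whole tree; a corrupted or substituted archive would be installed silently. Pin the expected digest next to the pinned version in tools.mk, or at least verify the archive against the checksums file published with the release, as the rewrite below does (the checksums file name follows the archive naming used here — confirm it against the release page). `version=$GOSEC_VERSION` is never checked either: with GOSEC_VERSION unset, `set -e` does not notice and the script requests `releases/download//gosec__linux_amd64.tar.gz`; `: "${GOSEC_VERSION:?GOSEC_VERSION must be set}"` near the top fails early with a clear message. `curl` without `-f` saves an HTML error page as the archive, so it is tar rather than curl that reports a bad download; `-fsSL` is the usual fix, and `$TOOLS_BIN_DIR` and `$0` should be quoted where they are expanded bare.
```bash
# … unchanged: platform/arch detection, archive_name, file_name, temp_dir, trap …
release_url="https://github.com/securego/gosec/releases/download/${version}"
checksums_name="gosec_${version#v}_checksums.txt"
echo "Downloading from: ${release_url}/${file_name}"
curl -fsSL -o "${temp_dir}/${file_name}" "${release_url}/${file_name}"
curl -fsSL -o "${temp_dir}/${checksums_name}" "${release_url}/${checksums_name}"

# Refuse to extract an archive whose digest differs from the published one.
expected="$(grep " ${file_name}\$" "${temp_dir}/${checksums_name}" | awk '{print $1}')"
if command -v sha256sum >/dev/null 2>&1; then
  actual="$(sha256sum "${temp_dir}/${file_name}" | awk '{print $1}')"
else
  actual="$(shasum -a 256 "${temp_dir}/${file_name}" | awk '{print $1}')"
fi
if [[ -z "${expected}" || "${expected}" != "${actual}" ]]; then
  echo "Checksum mismatch for ${file_name}: expected '${expected}', got '${actual}'"
  exit 1
fi
# … unchanged: tar extraction, mv into TOOLS_BIN_DIR, chmod …
```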