Check for CVEs in Oracle InstantClient during build (#124)

Check OSV and NIST NVD to see if Oracle InstantClient has had any CVEs reported. (As of 2023, none ever have been, so the check is our best guess as to what name they will be published under.) Initially was going to add `security-scanner` to scan the binary as well, but it looks like it does not support Cgo binaries. Also updated Go to 1.20.4.
hashicorp · May 16, 2023 · 69b7b59 · 69b7b59
1 parent 81f080d
commit 69b7b59
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -14,6 +14,18 @@ env:
   PKG_NAME: "vault-plugin-database-oracle"
 
 jobs:
+  cve-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check OSV
+        id: osv-check
+        run: |
+          test $(curl -XPOST https://api.osv.dev/v1/query -d '{"package":{"name":"oracle-instantclient19.18-basic"}, "version": "19.18"}') = "{}"
+      - name: Check NIST NVD
+        id: nvd-check
+        run: |
+          test $(curl -sSL 'https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:a:oracle:instant_client:19.18:*' | jq .totalResults) -eq 0
+
   get-product-version:
     runs-on: ubuntu-latest
     outputs:

diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.20.2
+1.20.4
diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,7 @@ RUN yum update -y && yum install -y  \
 		zip \
 		git
 
-ENV GOLANG_VERSION 1.20.2
+ENV GOLANG_VERSION 1.20.4
 
 RUN set -eux; \
 	url="https://golang.org/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz"; \

diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ EXTERNAL_TOOLS=\
 
 default: dev
 
-# bin generates the releaseable binaries for vault-plugin-database-oracl0e
+# bin generates the releaseable binaries for vault-plugin-database-oracle
 bin: fmtcheck generate
 	@CGO_ENABLED=1 BUILD_TAGS='$(BUILD_TAGS)' XC_ARCH="amd64" XC_OS="linux" XC_OSARCH="linux/amd64" sh -c "'$(CURDIR)/scripts/build.sh'"