adds govulncheck to builder base

aws · Oct 27, 2023 · 4e7c3a9 · 4e7c3a9
1 parent a2fef19
commit 4e7c3a9
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 0 deletions.
diff --git a/builder-base/Dockerfile b/builder-base/Dockerfile
@@ -456,6 +456,20 @@ RUN --mount=type=cache,target=/root/.cache/go-build,sharing=locked \
     --mount=type=secret,id=netrc,target=/root/.netrc \
     /install_go_licenses.sh
 
+FROM ${BUILDER_IMAGE} as go-vuln-check
+ARG TARGETARCH
+ARG GOPROXY
+ARG GO_VULN_CHECK_VERSION
+ENV GO_VULN_CHECK_VERSION=$GO_VULN_CHECK_VERSION
+WORKDIR /workdir
+ENV GOPATH /go
+ENV PATH="/go/bin/:$PATH"
+COPY --link --from=golang-1.21 /golang-1.21 /
+COPY ./scripts/common_vars.sh \
+    ./scripts/install_go_vuln_check.sh /
+RUN --mount=type=cache,target=/root/.cache/go-build,sharing=locked \
+    --mount=type=secret,id=netrc,target=/root/.netrc \
+    /install_go_vuln_check.sh
 
 FROM ${BASE_IMAGE} as minimal-copy-stage
 
@@ -489,6 +503,7 @@ COPY --link --from=golang-1.20 /golang-1.20 /
 COPY --link --from=go-licenses-1.20 /go-licenses-1.20 /
 COPY --link --from=golang-1.21 /golang-1.21 /
 COPY --link --from=go-licenses-1.21 /go-licenses-1.21 /
+COPY --link --from=go-vuln-check /go-vuln-check /
 # add the default golang verison last so its /usr/bin/go
 # takes precendent
 COPY --link --from=golang-1.18 /golang-1.18 /

diff --git a/builder-base/scripts/install_go_vuln_check.sh b/builder-base/scripts/install_go_vuln_check.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -o pipefail
+
+SCRIPT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+
+NEWROOT=/go-vuln-check
+
+source $SCRIPT_ROOT/common_vars.sh
+
+function install_go_vuln_check() {
+    GO111MODULE=on GOBIN=${NEWROOT}/${GOPATH}/${GOLANG_MAJOR_VERSION}/bin go install golang.org/x/vuln/cmd/govulncheck@$GO_VULN_CHECK_VERSION
+
+    rm -rf ${GOPATH}
+}
+
+[ ${SKIP_INSTALL:-false} != false ] || install_go_vuln_check
diff --git a/builder-base/versions.yaml b/builder-base/versions.yaml
@@ -11,6 +11,7 @@ GOLANG_VERSION_120: 1.20.10-11
 GOLANG_VERSION_121: 1.21.3-4
 GO_LICENSES_VERSION: v1.6.0
 GOVC_VERSION: 0.25.0
+GO_VULN_CHECK_VERSION: v1.0.1
 GOSS_VERSION: 3.1.4
 HELM_VERSION: 3.8.1
 HUGO_VERSION: 0.85.0