From 4e7c3a9166c60776f198af27d1ae0f425d0fa110 Mon Sep 17 00:00:00 2001
From: Jackson West
Date: Fri, 27 Oct 2023 09:20:13 -0500
Subject: [PATCH] adds govulncheck to builder base

---
 builder-base/Dockerfile | 15 +++++++++
 builder-base/scripts/install_go_vuln_check.sh | 31 +++++++++++++++++++
 builder-base/versions.yaml | 1 +
 3 files changed, 47 insertions(+)
 create mode 100755 builder-base/scripts/install_go_vuln_check.sh

diff --git a/builder-base/Dockerfile b/builder-base/Dockerfile
index 9ec123642..1bf97702c 100644
--- a/builder-base/Dockerfile
+++ b/builder-base/Dockerfile
@@ -456,6 +456,20 @@ RUN --mount=type=cache,target=/root/.cache/go-build,sharing=locked \
     --mount=type=secret,id=netrc,target=/root/.netrc \
     /install_go_licenses.sh
 
+FROM ${BUILDER_IMAGE} as go-vuln-check
+ARG TARGETARCH
+ARG GOPROXY
+ARG GO_VULN_CHECK_VERSION
+ENV GO_VULN_CHECK_VERSION=$GO_VULN_CHECK_VERSION
+WORKDIR /workdir
+ENV GOPATH /go
+ENV PATH="/go/bin/:$PATH"
+COPY --link --from=golang-1.21 /golang-1.21 /
+COPY ./scripts/common_vars.sh \
+    ./scripts/install_go_vuln_check.sh /
+RUN --mount=type=cache,target=/root/.cache/go-build,sharing=locked \
+    --mount=type=secret,id=netrc,target=/root/.netrc \
+    /install_go_vuln_check.sh
 
 FROM ${BASE_IMAGE} as minimal-copy-stage
 
@@ -489,6 +503,7 @@ COPY --link --from=golang-1.20 /golang-1.20 /
 COPY --link --from=go-licenses-1.20 /go-licenses-1.20 /
 COPY --link --from=golang-1.21 /golang-1.21 /
 COPY --link --from=go-licenses-1.21 /go-licenses-1.21 /
+COPY --link --from=go-vuln-check /go-vuln-check /
 # add the default golang verison last so its /usr/bin/go
 # takes precendent
 COPY --link --from=golang-1.18 /golang-1.18 /
diff --git a/builder-base/scripts/install_go_vuln_check.sh b/builder-base/scripts/install_go_vuln_check.sh
new file mode 100755
index 000000000..6fc5a72cd
--- /dev/null
+++ b/builder-base/scripts/install_go_vuln_check.sh
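Review bot: `ENV GOPATH /go` in the new go-vuln-check stage uses the legacy space-separated ENV form, which BuildKit's LegacyKeyValueFormat check warns about, while the neighbouring `ENV GO_VULN_CHECK_VERSION=...` and `ENV PATH=...` lines already use `key=value`; change it to `ENV GOPATH=/go`. `ARG TARGETARCH` is declared but nothing in this hunk or in the new install_go_vuln_check.sh reads it, so it is presumably consumed by common_vars.sh — if not, drop it. The stage appears to mirror the go-licenses stage whose RUN forms the hunk's leading context, so the same ENV form likely exists there and is best fixed together. Since the only output this stage contributes is `/go-vuln-check` (copied in the next hunk), a one-line comment above the FROM, `# builds govulncheck into /go-vuln-check for minimal-copy-stage`, would make the stage's purpose clear to readers.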
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+set -o pipefail
+
+SCRIPT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+
+NEWROOT=/go-vuln-check
+
+source $SCRIPT_ROOT/common_vars.sh
+
+function install_go_vuln_check() {
+    GO111MODULE=on GOBIN=${NEWROOT}/${GOPATH}/${GOLANG_MAJOR_VERSION}/bin go install golang.org/x/vuln/cmd/govulncheck@$GO_VULN_CHECK_VERSION
+
+    rm -rf ${GOPATH}
+}
+
+[ ${SKIP_INSTALL:-false} != false ] || install_go_vuln_check
diff --git a/builder-base/versions.yaml b/builder-base/versions.yaml
index 84aa50b78..7f9cac2bd 100644
--- a/builder-base/versions.yaml
+++ b/builder-base/versions.yaml
@@ -11,6 +11,7 @@ GOLANG_VERSION_120: 1.20.10-11
 GOLANG_VERSION_121: 1.21.3-4
 GO_LICENSES_VERSION: v1.6.0
 GOVC_VERSION: 0.25.0
+GO_VULN_CHECK_VERSION: v1.0.1
 GOSS_VERSION: 3.1.4
 HELM_VERSION: 3.8.1
 HUGO_VERSION: 0.85.0
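Review bot: `rm -rf ${GOPATH}` in install_go_vuln_check is unquoted and has no guard against an empty variable; the script enables `set -e` and `pipefail` but not `set -u`, and GOPATH is supplied by the Dockerfile stage (`ENV GOPATH /go`) rather than set here, so running the script anywhere GOPATH is unset degrades to `rm -rf` with no operand instead of failing, and a value containing whitespace would expand into several operands. Write it as `rm -rf "${GOPATH:?}"` so the script aborts with a diagnostic instead. `source $SCRIPT_ROOT/common_vars.sh` should be quoted for the same reason, and GOLANG_MAJOR_VERSION is presumably defined in common_vars.sh — nothing in this file sets it. The GOBIN path `${NEWROOT}/${GOPATH}/...` also yields a doubled slash (`/go-vuln-check//go/...`); harmless, but `${NEWROOT}${GOPATH}/${GOLANG_MAJOR_VERSION}/bin` reads as intended.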