diff --git a/.ci/scripts/vuln-check.sh b/.ci/scripts/vuln-check.sh
new file mode 100755
index 00000000..4c4e1d0c
--- /dev/null
+++ b/.ci/scripts/vuln-check.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+set -e
+
+# Define the file to store the list of vulnerabilities to ignore.
+IGNORE_FILE=".vulnignore"
+
+# Check if the ignored vulnerabilities file exists. If not, create an empty one.
+if [ ! -f "$IGNORE_FILE" ]; then
+ touch "$IGNORE_FILE"
+ echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
+ echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
+ echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
+ echo "" >> "$IGNORE_FILE"
+fi
+
+# Run govulncheck and capture its output.
+VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
+
+# Print the govuln output
+echo "====================================="
+echo "Full Output of govulncheck:"
+echo "====================================="
+echo "$VULN_OUTPUT"
+echo "====================================="
+echo "End of govulncheck Output"
+echo "====================================="
+
+# Process the ignore file to remove comments and empty lines.
+# The 'cut' command gets the vulnerability ID and removes anything after the '#'.
+# The 'grep' command filters out empty lines and lines starting with '#'.
+CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
+
+# Filter out the ignored vulnerabilities.
+UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
+
+# If the list of ignored vulnerabilities is not empty, filter them out.
+if [ -n "$CLEAN_IGNORES" ]; then
+ UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
+fi
+
+# If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
+if [ -n "$UNIGNORED_VULNS" ]; then
+ echo "🚨 Found new, unignored vulnerabilities:"
+ echo "-------------------------------------"
+ echo "$UNIGNORED_VULNS"
+ echo "-------------------------------------"
+ echo "Exiting with an error. ❌"
+ exit 1
+else
+ echo "🎉 No new vulnerabilities found. All clear! ✨"
+ exit 0
+fi
diff --git a/.vulnignore b/.vulnignore
new file mode 100644
index 00000000..f95addd3
--- /dev/null
+++ b/.vulnignore
@@ -0,0 +1,3 @@
+# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
+# You can also add comments on the same line after the ID.
+GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future
diff --git a/Makefile b/Makefile
index 96271ae7..69e6c809 100644
--- a/Makefile
+++ b/Makefile
@@ -139,7 +139,7 @@ clean:
 .PHONY: vulncheck
 vulncheck:
- @go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./...
+ @./.ci/scripts/vuln-check.sh
 .PHONY: cloudflared
 cloudflared:
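Review bot: A fully clean scan aborts the script instead of passing: the assignment `UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')` has no `|| true`, `grep` exits 1 when nothing matches, the assignment inherits that status, and the `set -e` at the top terminates the script with exit 1 before the "All clear" branch is reached — it only works today because the GO-2025-3942 entry in `.vulnignore` guarantees at least one match. The opposite problem sits on the govulncheck line, where `|| true` discards the tool's own exit status, so a failed module download, build error or crash leaves no `Vulnerability` lines and (once the first issue is fixed) would be reported as all clear. Keep the status instead: govulncheck exits 0 when nothing is found and 3 when it reports findings (confirm against the version actually fetched by `@latest`), and any other code should fail the job; `set -o pipefail` next to `set -e` keeps the `CLEAN_IGNORES` pipeline honest as well. Matching the text output on the literal `Vulnerability` is also fragile, and `govulncheck -json` piped through `jq` would yield the IDs directly, but that can be a follow-up.
```shell
set -eo pipefail
# … unchanged: ignore-file bootstrap …
# Keep govulncheck's exit status instead of discarding it with '|| true'.
VULN_STATUS=0
VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./...) || VULN_STATUS=$?
# 0 = scan completed, nothing found; 3 = scan completed, findings reported.
# Anything else means the scan did not run to completion: fail closed.
if [ "$VULN_STATUS" -ne 0 ] && [ "$VULN_STATUS" -ne 3 ]; then
  echo "govulncheck did not complete (exit status $VULN_STATUS); not treating this as a clean scan." >&2
  echo "$VULN_OUTPUT" >&2
  exit 1
fi
# … unchanged: output banner, CLEAN_IGNORES …
# grep exits 1 on no match; do not let that abort a clean scan under set -e.
UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability' || true)
# … unchanged: ignore-list filtering, final verdict …
```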