From 4dafc15f22b8d40df777002d2756d3e28e423091 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20=22Pisco=22=20Fernandes?= Date: Mon, 22 Sep 2025 11:47:11 +0100 Subject: [PATCH 1/4] TUN-9855: Create script to ignore vulnerabilities from govuln check --- .ci/scripts/vuln-check.sh | 52 +++++++++++++++++++++++++++++++++++++++ .vulnignore | 3 +++ Makefile | 2 +- 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100755 .ci/scripts/vuln-check.sh create mode 100644 .vulnignore
diff --git a/.ci/scripts/vuln-check.sh b/.ci/scripts/vuln-check.sh
new file mode 100755
index 00000000..4c4e1d0c
--- /dev/null
+++ b/.ci/scripts/vuln-check.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+set -e
+
+# Define the file to store the list of vulnerabilities to ignore.
+IGNORE_FILE=".vulnignore"
+
+# Check if the ignored vulnerabilities file exists. If not, create an empty one.
+if [ ! -f "$IGNORE_FILE" ]; then
+ touch "$IGNORE_FILE"
+ echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
+ echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
+ echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
+ echo "" >> "$IGNORE_FILE"
+fi
+
+# Run govulncheck and capture its output.
+VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
+
+# Print the govuln output
+echo "====================================="
+echo "Full Output of govulncheck:"
+echo "====================================="
+echo "$VULN_OUTPUT"
+echo "====================================="
+echo "End of govulncheck Output"
+echo "====================================="
+
+# Process the ignore file to remove comments and empty lines.
+# The 'cut' command gets the vulnerability ID and removes anything after the '#'.
+# The 'grep' command filters out empty lines and lines starting with '#'.
+CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
+
+# Filter out the ignored vulnerabilities.
+UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
+
+# If the list of ignored vulnerabilities is not empty, filter them out.
+if [ -n "$CLEAN_IGNORES" ]; then
+ UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
+fi
+
+# If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
+if [ -n "$UNIGNORED_VULNS" ]; then
+ echo "🚨 Found new, unignored vulnerabilities:"
+ echo "-------------------------------------"
+ echo "$UNIGNORED_VULNS"
+ echo "-------------------------------------"
+ echo "Exiting with an error. ❌"
+ exit 1
+else
+ echo "🎉 No new vulnerabilities found. All clear! ✨"
+ exit 0
+fi
diff --git a/.vulnignore b/.vulnignore
new file mode 100644
index 00000000..f95addd3
--- /dev/null
+++ b/.vulnignore
@@ -0,0 +1,3 @@
+# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
+# You can also add comments on the same line after the ID.
+GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future
diff --git a/Makefile b/Makefile
index 96271ae7..69e6c809 100644
--- a/Makefile
+++ b/Makefile
@@ -139,7 +139,7 @@ clean: .PHONY: vulncheck vulncheck: - @go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... + @./.ci/scripts/vuln-check.sh .PHONY: cloudflared cloudflared:
From 4ac0c1f2d74de5501d67f4183a10117811ee0ab7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20=22Pisco=22=20Fernandes?= Date: Fri, 19 Sep 2025 14:45:28 +0100 Subject: [PATCH 2/4] TUN-9852: Remove fmt.Println from cloudflared access command --- token/token.go | 1 - 1 file changed, 1 deletion(-)
diff --git a/token/token.go b/token/token.go
index 555a7f69..ac1de27e 100644
--- a/token/token.go
+++ b/token/token.go
@@ -255,7 +255,6 @@ func getToken(appURL *url.URL, appInfo *AppInfo, useHostOnly bool, autoClose boo // getTokensFromEdge will attempt to use the transfer service to retrieve an app and org token, save them to disk, // and return the app token. func getTokensFromEdge(appURL *url.URL, appAUD, appTokenPath, orgTokenPath string, useHostOnly bool, autoClose bool, isFedramp bool, log *zerolog.Logger) (string, error) { - fmt.Println("Get tokens from edge ", autoClose) // If no org token exists or if it couldn't be exchanged for an app token, then run the transfer service flow. // this weird parameter is the resource name (token) and the key/value
From 80b1634515bacca565ec8b679559db8fa60eabd9 Mon Sep 17 00:00:00 2001
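Review bot: The `|| true` on the `VULN_OUTPUT=$(go run ... govulncheck@latest ./... || true)` line makes the gate fail open: if govulncheck cannot build the module, fetch the tool or reach the vulnerability database, its output contains no `Vulnerability` line, so `UNIGNORED_VULNS` is empty and the script prints "No new vulnerabilities found" and exits 0. Capture the exit status instead and treat anything other than 0 (clean) or 3 (govulncheck's own "vulnerabilities found" status) as a failed scan, as in the rewrite below. Two smaller points: `grep -vFf` matches each ignored ID as a substring anywhere in the line, so a truncated entry such as `GO-2025-394` would silently suppress every ID sharing that prefix — anchor the match (`grep -vwFf`) or compare the extracted ID exactly; and `@latest` carries over the unpinned tool from the Makefile line this patch removes, so the checker's behaviour can change between two runs of the same commit — pinning a version makes the result reproducible.
```shell
# Run govulncheck and capture its output, keeping the exit status instead of masking it.
set +e
VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./...)
VULN_EXIT=$?
set -e

# govulncheck exits 0 when clean and 3 when it found vulnerabilities; anything else
# means the scan itself did not run (build error, download or database failure).
if [ "$VULN_EXIT" -ne 0 ] && [ "$VULN_EXIT" -ne 3 ]; then
  echo "govulncheck did not complete (exit status $VULN_EXIT):"
  echo "$VULN_OUTPUT"
  exit 1
fi
# … unchanged: print output, build CLEAN_IGNORES, filter and report …
```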
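Review bot: The `GO-2025-3942` entry justifies the exception with a future removal of proxy-dns but gives nothing that would make the exception expire, so the suppression survives indefinitely even if that removal slips. Ignore entries are easier to audit when each carries the tracking reference and a re-evaluation date, e.g. `GO-2025-3942 # core-dns; proxy-dns removal tracked in <TICKET-ID>, re-evaluate by <DATE>` (placeholders to fill in).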
From: =?UTF-8?q?Jo=C3=A3o=20=22Pisco=22=20Fernandes?= Date: Mon, 22 Sep 2025 13:02:11 +0100 Subject: [PATCH 3/4] Release 2025.9.1 --- RELEASE_NOTES | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index a7b3e05f..737a262f 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES
@@ -1,3 +1,7 @@
+2025.9.1
+- 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
+- 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
+
 2025.9.0
 - 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
 - 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
From 71448c1f7f2a5c9cf09f41dbd5eeed2c1255bee5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20=22Pisco=22=20Fernandes?= Date: Mon, 22 Sep 2025 15:44:50 +0100 Subject: [PATCH 4/4] TUN-9800: Add pipeline to sync between gitlab and github repos --- .ci/github.gitlab-ci.yml | 17 +++++++++++++++++ .ci/scripts/github-push.sh | 31 +++++++++++++++++++++++++++++++ .gitlab-ci.yml | 7 ++++++- 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 .ci/github.gitlab-ci.yml create mode 100755 .ci/scripts/github-push.sh
diff --git a/.ci/github.gitlab-ci.yml b/.ci/github.gitlab-ci.yml
new file mode 100644
index 00000000..bf63b020
--- /dev/null
+++ b/.ci/github.gitlab-ci.yml
@@ -0,0 +1,17 @@
+include:
+ - local: .ci/commons.gitlab-ci.yml
+
+######################################
+### Sync master branch with Github ###
+######################################
+push-github:
+ stage: sync
+ rules:
+ - !reference [.default-rules, run-on-master]
+ script:
+ - ./.ci/scripts/github-push.sh
+ secrets:
+ CLOUDFLARED_DEPLOY_SSH_KEY:
+ vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
+ file: false
+ cache: {}
diff --git a/.ci/scripts/github-push.sh b/.ci/scripts/github-push.sh
new file mode 100755
index 00000000..b9859e12
--- /dev/null
+++ b/.ci/scripts/github-push.sh
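Review bot: `file: false` on the `CLOUDFLARED_DEPLOY_SSH_KEY` secret places the private key in the job environment as a plain variable, where every process the job starts inherits it and any `set -x` or crash dump can echo it; the script then copies it to disk by hand. GitLab's documented default (`file: true`, if I have the default right) writes the secret to a temporary file and exposes only its path, which is exactly the file `github-push.sh` reconstructs, so dropping the `file: false` line and passing the variable straight to `ssh -i` would remove the second copy. If the environment-variable form was chosen deliberately, a comment on that line stating why would save the next reader the question.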
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e -o pipefail
+
+BRANCH="master"
+TMP_PATH="$PWD/tmp"
+PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
+PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
+
+mkdir -p $TMP_PATH
+
+# Setup Private Key
+echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
+chmod 400 $PRIVATE_KEY_PATH
+
+# Download GitHub Public Key for KnownHostsFile
+ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
+
+# Setup git ssh command with the right configurations
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
+
+# Add GitHub as a new remote
+git remote add github git@github.com:cloudflare/cloudflared.git || true
+
+# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
+# Therefore, we need to manually fetch the reference to then push it to GitHub.
+git fetch origin $BRANCH:$BRANCH
+git push -u github $BRANCH
+
+if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
+ git push -u github "$TAG"
+fi
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 09826a2c..c9673553 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,7 @@ default: VAULT_ID_TOKEN: aud: https://vault.cfdata.org -stages: [pre-build, build, validate, test, package, release] +stages: [sync, pre-build, build, validate, test, package, release] include: #####################################################
@@ -15,6 +15,11 @@ include: ##################################################### - local: .ci/commons.gitlab-ci.yml + ##################################################### + ########### Sync Repository with Github ############# + ##################################################### + - local: .ci/github.gitlab-ci.yml + ##################################################### ############# Build or Fetch CI Image ############### #####################################################
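Review bot: `ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH` fetches the host key over the network on every run and then trusts it, so the `UserKnownHostsFile` passed to ssh only proves that the host answering the push is the one that answered the scan a moment earlier — anyone able to answer for github.com at scan time receives the deploy key's authentication. Committing GitHub's published ed25519 host key to the repository (or comparing the scanned key's fingerprint with the published one before using it) is what makes the pinning meaningful, together with `-o StrictHostKeyChecking=yes` so ssh never falls back to accepting an unknown key. The private key is also written under the default umask before `chmod 400` narrows it, and neither it nor `$TMP_PATH` is removed when the script exits or fails; `umask 077` before the write and a `trap` that removes `$TMP_PATH` on EXIT close both gaps. `$TMP_PATH` and the key paths are unquoted in `mkdir`, the redirections and `GIT_SSH_COMMAND`, which breaks as soon as `$PWD` contains a space.
```shell
# Keep the key material private from the moment it is created and remove it on exit.
umask 077
mkdir -p "$TMP_PATH"
trap 'rm -rf "$TMP_PATH"' EXIT

# Setup Private Key
printf '%s\n' "$CLOUDFLARED_DEPLOY_SSH_KEY" > "$PRIVATE_KEY_PATH"
chmod 400 "$PRIVATE_KEY_PATH"

# Pin GitHub's published host key instead of trusting whatever answers the keyscan at run time.
printf 'github.com ssh-ed25519 %s\n' "<GITHUB-PUBLISHED-ED25519-HOST-KEY>" > "$PUBLIC_KEY_GITHUB_PATH"

# Setup git ssh command with the right configurations
export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=\"$PUBLIC_KEY_GITHUB_PATH\" -o IdentitiesOnly=yes -i \"$PRIVATE_KEY_PATH\""
# … unchanged: remote add, fetch, branch push, tag push …
```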
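Review bot: Placing `sync` first in `stages:` means the `push-github` job (whose rules run it on master) mirrors the commit to GitHub before the pipeline's build, validate, test and package stages have run on it, so a master commit that later fails is already public on the mirror by the time the failure is known. If the intent is to publish only commits that passed the pipeline, put `sync` after `release` (or give the job a `needs:` on the test jobs); if mirroring early is deliberate, a comment above the stage list saying so would help the next reader. The second hunk in this file only adds the include and needs nothing further.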