Merge pull request #867 from coinbase/golang_1_21

Version bumping GoLang & GoSec
coinbase · Sep 29, 2023 · d17fb75 · d17fb75
2 parents e927762 + 0ec9d56
commit d17fb75
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 45 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -78,16 +78,16 @@ RUN cd /home \
 ### Golang
 # required for sift and gosec
 
-ENV GOLANG_VERSION 1.20.2
-ENV GOLANG_DOWNLOAD_SHA256 4eaea32f59cde4dc635fbc42161031d13e1c780b87097f4b4234cfce671f1768
+ENV GOLANG_VERSION 1.21.1
+ENV GOLANG_DOWNLOAD_SHA256 b3075ae1ce5dab85f89bc7905d1632de23ca196bd8336afd93fa97434cfa55ae
 
 ENV GOLANG_TARBALL_FILE go$GOLANG_VERSION.linux-amd64.tar.gz
 ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/${GOLANG_TARBALL_FILE}
 
-ENV GOSEC_VERSION 2.15.0
+ENV GOSEC_VERSION 2.17.0
 ENV GOSEC_TARBALL_FILE gosec_${GOSEC_VERSION}_linux_amd64.tar.gz
 ENV GOSEC_DOWNLOAD_URL https://github.com/securego/gosec/releases/download/v${GOSEC_VERSION}/${GOSEC_TARBALL_FILE}
-ENV GOSEC_DOWNLOAD_SHA256 2312388e9ce0dcfed23893ffd2b719f9de5b1d262c84f4e3c8e2e2cb0d1785d2
+ENV GOSEC_DOWNLOAD_SHA256 e268c49e3382d43a1bd1a24d15f5c0e249841cd2a6befc53b5d7986f07a97d2f
 ENV GO111MODULE on
 
 RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \

diff --git a/Gemfile b/Gemfile
@@ -2,15 +2,15 @@ source 'https://rubygems.org'
 
 ruby '3.2.1'
 
-gem 'activemodel', '~> 6.1.7.3'
-gem 'activesupport', '~> 6.1.7.3'
+gem 'activemodel', '~> 6.1.7.5'
+gem 'activesupport', '~> 6.1.7.5'
 gem 'bugsnag', '~> 6.19.0'
 gem 'bundler', '= 2.4.8'
 gem 'cocoapods', '~> 1.12.0'
 gem 'deepsort', '~> 0.4.5'
 gem 'faraday', '~> 1.3'
 gem 'github-linguist', '~> 7.13.0'
-gem 'nokogiri', '~> 1.13.6'
+gem 'nokogiri', '~> 1.14.3'
 gem 'parser', '~> 3.1.3'
 gem 'rgl', '~> 0.5.9'
 gem 'rubyzip', '~> 2.3.2'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -3,9 +3,9 @@ GEM
   specs:
     CFPropertyList (3.0.6)
       rexml
-    activemodel (6.1.7.3)
-      activesupport (= 6.1.7.3)
-    activesupport (6.1.7.3)
+    activemodel (6.1.7.6)
+      activesupport (= 6.1.7.6)
+    activesupport (6.1.7.6)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -92,21 +92,21 @@ GEM
       rugged (>= 0.25.1)
     hashdiff (1.0.1)
     httpclient (2.8.3)
-    i18n (1.12.0)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     json (2.6.3)
     json-schema (3.0.0)
       addressable (>= 2.8)
     method_source (1.0.0)
     mini_mime (1.0.2)
-    mini_portile2 (2.8.0)
-    minitest (5.18.0)
+    mini_portile2 (2.8.4)
+    minitest (5.20.0)
     molinillo (0.8.0)
     multipart-post (2.1.1)
     nanaimo (0.3.0)
     nap (1.1.0)
     netrc (0.11.0)
-    nokogiri (1.13.10)
+    nokogiri (1.14.5)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
     pairing_heap (1.0.0)
@@ -121,7 +121,7 @@ GEM
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
     public_suffix (4.0.7)
-    racc (1.6.1)
+    racc (1.7.1)
     rainbow (3.0.0)
     regexp_parser (1.8.2)
     rexml (3.2.5)
@@ -187,14 +187,14 @@ GEM
       colored2 (~> 3.1)
       nanaimo (~> 0.3.0)
       rexml (~> 3.2.4)
-    zeitwerk (2.6.7)
+    zeitwerk (2.6.12)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  activemodel (~> 6.1.7.3)
-  activesupport (~> 6.1.7.3)
+  activemodel (~> 6.1.7.5)
+  activesupport (~> 6.1.7.5)
   brakeman (= 5.4.1)
   bugsnag (~> 6.19.0)
   bundler (= 2.4.8)
@@ -204,7 +204,7 @@ DEPENDENCIES
   faraday (~> 1.3)
   github-linguist (~> 7.13.0)
   json-schema (~> 3.0)
-  nokogiri (~> 1.13.6)
+  nokogiri (~> 1.14.3)
   parser (~> 3.1.3)
   pry (~> 0.14)
   pry-byebug (~> 3.10)

diff --git a/lib/salus/scanners/base.rb b/lib/salus/scanners/base.rb
@@ -532,19 +532,6 @@ def build_options(prefix:, suffix:, separator:, args:, join_by: ',', config_over
                        join_by: join_by,
                        regex: type_value
                      )
-                     # In new versions of gosec, nosec-tag matches the exact string
-                     # For example, In previous versions;
-                     #  - running the command `gosec -nosec-tag=falsepositive .`
-                     #    would match all occurrences of /* #falsepositive */ in go files
-                     # In current versions:
-                     #  - running the command `gosec -nosec-tag=falsepositive .`
-                     #    would match only match /* falsepositive */ in go files
-                     #  - you would have to modify your string to match #falsepositive
-                     #    running the command `gosec -nosec-tag=#falsepositive .`
-                     #    would match all occurrences of /* #falsepositive */ in go files
-                     # To prevent salus functionality from changing, this line adds a pound
-                     # sign to alternative nosec string
-                     result = "-nosec-tag=##{config_value} " if result.include? "-nosec-tag="
                      result
                    else
                      warning = "Could not interpolate config for #{keyword} "\

diff --git a/salus.yaml b/salus.yaml
@@ -28,3 +28,9 @@ scanner_configs:
       - spec/fixtures/gosec/multifolder_goapp
       - spec/fixtures/gosec/recursive_vulnerable_goapp
       - spec/fixtures/gosec/multi_goapps
+  RubyVersionScanner:
+    warn:
+      min_version: '3.0.0'
+      max_version: '3.1.0'
+    error:
+      min_version: '3.0.0'
diff --git a/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml b/spec/fixtures/npm_audit/success_with_exceptions/salus-sarif.yaml
@@ -20,4 +20,14 @@ scanner_configs:
                 advisory_id: "1091018",
                 changed_by: "joshua.ostrom",
                 notes: "See https://www.npmjs.com/advisories/48. We're not vulnerable to this because this is a regex dos and we have nothing that puts user input into it. The impact is also minimal.",
-              }
+              }
+            - {
+                advisory_id: "1091686",
+                changed_by: "joshua.ostrom",
+                notes: "False positive",
+              }
+            - {
+                advisory_id: "1091710",
+                changed_by: "joshua.ostrom",
+                notes: "False positive",
+              }
diff --git a/spec/lib/salus/scanners/yarn_audit_spec.rb b/spec/lib/salus/scanners/yarn_audit_spec.rb
@@ -71,7 +71,7 @@
 
       expect(scanner.report.to_h.fetch(:passed)).to eq(false)
       vulns = JSON.parse(scanner.report.to_h[:info][:stdout]).sort { |a, b| a["ID"] <=> b["ID"] }
-      expect(vulns.size).to eq(17)
+      expect(vulns.size).to eq(18)
 
       vulns.each do |vul|
         ["Package", "Patched in", "Dependency of", "More info", "Severity", "Title"].each do |attr|
@@ -81,22 +81,24 @@
         expect(vul["ID"]).to be_kind_of(Integer)
       end
 
-      id_vuls = vulns.find { |v| v['ID'] == 1_091_360 }
+      id_vuls = vulns.find { |v| v['ID'] == 1_091_832 }
+
       # vul has 1 dependency of
-      expected_vul = { "Package" => "trim-newlines",
-                       "Patched in" => ">=3.0.1",
-                       "Dependency of" => "gulp-cssmin",
-                       "More info" => "https://www.npmjs.com/advisories/1091360",
+      expected_vul = { "Package" => "lodash",
+                       "Patched in" => ">=4.17.21",
+                       "Dependency of" => "gulp-modify-file",
+                       "More info" => "https://www.npmjs.com/advisories/1091832",
                        "Severity" => "high",
-                       "Title" => "Uncontrolled Resource Consumption in trim-newlines",
-                       "ID" => 1_091_360 }
+                       "Title" => "Command Injection in lodash",
+                       "ID" => 1_091_832 }
+
       expect(id_vuls).to eq(expected_vul)
 
       id_vuls_w_paths = scanner.instance_variable_get(:@vulns_w_paths)
-        .find { |v| v['ID'] == 1_091_360 }
+        .find { |v| v['ID'] == 1_091_832 }
 
-      expected_vul['Path'] = "gulp-cssmin > gulp-util > "\
-        "dateformat > meow > trim-newlines"
+      expected_vul['Path'] = "gulp-modify-file > gulp > "\
+        "vinyl-fs > glob-watcher > gaze > globule > lodash"
       expect(id_vuls_w_paths).to eq(expected_vul)
     end
 

diff --git a/spec/lib/sarif/cargo_audit_sarif_spec.rb b/spec/lib/sarif/cargo_audit_sarif_spec.rb
@@ -34,7 +34,7 @@
                           "title": { "text": "MultiDecoder::read() drops uninitialized memory of"\
                           " arbitrary type on panic in client code" },
                           "severity": { "text": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
-                          "cwe": { "text": "[\"CVE-2019-15552\"]" },
+                          "cwe": { "text": "[\"CVE-2019-15552\", \"GHSA-rpcm-whqc-jfw8\"]" },
                           "patched_versions": { "text": "[\">=0.1.25\"]" },
                           "unaffected_versions": { "text": "[\"<0.1.14\"]" } },
           help_url: "https://github.com/sile/libflate/issues/35",

diff --git a/spec/lib/sarif/npm_audit_sarif_spec.rb b/spec/lib/sarif/npm_audit_sarif_spec.rb
@@ -165,6 +165,7 @@
         report = Salus::Report.new(project_name: "Neon Genesis")
         report.add_scan_report(scanner.report, required: false)
         report_object = JSON.parse(report.to_sarif)['runs'][0]
+
         expect(report_object['results'].length).to eq(0)
         expect(report_object['invocations'][0]['executionSuccessful']).to eq(true)
       end