Introduce gosec for Static Application Security Testing (SAST)

gardener · Jan 10, 2025 · 9be7b09 · 9be7b09
1 parent 45e190f
commit 9be7b09
Show file tree

Hide file tree

Showing 5 changed files with 146 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -34,3 +34,7 @@ Session.vim
 
 # Binary files
 bin/
+cluster-autoscaler/hack/tools/bin
+
+# gosec
+gosec-report.sarif
diff --git a/cluster-autoscaler/Makefile b/cluster-autoscaler/Makefile
@@ -124,6 +124,8 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ## Tool Versions
 CONTROLLER_TOOLS_VERSION ?= v0.14.0
 
+include hack/tools.mk
+
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.
 $(CONTROLLER_GEN): $(LOCALBIN)
@@ -186,4 +188,12 @@ download-kubeconfigs:
 
 .PHONY: test-integration
 test-integration:
-	../.ci/local_integration_test
+	../.ci/local_integration_test
+
+.PHONY: sast
+sast: $(GOSEC)
+	@./hack/sast.sh
+
+.PHONY: sast-report
+sast-report: $(GOSEC)
+	@./hack/sast.sh --gosec-report true
diff --git a/cluster-autoscaler/hack/sast.sh b/cluster-autoscaler/hack/sast.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." &> /dev/null && pwd )"
+TOOLS_BIN_DIR="${root_dir}/hack/tools/bin"
+
+gosec_report="false"
+gosec_report_parse_flags=""
+dir_to_exclude=""
+
+parse_flags() {
+  while test $# -gt 1; do
+    case "$1" in
+      --gosec-report)
+        shift; gosec_report="$1"
+        ;;
+      *)
+        echo "Unknown argument: $1"
+        exit 1
+        ;;
+    esac
+    shift
+  done
+}
+
+parse_flags "$@"
+
+echo "> Running gosec"
+${TOOLS_BIN_DIR}/gosec --version
+if [[ "$gosec_report" != "false" ]]; then
+  echo "Exporting report to $root_dir/gosec-report.sarif"
+  gosec_report_parse_flags="-track-suppressions -fmt=sarif -out=gosec-report.sarif -stdout"
+fi
+
+dir_to_exclude="-exclude-dir=cloudprovider/alicloud
+-exclude-dir=cloudprovider/aws
+-exclude-dir=cloudprovider/azure
+-exclude-dir=cloudprovider/baiducloud
+-exclude-dir=cloudprovider/bizflycloud
+-exclude-dir=cloudprovider/brightbox
+-exclude-dir=cloudprovider/cherryservers
+-exclude-dir=cloudprovider/civo
+-exclude-dir=cloudprovider/cloudstack
+-exclude-dir=cloudprovider/clusterapi
+-exclude-dir=cloudprovider/digitalocean
+-exclude-dir=cloudprovider/equinixmetal
+-exclude-dir=cloudprovider/exoscale
+-exclude-dir=cloudprovider/gce
+-exclude-dir=cloudprovider/hetzner
+-exclude-dir=cloudprovider/huaweicloud
+-exclude-dir=cloudprovider/ionoscloud
+-exclude-dir=cloudprovider/kamatera
+-exclude-dir=cloudprovider/kubemark
+-exclude-dir=cloudprovider/kwok
+-exclude-dir=cloudprovider/linode
+-exclude-dir=cloudprovider/magnum
+-exclude-dir=cloudprovider/oci
+-exclude-dir=cloudprovider/ovhcloud
+-exclude-dir=cloudprovider/rancher
+-exclude-dir=cloudprovider/scaleway
+-exclude-dir=cloudprovider/tencentcloud
+-exclude-dir=cloudprovider/volcengine
+-exclude-dir=cloudprovider/vultr
+"
+
+${TOOLS_BIN_DIR}/gosec -exclude-generated $dir_to_exclude $gosec_report_parse_flags ./...
diff --git a/cluster-autoscaler/hack/tools.mk b/cluster-autoscaler/hack/tools.mk
@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+TOOLS_DIR     := hack/tools
+TOOLS_BIN_DIR := $(TOOLS_DIR)/bin
+
+# Tool Binaries
+GOSEC ?= $(TOOLS_BIN_DIR)/gosec
+
+# Tool Versions
+GOSEC_VERSION ?= v2.21.4
+
+$(GOSEC):
+	@GOSEC_VERSION=$(GOSEC_VERSION) $(TOOLS_DIR)/install-gosec.sh
diff --git a/cluster-autoscaler/hack/tools/install-gosec.sh b/cluster-autoscaler/hack/tools/install-gosec.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+echo "> Installing gosec"
+
+TOOLS_BIN_DIR=${TOOLS_BIN_DIR:-$(dirname $0)/bin}
+if [[ ! -d $TOOLS_BIN_DIR ]]; then
+  mkdir -p $TOOLS_BIN_DIR
+fi
+
+platform=$(uname -s | tr '[:upper:]' '[:lower:]')
+version=$GOSEC_VERSION
+echo "gosec version:$GOSEC_VERSION"
+case $(uname -m) in
+  aarch64 | arm64)
+    arch="arm64"
+    ;;
+  x86_64)
+    arch="amd64"
+    ;;
+  *)
+    echo "Unknown architecture"
+    exit 1
+    ;;
+esac
+
+archive_name="gosec_${version#v}_${platform}_${arch}"
+file_name="${archive_name}.tar.gz"
+
+temp_dir="$(mktemp -d)"
+function cleanup {
+  rm -rf "${temp_dir}"
+}
+trap cleanup EXIT ERR INT TERM
+echo "Downloading from: https://github.com/securego/gosec/releases/download/${version}/${file_name}"
+curl -L -o ${temp_dir}/${file_name} "https://github.com/securego/gosec/releases/download/${version}/${file_name}"
+
+tar -xzm -C "${temp_dir}" -f "${temp_dir}/${file_name}"
+mv "${temp_dir}/gosec" $TOOLS_BIN_DIR
+chmod +x $TOOLS_BIN_DIR/gosec