deps(go): 3.11.x updates to satisfy vuln scanners (#2081)
* deps(go): Updates to satisfy vuln scanners

Signed-off-by: Dave Henderson <[email protected]>

* chore: fix flaky IP lookup test

Signed-off-by: Dave Henderson <[email protected]>

* chore: Fixing broken integration test

Signed-off-by: Dave Henderson <[email protected]>

* ci: update image scan to stop failing when pushing sarif

Signed-off-by: Dave Henderson <[email protected]>

---------

Signed-off-by: Dave Henderson <[email protected]>
hairyhenderson authored May 30, 2024
1 parent c133ad0 commit f525a6e
Showing 7 changed files with 62 additions and 41 deletions.
13 changes: 9 additions & 4 deletions .github/workflows/image-scan.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
DOCKER_BUILDKIT: 1
DOCKER_CLI_EXPERIMENTAL: enabled
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Quick build (linux/alpine only)
run: |
docker build --target gomplate-alpine -t gomplate .
Expand All @@ -33,12 +33,17 @@ jobs:
image-ref: gomplate
format: sarif
output: trivy-results.sarif
exit-code: 1
# exit-code: 1
ignore-unfixed: true
vuln-type: os,library
severity: CRITICAL,HIGH
# The SARIF format ignores severity and uploads all vulnerabilities for
# later triage. The table-format step above is used to fail the build if
# there are any critical or high vulnerabilities.
# See https://github.com/aquasecurity/trivy-action/issues/95
# severity: 'CRITICAL,HIGH'
trivyignores: .trivyignore
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
if: always() && github.repository == 'hairyhenderson/gomplate'
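Review bot: `trivyignores: .trivyignore` on this SARIF step still names a file that the same commit deletes (the `.trivyignore` section below removes its only entry, CVE-2022-0778), so the workflow now references an ignore file that is absent from the checkout; if trivy-action forwards it as `--ignorefile`, confirm trivy tolerates a missing path, otherwise drop the line or keep an empty `.trivyignore`. With `exit-code` and `severity` commented out, this step no longer gates the build; the comment defers that to a table-format step that sits above the hunk, so the two steps must stay in sync and a one-line pointer on that step (`# This is the gating scan; the SARIF step below is report-only`) would make the dependency visible from both sides. The action bumps (`actions/checkout@v4`, `github/codeql-action/upload-sarif@v3`) remain mutable tag refs; pinning to a commit SHA with the version in a trailing comment is the usual hardening for a job that publishes security findings. The step definitions begin before this hunk.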
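--- a/.trivyignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignoring CVE-2022-0778 as it's mostly covered by Alpine 3.15.1, except for
-# libretls, which isn't used at all. Should be able to remove this when 3.15.2
-# is out.
-CVE-2022-0778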
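--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module github.com/hairyhenderson/gomplate/v3
 
 go 1.21
 
+toolchain go1.22.3
+
 require (
 github.com/Masterminds/goutils v1.1.1
 github.com/Shopify/ejson v1.3.3
@@ -27,12 +29,12 @@ require (
 github.com/stretchr/testify v1.8.4
 github.com/ugorji/go/codec v1.2.7
 github.com/zealic/xignore v0.3.3
-go.etcd.io/bbolt v1.3.6
+go.etcd.io/bbolt v1.3.10
 gocloud.dev v0.25.1-0.20220408200107-09b10f7359f7
-golang.org/x/crypto v0.18.0
-golang.org/x/sys v0.16.0
-golang.org/x/term v0.16.0
-golang.org/x/text v0.14.0
+golang.org/x/crypto v0.21.0
+golang.org/x/sys v0.20.0
+golang.org/x/term v0.20.0
+golang.org/x/text v0.15.0
 gotest.tools/v3 v3.5.1
 inet.af/netaddr v0.0.0-20230525184311-b8eac61e914a
 k8s.io/client-go v0.24.1
@@ -133,9 +135,9 @@ require (
 go4.org/intern v0.0.0-20230205224052-192e9f60865c // indirect
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect
 golang.org/x/mod v0.12.0 // indirect
-golang.org/x/net v0.19.0 // indirect
+golang.org/x/net v0.23.0 // indirect
 golang.org/x/oauth2 v0.11.0 // indirect
-golang.org/x/sync v0.3.0 // indirect
+golang.org/x/sync v0.5.0 // indirect
 golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 golang.org/x/tools v0.13.0 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
@@ -145,7 +147,7 @@ require (
 google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
 google.golang.org/grpc v1.59.0 // indirect
-google.golang.org/protobuf v1.31.0 // indirect
+google.golang.org/protobuf v1.33.0 // indirect
 gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect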
45 changes: 28 additions & 17 deletions go.sum

Large diffs are not rendered by default.

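--- a/internal/tests/integration/datasources_blob_test.go
+++ b/internal/tests/integration/datasources_blob_test.go
@@ -45,12 +45,14 @@ func setupDatasourcesBlobTest(t *testing.T) *httptest.Server {
 
 func TestDatasources_Blob_S3Datasource(t *testing.T) {
 o, e, err := cmd(t,
-"-c", "data=s3://ryft-public-sample-data/integration_test_dataset.json?region=us-east-1&type=application/array+json",
-"-i", "{{ $d := index .data 0 }}{{ $d.firstName }} {{ $d.lastName }}").
+"-c", "data=s3://noaa-bathymetry-pds/csv/2022/03/02/20220302_056e577c7cd8323fdd8a04d3812cf78e_pointData.csv?region=us-east-1&type=text/csv",
+"-i", `{{ index (index .data 0) 6 }}: {{ index (index .data 1) 6 }}
+{{ index (index .data 0) 5 }}: {{ index (index .data 1) 5 }}`).
 withEnv("AWS_ANON", "true").
 withEnv("AWS_TIMEOUT", "5000").
 run()
-assertSuccess(t, o, e, err, "Petra Mcintyre")
+assertSuccess(t, o, e, err, `PLATFORM_NAME: Ramform Hyperion
+TIME: 2022-03-01T22:00:04.000Z`)
 
 srv := setupDatasourcesBlobTest(t)
 
@@ -79,12 +81,16 @@ func TestDatasources_Blob_S3Datasource(t *testing.T) {
 }
 
 func TestDatasources_Blob_S3Directory(t *testing.T) {
-o, e, err := cmd(t, "-c", "data=s3://ryft-public-sample-data/?region=us-east-1",
+// This recently replaced ryft-public-sample-data after access was disabled.
+// This bucket came from https://registry.opendata.aws, and is public. The
+// content isn't important, just that it's something we can read and parse
+// on a _real_ S3 bucket.
+o, e, err := cmd(t, "-c", "data=s3://noaa-bathymetry-pds/csv/2022/03/02/?region=us-east-1",
 "-i", "{{ index .data 0 }}").
 withEnv("AWS_ANON", "true").
 withEnv("AWS_TIMEOUT", "15000").
 run()
-assertSuccess(t, o, e, err, "AWS-x86-AMI-queries.json")
+assertSuccess(t, o, e, err, "20220302_056e577c7cd8323fdd8a04d3812cf78e_pointData.csv")
 
 srv := setupDatasourcesBlobTest(t)
 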
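Review bot: The replacement bucket and object key are hard-coded separately in the `-c` argument of TestDatasources_Blob_S3Datasource and again in TestDatasources_Blob_S3Directory, while the comment explaining why noaa-bathymetry-pds was chosen sits only on the second; lifting them to package-level constants, `const s3TestBucket = "noaa-bathymetry-pds"` and `const s3TestKey = "csv/2022/03/02/20220302_056e577c7cd8323fdd8a04d3812cf78e_pointData.csv"`, keeps the rationale in one place and makes the next swap a one-line change. Both assertions pin content of a third-party open-data bucket (specific cell values, and the first key under a prefix, which presumably relies on S3 returning keys in key order), which is exactly the kind of dependency that broke the previous fixture; a note such as `// Expected values depend on this public dataset not changing; update alongside s3TestKey if it does.` would save the next person a bisect when it drifts. Both functions continue past the hunk.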
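--- a/internal/tests/integration/integration_test.go
+++ b/internal/tests/integration/integration_test.go
@@ -18,6 +18,7 @@ import (
 gcmd "github.com/hairyhenderson/gomplate/v3/internal/cmd"
 vaultapi "github.com/hashicorp/vault/api"
 "github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
 "gotest.tools/v3/icmd"
 )
 
@@ -54,7 +55,7 @@ func inOutContains(t *testing.T, i, o string) {
 func assertSuccess(t *testing.T, o, e string, err error, expected string) {
 t.Helper()
 
-assert.NoError(t, err)
+require.NoError(t, err)
 assert.Equal(t, "", e)
 assert.Equal(t, expected, o)
 }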
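Review bot: `require.NoError(t, err)` now aborts the helper before the stdout/stderr comparisons run, so on a failed command the captured output is dropped from the failure report unless `err` already carries it; passing it as the message keeps the diagnostics: `require.NoError(t, err, "stdout: %q\nstderr: %q", o, e)`. `require` stops the test via `t.FailNow`, which only takes effect from the goroutine running the test, so any caller that invokes assertSuccess from a spawned goroutine would need a different approach (none is visible in this hunk). A doc comment on the helper, e.g. `// assertSuccess fails the test immediately if err is non-nil, then checks that stderr is empty and stdout equals expected.`, would make the changed semantics explicit to callers.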
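--- a/net/net_test.go
+++ b/net/net_test.go
@@ -15,12 +15,12 @@ func must(r interface{}, err error) interface{} {
 
 func TestLookupIP(t *testing.T) {
 assert.Equal(t, "127.0.0.1", must(LookupIP("localhost")))
-assert.Equal(t, "93.184.216.34", must(LookupIP("example.com")))
+assert.Equal(t, "198.41.0.4", must(LookupIP("a.root-servers.net")))
 }
 
 func TestLookupIPs(t *testing.T) {
 assert.Equal(t, []string{"127.0.0.1"}, must(LookupIPs("localhost")))
-assert.Equal(t, []string{"93.184.216.34"}, must(LookupIPs("example.com")))
+assert.ElementsMatch(t, []string{"1.1.1.1", "1.0.0.1"}, must(LookupIPs("one.one.one.one")))
 }
 
 func TestLookupTXT(t *testing.T) {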
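Review bot: These lookups still go to the live resolver, so TestLookupIP and TestLookupIPs fail offline or behind a resolver that filters or rewrites answers; adding `if testing.Short() { t.Skip("requires network DNS") }` at the top of each keeps `go test -short` hermetic, and exercising LookupIP through a stub resolver would remove the dependency entirely. The new records are about as stable as public DNS gets (a root-server address and Cloudflare's anycast pair) and `ElementsMatch` correctly ignores answer order, but nothing in the file says why these names replaced example.com, which the commit message describes as flaky; a one-line comment, `// a.root-servers.net and one.one.one.one have fixed, well-known addresses; example.com's changed.`, would stop someone swapping them back. TestLookupTXT continues past the hunk.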