cleanup: add linting

Signed-off-by: Christian Kotzbauer <[email protected]>

.github/workflows/code-checks.yml

@@ -0,0 +1,41 @@
+name: code-checks
+
+on:
+  pull_request: {}
+  push:
+    branches:
+      - "**"
+
+jobs:
+  gosec:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.18.3'
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Gosec Security Scanner
+        run: |
+          make bootstrap-tools
+          make lintsec
+
+  golint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.18.3'
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Golint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.46.2
+          args: --timeout 5m

.gitignore

@@ -6,6 +6,7 @@
 *.so
 *.dylib
 dist
+.tmp
 
 # Test binary, build with `go test -c`
 *.test

Makefile

@@ -1,3 +1,7 @@
+TEMPDIR = ./.tmp
+LINTCMD = $(TEMPDIR)/golangci-lint run --timeout 5m
+GOSECCMD = $(TEMPDIR)/gosec ./...
+
 all: build
 
 build: fmt vet
@@ -17,3 +21,17 @@ vet:
 
 test:
 	go test $(shell go list ./...) -coverprofile cover.out
+
+lint:
+	$(LINTCMD)
+
+lintsec:
+	$(GOSECCMD)
+
+$(TEMPDIR):
+	mkdir -p $(TEMPDIR)
+
+.PHONY: bootstrap-tools
+bootstrap-tools: $(TEMPDIR)
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ v1.46.2
+	curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(TEMPDIR)/ v2.12.0

go.mod

@@ -35,7 +35,6 @@ require (
 	github.com/acobaugh/osrelease v0.1.0 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect
-	github.com/anchore/go-rpmdb v0.0.0-20210914181456-a9c52348da63 // indirect
 	github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 // indirect
 	github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7 // indirect
 	github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963 // indirect
@@ -77,8 +76,6 @@ require (
 	github.com/facebookincubator/nvdtools v0.1.4 // indirect
 	github.com/fullstorydev/grpcurl v1.8.2 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.0 // indirect
-	github.com/glebarez/go-sqlite v1.15.1 // indirect
-	github.com/glebarez/sqlite v1.4.1 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect

internal/vuln/daemon/daemon.go

@@ -39,7 +39,11 @@ func Start(cronTime string) {
 	cs.printNextExecution()
 
 	c := cron.New()
-	c.AddFunc(cr, func() { cs.runBackgroundService() })
+	err := c.AddFunc(cr, func() { cs.runBackgroundService() })
+	if err != nil {
+		logrus.WithError(err).Fatal("Could not configure cron")
+	}
+
 	c.Start()
 }
 
@@ -93,8 +97,15 @@ func (c *CronService) runBackgroundService() {
 
 	for _, t := range c.targets {
 		t.Initialize()
-		t.ProcessVulns(allVulns)
-		t.Finalize()
+		err := t.ProcessVulns(allVulns)
+		if err != nil {
+			logrus.WithError(err).Warn("Target could not process vulnerabilities")
+		}
+
+		err = t.Finalize()
+		if err != nil {
+			logrus.WithError(err).Warn("Target could not be finalized")
+		}
 	}
 
 	c.printNextExecution()

internal/vuln/grype/grype.go

@@ -27,7 +27,6 @@ type Grype struct {
 	relatedEntries   map[string]string
 	onlyFixed        bool
 	minSeverity      string
-	grypeConfigFile  string
 }
 
 type grypeConfig struct {
@@ -40,6 +39,7 @@ func New(grypeConfigFile, minSeverity string, onlyFixed, withoutK8s bool) (Grype
 	if grypeConfigFile != "" {
 		_, err := os.Stat(grypeConfigFile)
 		if err == nil {
+			/* #nosec */
 			data, err := os.ReadFile(grypeConfigFile)
 			if err != nil {
 				logrus.WithError(err).Errorf("Count not load grype-config-file at %s", grypeConfigFile)
@@ -87,22 +87,21 @@ func New(grypeConfigFile, minSeverity string, onlyFixed, withoutK8s bool) (Grype
 }
 
 func (s *Grype) ScanItem(item source.ScanItem) ([]Vulnerability, error) {
-	if sbom, ok := item.(source.Sbom); ok {
-		err := os.WriteFile("/tmp/sbom", []byte(sbom.Sbom), 0640)
-		if err != nil {
-			logrus.WithError(err).Error("SBOM could not be saved")
-			return []Vulnerability{}, err
-		}
-	} else if img, ok := item.(source.Image); ok {
-		err := oci.SaveImage("/tmp/image.tar.gz", img.Image)
-		if err != nil {
-			logrus.WithError(fmt.Errorf("failed to save image: %w", err)).Error()
-			return []Vulnerability{}, err
-		}
+	item, err := preprocessScan(item)
+	if err != nil {
+		return []Vulnerability{}, err
 	}
 
 	packages, context, err := pkg.Provide(item.ScanInput(), pkg.ProviderConfig{CatalogingOptions: cataloger.DefaultConfig()})
-	item.Cleanup()
+	if err != nil {
+		logrus.WithError(err).Error("Grype scan failed")
+		return []Vulnerability{}, err
+	}
+
+	err = item.Cleanup()
+	if err != nil {
+		logrus.WithError(err).Warn("File could not be deleted")
+	}
 
 	if err != nil {
 		logrus.WithError(fmt.Errorf("failed to catalog: %w", err)).Error()
@@ -117,6 +116,33 @@ func (s *Grype) ScanItem(item source.ScanItem) ([]Vulnerability, error) {
 	return s.filterVulnerabilities(vulns), nil
 }
 
+func preprocessScan(item source.ScanItem) (source.ScanItem, error) {
+	if sbom, ok := item.(source.Sbom); ok {
+		file, err := os.CreateTemp("", "sbom*")
+		if err != nil {
+			logrus.WithError(err).Error("Error creating temp-file")
+			return nil, err
+		}
+
+		sbom.File = file.Name()
+		_, err = file.WriteString(sbom.Sbom)
+		if err != nil {
+			logrus.WithError(err).Error("SBOM could not be saved")
+			return nil, err
+		}
+
+		return sbom, nil
+	} else if img, ok := item.(source.Image); ok {
+		err := oci.SaveImage("/tmp/image.tar.gz", img.Image)
+		if err != nil {
+			logrus.WithError(fmt.Errorf("failed to save image: %w", err)).Error()
+			return nil, err
+		}
+	}
+
+	return item, nil
+}
+
 func validateDBLoad(loadErr error, status *db.Status) error {
 	if loadErr != nil {
 		return fmt.Errorf("failed to load vulnerability db: %w", loadErr)

internal/vuln/source/source.go

@@ -9,7 +9,7 @@ import (
 type ScanItem interface {
 	ImageId() string
 	ScanInput() string
-	Cleanup()
+	Cleanup() error
 }
 
 type Source interface {
@@ -21,18 +21,19 @@ type Source interface {
 type Sbom struct {
 	Sbom    string
 	ImageID string
+	File    string
 }
 
 func (s Sbom) ImageId() string {
 	return s.ImageID
 }
 
 func (s Sbom) ScanInput() string {
-	return "sbom:/tmp/sbom"
+	return "sbom:" + s.File
 }
 
-func (s Sbom) Cleanup() {
-	os.Remove("/tmp/sbom")
+func (s Sbom) Cleanup() error {
+	return os.Remove(s.File)
 }
 
 type Image struct {
@@ -47,6 +48,6 @@ func (s Image) ScanInput() string {
 	return "docker-archive:/tmp/image.tar.gz"
 }
 
-func (s Image) Cleanup() {
-	os.Remove("/tmp/image.tar.gz")
+func (s Image) Cleanup() error {
+	return os.Remove("/tmp/image.tar.gz")
 }

internal/vuln/target/json/json_target.go

@@ -40,10 +40,11 @@ func (t *JsonTarget) Finalize() error {
 		return err
 	}
 
+	/* #nosec */
 	err = os.MkdirAll(t.reportsDir, 0755)
 	if err != nil {
 		return err
 	}
 
-	return os.WriteFile(t.reportsDir+"/report.json", b, 0644)
+	return os.WriteFile(t.reportsDir+"/report.json", b, 0600)
 }

internal/vuln/util.go

@@ -3,7 +3,6 @@ package vuln
 import (
 	"fmt"
 	"io"
-	"math/rand"
 	"strings"
 
 	"github.com/sirupsen/logrus"
@@ -13,17 +12,32 @@ import (
 )
 
 // BindFlags binds each cobra flag to its associated viper configuration (environment variable)
-func BindFlags(cmd *cobra.Command, args []string) {
+func BindFlags(cmd *cobra.Command, args []string) error {
+	var e error
 	cmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
-		viper.BindEnv(f.Name, flagToEnvVar(f.Name))
-		viper.BindPFlag(f.Name, cmd.PersistentFlags().Lookup(f.Name))
+		err := viper.BindEnv(f.Name, flagToEnvVar(f.Name))
+		if err != nil && e == nil {
+			e = err
+			return
+		}
+
+		err = viper.BindPFlag(f.Name, cmd.PersistentFlags().Lookup(f.Name))
+		if err != nil && e == nil {
+			e = err
+			return
+		}
 
 		// Apply the viper config value to the flag when the flag is not set and viper has a value
 		if !f.Changed && viper.IsSet(f.Name) {
 			val := viper.Get(f.Name)
-			cmd.Flags().Set(f.Name, fmt.Sprintf("%v", val))
+			err := cmd.Flags().Set(f.Name, fmt.Sprintf("%v", val))
+			if err != nil && e == nil {
+				e = err
+			}
 		}
 	})
+
+	return e
 }
 
 // flagToEnvVar converts command flag name to equivalent environment variable name
@@ -50,17 +64,6 @@ func Unescape(s string) string {
 	return s
 }
 
-const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
-
-//  RandStringBytes generates a random string with the given length
-func RandStringBytes(n int) string {
-	b := make([]byte, n)
-	for i := range b {
-		b[i] = letterBytes[rand.Intn(len(letterBytes))]
-	}
-	return string(b)
-}
-
 // Unique removes all duplicate values from the given slice
 func Unique(stringSlice []string) []string {
 	keys := make(map[string]bool)

main.go

@@ -26,9 +26,9 @@ var (
 	daemonCron string
 
 	rootCmd = &cobra.Command{
-		Use:              "vulnerability-operator",
-		Short:            "An operator for scanning SBOMs for vulnerabilities.",
-		PersistentPreRun: vuln.BindFlags,
+		Use:               "vulnerability-operator",
+		Short:             "An operator for scanning SBOMs for vulnerabilities.",
+		PersistentPreRunE: vuln.BindFlags,
 		Run: func(cmd *cobra.Command, args []string) {
 			vuln.SetUpLogs(os.Stdout, verbosity)
 			printVersion()
@@ -85,5 +85,8 @@ func health(w http.ResponseWriter, req *http.Request) {
 }
 
 func main() {
-	rootCmd.Execute()
+	err := rootCmd.Execute()
+	if err != nil {
+		panic(err)
+	}
 }