chore(security): Support Go Vulnerability Management (#21139)

See https://go.dev/security/vuln/ Signed-off-by: Bo-Yi.Wu <appleboy.tw@gmail.com> Signed-off-by: Bo-Yi.Wu <appleboy.tw@gmail.com>
2 years ago · 24b5a384d2
parent 77c916f6d9
commit 24b5a384d2
2 changed files with 16 additions and 0 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -39,6 +39,16 @@ steps:
      - make lint-frontend
    depends_on: [deps-frontend]

+  - name: security-check
+    image: golang:1.19
+    pull: always
+    commands:
+      - make security-check
+    depends_on: [deps-backend]
+    volumes:
+      - name: deps
+        path: /go
+
  - name: lint-backend
    image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
    pull: always
--- a/6
+++ b/6
@ -35,6 +35,7 @@ MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/misspell@v0.3.4
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.0
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.3.0
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@latest

 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
@ -728,6 +729,10 @@ generate-go: $(TAGS_PREREQ)
 	@echo "Running go generate..."
 	@CC= GOOS= GOARCH= $(GO) generate -tags '$(TAGS)' $(GO_PACKAGES)

+.PHONY: security-check
+security-check:
+	govulncheck -v ./...
+
 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@

@ -813,6 +818,7 @@ deps-backend:
 	$(GO) install $(SWAGGER_PACKAGE)
 	$(GO) install $(XGO_PACKAGE)
 	$(GO) install $(GO_LICENSES_PACKAGE)
+	$(GO) install $(GOVULNCHECK_PACKAGE)

 node_modules: package-lock.json
 	npm install --no-save