-
Notifications
You must be signed in to change notification settings - Fork 6
/
Makefile
128 lines (105 loc) · 4.45 KB
/
Makefile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# Copyright 2023 The Go Authors. All rights reserved.
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
# Makefile for common tasks.
default:
@echo "usage: make TARGET"
# Copy a gzipped tar of a Go docker image from a bucket.
# This is the image that is used by the sandbox.
# The file must live in the repo directory so that cmd/worker/Dockerfile
# can access it.
# We assume that the file exists in the bucket.
# See the rule below for how to create the image.
go-image.tar.gz:
gsutil cp gs://go-ecosystem/$@ $@
# Use this rule to build a go image for a specific Go version.
# E.g.
# make go-image-1.19.4.tar.gz
# To change the sandbox image permanently, copy it to GCP:
#
# gsutil cp go-image.1.19.4.tar.gz gs://go-ecosystem/go-image.tar.gz
# Then delete the local copy.
go-image-%.tar.gz:
docker export $(shell docker create golang:$*) | gzip > go-image-$*.tar.gz
# Download the Go vulnerability DB to a local directory, so vulndb can access it
# from the sandbox, which has no network connectivity.
#
# Get the last-modified time of the index.json file, which is reported as the
# last-modified time of the DB, and save it to a local file. (The last-modified
# time of the local index.json is not what we want: it is the time that gsutil cp
# wrote the file.)
#
# This directory must live in the repo directory so that cmd/worker/Dockerfile
# can access it.
go-vulndb:
gsutil -m -q cp -r gs://go-vulndb .
gsutil stat gs://go-vulndb/index.json | \
awk '$$1 == "Update" { for (i = 4; i <= NF; i++) printf("%s ", $$i); printf("\n"); }' \
> go-vulndb/LAST_MODIFIED
# Remove comments from a json file.
%.json: %.json.commented
sed '/^[ \t]*#/d' $< > $@
IMAGE := ecosystem-worker-test
# Enable the docker container to authenticate to Google Cloud.
# This assumes the user has run "gcloud auth application-default login".
DOCKER_AUTH_ARGS := -v "$(HOME)/.config/gcloud:/creds" \
--env GOOGLE_APPLICATION_CREDENTIALS=/creds/application_default_credentials.json
DOCKER_RUN_ARGS := --rm --privileged -p 8080:8080 \
--env GO_ECOSYSTEM_BINARY_BUCKET=go-ecosystem \
$(DOCKER_AUTH_ARGS)
DOCKER_ID_FILE := /tmp/ecosystem-docker-container-id
# Build a docker image for testing.
# This target is a local file that marks the time of the last
# docker build. We use a file because make uses only local file timestamps to determine
# whether a target needs to be regenerated.
docker-build: go-image.tar.gz go-vulndb cmd/worker/*.go internal/**/*.go cmd/govulncheck_sandbox/* config.json cmd/worker/Dockerfile
docker build -f cmd/worker/Dockerfile -t $(IMAGE) . \
--build-arg DOCKER_IMAGE=$(IMAGE) \
--build-arg BQ_DATASET=disable
touch $@
# Run the docker image locally, for testing.
# The worker will start and listen at port 8080.
docker-run: docker-build
docker run $(DOCKER_RUN_ARGS) $(IMAGE)
# Run the docker image and enter an interactive shell.
# The worker does not start.
docker-run-shell: docker-build
docker run -it $(DOCKER_RUN_ARGS) $(IMAGE) /bin/bash
# Run the docker image in the background, waiting until the server is ready.
docker-run-bg: docker-build
docker run --detach $(DOCKER_RUN_ARGS) $(IMAGE) > $(DOCKER_ID_FILE)
while ! curl -s --head http://localhost:8080 > /dev/null; do sleep 1; done
test: docker-run-bg govulncheck-test analysis-test
docker container stop `cat $(DOCKER_ID_FILE)`
GOVULNCHECK_TEST_FILE := /tmp/vtest.out
# Test by scanning a small module.
govulncheck-test:
curl -s 'http://localhost:8080/govulncheck/scan/github.com/fossas/[email protected]?importedby=1&serve=true' > $(GOVULNCHECK_TEST_FILE)
@if [[ `grep -c GO-2020-0016 $(GOVULNCHECK_TEST_FILE)` -ge 2 ]]; then \
echo PASS; \
rm $(GOVULNCHECK_TEST_FILE); \
else \
echo FAIL; \
echo "output in $(GOVULNCHECK_TEST_FILE)"; \
docker container stop `cat $(DOCKER_ID_FILE)`; \
exit 1; \
fi
ANALYSIS_TEST_FILE := /tmp/atest.out
analysis-test:
curl -sa 'http://localhost:8080/analysis/scan/github.com/jba/[email protected]?binary=findcall&args=-name+stringsCut&serve=true' > $(ANALYSIS_TEST_FILE)
@if grep -q Diagnostics $(ANALYSIS_TEST_FILE); then \
echo PASS; \
rm $(ANALYSIS_TEST_FILE); \
else \
echo FAIL; \
echo "output in $(ANALYSIS_TEST_FILE)"; \
docker container stop `cat $(DOCKER_ID_FILE)`; \
exit 1; \
fi
clean:
rm -f go-image.tar.gz
rm -rf go-vulndb
rm -f config.json
rm -f govulncheck_sandbox
.PHONY: docker-run docker-run-bg test govulncheck-test analysis-test \
clean build-go-image