
Fix Go lookup code scanning alerts #34

Fix Go lookup code scanning alerts

Fix Go lookup code scanning alerts #34

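# Static analysis gates for the C, Rust, Go and workflow/shell sources of this
# repository. Every job runs with a read-only token; only go-static adds
# security-events: write so it can upload gosec SARIF to code scanning.
name: Static Analysis

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    # Weekly run (minute 29, hour 03 UTC, Tuesday) so advisory checks also fire
    # without a push.
    - cron: "29 03 * * 2"
  workflow_dispatch:

# Least-privilege default for every job; a job that needs more re-declares it.
permissions:
  actions: read
  contents: read

# One run per workflow+ref; a newer push cancels the in-flight run for that ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  c-static:
    name: C Static Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not leave the job token in .git/config for later steps to read.
          persist-credentials: false
      - name: Install C analysis tools
        run: |
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends clang-tidy cppcheck flawfinder
      # Exports compile_commands.json into build-static for clang-tidy (-p below).
      - name: Configure compile database
        run: cmake -S . -B build-static -DCMAKE_BUILD_TYPE=Debug -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
      - name: Build C targets
        run: cmake --build build-static --parallel --target netipc_protocol netipc_uds netipc_shm netipc_service
      # Collects the protocol and POSIX transport sources plus the service
      # entry file; failing on an empty list guards against a silently moved
      # source tree making the step a no-op.
      - name: Run clang-tidy on C library sources
        run: |
          mapfile -t c_files < <(
            find src/libnetdata/netipc/src/protocol src/libnetdata/netipc/src/transport/posix -type f -name '*.c' | sort
            printf '%s\n' src/libnetdata/netipc/src/service/netipc_service.c
          )
          if [ "${#c_files[@]}" -eq 0 ]; then
            echo "No C source files found" >&2
            exit 1
          fi
          clang-tidy -p build-static "${c_files[@]}"
      # --error-exitcode=1 makes any reported issue fail the job; inline
      # suppressions (// cppcheck-suppress) are honoured via --inline-suppr.
      - name: Run cppcheck
        run: |
          cppcheck \
            --enable=warning,performance,portability \
            --error-exitcode=1 \
            --force \
            --inline-suppr \
            --std=c11 \
            --suppress=missingIncludeSystem \
            --suppress=unmatchedSuppression \
            -Isrc/libnetdata/netipc/include \
            src/libnetdata/netipc
      # Only the highest flawfinder risk level (5) is reported and treated as an
      # error; lower levels are deliberately not gated here.
      - name: Run flawfinder
        run: flawfinder --minlevel=5 --error-level=5 src/libnetdata/netipc tests

  rust-static:
    name: Rust Static Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install Rust components
        run: rustup component add rustfmt clippy
      - name: Check Rust formatting
        run: cargo fmt --manifest-path src/crates/netipc/Cargo.toml --all --check
      # --no-run compiles every test target (all features) without executing it.
      - name: Build Rust test targets
        run: cargo test --manifest-path src/crates/netipc/Cargo.toml --all-targets --all-features --no-run
      # Only the correctness and suspicious lint groups are denied; style and
      # pedantic lints remain warnings.
      - name: Run Clippy correctness gates
        run: |
          cargo clippy \
            --manifest-path src/crates/netipc/Cargo.toml \
            --all-targets \
            --all-features \
            -- \
            -D clippy::correctness \
            -D clippy::suspicious
      # NOTE(review): --locked pins each tool's own dependency graph but not the
      # tool version, so a newly published release changes what this job runs;
      # consider adding --version <tag> once a release is chosen.
      - name: Install Rust advisory tools
        run: |
          cargo install cargo-audit --locked
          cargo install cargo-deny --locked
      # cargo audit: RustSec advisories; cargo deny: advisories, banned crates
      # and allowed registry/git sources (policy comes from the crate's config).
      - name: Audit Rust dependencies
        working-directory: src/crates/netipc
        run: |
          cargo audit
          cargo deny check advisories bans sources

  go-static:
    name: Go Static Analysis (${{ matrix.module }})
    runs-on: ubuntu-latest
    # security-events: write is needed by codeql-action/upload-sarif and is
    # scoped to this job only. Pull requests from forks do not get it, which
    # the upload step's condition accounts for.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      # Analyse every module even when one of them fails.
      fail-fast: false
      matrix:
        module:
          - src/go
          - tests/fixtures/go
          - bench/drivers/go
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          # Each module carries its own toolchain pin in go.mod.
          go-version-file: ${{ matrix.module }}/go.mod
          cache: false
      # NOTE(review): @latest resolves at run time, so the analyzer versions are
      # neither reproducible nor reviewable; pin each tool to a tagged version
      # once one is chosen.
      - name: Install Go analysis tools
        run: |
          go install honnef.co/go/tools/cmd/staticcheck@latest
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run Go tests and vet
        working-directory: ${{ matrix.module }}
        run: |
          go test ./...
          go vet ./...
      # Tools installed by `go install` land in $(go env GOPATH)/bin, which is
      # not on PATH by default, hence the explicit path.
      - name: Run Staticcheck
        working-directory: ${{ matrix.module }}
        run: '"$(go env GOPATH)/bin/staticcheck" ./...'
      - name: Run Govulncheck
        working-directory: ${{ matrix.module }}
        run: '"$(go env GOPATH)/bin/govulncheck" ./...'
      # gosec exits non-zero when it reports findings. `set +e` undoes the
      # runner's default errexit so the status can be captured; the step itself
      # always succeeds so the SARIF is uploaded before the job is failed in
      # "Report gosec status". Rule G404 is excluded by the author.
      - name: Run gosec
        id: gosec
        working-directory: ${{ matrix.module }}
        run: |
          set +e
          "$(go env GOPATH)/bin/gosec" \
            -quiet \
            -fmt sarif \
            -out gosec.sarif \
            -exclude=G404 \
            ./...
          status=$?
          echo "status=$status" >> "$GITHUB_OUTPUT"
          exit 0
      # Writes an empty-but-valid SARIF when gosec ran and left no file, so the
      # upload still has an input. Gated on the gosec step's outcome rather
      # than always(): when gosec was skipped because an earlier step failed,
      # uploading an empty report would be read by code scanning as "no
      # findings" and could close existing gosec alerts for this category.
      - name: Ensure gosec SARIF exists
        if: always() && steps.gosec.outcome == 'success'
        working-directory: ${{ matrix.module }}
        run: |
          if [ -s gosec.sarif ]; then
            exit 0
          fi
          cat > gosec.sarif <<'EOF'
          {
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [
              {
                "tool": {
                  "driver": {
                    "name": "Golang security checks by gosec",
                    "informationUri": "https://github.com/securego/gosec",
                    "rules": []
                  }
                },
                "results": []
              }
            ]
          }
          EOF
      # Upload only when a SARIF exists and the token can have
      # security-events: write (same-repository PRs, pushes, schedule, manual).
      # Fork PRs get a read-only token, so the upload is skipped rather than
      # failed there; one category per module keeps alerts separated.
      - name: Upload gosec SARIF
        if: always() && hashFiles(format('{0}/gosec.sarif', matrix.module)) != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
        uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
        with:
          sarif_file: ${{ matrix.module }}/gosec.sarif
          category: gosec/${{ matrix.module }}
      # Fails the job on gosec findings after the upload has had its chance.
      # The outcome check avoids a misleading second failure with an empty
      # status when gosec itself never ran.
      - name: Report gosec status
        if: always() && steps.gosec.outcome == 'success' && steps.gosec.outputs.status != '0'
        env:
          GOSEC_STATUS: ${{ steps.gosec.outputs.status }}
        run: |
          echo "gosec reported findings with status ${GOSEC_STATUS}; SARIF was uploaded when token permissions allowed it." >&2
          exit 1

  workflow-static:
    name: Workflow and Shell Static Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      # Go is only needed here to build actionlint from source.
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: src/go/go.mod
          cache: false
      # NOTE(review): actionlint@latest is unpinned like the Go tools above;
      # pin to a tagged version once one is chosen.
      - name: Install workflow and shell analyzers
        run: |
          go install github.com/rhysd/actionlint/cmd/actionlint@latest
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends shellcheck
      # actionlint discovers .github/workflows on its own when run at the
      # repository root.
      - name: Run actionlint
        run: '"$(go env GOPATH)/bin/actionlint"'
      # Only error-severity ShellCheck findings gate; the file list is explicit.
      - name: Run ShellCheck error gate
        run: shellcheck --severity=error diff-netdata-vendor.sh vendor-to-netdata.sh tests/*.sh .agents/sow/audit.sh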