cmd/govulncheck/integration: add integration test for binary scan
Motivated by https://go-review.git.corp.google.com/c/vuln/+/435123.
Change-Id: Ie18171b894dddc039fdb5959077bc0afa4454cd7
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/437408
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Julie Qiu <julie@golang.org>
diff --git a/cmd/govulncheck/integration/Dockerfile b/cmd/govulncheck/integration/Dockerfile
index 5b65690..f33c843 100644
--- a/cmd/govulncheck/integration/Dockerfile
+++ b/cmd/govulncheck/integration/Dockerfile
@@ -1,10 +1,11 @@
+# golang:1.18 will use go1.18.7 version.
FROM golang:1.18-alpine
# This Dockerfile sets up an image for repeated integration testing.
# This assumes the build context, i.e., CWD is vuln/
# ---- Step 0: Setup shared build tools. ----
-RUN apk update && apk add bash git gcc musl-dev linux-headers
+RUN apk update && apk add bash git gcc musl-dev linux-headers gcompat
# ---- Step 1: Build govulncheck ----
COPY . /go/src/golang.org/x/vuln
@@ -12,4 +13,6 @@
RUN go install golang.org/x/vuln/cmd/govulncheck
# ---- Step 2: Build other test binaries ----
+RUN go install golang.org/dl/go1.18@latest
RUN go install golang.org/x/vuln/cmd/govulncheck/integration/k8s
+RUN go install golang.org/x/vuln/cmd/govulncheck/integration/stackrox-scanner
diff --git a/cmd/govulncheck/integration/integration_run.sh b/cmd/govulncheck/integration/integration_run.sh
index 8ad23e5..59caabb 100755
--- a/cmd/govulncheck/integration/integration_run.sh
+++ b/cmd/govulncheck/integration/integration_run.sh
@@ -3,6 +3,23 @@
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file.
+#!/bin/bash
+
+# List of all projects for which integration test failed, if any.
+failed=()
+
+# Update status of the integration script. The first argument is
+# the exit code for the integration run of a project and the second
+# argument is the project name.
+update_status(){
+ if [ $1 -ne 0 ]; then
+ failed+=($2)
+ fi
+}
+
+# Print go version for debugging purposes. Expected to be go1.18.7.
+go version
+
# Clone kubernetes to a dedicated directory.
dir="$GOPATH/src/kubernetes"
if [ -d $dir ]; then
@@ -16,13 +33,33 @@
pushd $dir
cd pkg
git checkout tags/v1.15.11
-govulncheck --json ./... &> govulncheck.txt
-k8s govulncheck.txt
-exitcode=$?
+govulncheck --json ./... &> k8s.txt
+k8s k8s.txt
+update_status $? "kubernetes(source)"
popd
-if [ ${exitcode} -ne 0 ]; then
- echo "FAIL: got exit code $exitcode, want 0"
+# Clone scanner to a dedicated directory.
+dir="$GOPATH/src/scanner"
+if [ -d $dir ]; then
+ echo "Destination scanner already exists. Using the existing code."
+else
+ git clone https://github.com/stackrox/scanner.git "${dir}"
+fi
+
+pushd $dir
+# We build scanner binary using go.18 as that will generate vulnerabilities;
+# go1.18.7 will not.
+go1.18 download
+# Use scanner at specific commit and tag version for reproducibility.
+git checkout 29b8761da747
+go1.18 build -trimpath -ldflags="-X github.com/stackrox/scanner/pkg/version.Version=2.26-29-g29b8761da7-dirty" -o image/scanner/bin/scanner ./cmd/clair
+govulncheck --json ./image/scanner/bin/scanner &> scan.txt
+stackrox-scanner scan.txt
+update_status $? "stackrox-scanner(binary)"
+popd
+
+if [ ${#failed[@]} -ne 0 ]; then
+ echo "FAIL: integration run failed for the following projects: ${failed[*]}"
exit 1
fi
echo PASS
diff --git a/cmd/govulncheck/integration/stackrox-scanner/scanner.go b/cmd/govulncheck/integration/stackrox-scanner/scanner.go
new file mode 100644
index 0000000..e420e8c
--- /dev/null
+++ b/cmd/govulncheck/integration/stackrox-scanner/scanner.go
@@ -0,0 +1,81 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+ "encoding/json"
+ "log"
+ "os"
+
+ "github.com/google/go-cmp/cmp"
+ "golang.org/x/vuln/vulncheck"
+)
+
+const usage = `test helper for examining the output of running govulncheck on
+stackrox-io/scanner binary (https://quay.io/repository/stackrox-io/scanner).
+
+Example usage: ./stackrox-scanner [path to output file]
+`
+
+func main() {
+ if len(os.Args) != 2 {
+ log.Fatal("Incorrect number of expected command line arguments", usage)
+ }
+ out := os.Args[1]
+
+ outJson, err := os.ReadFile(out)
+ if err != nil {
+ log.Fatal("Failed to read:", out)
+ }
+
+ var r vulncheck.Result
+ if err := json.Unmarshal(outJson, &r); err != nil {
+ log.Fatal("Failed to load json into vulncheck.Result:", err)
+ }
+
+ if len(r.Vulns) != 36 {
+ log.Fatalf("want 36 vulns; got %d", len(r.Vulns))
+ }
+
+ type vuln struct {
+ pkg string
+ symbol string
+ }
+ symbolVulns := make(map[vuln]bool)
+ for _, v := range r.Vulns {
+ symbolVulns[vuln{v.PkgPath, v.Symbol}] = true
+ }
+
+ want := map[vuln]bool{
+ {pkg: "net/http", symbol: "Server.ListenAndServe"}: true,
+ {pkg: "net/http", symbol: "Server.ListenAndServeTLS"}: true,
+ {pkg: "net/http", symbol: "Server.Serve"}: true,
+ {pkg: "net/http", symbol: "Server.ServeTLS"}: true,
+ {pkg: "net/http", symbol: "http2Server.ServeConn"}: true,
+ {pkg: "net/http", symbol: "http2serverConn.goAway"}: true,
+ {pkg: "net/http", symbol: "transferReader.parseTransferEncoding"}: true,
+ {pkg: "path/filepath", symbol: "Glob"}: true,
+ {pkg: "regexp/syntax", symbol: "Parse"}: true,
+ {pkg: "regexp/syntax", symbol: "parse"}: true,
+ {pkg: "regexp/syntax", symbol: "parser.factor"}: true,
+ {pkg: "regexp/syntax", symbol: "parser.push"}: true,
+ {pkg: "regexp/syntax", symbol: "parser.repeat"}: true,
+ {pkg: "archive/tar", symbol: "Reader.Next"}: true,
+ {pkg: "archive/tar", symbol: "Reader.next"}: true,
+ {pkg: "archive/tar", symbol: "parsePAX"}: true,
+ {pkg: "compress/gzip", symbol: "Reader.Read"}: true,
+ {pkg: "crypto/tls", symbol: "serverHandshakeStateTLS13.sendSessionTickets"}: true,
+ {pkg: "encoding/pem", symbol: "Decode"}: true,
+ {pkg: "encoding/xml", symbol: "Decoder.DecodeElement"}: true,
+ {pkg: "encoding/xml", symbol: "Decoder.Skip"}: true,
+ {pkg: "encoding/xml", symbol: "Decoder.unmarshal"}: true,
+ {pkg: "encoding/xml", symbol: "Decoder.unmarshalPath"}: true,
+ {pkg: "net/http", symbol: "Header.Clone"}: true,
+ }
+
+ if diff := cmp.Diff(want, symbolVulns); diff != "" {
+ log.Fatalf("present vulnerable symbols mismatch (-want, +got):\n%s", diff)
+ }
+}