feat: new command "scan-source" #555

Draft: wants to merge 1 commit into main

Conversation

@luhring (Member) commented Jan 15, 2024

Adds a new experimental command to start letting us do source code scans of our distro packages. The goal here is to both:

  1. find vulnerabilities that are otherwise obscured by our build process and thus not detectable in package/image scans
  2. realize false positives via analyses like the call graph analysis in govulncheck that otherwise appear to be true positives in simple binary scans.
```
wolfictl scan-source [-d path/to/distro/dir] [-v] package
```

For now, this just uses govulncheck, wired in as a library. But in subsequent iterations we can add Grype or other scanners that will help surface findings in raw source code.

To finish this first iteration, there's a handful of tasks left to do:

  • Support fetch pipelines (currently this just supports git-checkout pipelines)
  • Consider using breakpoints or something similar to allow Melange pipeline configurations to specify the optimal scan point (it may be further into the pipeline than just after retrieving the upstream source code, particularly if code or dependencies are modified)
  • Tests
  • Docs
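The call-graph distinction behind point 2 above, as an added example that is not part of this PR or of wolfictl: it reads a govulncheck -json stream and keeps, per advisory, only the strongest evidence level, so module-level and import-level findings (what a plain binary scan would also report) are separated from findings the scanned code actually calls. The sample stream and the GO-0000-EXAMPLE IDs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal model of govulncheck's -json "finding" messages (no struct tags:
// encoding/json matches keys like "osv" case-insensitively). trace[0] is the
// most specific frame: function = called, package = imported, module = required.
type (
	Frame   struct{ Module, Package, Function string }
	Finding struct{ OSV string; Trace []Frame }
	Message struct{ Finding *Finding }
)

var rank = map[string]int{"required": 1, "imported": 2, "called": 3}
// Classify keeps the strongest evidence level seen per OSV ID (called beats imported beats required).
func Classify(stream string) (map[string]string, error) {
	out := map[string]string{}
	dec := json.NewDecoder(strings.NewReader(stream))
	for dec.More() {
		var m Message
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue // config, progress and osv messages carry no finding
		}
		top, level := m.Finding.Trace[0], "required"
		if top.Function != "" {
			level = "called"
		} else if top.Package != "" {
			level = "imported"
		}
		if rank[level] > rank[out[m.Finding.OSV]] {
			out[m.Finding.OSV] = level
		}
	}
	return out, nil
}

// Constructed sample stream; the OSV IDs are placeholders, not real advisories.
const sample = `{"config":{"scanner_name":"govulncheck"}} {"finding":{"osv":"GO-0000-EXAMPLE1","trace":[{"module":"example.com/dep"}]}}
{"finding":{"osv":"GO-0000-EXAMPLE1","trace":[{"module":"example.com/dep","package":"example.com/dep/pkg","function":"Parse"}]}}
{"finding":{"osv":"GO-0000-EXAMPLE2","trace":[{"module":"example.com/other","package":"example.com/other"}]}}`
func main() {
	fmt.Println(Classify(sample)) // map[GO-0000-EXAMPLE1:called GO-0000-EXAMPLE2:imported] <nil>
}
```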
