ci: add linting, code coverage and other useful checks (openshift#27)

shibumi · web-flow · commit df0ccdeedb15 · 2022-03-15T22:23:26.000+02:00
chore: introduce hardened binaries and code coverage

Add new different targets for CI pipeline + add .golangci.yml
file for linter configuration.
- fix: potential file inclusion
diff --git a/.codecov.yml b/.codecov.yml
@@ -0,0 +1,26 @@
+codecov:
+  notify:
+    require_ci_to_pass: no
+
+coverage:
+  precision: 2
+  round: down
+  range: "20...100"
+
+  status:
+    project: no
+    patch: no
+    changes: no
+
+parsers:
+  gcov:
+    branch_detection:
+      conditional: yes
+      loop: yes
+      method: no
+      macro: no
+
+comment:
+  layout: "reach,diff,flags,tree"
+  behavior: default
+  require_changes: no
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 /bin
+dist
+*.out
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,27 @@
+run:
+  # Our CI expects a vendor directory, hence we have to use -mod=readonly here as well.
+  modules-download-mode: readonly
+
+issues:
+  # on default, golangci-lint excludes gosec. Hence, we have to
+  # explicitly disable the exclude-use-default: https://github.com/golangci/golangci-lint/issues/1504
+  exclude-use-default: false
+
+# individual linter configs go here
+linters-settings:
+
+# default linters are enabled `golangci-lint help linters`
+linters:
+  disable-all: true
+  enable:
+    - deadcode
+    - errcheck
+    - gosimple
+    - govet
+    - gosec
+    - ineffassign
+    - staticcheck
+    - structcheck
+    - typecheck
+    - unused
+    - varcheck
diff --git a/Makefile b/Makefile
@@ -1,26 +1,38 @@
 # Binaries used in Makefile
 bin/cobra:
-	GOBIN=$(PWD)/bin go install $(shell go list -m -f '{{ .Path}}/cobra@{{ .Version }}' github.com/spf13/cobra)
+	GOBIN=$(PWD)/bin go install -mod=readonly $(shell go list -m -f '{{ .Path}}/cobra@{{ .Version }}' github.com/spf13/cobra)
 
 cadctl/cadctl: cadctl/**/*.go pkg/**/*.go go.mod go.sum
-	GOBIN=$(PWD)/cadctl go install $(PWD)/cadctl
+	GOBIN=$(PWD)/cadctl go install -ldflags="-s -w -extldflags=-zrelro -extldflags=-znow" -buildmode=pie -mod=readonly -trimpath $(PWD)/cadctl
+
+bin/gosec:
+	GOBIN=$(PWD)/bin go install -mod=readonly github.com/securego/gosec/v2/cmd/gosec@v2.10.0
+
+bin/golangci-lint:
+	GOBIN=$(PWD)/bin go install -mod=readonly github.com/golangci/golangci-lint/cmd/golangci-lint@v1.44.2
 
 # Actions
 .DEFAULT_GOAL := all
 .PHONY: all
 all: build test
 
+# build uses the following Go flags:
+# -s -w for stripping the binary (making it smaller)
+# the extended flags are for enabling ELF hardening features. 
+# See also:  https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
+# -mod=readonly and -trimpath are for generating reproducible/verifiable binaries. See also: https://reproducible-builds.org/
+# For more information about -buildmode=pie https://www.redhat.com/en/blog/position-independent-executables-pie
 .PHONY: build
 build:
-	go build ./...
+	go build -ldflags="-s -w -extldflags=-zrelro -extldflags=-znow" -buildmode=pie -mod=readonly -trimpath ./...
 
 .PHONY: test
 test:
-	go test ./...
+	go test -race -mod=readonly ./...
 
 .PHONY: test-with-coverage
 test-with-coverage:
-	go test -cover ./...
+	go test -cover -mod=readonly ./...
 
 .PHONY: cadctl-install-local
 cadctl-install-local: cadctl/cadctl
@@ -37,6 +49,12 @@ cadctl-install-local-force:
 isclean: ## Validate the local checkout is clean. Use ALLOW_DIRTY_CHECKOUT=true to nullify
 	@(test "$(ALLOW_DIRTY_CHECKOUT)" != "false" || test 0 -eq $$(git status --porcelain | wc -l)) || (echo "Local git checkout is not clean, commit changes and try again." >&2 && exit 1)
 
-# not using the 'all' target to make the target independent
-.PHONY: ci-check
-ci-check: build test isclean
+.PHONY: coverage
+coverage: hack/codecov.sh
+
+.PHONY: lint
+lint: bin/golangci-lint
+	GOLANGCI_LINT_CACHE=$(shell mktemp -d) ./bin/golangci-lint run
+
+.PHONY: validate
+validate: build isclean
diff --git a/hack/codecov.sh b/hack/codecov.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+CI_SERVER_URL=https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test
+COVER_PROFILE=${COVER_PROFILE:-coverage.out}
+JOB_TYPE=${JOB_TYPE:-"local"}
+
+# Default concurrency to four threads. By default it's the number of procs,
+# which seems to be 16 in the CI env. Some consumers' coverage jobs were
+# regularly getting OOM-killed; so do this rather than boost the pod resources
+# unreasonably.
+COV_THREAD_COUNT=${COV_THREAD_COUNT:-4}
+make -C "${REPO_ROOT}" go-test TESTOPTS="-coverprofile=${COVER_PROFILE}.tmp -covermode=atomic -coverpkg=./... -p ${COV_THREAD_COUNT}"
+
+# Remove generated files from coverage profile
+grep -v "zz_generated" "${COVER_PROFILE}.tmp" > "${COVER_PROFILE}"
+rm -f "${COVER_PROFILE}.tmp"
+
+# Configure the git refs and job link based on how the job was triggered via prow
+if [[ "${JOB_TYPE}" == "presubmit" ]]; then
+       echo "detected PR code coverage job for #${PULL_NUMBER}"
+       REF_FLAGS="-P ${PULL_NUMBER} -C ${PULL_PULL_SHA}"
+       JOB_LINK="${CI_SERVER_URL}/pr-logs/pull/${REPO_OWNER}_${REPO_NAME}/${PULL_NUMBER}/${JOB_NAME}/${BUILD_ID}"
+elif [[ "${JOB_TYPE}" == "postsubmit" ]]; then
+       echo "detected branch code coverage job for ${PULL_BASE_REF}"
+       REF_FLAGS="-B ${PULL_BASE_REF} -C ${PULL_BASE_SHA}"
+       JOB_LINK="${CI_SERVER_URL}/logs/${JOB_NAME}/${BUILD_ID}"
+elif [[ "${JOB_TYPE}" == "local" ]]; then
+       echo "coverage report available at ${COVER_PROFILE}"
+       exit 0
+else
+       echo "${JOB_TYPE} jobs not supported" >&2
+       exit 1
+fi
+
+# Configure certain internal codecov variables with values from prow.
+export CI_BUILD_URL="${JOB_LINK}"
+export CI_BUILD_ID="${JOB_NAME}"
+export CI_JOB_ID="${BUILD_ID}"
+
+if [[ "${JOB_TYPE}" != "local" ]]; then
+       if [[ -z "${ARTIFACT_DIR:-}" ]] || [[ ! -d "${ARTIFACT_DIR}" ]] || [[ ! -w "${ARTIFACT_DIR}" ]]; then
+              echo '${ARTIFACT_DIR} must be set for non-local jobs, and must point to a writable directory' >&2
+              exit 1
+       fi
+       curl -sS https://codecov.io/bash -o "${ARTIFACT_DIR}/codecov.sh"
+       bash <(cat "${ARTIFACT_DIR}/codecov.sh") -Z -K -f "${COVER_PROFILE}" -r "${REPO_OWNER}/${REPO_NAME}" ${REF_FLAGS}
+else
+       bash <(curl -s https://codecov.io/bash) -Z -K -f "${COVER_PROFILE}" -r "${REPO_OWNER}/${REPO_NAME}" ${REF_FLAGS}
+fi
diff --git a/pkg/pagerduty/pagerduty.go b/pkg/pagerduty/pagerduty.go
@@ -8,6 +8,7 @@ import (
 	"io/fs"
 	"net/http"
 	"os"
+	"path/filepath"
 	"reflect"
 	"time"
 
@@ -203,7 +204,11 @@ type fileReader interface {
 type RealFileReader struct{}
 
 func (_ RealFileReader) ReadFile(name string) ([]byte, error) {
-	return os.ReadFile(name)
+	target, err := os.ReadFile(filepath.Clean(name))
+	if err != nil {
+		return []byte{}, err
+	}
+	return target, nil
 }
 
 type WebhookPayloadToIncidentID struct {
