Merge pull request #1120 from xnox/go-fips-deps

Go fips deps

.github/workflows/go-tests.yaml

@@ -23,6 +23,11 @@ jobs:
           go-version: '1.21'
           check-latest: true
 
+      - name: Install bubblewrap
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y bubblewrap
+
       - name: Checkout code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 

Makefile

@@ -146,7 +146,9 @@ lint: checkfmt setup-golangci-lint ## Run linters and checks like golangci-lint
 	$(GOLANGCI_LINT_BIN) run --verbose --concurrency 4 --deadline 3m0s  --skip-dirs .modcache ./...
 
 .PHONY: test
-test: ## Run go test
+test: melange ## Run go test
+	# build test package
+	 ./melange build --generate-index=false pkg/sca/testdata/go-fips-bin/go-fips-bin.yaml --arch=`uname -m` --source-dir=pkg/sca/testdata/go-fips-bin/ --out-dir pkg/sca/testdata/go-fips-bin/packages/ --log-level error
 	go test ./... -race
 
 .PHONY: clean

pkg/sca/sca.go

@@ -17,6 +17,7 @@ package sca
 import (
 	"bytes"
 	"context"
+	"debug/buildinfo"
 	"debug/elf"
 	"fmt"
 	"io"
@@ -354,6 +355,27 @@ func generateSharedObjectNameDeps(ctx context.Context, hdl SCAHandle, generated
 			}
 		}
 
+		// check if it is a go binary
+		buildinfo, err := buildinfo.Read(seekableFile)
+		if err != nil {
+			return nil
+		}
+		var cgo, boringcrypto bool
+		for _, setting := range buildinfo.Settings {
+			if setting.Key == "CGO_ENABLED" && setting.Value == "1" {
+				cgo = true
+			}
+			if setting.Key == "GOEXPERIMENT" && setting.Value == "boringcrypto" {
+				boringcrypto = true
+			}
+		}
+		// strong indication of go-fips openssl compiled binary, will dlopen the below at runtime
+		if !hdl.Options().NoDepends && cgo && boringcrypto {
+			generated.Runtime = append(generated.Runtime, "openssl-config-fipshardened")
+			generated.Runtime = append(generated.Runtime, "so:libcrypto.so.3")
+			generated.Runtime = append(generated.Runtime, "so:libssl.so.3")
+		}
+
 		return nil
 	}); err != nil {
 		return err

pkg/sca/sca_test.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 	"time"
 
@@ -147,6 +148,51 @@ func TestExecableSharedObjects(t *testing.T) {
 	}
 }
 
+// test a fips like go binary package for SCA depends
+// Chainguard go-fips toolchain generates binaries like these
+// which at runtime require openssl and fips provider
+func TestGoFipsBinDeps(t *testing.T) {
+	ctx := slogtest.TestContextWithLogger(t)
+
+	var ldso, archdir string
+	switch runtime.GOARCH {
+	case "arm64":
+		ldso = "so:ld-linux-aarch64.so.1"
+		archdir = "aarch64"
+	case "amd64":
+		ldso = "so:ld-linux-x86-64.so.2"
+		archdir = "x86_64"
+	}
+
+	th := handleFromApk(ctx, t, fmt.Sprintf("go-fips-bin/packages/%s/go-fips-bin-v0.0.1-r0.apk", archdir), "go-fips-bin/go-fips-bin.yaml")
+	defer th.exp.Close()
+
+	got := config.Dependencies{}
+	if err := Analyze(ctx, th, &got); err != nil {
+		t.Fatal(err)
+	}
+
+	want := config.Dependencies{
+		Runtime: []string{
+			"openssl-config-fipshardened",
+			ldso,
+			"so:libc.so.6",
+			"so:libcrypto.so.3",
+			"so:libssl.so.3",
+		},
+		Provides: []string{
+			"cmd:go-fips-bin=v0.0.1-r0",
+		},
+	}
+
+	got.Runtime = util.Dedup(got.Runtime)
+	got.Provides = util.Dedup(got.Provides)
+
+	if diff := cmp.Diff(want, got); diff != "" {
+		t.Errorf("Analyze(): (-want, +got):\n%s", diff)
+	}
+}
+
 func TestVendoredPkgConfig(t *testing.T) {
 	ctx := slogtest.TestContextWithLogger(t)
 	// Generated by:

pkg/sca/testdata/go-fips-bin/go-fips-bin.yaml

@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: 2022 Chainguard, Inc
+# SPDX-License-Identifier: Apache-2.0
+#
+# This is a sample configuration file to demonstrate how to build a software
+# project using melange's built-in go/install pipeline.
+#
+# For more information about melange's built-in golang support check out:
+#
+#
+# For an equivalent pipeline that uses go/install to build the same project
+# please see go-install.yaml in this directory.
+package:
+  name: go-fips-bin
+  version: v0.0.1
+  epoch: 0
+  description: "A tiny fips-like go binary"
+
+environment:
+  contents:
+    keyring:
+      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
+    repositories:
+      - https://packages.wolfi.dev/os
+
+pipeline:
+  - uses: go/install
+    with:
+      package: .
+      # This is an approximation to the real go-fips toolchain
+      experiments: boringcrypto

pkg/sca/testdata/go-fips-bin/go.mod

@@ -0,0 +1,3 @@
+module go-fips-bin
+
+go 1.22.1

pkg/sca/testdata/go-fips-bin/main.go

@@ -0,0 +1,5 @@
+package main
+
+import _ "crypto/sha256"
+
+func main() {}