976 - Introduce Security Scans for Go Packages

[BradleyBoutcher]

What does this PR do (include background context, if relevant)?

A new bash script which runs gosec on our packages

We only flag issues of high severity with 'medium' or 'high' confidence by Gosec
Gosec only scans directories modified by checking the Git diff first. If the branch is master, it scans the entire project. This way we save time in our pipeline while developing.
Finally, the reports are exported as xml and parsed using Junit.

What ticket does this PR close?

Connected to #976 and #988

Where should the reviewer start?

bin/build_security_scan

What is the status of the manual tests?

NA

Links to open issues for related automated integration and unit tests

NA

Links to open issues for related documentation (in READMEs, docs, etc)

NA

[hughsaunders]

This looks great, thanks :D

Looking at the pipeline in blueocean, it struck me that the scanners (secretless image, go packages) could be parallelised as neither depends on the result of the other. That also groups them into a higher level security stage.

I noticed in the log that the xml doc is empty (apart from the xml declaration), is that the expected behaviour when there are no issues? Have you introduced a deliberate security issue to check it shows up in the Jenkins Test Results view?

[BradleyBoutcher]

@hughsaunders Thanks for the review! Addressing your comments in order:

• It absolutely can be parallelized, I'll make a few changes and re-submit it.
• So far I've tested locally and made sure that issues are detected and output correctly, but currently there are none in our repository that meet the criteria for an issue. When there's no issues, the log should be empty.
• On a related note, I realized there is an issue. Since we're scanning the git diff, we won't see which files are changed in that commit since technically nothing has been changed locally. I'll have to make a change there for sure.

[izgeri]

Looking forward to getting this integrated :) left a few comments - I think this could be simplified a bit by combining the scripts and the naming could be clearer

It would also be nice to clean up the pipeline stages for the tests in the Jenkinsfile - they're a little inconsistently labeled right now and it looks odd in blue ocean. But that's optional.

[izgeri]

Can the filename be changed to run_gosec or similar? It would be clearer what it's actually doing

[BradleyBoutcher]

Looking at the other bin/ files, it looks like we use the 'check_' format for file names. So for golint, it's check_style. How about for this we use 'check_security'?

[izgeri]

is it your intention that the file becomes a general script to run security checks, so that when we have another we'd like to run we also do it from this file?

I'm still not sure I like check_security - security means a lot of different things to different people, so if we can find a way to be more clear I think that'd be good

[izgeri]

Can this be integrated into the other file? I'm not sure I see the need for two separate files in bin to run this. If I'm missing something, please lmk

[BradleyBoutcher]

Since we wanted to run it within a docker container, I thought it would be easiest to have two separate files. I'm not very familiar with bash, but I assume that's the easiest way to run a large script like this inside a docker run command? Also, I thought it would be useful to have the script be able to run without using a docker container.

[izgeri]

ok, so there are two scripts because one is meant to be run in a docker container (which docker container?) and the other one actually runs the the container?

I feel like there might be some patterns for how to name and organize these that would make their intended use more clear, but I'm not close enough to the code lately to remember exactly what to point you to. @sgnn7 @jonahx do you have any examples of how we've done something like this in other cases? in particular, I'm concerned that if I look at the bin/ dir, it's not going to be obvious which script I should run to do a gosec scan if we have two with similar names. I don't think this is the first time we've had to think about something like this.

[BradleyBoutcher]

Currently I have them named as such:

• check_security: performs the gosec scan with whatever parameters you need
• run_check_security: creates a docker container with secretless mounted as a volume, and runs check_security on the volume
  run_gosec_container may be clearer for the second one, and maybe something like run_gosec for the first?

[sgnn7]

@BradleyBoutcher just some minor nits

[diverdane]

Looks good. Just a couple of minor suggestions.

Comments addressed

[izgeri]

@BradleyBoutcher what do you think about check_golang_security for the one that runs in the pipeline and run_gosec for the local runner? those still sound similar enough, though - each script should have comments at the top of the file or usage instructions that are clear about the purpose of each file

[izgeri]

as a follow-on to this PR, does it make sense to include this as a bash-lib script? cc @hughsaunders

[diverdane]

LGTM