bug: fix rust injector

Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com>
defenseunicorns · May 15, 2024 · c0b58b2 · c0b58b2
1 parent 057df41
commit c0b58b2
Show file tree

Hide file tree

Showing 154 changed files with 3,972 additions and 2,888 deletions.
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -23,8 +23,8 @@ We use [pre-commit](https://pre-commit.com/) to manage our pre-commit hooks. Thi
 # install hooks
 pre-commit install
 
-# install goimports
-go install golang.org/x/tools/cmd/goimports@latest
+# install golang-ci-lint
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 ```
 
 Now every time you commit, the hooks will run and format your code, linting can be called via `make lint-go`.

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,21 @@
+# Reporting Security Issues
+
+To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+### When Should I Report a Vulnerability?
+
+* You found a vulnerability in the Zarf code.
+* You found a vulnerability in one of the Zarf dependencies that affects the project that has not been patched yet.
+
+### When Should I NOT Report a Vulnerability?
+
+* You found a bug or malfunction in the Zarf code (not security related).
+* You want to add a feature to Zarf.
+
+## Supported Versions
+
+As Zarf has not yet reached v1.0.0, only the current latest minor release is supported.
+
+## Contacting Us
+
+To discuss security related issues, please email the maintainers at zarf-dev-private@googlegroups.com.
diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml
@@ -8,7 +8,11 @@ runs:
 
     - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
 
-    - run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin --tag v0.64.2"
+    - name: install grype
+      env:
+        # renovate: datasource=github-tags depName=anchore/grype versioning=semver
+        VERSION: v0.74.6
+      run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin $VERSION"
       shell: bash
 
     - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
diff --git a/.github/actions/k3d/action.yaml b/.github/actions/k3d/action.yaml
@@ -7,5 +7,5 @@ runs:
     - run: "curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash"
       shell: bash
 
-    - run: k3d cluster delete && k3d cluster create --k3s-arg="--disable=traefik@server:0" --image="rancher/k3s:v1.28.4-k3s2"
-      shell: bash
+    - run: k3d cluster delete && k3d cluster create --k3s-arg="--disable=traefik@server:0"
+      shell: bash
diff --git a/.github/codeql.yaml b/.github/codeql.yaml
@@ -2,7 +2,7 @@ paths-ignore:
   - src/pkg/packager/network.go
   - src/pkg/utils/network.go
   - src/pkg/utils/credentials.go
-  - docs-website/**
+  - site/**
   - build/**
 
 query-filters:

diff --git a/.github/workflows/build-rust-injector.yml b/.github/workflows/build-rust-injector.yml
@@ -27,8 +27,9 @@ jobs:
 
       - name: "Build Rust Binary for x86_64 and arm64"
         run: |
+          cd src/injector
           make build-injector-linux
-          cd src/injector/target
+          cd target
           mkdir -p ../dist
           cp x86_64-unknown-linux-musl/release/zarf-injector ../dist/zarf-injector-amd64
           cp aarch64-unknown-linux-musl/release/zarf-injector ../dist/zarf-injector-arm64

diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
@@ -0,0 +1,33 @@
+name: Compare CVEs to main
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "cargo.toml"
+      - "cargo.lock"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ github.head_ref || github.ref_name }}
+
+      - name: fetch main
+        run: git fetch origin main --depth 1
+
+      - name: Setup golang
+        uses: ./.github/actions/golang
+
+      - name: Install tools
+        uses: ./.github/actions/install-tools
+
+      - name: Check for CVEs in Dependencies
+        run: "hack/check-vulnerabilities.sh"
diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
@@ -44,8 +44,6 @@ jobs:
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
-        env:
-          CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yaml

diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
@@ -6,12 +6,6 @@ permissions:
 on:
   schedule:
     - cron: "0 10 * * *"
-  pull_request:
-    paths:
-      - "go.mod"
-      - "go.sum"
-      - "cargo.toml"
-      - "cargo.lock"
 
 jobs:
   validate:

diff --git a/.github/workflows/scan-lint.yml b/.github/workflows/scan-lint.yml
@@ -10,12 +10,5 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Run Revive Action by pulling pre-built image
-        uses: docker://morphy/revive-action:v2.5.7@sha256:087d4e61077087755711ab7e9fae3cc899b7bb07ff8f6a30c3dfb240b1620ae8
-        with:
-          config: revive.toml
-          # Exclude patterns, separated by semicolons (optional)
-          exclude: "src/cmd/viper.go"
-          # Path pattern (default: ./...)
-          path: "./src/..."
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -0,0 +1,62 @@
+run:
+  timeout: 5m
+linters:
+  disable-all: true
+  enable:
+    - gosimple
+    - govet
+    - staticcheck
+    - unused
+    - revive
+    - goheader
+    - goimports
+    - nolintlint
+linters-settings:
+  govet:
+    enable-all: true
+    disable:
+      - shadow
+      - fieldalignment
+      - unusedwrite
+  nolintlint:
+    require-specific: true
+  goheader:
+    template: |-
+      SPDX-License-Identifier: Apache-2.0
+      SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+  revive:
+    rules:
+      - name: blank-imports
+      - name: context-as-argument
+      - name: context-keys-type
+      - name: dot-imports
+      - name: error-return
+      - name: error-strings
+      - name: error-naming
+      - name: exported
+      - name: if-return
+      - name: increment-decrement
+      - name: var-naming
+      - name: var-declaration
+      - name: package-comments
+      - name: range
+      - name: receiver-naming
+      - name: time-naming
+      - name: unexported-return
+      - name: indent-error-flow
+      - name: errorf
+      - name: empty-block
+      - name: superfluous-else
+      - name: unused-parameter
+      - name: unreachable-code
+      - name: redefines-builtin-id
+issues:
+  # Revive rules that are disabled by default.
+  include:
+    - EXC0012
+    - EXC0013
+    - EXC0014
+    - EXC0015
+  # Exclude linting code copied from Helm.
+  exclude-dirs:
+    - "src/cmd/tools/helm"
diff --git a/.grype.yaml b/.grype.yaml
@@ -1,20 +1,6 @@
-# Ignore file for false positives from protobuf, see the following for more information:
-#   https://github.com/anchore/grype/issues/558
 ignore:
-  # This vulnerability does not affect Zarf as we do not instantiate a rekor client
-  - vulnerability: GHSA-2h5h-59f5-c5x9
-
-  # This vulnerability does not affect Zarf as we do not instantiate a rekor client
-  - vulnerability: GHSA-frqx-jfcm-6jjr
-
   # From rouille - The Zarf injector does not expose endpoints that use multipart form data
   - vulnerability: GHSA-mc8h-8q98-g5hr
 
-  # From semver - This comes through nodemon which is only used for development
-  - vulnerability: GHSA-c2qf-rxjj-qqgw
-
-  # From k8s.io/apiserver - This is a false positive due to the difference in versioning between the library / binary k8s versioning
-  - vulnerability: GHSA-82hx-w2r5-c2wq
-
   # From helm - This behavior was introduced intentionally, and cannot be removed without breaking backwards compatibility (some users may be relying on these values).
   - vulnerability: GHSA-jw44-4f3j-q396
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -9,10 +9,13 @@ repos:
         args:
           - "--allow-missing-credentials"
       - id: detect-private-key
+        exclude: "src/test/e2e/30_config_file_test.go"
       - id: end-of-file-fixer
+        exclude: site/src/content/docs/commands/.*
       - id: fix-byte-order-marker
       - id: trailing-whitespace
         args: [--markdown-linebreak-ext=md]
+        exclude: site/src/content/docs/commands/.*
   - repo: https://github.com/sirosen/texthooks
     rev: 0.6.4
     hooks:
@@ -27,13 +30,16 @@ repos:
         language: script
       - id: goimports
         name: goimports
-        entry: goimports
-        files: .go$
-        args:
-          - -l
-          - -w
-        language: system
+        entry: golangci-lint run --enable-only goimports --fix
+        types: [go]
+        language: golang
         pass_filenames: true
+      - id: lint
+        name: golangci-lint go lint
+        entry: golangci-lint run
+        types: [go]
+        language: golang
+        pass_filenames: false
   - repo: https://github.com/python-jsonschema/check-jsonschema
     rev: 0.14.0
     hooks:

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,35 +1,5 @@
-* @defenseunicorns/zarf
+* @defenseunicorns/zarf @dgershman
 
-# Docs & examples
-/adr/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/docs/ @jeff-mccoy  @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/examples/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-*.md @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-
-# Core code
-/src/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/go.* @jeff-mccoy  @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-main.go @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-
-# Init package
-/packages/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/zarf.yaml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-
-# Docs Website
-/docs-website/ @Racer159 @Noxsios @jeff-mccoy @lucasrod16 @AustinAbro321
-
-# Privileged pipeline files
-/.github/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/hack/ @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/.gitignore @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/.golangci.yml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/.goreleaser.yml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/.grype.yaml @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/Dockerfile @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/renovate.json @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-/Makefile @jeff-mccoy @Racer159 @Noxsios @lucasrod16 @AustinAbro321
-
-# Additional privileged files
 /CODEOWNERS @jeff-mccoy @austenbryan
 /cosign.pub @jeff-mccoy @austenbryan
 /LICENSE @jeff-mccoy @austenbryan