

resolve CVE-2020-26160 in github.com/dgrijalva/jwt-go via ignore (#227)
* resolve CVE-2020-26160 in github.com/dgrijalva/jwt-go by ignoring - nancy does not use jwt features

* Fix for the other docker tests

Co-authored-by: Nathan Zender <github@nathanzender.com>
bhamail and zendern committed Apr 21, 2021
1 parent c3eb545 commit 7d4742c
Showing 2 changed files with 13 additions and 3 deletions.
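--- a/.nancy-ignore
+++ b/.nancy-ignore
@@ -0,0 +1 @@
+CVE-2020-26160 # No upgrade path for github.com/dgrijalva/jwt-go, and nancy does not use jwt features. See: https://ossindex.sonatype.org/vulnerability/c16fb56d-9de6-4065-9fca-d2b4cfb13020?component-type=golang&component-name=github.com%2Fdgrijalva%2Fjwt-go&utm_source=nancy-client&utm_medium=integration&utm_content=0.0.0-dev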
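Review bot: The new ignore entry is open-ended, so nothing will prompt a re-check once an upgrade path for github.com/dgrijalva/jwt-go appears and the suppression quietly outlives its rationale. nancy's ignore file accepts an expiry on the same line, `CVE-2020-26160 until=YYYY-MM-DD # ...`, after which the finding is reported again and the decision has to be made deliberately. It would also help the next reader if the comment named which dependency pulls jwt-go in (direct or transitive), since that is what makes the "nancy does not use jwt features" claim verifiable.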
15 changes: 12 additions & 3 deletions Makefile
Expand Up @@ -9,6 +9,7 @@ BUILD_VERSION_LOCATION=github.com/sonatype-nexus-community/nancy/buildversion
GOLANGCI_VERSION=v1.24.0
GOLANGCI_LINT_DOCKER=golangci/golangci-lint:$(GOLANGCI_VERSION)
LINT_CMD=golangci-lint cache status --color always && golangci-lint run --timeout 5m --color always -v --max-same-issues 10
NANCY_IGNORE=$(shell cat .nancy-ignore | cut -d\# -f 1)

ifeq ($(findstring localbuild,$(CIRCLE_SHELL_ENV)),localbuild)
DOCKER_CMD=sudo docker
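Review bot: `NANCY_IGNORE=$(shell cat .nancy-ignore | cut -d\# -f 1)` uses recursive `=` with `$(shell)`, so the pipeline is re-executed on every expansion, and because `$(shell)` joins output lines with single spaces, a second entry in .nancy-ignore would reach `sleuth -e $(NANCY_IGNORE)` in the goreleaser hunk as an extra positional argument rather than as part of the comma-separated value `-e` expects; an empty file leaves `-e` with no value at all. `NANCY_IGNORE := $(shell cut -d'#' -f1 .nancy-ignore)` fixes the re-execution and drops the needless `cat`, and the use site should be guarded, e.g. `$(if $(strip $(NANCY_IGNORE)),-e $(NANCY_IGNORE))`, with a comment that the file is expected to hold one id per line and multiple ids need joining with commas before being passed. Note also that an `until=` suffix in the ignore file would survive the `#` strip and be passed to `-e` verbatim, which the recipe at the goreleaser hunk does not account for.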
Expand Down Expand Up @@ -62,9 +63,14 @@ build-linux:
docker-alpine-integration-test: build-linux
mkdir -p dist
$(DOCKER_CMD) build . -f Dockerfile.alpine -t sonatypecommunity/nancy:alpine-integration-test
# create file, volume mount to simulate, ci run of the container and things just happening inside the container instead of passing output to the container directly
# create deps output since this container does not have golang,
# It's simulating the following flow
# 1. ci runs using a container that has golang, it then exports the go list -json m all contents
# 2. passes it to the next step that is using this container that only has nancy in it
# 3. runs nancy using the contents of the exported file with the deps in it. Also assumes that
# in ci its likely you have the codebase (thus .nancy-ignore) in the same location you run nancy sleuth
go list -json -m all > dist/deps.out
echo "cat /tmp/dist/deps.out | nancy sleuth" > dist/ci.sh
echo "cd /tmp && cat /tmp/dist/deps.out | nancy sleuth" > dist/ci.sh
chmod +x dist/ci.sh
# run the container....using cat with no params keeps it running
$(DOCKER_CMD) run --name alpine-integration-test -td sonatypecommunity/nancy:alpine-integration-test cat
Expand All @@ -77,6 +83,9 @@ docker-alpine-integration-test: build-linux

docker-goreleaser-integration-test: build-linux
$(DOCKER_CMD) build . -f Dockerfile.goreleaser -t sonatypecommunity/nancy:goreleaser-integration-test
go list -json -m all | $(DOCKER_CMD) run --rm -i sonatypecommunity/nancy:goreleaser-integration-test sleuth
# NANCY_IGNORE is more tomfoolery b/c circleci cant do volume mounts. Use the non-file ignore version but with the contents of
# the .nancy-ignore. If you were to do this for real you would likely volume mount to your local and it
# would just use whatever file you actually had.
go list -json -m all | $(DOCKER_CMD) run --rm -i sonatypecommunity/nancy:goreleaser-integration-test sleuth -e $(NANCY_IGNORE)

docker-integration-tests: docker-alpine-integration-test docker-goreleaser-integration-test
