Add Nancy, CodeQL, and Dependabot

smartcontractkit · Nov 9, 2021 · d6ca007 · d6ca007
1 parent ab5bd6d
commit d6ca007
Show file tree

Hide file tree

Showing 6 changed files with 160 additions and 105 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: '/'
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -1,4 +1,4 @@
-name: Linting
+name: Linting and Static Analysis
 on:
   push:
     tags:
@@ -7,11 +7,47 @@ on:
       - master
       - main
   pull_request:
+  schedule:
+    - cron: '23 19 * * 4'
 jobs:
   golangci:
-    name: lint
+    name: Linting
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - name: Check out Code
+        uses: actions/checkout@v2
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v2
+
+  vulnerabilities-check:  
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out Code
+      uses: actions/checkout@v2
+    - name: Set up Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.17
+    - name: Write Go List
+      run: go list -json -deps ./... > go.list
+    - name: Nancy
+      uses: sonatype-nexus-community/nancy-github-action@main
+
+  codeQL:
+    name: CodeQL Checks
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: go
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
+
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -56,11 +56,12 @@ jobs:
       - name: Install Ginkgo CLI
         run: |
           go get github.com/onsi/ginkgo/ginkgo@v1.16.5
+          go get github.com/onsi/ginkgo/ginkgo/outline@v1.16.5
           go install github.com/onsi/ginkgo/ginkgo
       - name: Run Tests
         run: |
           export PATH=$PATH:$(go env GOPATH)/bin
-          ginkgo -r --randomizeAllSpecs --randomizeSuites -keepGoing -covermode=count -coverprofile=unit-test-coverage.out -nodes=10 ./client ./config ./environment 
+          make test_unit
       - name: Code Coverage
         uses: codecov/codecov-action@v2
         with:
@@ -73,6 +74,7 @@ jobs:
           name: Unit Test Report
           report_paths: '**/logs/tests-*.xml'
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          check_name: Unit Test Results
       - name: Publish Artifacts
         if: failure()
         uses: actions/upload-artifact@v1
@@ -121,6 +123,7 @@ jobs:
       - name: Install Ginkgo CLI
         run: |
           go get github.com/onsi/ginkgo/ginkgo@v1.16.5
+          go get github.com/onsi/ginkgo/ginkgo/outline@v1.16.5
           go install github.com/onsi/ginkgo/ginkgo
       - name: Run Tests
         run: |
@@ -133,6 +136,7 @@ jobs:
           name: Smoke Test Report
           report_paths: '**/logs/tests-*.xml'
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          check_name: Smoke Test Results
       - name: Publish Artifacts
         if: failure()
         uses: actions/upload-artifact@v1
@@ -184,82 +188,86 @@ jobs:
       - name: Install Ginkgo CLI
         run: |
           go get github.com/onsi/ginkgo/ginkgo@v1.16.5
+          go get github.com/onsi/ginkgo/ginkgo/outline@v1.16.5
           go install github.com/onsi/ginkgo/ginkgo
       - name: Run Tests
         run: |
           export PATH=$PATH:$(go env GOPATH)/bin
-          make test_performance args="-nodes=15"
+          make test_performance args="-nodes=5"
       - name: Publish Test Results
         uses: mikepenz/action-junit-report@v2
         if: always()
         with:
-          name: Performance Test Report
           report_paths: '**/logs/tests-*.xml'
           github_token: ${{ secrets.GITHUB_TOKEN }}
+          check_name: Performance Test Results
       - name: Publish Artifacts
         if: failure()
         uses: actions/upload-artifact@v1
         with:
           name: test-logs
           path: ./logs
 
-  # Chaos tests not stable enough for CI yet
-  # chaos:
-  #   # Only run performance tests on significant PRs / merges to main
-  #   if: startsWith(github.ref, 'v') || contains(github.ref, 'main') || contains(github.ref, 'develop')
-  #   needs: unit
-  #   runs-on: ubuntu-latest
-  #   env:
-  #     CGO_ENABLED: 1
-  #     NETWORK: ethereum_geth_performance
-  #   steps:
-  #     - name: Checkout the repo
-  #       uses: actions/checkout@v2
-  #     - name: Setup Go
-  #       uses: actions/setup-go@v1
-  #       with:
-  #         go-version: 1.17
-  #     - name: Configure AWS Credentials
-  #       uses: aws-actions/configure-aws-credentials@v1
-  #       with:
-  #         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  #         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  #         aws-region: ${{ secrets.AWS_REGION }}
-  #         role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
-  #         role-duration-seconds: 3600
-  #     - name: Set Kubernetes Context
-  #       uses: azure/k8s-set-context@v1
-  #       with:
-  #         method: kubeconfig
-  #         kubeconfig: ${{ secrets.KUBECONFIG }}
-  #     - name: Cache Vendor Packages
-  #       uses: actions/cache@v2
-  #       id: cache-packages
-  #       with:
-  #         path: |
-  #           ~/.cache/go-build
-  #           ~/go/pkg/mod
-  #         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-  #         restore-keys: |
-  #           ${{ runner.os }}-go-
-  #     - name: Download Go Vendor Packages
-  #       if: steps.cache-packages.outputs.cache-hit != 'true'
-  #       run: go mod download
-  #     - name: Install Ginkgo CLI
-  #       run: go install github.com/onsi/ginkgo/ginkgo
-  #     - name: Run Tests
-  #       run: |
-  #         export PATH=$PATH:$(go env GOPATH)/bin
-  #         make test_chaos args="-nodes=15"
-  #     - name: Publish Test Results
-  #       uses: mikepenz/action-junit-report@v2
-  #       if: always()
-  #       with:
-  #         report_paths: '**/logs/tests-*.xml'
-  #         github_token: ${{ secrets.GITHUB_TOKEN }}
-  #     - name: Publish Artifacts
-  #       if: failure()
-  #       uses: actions/upload-artifact@v1
-  #       with:
-  #         name: test-logs
-  #         path: ./logs
+  chaos:
+    # Only run chaos tests on significant PRs / merges to main
+    if: startsWith(github.ref, 'v') || contains(github.ref, 'main') || contains(github.ref, 'develop')
+    needs: unit
+    runs-on: ubuntu-latest
+    env:
+      CGO_ENABLED: 1
+      NETWORK: ethereum_geth_performance
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v2
+      - name: Setup Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.17
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          role-duration-seconds: 3600
+      - name: Set Kubernetes Context
+        uses: azure/k8s-set-context@v1
+        with:
+          method: kubeconfig
+          kubeconfig: ${{ secrets.KUBECONFIG }}
+      - name: Cache Vendor Packages
+        uses: actions/cache@v2
+        id: cache-packages
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Download Go Vendor Packages
+        if: steps.cache-packages.outputs.cache-hit != 'true'
+        run: go mod download
+      - name: Install Ginkgo CLI
+        run: |
+          go get github.com/onsi/ginkgo/ginkgo@v1.16.5
+          go get github.com/onsi/ginkgo/ginkgo/outline@v1.16.5
+          go install github.com/onsi/ginkgo/ginkgo
+      - name: Run Tests
+        run: |
+          export PATH=$PATH:$(go env GOPATH)/bin
+          make test_chaos args="-nodes=15"
+      - name: Publish Test Results
+        uses: mikepenz/action-junit-report@v2
+        if: always()
+        with:
+          name: Chaos Test Report
+          report_paths: '**/logs/tests-*.xml'
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish Artifacts
+        if: failure()
+        uses: actions/upload-artifact@v1
+        with:
+          name: test-logs
+          path: ./logs
diff --git a/Makefile b/Makefile
@@ -13,6 +13,9 @@ go_mod:
 
 install: go_mod golangci
 
+test_unit:
+	ginkgo -r -keepGoing --trace --randomizeAllSpecs --randomizeSuites --progress -covermode=count -coverprofile=unit-test-coverage.out -nodes=10 ./client ./config ./environment 
+
 test_smoke:
 	ginkgo -r -keepGoing --trace --randomizeAllSpecs --randomizeSuites --progress $(args) ./suite/smoke 
 

diff --git a/go.mod b/go.mod
@@ -4,14 +4,14 @@ go 1.17
 
 require (
 	github.com/avast/retry-go v3.0.0+incompatible
-	github.com/aws/aws-sdk-go v1.41.17
-	github.com/ethereum/go-ethereum v1.10.11
+	github.com/aws/aws-sdk-go v1.41.19
+	github.com/ethereum/go-ethereum v1.10.12
 	github.com/ghodss/yaml v1.0.0
 	github.com/google/go-github v17.0.0+incompatible
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/montanaflynn/stats v0.6.6
 	github.com/onsi/ginkgo v1.16.5
-	github.com/onsi/gomega v1.16.0
+	github.com/onsi/gomega v1.17.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
 	github.com/prometheus/common v0.32.1
@@ -26,12 +26,6 @@ require (
 	k8s.io/client-go v0.22.3
 )
 
-require (
-	github.com/gorilla/websocket v1.4.2 // indirect
-	github.com/spf13/cobra v1.2.1 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
-)
-
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/BurntSushi/toml v0.4.1 // indirect
@@ -84,6 +78,7 @@ require (
 	// https://github.com/google/gnostic/issues/262
 	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gorilla/websocket v1.4.2 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -134,6 +129,7 @@ require (
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spf13/afero v1.6.0 // indirect
 	github.com/spf13/cast v1.4.1 // indirect
+	github.com/spf13/cobra v1.2.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/testify v1.7.0 // indirect
@@ -146,15 +142,16 @@ require (
 	github.com/xlab/treeprint v1.1.0 // indirect
 	go.starlark.net v0.0.0-20211013185944-b0039bd2cfe3 // indirect
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
-	golang.org/x/net v0.0.0-20211101193420-4a448f8816b3 // indirect
-	golang.org/x/oauth2 v0.0.0-20211028175245-ba495a64dcb5 // indirect
-	golang.org/x/sys v0.0.0-20211102192858-4dd72447c267 // indirect
+	golang.org/x/net v0.0.0-20211105192438-b53810dc28af // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/sys v0.0.0-20211107104306-e0b2ad06fe42 // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211102202547-e9cf271f7f2c // indirect
+	google.golang.org/genproto v0.0.0-20211104193956-4c6863e31247 // indirect
 	google.golang.org/grpc v1.42.0 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/gorp.v1 v1.7.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.63.2 // indirect
@@ -167,12 +164,19 @@ require (
 	k8s.io/cli-runtime v0.22.3 // indirect
 	k8s.io/component-base v0.22.3 // indirect
 	k8s.io/klog/v2 v2.30.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20211029090450-ec1f4c89925a // indirect
+	k8s.io/kube-openapi v0.0.0-20211105084753-ee342a809c29 // indirect
 	k8s.io/kubectl v0.22.3 // indirect
 	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
+	// HELM Requires this old oras version, ticket to update https://github.com/helm/helm/issues/10263
 	oras.land/oras-go v0.4.0 // indirect
 	sigs.k8s.io/kustomize/api v0.10.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.12.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.0 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
+
+// To fix CVE: c16fb56d-9de6-4065-9fca-d2b4cfb13020
+// See https://github.com/dgrijalva/jwt-go/issues/463
+// If that happens to get released in a 3.X.X version, we can add a constraint to our go.mod
+// for it. If its in 4.X.X, then we need all our transitive deps to upgrade to it.
+replace github.com/dgrijalva/jwt-go => github.com/form3tech-oss/jwt-go v3.2.1+incompatible