Update Trivy & add docs

.github/workflows/docs.yml

@@ -3,7 +3,7 @@ name: Deploy documentation to github pages
 
 # Define when to run action
 on:
-  # run action on push to devel bhranch
+  # run action on push to devel branch
   push:
     branches: [ devel ]
 
@@ -38,6 +38,7 @@ jobs:
         with:
           node-version: '22' 
           cache: 'npm'
+          cache-dependency-path: website/package-lock.json
 
       - name: Install deps
         run: npm i
@@ -51,8 +52,8 @@ jobs:
       - name: Upload docs
         uses: actions/upload-pages-artifact@v3
         with:
-          path: 'build'
+          path: 'website/build'
 
       - name: Run gh action to deploy to github pages
         id: deployment
-        uses: actions/deploy-pages@v5
+        uses: actions/deploy-pages@v4

.github/workflows/trivy-master.yml

@@ -0,0 +1,35 @@
+on:
+  push:
+    branches:
+      - master
+jobs:
+  supply-chain:
+      runs-on: ubuntu-latest
+      steps:
+        - name: checkout code
+          uses: actions/checkout@v4
+        - name: Scan and Generate SBOM
+          uses: aquasecurity/trivy-action@0.32.0
+          with:
+            format: "cyclonedx"
+            exit-code: "1"
+            hide-progress: true
+            output: "dependencies.cdx.json"
+            ignore-unfixed: true
+            scan-type: "fs"
+            scan-ref: "."
+            severity: "CRITICAL,HIGH"
+            github-pat: ${{ secrets.GITHUB_TOKEN }}
+            skip-dirs: website
+          env:
+            TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        - name: Deliver BOM to Dependency Tracker
+          run: |
+            curl -v -X POST \
+            -H "X-Api-Key: ${{ secrets.DEPTRACK_API_KEY }}" \
+            -H 'Accept: application/json' \
+            -H 'Content-Type: multipart/form-data' \
+            -F "project=${{ secrets.DEPTRACK_PROJECT_ID }}" \
+            -F "bom=@dependencies.cdx.json" \
+            -F "isLatest=true" \
+            https://sms.eoscnode.org/api/v1/bom

.github/workflows/trivy.yml

@@ -0,0 +1,56 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy
+
+on:
+  push:
+    branches: [ "devel" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "devel" ]
+ # schedule:
+ #   - cron: '44 1 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Scan repository with Trivy
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          scan-type: fs
+          ignore-unfixed: true
+          format: 'sarif'  
+          limit-severities-for-sarif: true #By default SARIF format enforces output of all vulnerabilities. To override this behavior set this parameter to true
+          severity: 'HIGH,CRITICAL'
+          output: trivy-results.sarif
+          skip-dirs: website 
+        continue-on-error: true  # still upload SARIF even if vulnerabilities exist
+
+      - name: Debug SARIF
+        run: |
+            head -n 20 trivy-results.sarif
+            jq .version trivy-results.sarif   
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+
+

Jenkinsfile

@@ -1,7 +1,7 @@
 pipeline {
     agent {
         docker {
-            image 'argo.registry:5000/epel-7-go1.21'
+            image 'argo.registry:5000/rocky9-go1.25:latest'
             args '-u jenkins:jenkins'
         }
     }
@@ -13,6 +13,8 @@ pipeline {
         PROJECT_DIR="argo-messaging"
         GH_USER = 'newgrnetci'
         GH_EMAIL = '<argo@grnet.gr>'
+        GOCACHE = '/tmp/go-cache'
+        GOMODCACHE = '/tmp/go-mod-cache'
         GOPATH="${WORKSPACE}/go"
         GIT_COMMIT=sh(script: "cd ${WORKSPACE}/$PROJECT_DIR && git log -1 --format=\"%H\"",returnStdout: true).trim()
         GIT_COMMIT_HASH=sh(script: "cd ${WORKSPACE}/$PROJECT_DIR && git log -1 --format=\"%H\" | cut -c1-7",returnStdout: true).trim()
@@ -23,6 +25,7 @@ pipeline {
             steps {
                 echo 'Build...'
                 sh """
+                go version
                 mkdir -p ${WORKSPACE}/go/src/github.com/ARGOeu
                 ln -sf ${WORKSPACE}/${PROJECT_DIR} ${WORKSPACE}/go/src/github.com/ARGOeu/${PROJECT_DIR}
                 rm -rf ${WORKSPACE}/go/src/github.com/ARGOeu/${PROJECT_DIR}/${PROJECT_DIR}
@@ -36,7 +39,18 @@ pipeline {
             steps {
                 sh """
                 cd ${WORKSPACE}/go/src/github.com/ARGOeu/${PROJECT_DIR}
-                /home/jenkins/checksec.py -b ./argo-messaging
+
+                checksec --file=./argo-messaging --format=xml > ./checksec.xml
+
+                set +x
+                # define function that receives field/value and checks them in checksec.xml output
+                checksec_point(){ f=\$1; v=\$2; r=\$(xmllint --xpath "string(//file/@\$f)" checksec.xml); \
+                echo -n "\$f(expected:\$v)=\$r"; [[ "\$r" == "\$v" ]] && \
+                echo -e "\t✓ PASS" || { echo -e "\t𐄂 FAIL"; return 1; }; }
+
+                # for pairs of field/value items check if they exist in the checksec.xml output - break if not
+                for pair in "pie yes" "nx yes" "relro full" "rpath no" "runpath no" "symbols no" "fortify_source yes"; \
+                do set -- \$pair; checksec_point "\$1" "\$2"; done
                 """
             }
         }
@@ -45,8 +59,8 @@ pipeline {
                 echo 'Test & Coverage...'
                 sh """
                 cd ${WORKSPACE}/go/src/github.com/ARGOeu/${PROJECT_DIR}
-                gocov test -p 1 \$(go list ./... | grep -v /vendor/) | gocov-xml > ${WORKSPACE}/coverage.xml
-                go test -p 1 \$(go list ./... | grep -v /vendor/) -v=1 | go-junit-report > ${WORKSPACE}/junit.xml
+                gotestsum --junitfile ${WORKSPACE}/junit.xml -- -p 1 -v -coverprofile=coverage.out ./...
+                gocover-cobertura < coverage.out > ${WORKSPACE}/coverage.xml
                 """
                 junit '**/junit.xml'
                 cobertura coberturaReportFile: '**/coverage.xml'
@@ -58,7 +72,7 @@ pipeline {
                 echo 'Building Rpm...'
                 withCredentials(bindings: [sshUserPrivateKey(credentialsId: 'jenkins-rpm-repo', usernameVariable: 'REPOUSER', \
                                                              keyFileVariable: 'REPOKEY')]) {
-                    sh "/home/jenkins/build-rpm.sh -w ${WORKSPACE} -b ${BRANCH_NAME} -d centos7 -p ${PROJECT_DIR} -s ${REPOKEY}"
+                    sh "/home/jenkins/build-rpm.sh -w ${WORKSPACE} -b ${BRANCH_NAME} -d rocky9 -p ${PROJECT_DIR} -s ${REPOKEY}"
                 }
                 archiveArtifacts artifacts: '**/*.rpm', fingerprint: true
             }
@@ -68,33 +82,6 @@ pipeline {
                 }
             }
         }
-        stage ('Deploy Docs') {
-            when {
-                branch 'devel'
-            }
-            agent {
-                docker {
-                    image 'node:18-buster'
-                }
-            }
-            steps {
-                echo 'Publish argo-messaging docs...'
-                sh '''
-                    cd $WORKSPACE/$PROJECT_DIR
-                    cd website
-                    npm install
-                '''
-                sshagent (credentials: ['jenkins-master']) {
-                    sh '''
-                        cd $WORKSPACE/$PROJECT_DIR/website
-                        mkdir ~/.ssh && ssh-keyscan -H github.com > ~/.ssh/known_hosts
-                        git config --global user.email ${GH_EMAIL}
-                        git config --global user.name ${GH_USER}
-                        GIT_USER=${GH_USER} USE_SSH=true npm run deploy
-                    '''
-                }
-            }
-        } 
     }
     post{
         always {

Makefile

@@ -30,3 +30,6 @@ go-test:
 	go get github.com/AlekSi/gocov-xml && \
 	${GOPATH}/bin/gocov test ${GOFILES_NOVENDOR} | ${GOPATH}/bin/gocov-xml > ${APPDIR}/coverage.xml &&\
 	chown ${hostUID} ${APPDIR}/coverage.xml
+
+clean:
+	@echo "Clean target - nothing to clean"

README.md

@@ -20,10 +20,10 @@ specific topics and receive messages.
 
 #### Build Requirements
 
- - Golang 1.21
+ - Golang 1.25
 
 #### Datastore Requirements
-  - The service has been tested with mongodb from version `6.0.14`.
+  - The service has been tested with mongodb from version `7.0.23`.
 
 #### Broker requirements
 

auth/auth_test.go

@@ -3,7 +3,7 @@ package auth
 import (
 	"context"
 	"errors"
-	"io/ioutil"
+	"io"
 	"testing"
 	"time"
 
@@ -27,7 +27,7 @@ func (suite *AuthTestSuite) SetupTest() {
 		"store_host":"localhost",
 		"store_db":"argo_msg"
 	}`
-	log.SetOutput(ioutil.Discard)
+	log.SetOutput(io.Discard)
 }
 
 func (suite *AuthTestSuite) TestAuth() {

config/config.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"strconv"
 	"time"
 
@@ -14,7 +15,6 @@ import (
 	lSyslog "github.com/sirupsen/logrus/hooks/syslog"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
-	"io/ioutil"
 	"log/syslog"
 	"os"
 	"path/filepath"
@@ -219,7 +219,7 @@ func (cfg *APICfg) LoadCAs() (roots *x509.CertPool) {
 		}
 
 		if ok, _ := filepath.Match(pattern, info.Name()); ok {
-			bytes, err := ioutil.ReadFile(filepath.Join(cfg.CertificateAuthoritiesDir, info.Name()))
+			bytes, err := os.ReadFile(filepath.Join(cfg.CertificateAuthoritiesDir, info.Name()))
 			if err != nil {
 				return err
 			}
@@ -294,7 +294,7 @@ func setLogFacilities(facilities []string) {
 
 	// if the console option has not been specified close the standard logging
 	if !consoleEnabled {
-		log.SetOutput(ioutil.Discard)
+		log.SetOutput(io.Discard)
 	}
 }
 

config/config_test.go

@@ -1,7 +1,7 @@
 package config
 
 import (
-	"io/ioutil"
+	"io"
 	"testing"
 
 	log "github.com/sirupsen/logrus"
@@ -122,6 +122,6 @@ func (suite *ConfigTestSuite) TestAuthOption() {
 }
 
 func TestConfigTestSuite(t *testing.T) {
-	log.SetOutput(ioutil.Discard)
+	log.SetOutput(io.Discard)
 	suite.Run(t, new(ConfigTestSuite))
 }