From 3cd28504dec017ef38f1a7abc141a493b9319757 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 8 Aug 2024 14:12:26 +0200
Subject: [PATCH] govulncheck to report known vulnerabilities

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/ci.yml                | 32 +++++++++++++++++++++++++
 docker-bake.hcl                         | 19 +++++++++++++++
 hack/dockerfiles/govulncheck.Dockerfile | 32 +++++++++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100644 hack/dockerfiles/govulncheck.Dockerfile

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 74dd95494a30f..a4b21e3745abb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -130,3 +130,35 @@ jobs:
         name: Check artifacts
         run: |
           find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
+
+  govulncheck:
+    runs-on: ubuntu-24.04
+    permissions:
+      # required to write sarif report
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.SETUP_BUILDX_VERSION }}
+          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Run
+        uses: docker/bake-action@v5
+        with:
+          targets: govulncheck
+        env:
+          GOVULNCHECK_FORMAT: sarif
+      -
+        name: Upload SARIF report
+        if: ${{ github.event_name != 'pull_request' && github.repository == 'moby/moby' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
diff --git a/docker-bake.hcl b/docker-bake.hcl
index f822ec758b3cf..2232f31eb87c5 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -181,3 +181,22 @@ target "dev" {
   tags = ["docker-dev"]
   output = ["type=docker"]
 }
+
+#
+# govulncheck
+#
+
+variable "GOVULNCHECK_FORMAT" {
+  default = null
+}
+
+target "govulncheck" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/govulncheck.Dockerfile"
+  target = "output"
+  args = {
+    FORMAT = GOVULNCHECK_FORMAT
+  }
+  no-cache-filter = ["run"]
+  output = ["${DESTDIR}"]
+}
diff --git a/hack/dockerfiles/govulncheck.Dockerfile b/hack/dockerfiles/govulncheck.Dockerfile
new file mode 100644
index 0000000000000..22353ed9d9e44
--- /dev/null
+++ b/hack/dockerfiles/govulncheck.Dockerfile
@@ -0,0 +1,32 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION=1.21.13
+ARG GOVULNCHECK_VERSION=v1.1.3
+ARG FORMAT=text
+
+FROM golang:${GO_VERSION}-alpine AS base
+WORKDIR /go/src/github.com/docker/docker
+RUN apk add --no-cache jq moreutils
+ARG GOVULNCHECK_VERSION
+RUN --mount=type=cache,target=/root/.cache \
+    --mount=type=cache,target=/go/pkg/mod \
+    go install golang.org/x/vuln/cmd/govulncheck@$GOVULNCHECK_VERSION
+
+FROM base AS run
+ARG FORMAT
+RUN --mount=type=bind,target=.,rw <<EOT
+  set -ex
+  mkdir /out
+  ln -s vendor.mod go.mod
+  ln -s vendor.sum go.sum
+  govulncheck -format ${FORMAT} ./... | tee /out/govulncheck.out
+  if [ "${FORMAT}" = "sarif" ]; then
+    # Make sure "results" field is defined in SARIF output otherwise GitHub Code Scanning
+    # will fail when uploading report with "Invalid SARIF. Missing 'results' array in run."
+    # Relates to https://github.com/golang/vuln/blob/ffdef74cc44d7eb71931d8d414c478b966812488/internal/sarif/sarif.go#L69
+    jq '(.runs[] | select(.results == null) | .results) |= []' /out/govulncheck.out | tee >(sponge /out/govulncheck.out)
+  fi
+EOT
+
+FROM scratch AS output
+COPY --from=run /out /