Merge pull request #33 from vulncheck-oss/more-nil-checks

🩺 more nil checks
vulncheck-oss · May 15, 2024 · ae00b53 · ae00b53
2 parents fbffdbc + a8c634a
commit ae00b53
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 11 deletions.
diff --git a/pkg/cmd/scan/scan.go b/pkg/cmd/scan/scan.go
@@ -130,14 +130,17 @@ func Command() *cobra.Command {
 				return err
 			}
 
-			if len(*vulns) == 0 {
-				ui.Info(fmt.Sprintf(i18n.C.ScanNoCvesFound, len(purls)))
-			}
-
-			if len(*vulns) > 0 {
-				if err := ui.ScanResults(output.Vulnerabilities); err != nil {
-					return err
+			if vulns != nil {
+				if len(*vulns) == 0 {
+					ui.Info(fmt.Sprintf(i18n.C.ScanNoCvesFound, len(purls)))
+				}
+				if len(*vulns) > 0 {
+					if err := ui.ScanResults(output.Vulnerabilities); err != nil {
+						return err
+					}
 				}
+			} else {
+				ui.Info(fmt.Sprintf(i18n.C.ScanNoCvesFound, len(purls)))
 			}
 
 			elapsedTime := time.Since(startTime)
@@ -173,6 +176,10 @@ func getSbom(dir string) (*sbom.SBOM, error) {
 
 func getPurls(sbm *sbom.SBOM) []string {
 
+	if sbm == nil {
+		return []string{}
+	}
+
 	var purls []string
 
 	for p := range sbm.Artifacts.Packages.Enumerate() {

diff --git a/script/sign b/script/sign
@@ -17,13 +17,13 @@ sign_windows() {
     return 1
   fi
 
-  if [ -z "$CERT_PASSWORD" ]; then
-    echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
+  if [ -z "$KEY_FILE" ]; then
+    echo "error Windows code-signing; no value for KEY_FILE" >&2
     return 1
   fi
 
-  osslsigncode sign -n "VulnCheck CLI" -t http://timestamp.digicert.com \
-    -pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
+  osslsigncode sign -n "VulnCheck CLI" \
+    -certs "$CERT_FILE" -key "$KEY_FILE" \
     -in "$1" -out "$1"~
 
   mv "$1"~ "$1"

diff --git a/script/sign-old b/script/sign-old
@@ -0,0 +1,71 @@
+#!/bin/bash
+# usage: script/sign <file>
+#
+# Signs macOS binaries using codesign, notarizes macOS zip archives using notarytool, and signs
+# Windows EXE and MSI files using osslsigncode.
+#
+set -e
+
+sign_windows() {
+  if [ -z "$CERT_FILE" ]; then
+    echo "skipping Windows code-signing; CERT_FILE not set" >&2
+    return 0
+  fi
+
+  if [ ! -f "$CERT_FILE" ]; then
+    echo "error Windows code-signing; file '$CERT_FILE' not found" >&2
+    return 1
+  fi
+
+  if [ -z "$CERT_PASSWORD" ]; then
+    echo "error Windows code-signing; no value for CERT_PASSWORD" >&2
+    return 1
+  fi
+
+  osslsigncode sign -n "VulnCheck CLI" -t http://timestamp.digicert.com \
+    -pkcs12 "$CERT_FILE" -readpass <(printf "%s" "$CERT_PASSWORD") -h sha256 \
+    -in "$1" -out "$1"~
+
+  mv "$1"~ "$1"
+}
+
+sign_macos() {
+  if [ -z "$APPLE_DEVELOPER_ID" ]; then
+    echo "skipping macOS code-signing; APPLE_DEVELOPER_ID not set" >&2
+    return 0
+  fi
+
+  if [[ $1 == *.zip ]]; then
+    echo "Running notarytool submit for $1"
+    echo "Apple ID: ${APPLE_ID?}"
+    echo "Team ID: ${APPLE_DEVELOPER_ID?}"
+    xcrun notarytool submit "$1" --apple-id "${APPLE_ID?}" --team-id "${APPLE_DEVELOPER_ID?}" --password "${APPLE_ID_PASSWORD?}"
+  else
+    echo "Running codesign for $1"
+    echo "Using Developer ID: ${APPLE_DEVELOPER_ID?}"
+    codesign --timestamp --options=runtime -s "${APPLE_DEVELOPER_ID?}" -v "$1"
+  fi
+
+}
+
+if [ $# -eq 0 ]; then
+  echo "usage: script/sign <file>" >&2
+  exit 1
+fi
+
+platform="$(uname -s)"
+
+for input_file; do
+  case "$input_file" in
+  *.exe | *.msi )
+    sign_windows "$input_file"
+    ;;
+  * )
+    if [ "$platform" = "Darwin" ]; then
+      sign_macos "$input_file"
+    else
+      printf "warning: don't know how to sign %s on %s\n" "$1", "$platform" >&2
+    fi
+    ;;
+  esac
+done