fix: gmpctl hardening #1938
Code Review
This pull request enhances the gmpctl tool by automating Go version detection from Dockerfiles, resolving OpenTelemetry schema version conflicts, adding automated pull request creation via the GitHub CLI, and introducing a thread-safe cache for NVD API severity lookups. Feedback on these changes focuses on improving robustness and performance, such as handling non-interactive environments gracefully in TTY detection, utilizing filepath.WalkDir and find -prune for more efficient directory traversal, capturing standard error in command execution, using idiomatic string comparisons, and falling back to CVSS V3.0 metrics when V3.1 is missing.
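To make the last item of that summary concrete, here is an added Go example (it is not gmpctl's own nvdapi.go code). It assumes the NVD API 2.0 response shape, where severity sits at `metrics.cvssMetricV31[].cvssData.baseSeverity` (and likewise under `cvssMetricV30`), uses constructed sample JSON, and returns an `UNKNOWN` sentinel of its own choosing when neither v3 block is present.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// nvdResponse covers only the NVD API 2.0 fields needed here (assumed response shape).
type nvdResponse struct {
	Vulnerabilities []struct {
		CVE struct {
			ID      string `json:"id"`
			Metrics map[string][]struct {
				CVSSData struct{ BaseSeverity string `json:"baseSeverity"` } `json:"cvssData"`
			} `json:"metrics"`
		} `json:"cve"`
	} `json:"vulnerabilities"`
}

// severityFromNVD returns the base severity for cveID and the metric block it came from.
// It prefers cvssMetricV31 and falls back to cvssMetricV30. A record with neither yields
// the sentinel "UNKNOWN" (this example's choice) so it cannot be mistaken for a real rating.
func severityFromNVD(body []byte, cveID string) (severity, source string, err error) {
	var r nvdResponse
	if err = json.Unmarshal(body, &r); err != nil {
		return "", "", err
	}
	for _, v := range r.Vulnerabilities {
		if v.CVE.ID != cveID {
			continue
		}
		for _, key := range []string{"cvssMetricV31", "cvssMetricV30"} { // preferred order
			if ms := v.CVE.Metrics[key]; len(ms) > 0 && ms[0].CVSSData.BaseSeverity != "" {
				return ms[0].CVSSData.BaseSeverity, key, nil
			}
		}
	}
	return "UNKNOWN", "", nil
}

// Constructed sample responses: one carrying both v3.1 and v3.0, one with only v3.0.
const (
	sampleBoth    = `{"vulnerabilities":[{"cve":{"id":"CVE-0000-0001","metrics":{"cvssMetricV31":[{"cvssData":{"baseSeverity":"CRITICAL"}}],"cvssMetricV30":[{"cvssData":{"baseSeverity":"HIGH"}}]}}}]}`
	sampleV30Only = `{"vulnerabilities":[{"cve":{"id":"CVE-0000-0002","metrics":{"cvssMetricV30":[{"cvssData":{"baseSeverity":"HIGH"}}]}}}]}`
)

func main() {
	s, src, err := severityFromNVD([]byte(sampleV30Only), "CVE-0000-0002")
	fmt.Println(s, src, err) // HIGH cvssMetricV30 <nil>
}
```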
| # This is faster than running requiring bingo and running bingo get. | ||
| cp "${dir}/.bingo/variables.env" "${dir}/.bingo/variables.env.bak" | ||
| echo "#!/bin/bash" >"${dir}/.bingo/variables.env" # Clean the file. | ||
| # NOTE: Only needed before 0.19. |
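Review bot: the comment on the first line of this hunk reads "faster than running requiring bingo and running bingo get", which looks like a leftover from an edit; suggest "This is faster than requiring bingo and running bingo get." The trailing "# NOTE: Only needed before 0.19." should also name which component's 0.19 it means (bingo, or this tool), so a maintainer knows when the variables.env rewrite can be removed.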
Best effort fixes thanks to Gemini security scanning. Includes:
- Only set GPG_TTY if a valid TTY was successfully detected.
- Optimize directory walks with filepath.WalkDir in cmd_vulnfix.go.
- Forward stderr for temp schema run in cmd_vulnfix.go.
- Use idiomatic string comparison for branch == "main".
- Use find -prune to efficiently skip large directories in lib.sh.
- Add CVSSMetricV30 fallback to NVD API severity parsing in nvdapi.go.
- Fix TestReplaceOtelImports to run git init in temp dir.
- Allow main vulnfix.
- Dependency, tagging, cache, and semconv sync fixes.
- Format documentation.
| } | ||
| // Update go version in go.mod to what toolchain is set to if it was updated by accident | ||
| // otherwise it won't work with our toolchain. | ||
| if _, err := runCommand(&cmdOpts{Dir: dir, Envs: opts}, "go", "mod", "edit", "-go=1.25.0"); err != nil { |
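Review bot: the "-go=1.25.0" argument hardcodes a patch-level Go version into a call whose comment says it only repairs an accidental edit to the go directive; the same literal appears again in the GOTOOLCHAIN setting further down, so the two can drift apart. Suggest sourcing the version once (the PR already adds Go version detection from Dockerfiles) and passing that value here. The comment's "to what toolchain is set to" also reads awkwardly; "to the version the toolchain is set to" says the same thing clearly.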
This is incompatible with GOTOOLCHAIN=local, which is applied to ensure we're actually building with the toolchain from the build image.
Also, we do not want to lock in to a specific patch version. For 1.25, latest is 1.25.11, and we do not want to introduce new vulnerabilities from the toolchain because we're locked into .0.
Unfortunately that also means it depends on what Go version you have installed, etc.
| // We are hardcoding toolchain everywhere for now, until we have deps that require higher version. | ||
| // This makes it simpler to maintain dependencies across old versions, forks and tools (e.g. code gen). | ||
| // This follows what e.g. Prometheus is doing https://github.com/prometheus/prometheus/pull/18938#issue-4676291443 | ||
| fmt.Sprintf("GOTOOLCHAIN=go1.25.0"), |
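Review bot: `fmt.Sprintf("GOTOOLCHAIN=go1.25.0")` has no format verbs and no arguments, so the plain string literal `"GOTOOLCHAIN=go1.25.0"` does the same without the Sprintf call. The pinned go1.25.0 duplicates the version used in the `go mod edit -go=1.25.0` call above; keeping both behind one constant avoids them drifting apart. Minor wording in the comment: "until we have deps that require higher version" needs an article ("a higher version").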
GOTOOLCHAIN feels like the wrong tool to prevent dependency updates.
Signed-off-by: bwplotka <bwplotka@google.com>
Newer version of the same, without toolchain #1971
A few fixes.
Includes:
mainbranch vulnfix.