Chore repo code maintenance (#59)

* chore(deps): update dependencies. * chore(tools): update tools. * chore(go): allow go 1.17 compilation. * chore(build): rework build info. * feat(sec): mark CVE-2019-5736 as false positive.
elastic · Jul 26, 2021 · 30f0747 · 30f0747
1 parent 6a3ce4e
commit 30f0747
Show file tree

Hide file tree

Showing 20 changed files with 273 additions and 59 deletions.
diff --git a/.nancy-ignore b/.nancy-ignore
@@ -6,3 +6,6 @@ CVE-2020-15115
 # go-jwt issues - can be ignored because not used
 CVE-2020-26160
 # end
+# vault server indirect dependencies - false positive
+CVE-2019-5736
+# end
diff --git a/build/mage/golang/build.go b/build/mage/golang/build.go
@@ -140,13 +140,13 @@ func Build(name, packageName, version string, opts ...BuildOption) func() error
 
 		// Inject version information
 		varsSetByLinker := map[string]string{
-			"github.com/elastic/harp/build/version.Version":          version,
-			"github.com/elastic/harp/build/version.Revision":         git.Revision,
-			"github.com/elastic/harp/build/version.Branch":           git.Branch,
-			"github.com/elastic/harp/build/version.BuildUser":        os.Getenv("USER"),
-			"github.com/elastic/harp/build/version.BuildDate":        time.Now().Format(time.RFC3339),
-			"github.com/elastic/harp/build/version.GoVersion":        runtime.Version(),
-			"github.com/elastic/harp/build/version.CompilationFlags": strCompilationFlags,
+			"github.com/elastic/harp/build/version.Name":      name,
+			"github.com/elastic/harp/build/version.AppName":   packageName,
+			"github.com/elastic/harp/build/version.Version":   version,
+			"github.com/elastic/harp/build/version.Commit":    git.Revision,
+			"github.com/elastic/harp/build/version.Branch":    git.Branch,
+			"github.com/elastic/harp/build/version.BuildDate": time.Now().Format(time.RFC3339),
+			"github.com/elastic/harp/build/version.BuildTags": strCompilationFlags,
 		}
 		var linkerArgs []string
 		for name, value := range varsSetByLinker {
@@ -178,6 +178,6 @@ func Build(name, packageName, version string, opts ...BuildOption) func() error
 			filename = fmt.Sprintf("%s.exe", filename)
 		}
 
-		return sh.RunWith(env, "go", "build", buildMode, "-mod=readonly", "-ldflags", ldflagsValue, "-o", filename, packageName)
+		return sh.RunWith(env, "go", "build", buildMode, "-trimpath", "-mod=readonly", "-ldflags", ldflagsValue, "-o", filename, packageName)
 	}
 }
diff --git a/build/mage/golang/init.go b/build/mage/golang/init.go
@@ -27,6 +27,7 @@ import (
 
 // Keep only last 2 versions
 var goVersions = []string{
+	"~1.17",
 	"~1.16.6",
 }
 

diff --git a/build/mage/golang/is.go b/build/mage/golang/is.go
@@ -22,14 +22,13 @@ import (
 	"runtime"
 
 	semver "github.com/Masterminds/semver/v3"
-	"github.com/elastic/harp/pkg/sdk/log"
 	"go.uber.org/zap"
-)
 
-var (
-	versionSemverRe = regexp.MustCompile("[0-9.]+")
+	"github.com/elastic/harp/pkg/sdk/log"
 )
 
+var versionSemverRe = regexp.MustCompile("[0-9.]+")
+
 // Is return true if current go version is included in given array.
 func Is(constraints ...string) bool {
 	// Extract version digit from go runtime version.

diff --git a/build/version/command.go b/build/version/command.go
@@ -26,24 +26,35 @@ import (
 
 // -----------------------------------------------------------------------------
 
-var displayAsJSON bool
+var (
+	displayAsJSON bool
+	withModules   bool
+)
 
 // Command exports Cobra command builder
 func Command() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "version",
 		Short: "Display service version",
 		Run: func(cmd *cobra.Command, args []string) {
+			bi := NewInfo()
 			if displayAsJSON {
-				fmt.Fprintf(os.Stdout, "%s", JSON())
+				fmt.Fprintf(os.Stdout, "%s", bi.JSON())
 			} else {
-				fmt.Fprintf(os.Stdout, "%s", Full())
+				fmt.Fprintf(os.Stdout, "%s", bi.String())
+				if withModules {
+					fmt.Fprintln(os.Stdout, "\nDependencies:")
+					for _, dep := range bi.BuildDeps {
+						fmt.Fprintf(os.Stdout, "- %s\n", dep)
+					}
+				}
 			}
 		},
 	}
 
 	// Register parameters
 	cmd.Flags().BoolVar(&displayAsJSON, "json", false, "Display build info as json")
+	cmd.Flags().BoolVar(&withModules, "with-modules", false, "Display builtin go modules")
 
 	// Return command
 	return cmd

diff --git a/build/version/version.go b/build/version/version.go
@@ -20,40 +20,63 @@ package version
 import (
 	"encoding/json"
 	"fmt"
+	"runtime"
+	"runtime/debug"
 
 	"github.com/dchest/uniuri"
 )
 
 // Build information. Populated at build-time.
 var (
-	Version          = "unknown"
-	Revision         = "unknown"
-	Branch           = "unknown"
-	BuildUser        = "unknown"
-	BuildDate        = "unknown"
-	GoVersion        = "unknown"
-	CompilationFlags = "unknown"
+	Name      = "unknown"
+	AppName   = "unknown"
+	Version   = "unknown"
+	Commit    = "unknown"
+	Branch    = "unknown"
+	BuildDate = "unknown"
+	GoVersion = "unknown"
+	BuildTags = "unknown"
 )
 
+// NewInfo returns a build information object.
+func NewInfo() Info {
+	sdkVersion := getSDKVersion()
+	return Info{
+		Name:           Name,
+		ComponentName:  AppName,
+		Version:        Version,
+		GitBranch:      Branch,
+		GitCommit:      Commit,
+		BuildTags:      BuildTags,
+		BuildDate:      BuildDate,
+		GoVersion:      fmt.Sprintf("go version %s %s/%s", runtime.Version(), runtime.GOOS, runtime.GOARCH),
+		BuildDeps:      depsFromBuildInfo(),
+		HarpSdkVersion: sdkVersion,
+	}
+}
+
 // Map provides the iterable version information.
-var Map = map[string]string{
-	"version":           Version,
-	"revision":          Revision,
-	"branch":            Branch,
-	"build_user":        BuildUser,
-	"build_date":        BuildDate,
-	"go_version":        GoVersion,
-	"compilation_flags": CompilationFlags,
+type Info struct {
+	Name           string     `json:"name"`
+	ComponentName  string     `json:"component_name"`
+	Version        string     `json:"version"`
+	GitBranch      string     `json:"branch"`
+	GitCommit      string     `json:"commit"`
+	BuildTags      string     `json:"build_tags"`
+	GoVersion      string     `json:"go"`
+	BuildDeps      []buildDep `json:"build_deps"`
+	BuildDate      string     `json:"build_date"`
+	HarpSdkVersion string     `json:"harp_sdk_version,omitempty"`
 }
 
 // Full returns full composed version string
-func Full() string {
-	return fmt.Sprintf("%s [%s:%s] (Go: %s, Flags: %s, User: %s, Date: %s)", Version, Branch, Revision, GoVersion, CompilationFlags, BuildUser, BuildDate)
+func (i *Info) String() string {
+	return fmt.Sprintf("%s [%s:%s] (Go: %s, Flags: %s, Date: %s)", i.Version, i.GitBranch, i.GitCommit, i.GoVersion, i.BuildTags, BuildDate)
 }
 
 // JSON returns json representation of build info
-func JSON() string {
-	payload, err := json.Marshal(Map)
+func (i *Info) JSON() string {
+	payload, err := json.Marshal(i)
 	if err != nil {
 		panic(err)
 	}
@@ -65,3 +88,50 @@ func JSON() string {
 func ID() string {
 	return uniuri.NewLen(64)
 }
+
+// -----------------------------------------------------------------------------
+
+func getSDKVersion() string {
+	// Extract build info
+	deps, ok := debug.ReadBuildInfo()
+	if !ok {
+		return "unable to read deps"
+	}
+
+	// Look for harp dependency version
+	var sdkVersion string
+	for _, dep := range deps.Deps {
+		if dep.Path == "github.com/elastic/harp" {
+			sdkVersion = dep.Version
+		}
+	}
+
+	return sdkVersion
+}
+
+func depsFromBuildInfo() (deps []buildDep) {
+	buildInfo, ok := debug.ReadBuildInfo()
+	if !ok {
+		return nil
+	}
+
+	for _, dep := range buildInfo.Deps {
+		deps = append(deps, buildDep{dep})
+	}
+
+	return
+}
+
+type buildDep struct {
+	*debug.Module
+}
+
+func (d buildDep) String() string {
+	if d.Replace != nil {
+		return fmt.Sprintf("%s@%s => %s@%s %s", d.Path, d.Version, d.Replace.Path, d.Replace.Version, d.Replace.Sum)
+	}
+
+	return fmt.Sprintf("%s@%s %s", d.Path, d.Version, d.Sum)
+}
+
+func (d buildDep) MarshalJSON() ([]byte, error) { return json.Marshal(d.String()) }
diff --git a/go.mod b/go.mod
@@ -36,8 +36,8 @@ require (
 	github.com/gosimple/slug v1.9.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/hcl v1.0.0
-	github.com/hashicorp/hcl/v2 v2.10.0
-	github.com/hashicorp/vault/api v1.1.0
+	github.com/hashicorp/hcl/v2 v2.10.1
+	github.com/hashicorp/vault/api v1.1.1
 	github.com/iancoleman/strcase v0.2.0
 	github.com/imdario/mergo v0.3.12
 	github.com/jmespath/go-jmespath v0.4.0
@@ -63,8 +63,8 @@ require (
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c
-	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b
-	google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a
+	golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1
+	google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f
 	google.golang.org/grpc v1.39.0
 	google.golang.org/protobuf v1.27.1
 	gopkg.in/square/go-jose.v2 v2.6.0