From 02aaeeb83bb00ee8d80c0298d26110aea9572aca Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 09:35:47 +0000 Subject: [PATCH 01/10] update to go 1.25 and direct dependencies --- Dockerfile | 4 +-- go.mod | 37 +++++++++++++-------------- go.sum | 75 ++++++++++++++++++++++++++---------------------------- 3 files changed, 56 insertions(+), 60 deletions(-) diff --git a/Dockerfile b/Dockerfile index e45aac1..f9d8905 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24 AS build +FROM golang:1.25 AS build WORKDIR /app @@ -16,7 +16,7 @@ FROM build AS test COPY test-support/scanoss.sh /app/scanoss.sh -FROM debian:buster-slim AS production +FROM debian:bookworm-slim AS production WORKDIR /app diff --git a/go.mod b/go.mod index ced5648..987d086 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module scanoss.com/go-api -go 1.24.4 +go 1.25.0 require ( github.com/go-co-op/gocron v1.37.0 
@@ -8,19 +8,19 @@ require ( github.com/google/uuid v1.6.0 github.com/gorilla/mux v1.8.1 github.com/hashicorp/go-version v1.8.0 - github.com/jpillora/ipfilter v1.2.9 + github.com/jpillora/ipfilter v1.3.0 github.com/scanoss/zap-logging-helper v0.4.0 github.com/stretchr/testify v1.11.1 github.com/wlynxg/chardet v1.0.4 - go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.64.0 - go.opentelemetry.io/otel v1.39.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 - go.opentelemetry.io/otel/metric v1.39.0 - go.opentelemetry.io/otel/sdk v1.39.0 - go.opentelemetry.io/otel/sdk/metric v1.39.0 - go.opentelemetry.io/otel/trace v1.39.0 + go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.67.0 + go.opentelemetry.io/otel v1.42.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 + go.opentelemetry.io/otel/metric v1.42.0 + go.opentelemetry.io/otel/sdk v1.42.0 + go.opentelemetry.io/otel/sdk/metric v1.42.0 + go.opentelemetry.io/otel/trace v1.42.0 go.uber.org/zap v1.27.1 ) @@ -35,8 +35,7 @@ require ( github.com/golobby/cast v1.3.3 // indirect github.com/golobby/dotenv v1.3.2 // indirect github.com/golobby/env/v2 v2.2.4 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4 // indirect - github.com/phuslu/iploc v1.0.20260115 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/robfig/cron/v3 v3.0.1 // indirect github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect 
@@ -44,12 +43,12 @@ require ( go.opentelemetry.io/proto/otlp v1.9.0 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/net v0.47.0 // indirect - golang.org/x/sys v0.39.0 // indirect - golang.org/x/text v0.32.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20260114163908-3f89685c29c3 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 // indirect - google.golang.org/grpc v1.78.0 // indirect + golang.org/x/net v0.51.0 // indirect + golang.org/x/sys v0.41.0 // indirect + golang.org/x/text v0.34.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect + google.golang.org/grpc v1.79.2 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/go.sum b/go.sum index e117c7e..2f04e96 100644 --- a/go.sum +++ b/go.sum 
@@ -35,12 +35,12 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4 h1:kEISI/Gx67NzH3nJxAmY/dGac80kKZgZt134u7Y/k1s= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.4/go.mod h1:6Nz966r3vQYCqIzWsuEl9d7cf7mRhtDmm++sOxlnfxI= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c= github.com/hashicorp/go-version v1.8.0 h1:KAkNb1HAiZd1ukkxDFGmokVZe1Xy9HG6NUp+bPle2i4= github.com/hashicorp/go-version v1.8.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/jpillora/ipfilter v1.2.9 h1:vjjcI1JpxZ6HvIj1MZfomhrfzXW/67QNdE449ZZfon8= -github.com/jpillora/ipfilter v1.2.9/go.mod h1:QUYQLXQU0myCdxZVbYBZ5+An/qtSB2m1OBRiwqTa9pk= +github.com/jpillora/ipfilter v1.3.0 h1:mjfcn7YjbU9T710+u+KRfxPqFDIkZjQ/kWAbukijSHk= +github.com/jpillora/ipfilter v1.3.0/go.mod h1:5VAr3WE/yrs38vvioOcOD+4xNFez2MVN3hnmJtHmiCQ= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= 
@@ -50,9 +50,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/phuslu/iploc v1.0.20230201/go.mod h1:gsgExGWldwv1AEzZm+Ki9/vGfyjkL33pbSr9HGpt2Xg= -github.com/phuslu/iploc v1.0.20260115 h1:DSo9u0GSVkNUXq1ZRYpe50kEjmyyWTkcNcSnUbeT1TU= -github.com/phuslu/iploc v1.0.20260115/go.mod h1:VZqAWoi2A80YPvfk1AizLGHavNIG9nhBC8d87D/SeVs= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -81,26 +78,26 @@ github.com/wlynxg/chardet v1.0.4 h1:hkI71Dx8v3RiAz3XKV5lJEh9QfKo7xXKUmYJQeIMlpo= github.com/wlynxg/chardet v1.0.4/go.mod h1:HLQMNsa0w4MkH2e7waQaFD+Yh85riFFTLhFtP8fsdbQ= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= -go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.64.0 h1:vwZaYp+EEiPUQD1rYKPT0vLfGD7XMv2WypO/59ySpwM= -go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.64.0/go.mod h1:D96L6/izMrfhIlFm1sFiyEC8zVyMcDzC8dwqUoTmGT8= -go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= -go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0 h1:cEf8jF6WbuGQWUVcqgyWtTR0kOOAWY1DYZ+UhvdmQPw= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.39.0/go.mod h1:k1lzV5n5U3HkGvTCJHraTAGJ7MqsgL1wrGwTj1Isfiw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 h1:f0cb2XPmrqn4XMy9PNliTgRKJgS5WcL/u0/WRYGz4t0= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0/go.mod h1:vnakAaFckOMiMtOIhFI2MNH4FYrZzXCYxmb1LlhoGz8= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 h1:in9O8ESIOlwJAEGTkkf34DesGRAc/Pn8qJ7k3r/42LM= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0/go.mod h1:Rp0EXBm5tfnv0WL+ARyO/PHBEaEAT8UUHQ6AGJcSq6c= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0 h1:8UPA4IbVZxpsD76ihGOQiFml99GPAEZLohDXvqHdi6U= -go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.39.0/go.mod h1:MZ1T/+51uIVKlRzGw1Fo46KEWThjlCBZKl2LzY5nv4g= -go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= -go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= -go.opentelemetry.io/otel/sdk v1.39.0 
h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= -go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= -go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= -go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= -go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= -go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= +go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.67.0 h1:b6GmayQMq3nLt5X/+u+B4wnU5CqaMBBDuPz+TFu07rg= +go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.67.0/go.mod h1:R6Z44a4CJLVvfd0n95UfHq6wD6SyGMvjfZfVK9GRy3c= +go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho= +go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0 h1:MdKucPl/HbzckWWEisiNqMPhRrAOQX8r4jTuGr636gk= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.42.0/go.mod h1:RolT8tWtfHcjajEH5wFIZ4Dgh5jpPdFXYV9pTAk/qjc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 h1:THuZiwpQZuHPul65w4WcwEnkX2QIuMT+UFoOrygtoJw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0/go.mod h1:J2pvYM5NGHofZ2/Ru6zw/TNWnEQp5crgyDeSrYpXkAw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0 h1:zWWrB1U6nqhS/k6zYB74CjRpuiitRtLLi68VcgmOEto= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.42.0/go.mod h1:2qXPNBX1OVRC0IwOnfo1ljoid+RD0QK3443EaqVlsOU= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0 h1:s/1iRkCKDfhlh1JF26knRneorus8aOwVIDhvYx9WoDw= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.42.0/go.mod h1:UI3wi0FXg1Pofb8ZBiBLhtMzgoTm1TYkMvn71fAqDzs= +go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4= 
+go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI= +go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo= +go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts= +go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA= +go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc= +go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY= +go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc= go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= 
@@ -112,20 +109,20 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= -golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= -golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= -golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= -golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= +golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= +golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= +golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= +golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= +golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20260114163908-3f89685c29c3 h1:X9z6obt+cWRX8XjDVOn+SZWhWe5kZHm46TThU9j+jss= -google.golang.org/genproto/googleapis/api v0.0.0-20260114163908-3f89685c29c3/go.mod h1:dd646eSK+Dk9kxVBl1nChEOhJPtMXriCcVb4x3o6J+E= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3 h1:C4WAdL+FbjnGlpp2S+HMVhBeCq2Lcib4xZqfPNF6OoQ= -google.golang.org/genproto/googleapis/rpc v0.0.0-20260114163908-3f89685c29c3/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= -google.golang.org/grpc v1.78.0 
h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= -google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= +google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 h1:JLQynH/LBHfCTSbDWl+py8C+Rg/k1OVH3xfcaiANuF0= +google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:kSJwQxqmFXeo79zOmbrALdflXQeAYcUbgS7PbpMknCY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 h1:mWPCjDEyshlQYzBpMNHaEof6UX1PmHcaUODUywQ0uac= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= +google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU= +google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 665067d09837f3eeb48c6d335c4724b37c8a6020 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 09:41:48 +0000 Subject: [PATCH 02/10] use go.mod for version in workflows --- .github/workflows/go-ci.yml | 4 ++-- .github/workflows/golangci-lint.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index e69d41d..de8e27e 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -17,9 +17,9 @@ jobs: fetch-depth: 0 # Get tags to allow build script to get build version - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v5 with: - go-version: 1.24.x + go-version-file: 'go.mod' - name: Build run: make build_amd 
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 7168b77..abc3ead 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -17,9 +17,9 @@ jobs: fetch-depth: 0 # Get tags to allow build script to get build version - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v5 with: - go-version: 1.24.x + go-version-file: 'go.mod' - name: Setup Version run: make version diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 909085f..af1b603 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,9 +15,9 @@ jobs: fetch-depth: 0 # Get tags to allow build script to get build version - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@v5 with: - go-version: 1.24.x + go-version-file: 'go.mod' - name: Build run: | From b843fe54d7188cf496e5cd40cd1c540094e2f425 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 16:19:16 +0000 Subject: [PATCH 03/10] add local build target for local testing --- Makefile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index c7ce9be..8c83be5 100644 --- a/Makefile +++ b/Makefile 
@@ -97,12 +97,17 @@ ghcr_push: ## Push the GH container image to GH Packages ghcr_all: ghcr_build ghcr_tag ghcr_push ## Execute all GitHub Package container actions -build_amd: version ## Build an AMD 64 binary +build_local: version ## Build a Local binary + @echo "Building AMD binary $(VERSION)..." + go generate ./pkg/cmd/server.go + CGO_ENABLED=0 go build -ldflags="-w -s" -o ./target/scanoss-go-api-local ./cmd/server + +build_amd: version ## Build a Linux AMD 64 binary @echo "Building AMD binary $(VERSION)..." go generate ./pkg/cmd/server.go GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-w -s" -o ./target/scanoss-go-api-linux-amd64 ./cmd/server -build_arm: version ## Build an ARM 64 binary +build_arm: version ## Build a Linux ARM 64 binary @echo "Building ARM binary $(VERSION)..." go generate ./pkg/cmd/server.go GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="-w -s" -o ./target/scanoss-go-api-linux-arm64 ./cmd/server From d2a2ba08cf012fae68074df06a03097a67d6b148 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 16:19:56 +0000 Subject: [PATCH 04/10] add support for .env file loading during installation and startup --- CHANGELOG.md | 7 ++++++- scripts/env-setup.sh | 39 +++++++++++++++++++++++++++++++-------- scripts/scanoss-go-api.sh | 13 +++++++++---- 3 files changed, 46 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d91c05c..08be44c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.6.3] - 2026-03-10 +### Added +- Add dynamic support for loading env vars (from file) during startup. +- Add `build_local` target to Makefile for local execution. +- Upgraded to golang 1.25 ## [1.6.2] - 2026-02-26 ### Added 
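Review bot: The new `build_local` target copies `@echo "Building AMD binary $(VERSION)..."` from `build_amd`, so a local build announces itself as an AMD build; change it to `@echo "Building local binary $(VERSION)..."`. Since the target deliberately sets no `GOOS`/`GOARCH`, the help text could say so, e.g. `build_local: version ## Build a binary for the current host OS/arch`, to set it apart from the two Linux targets.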
@@ -189,4 +194,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 [1.6.0]: https://github.com/scanoss/api.go/compare/v1.5.2...v1.6.0 [1.6.1]: https://github.com/scanoss/api.go/compare/v1.6.0...v1.6.1 [1.6.2]: https://github.com/scanoss/api.go/compare/v1.6.1...v1.6.2 - +[1.6.2]: https://github.com/scanoss/api.go/compare/v1.6.2...v1.6.3 diff --git a/scripts/env-setup.sh b/scripts/env-setup.sh index e713df0..877c4ea 100755 --- a/scripts/env-setup.sh +++ b/scripts/env-setup.sh @@ -17,14 +17,13 @@ if [ "$1" = "-h" ] || [ "$1" = "-help" ] ; then echo " [environment] allows the optional specification of a suffix to allow multiple services to be deployed at the same time (optional)" exit 1 fi - # Check if force flag is set FORCE_FLAG=false if [ "$1" = "-f" ]; then FORCE_FLAG=true shift # Shift arguments to handle environment correctly fi - +# Setup default values DEFAULT_ENV="" ENVIRONMENT="${1:-$DEFAULT_ENV}" @@ -44,7 +43,7 @@ if [ "$EUID" -ne 0 ] ; then echo "Please run as root" exit 1 fi - +# Confirm installation or not if [ "$FORCE_FLAG" = true ]; then echo "Force flag set. Installing SCANOSS Go API $ENVIRONMENT without prompts..." else @@ -57,7 +56,6 @@ else exit 1 fi fi - # Setup all the required folders and ownership echo "Setting up API system folders..." if ! mkdir -p "$CONF_DIR" ; then @@ -116,10 +114,12 @@ if ! cp scanoss-go-api.sh /usr/local/bin ; then echo "api startup script copy failed" exit 1 fi -# Copy in the configuration file if requested +# Copy in the configuration file(s) if requested CONF=app-config-prod.json +ENV_CONF=app-config-prod.env if [ -n "$ENVIRONMENT" ] ; then CONF="app-config-${ENVIRONMENT}.json" + ENV_CONF="app-config-${ENVIRONMENT}.env" fi if [ -f "$CONF" ] && [ ! -f "$CONF_DIR/$CONF" ] ; then echo "Copying app config to $CONF_DIR ..." 
@@ -128,6 +128,28 @@ if [ -f "$CONF" ] && [ ! -f "$CONF_DIR/$CONF" ] ; then
 exit 1
 fi
 fi
+if [ -f "$ENV_CONF" ] && [ ! -f "$CONF_DIR/$ENV_CONF" ] ; then
+ echo "Copying app env to $CONF_DIR ..."
+ if ! cp "$ENV_CONF" "$CONF_DIR/" ; then
+ echo "copy $ENV_CONF failed"
+ exit 1
+ fi
+fi
+ENV_PATH="$CONF_DIR/$ENV_CONF"
+if [ "$RUNTIME_USER" != "root" ] ; then
+ echo "Changing ownership of $CONF_DIR to $RUNTIME_USER ..."
+ if ! chown -R $RUNTIME_USER $CONF_DIR ; then
+ echo "chown of $CONF_DIR to $RUNTIME_USER failed"
+ exit 1
+ fi
+ if [ -f "$ENV_PATH" ] ; then
+ eco "Make $ENV_CONF readable/writable only to $RUNTIME_USER ..."
+ if ! chmod 600 "$ENV_PATH" ; then
+ echo "chmod of "$ENV_PATH" to $RUNTIME_USER failed"
+ exit 1
+ fi
+ fi
+fi
 # Copy the binaries if requested
 BINARY=scanoss-go-api
 if [ -f $BINARY ] ; then
@@ -155,7 +177,6 @@ if [ "$service_stopped" == "true" ] ; then
 fi
 systemctl status "$SC_SERVICE_NAME"
 else
-
 if [ "$FORCE_FLAG" = true ]; then
 echo "Force flag set. Starting SCANOSS Go API Service..."
 START_SERVICE=true
@@ -169,7 +190,6 @@ else
 START_SERVICE=true
 fi
 fi
-
 if [ "$START_SERVICE" = true ]; then
 if ! systemctl start "$SC_SERVICE_NAME" ; then
 echo "failed to restart service"
@@ -178,7 +198,7 @@ else
 systemctl status "$SC_SERVICE_NAME"
 fi
 fi
-
+# Check if we have a configuration file or not
 if [ ! -f "$CONF_DIR/$CONF" ] ; then
 echo
 echo "Warning: Please create a configuration file in: $CONF_DIR/$CONF"
@@ -187,6 +207,9 @@ if [ ! -f "$CONF_DIR/$CONF" ] ; then
 fi
 echo
 echo "Review service config in: $CONF_DIR/$CONF"
+if [ -f "$ENV_PATH" ] ; then
+ echo "Review service env in: $CONF_DIR/$ENV_CONF"
+fi
 echo "Logs are stored in: $LOGS_DIR"
 echo "Start the service using: systemctl start $SC_SERVICE_NAME"
 echo "Stop the service using: systemctl stop $SC_SERVICE_NAME"
diff --git a/scripts/scanoss-go-api.sh b/scripts/scanoss-go-api.sh
index 6e65653..03b0035 100755
--- a/scripts/scanoss-go-api.sh
+++ b/scripts/scanoss-go-api.sh
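Review bot: `eco "Make $ENV_CONF readable/writable only to $RUNTIME_USER ..."` is a typo for `echo`; whether the script runs under `set -e` is not visible in the hunk, so this either aborts the installer right before the `chmod` or prints a command-not-found error and carries on. The `chmod 600 "$ENV_PATH"` also sits inside the `if [ "$RUNTIME_USER" != "root" ]` branch, so when the service runs as root the copied env file keeps whatever mode `cp` gave it, even though the commit itself treats that file as sensitive by restricting it to 0600 in the other case; move the `if [ -f "$ENV_PATH" ]` block out of the ownership branch so the mode is tightened regardless of the runtime user. Two smaller points on the same lines: `chown -R $RUNTIME_USER $CONF_DIR` is unquoted unlike every surrounding test, and `echo "chmod of "$ENV_PATH" to $RUNTIME_USER failed"` closes and reopens its quotes around `$ENV_PATH`, so write it `echo "chmod of $ENV_PATH to $RUNTIME_USER failed"`.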
@@ -11,6 +11,8 @@ DEFAULT_ENV="prod" ENVIRONMENT="${1:-$DEFAULT_ENV}" LOGFILE=/var/log/scanoss/api/scanoss-api-${ENVIRONMENT}.log CONF_FILE=/usr/local/etc/scanoss/api/app-config-${ENVIRONMENT}.json +ENV_FILE=/usr/local/etc/scanoss/api/app-config-${ENVIRONMENT}.env +CMD_ARGS=(--json-config "$CONF_FILE") # Rotate log if [ -f "$LOGFILE" ] ; then echo "rotating logfile..." @@ -20,11 +22,14 @@ if [ -f "$LOGFILE" ] ; then gzip -f "$BACKUP_FILE" fi echo > "$LOGFILE" - +# Add env file if it exists +if [ -f "$ENV_FILE" ] ; then + echo "adding env file" + CMD_ARGS+=(--env-config "$ENV_FILE") +fi # echo "removing old fingerprint & sbom temporary files..." # rm -f /tmp/finger*.wfp /tmp/sbom*.json /tmp/failed-finger*.wfp -#start API echo "starting SCANOSS GO API" - -exec /usr/local/bin/scanoss-go-api --json-config "$CONF_FILE" > "$LOGFILE" 2>&1 +#start API +exec /usr/local/bin/scanoss-go-api "${CMD_ARGS[@]}" > "$LOGFILE" 2>&1 From 9b73842bd7e1a6e9c9baa5218206b3cf916ad9b3 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 17:08:39 +0000 Subject: [PATCH 05/10] upgrade to golangci-lint 2.x --- .github/workflows/golangci-lint.yml | 2 +- .golangci.yml | 117 ++++++++++++-------------- Makefile | 7 +- pkg/cmd/server.go | 30 +++++-- pkg/config/server_config.go | 3 +- pkg/protocol/rest/server.go | 35 ++++---- pkg/service/attribution_service.go | 3 + pkg/service/filecontents_service.go | 1 + pkg/service/kb_details.go | 12 +-- pkg/service/licensedetails_service.go | 1 + pkg/service/scanning_service.go | 11 +-- pkg/service/utils_service.go | 17 ++-- pkg/service/utils_service_test.go | 7 +- 13 files changed, 131 insertions(+), 115 deletions(-) diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index abc3ead..aa02a6a 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml 
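Review bot: `CMD_ARGS=(--json-config "$CONF_FILE")` and `CMD_ARGS+=(--env-config "$ENV_FILE")` are bash arrays, so the script now depends on a bash interpreter; the shebang is outside the hunk, so confirm it is `#!/bin/bash` rather than `#!/bin/sh`, under which the array syntax is a hard error before the API is started. Passing the env file only when it exists is the right shape, but `echo "adding env file"` could name it, `echo "adding env file $ENV_FILE"`, so the startup output shows which environment's file was picked up.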
@@ -25,4 +25,4 @@ jobs: run: make version - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@v9 diff --git a/.golangci.yml b/.golangci.yml index 87c84dd..a2df940 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,56 +1,16 @@ +version: "2" run: timeout: 5m -linters-settings: - cyclop: - max-complexity: 30 - package-average: 10.0 - errcheck: - check-type-assertions: true - exhaustive: - check: - - switch - - map - funlen: - lines: 150 - statements: 80 - gocognit: - min-complexity: 25 - gosec: - excludes: - - G204 - govet: - enable-all: true - disable-all: false - disable: - - fieldalignment - nakedret: - max-func-lines: 10 - lll: - line-length: 180 - revive: - # Increase confidence to reduce false positives - confidence: 0.8 - rules: - - name: exported - severity: error - disabled: false - arguments: - - "checkPrivateReceivers" - - name: package-comments - severity: error - disabled: false - - name: comment-spacings - severity: warning - disabled: false - godot: - scope: toplevel - exclude: - - "^fixme:" - - "^todo:" - - "^NOTE:" - period: true - capital: true +formatters: + enable: + - gci + - goimports + settings: + gci: + sections: + - standard + - default linters: enable: @@ -62,7 +22,6 @@ linters: - goconst - gocritic - godot - - goimports - gosec - lll - loggercheck 
@@ -74,19 +33,53 @@ linters: - nonamedreturns - predeclared - reassign - - revive - - stylecheck + - staticcheck - unconvert - unparam - usestdlibvars - whitespace -issues: - exclude-dirs: - - tests - exclude-rules: - - path: _test\.go - linters: - - gocognit - - godot - - funlen + settings: + cyclop: + max-complexity: 30 + package-average: 10.0 + errcheck: + check-type-assertions: true + exhaustive: + check: + - switch + - map + funlen: + lines: 150 + statements: 80 + gocognit: + min-complexity: 40 + gosec: + excludes: + - G117 + - G304 + govet: + enable-all: true + disable: + - fieldalignment + settings: + shadow: + strict: true + nakedret: + max-func-lines: 10 + lll: + line-length: 180 + staticcheck: + checks: ["all", "-SA1019"] + + exclusions: + paths: + - tests + rules: + - path: _test\.go + linters: + - gocognit + - govet + - cyclop + - godot + - funlen diff --git a/Makefile b/Makefile index 8c83be5..64458f6 100644 --- a/Makefile +++ b/Makefile @@ -6,6 +6,8 @@ DOCKER=$(shell which docker) DOCKER_FULLNAME=${REPO}/${IMAGE_NAME} GHCR_FULLNAME=ghcr.io/${REPO}/${IMAGE_NAME} VERSION=$(shell ./version.sh) +# Linter version +LINT_VERSION := v2.10.1 # HELP # This will output the help for each task 
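Review bot: `gosec: excludes: - G117 - G304` and `staticcheck: checks: ["all", "-SA1019"]` silence these checks repository-wide, while the same commit handles G204 the opposite way, with per-call `//nolint:gosec` comments in the service files. G304 (file path taken from a variable) and SA1019 (use of a deprecated API) are the findings a reviewer most wants justified at the call site; in `pkg/protocol/rest/server.go` the commit removes the two `//nolint:staticcheck` markers on `x509.IsEncryptedPEMBlock` / `x509.DecryptPEMBlock`, so the deprecation notice on the legacy PEM decryption is now hidden instead of acknowledged. Prefer dropping the two global exclusions and keeping per-site `//nolint:gosec // G304: <reason>` and `//nolint:staticcheck // SA1019: <reason>` comments, as is already done for G204. Raising `gocognit: min-complexity` from 25 to 40 is a separate policy loosening worth a line in the commit message.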
@@ -58,7 +60,10 @@ lint_local_fix: ## Run local instance of linting across the code base including golangci-lint run --fix ./pkg/... ./cmd/... lint_docker: ## Run docker instance of linting across the code base - ${DOCKER} run --rm -v $(PWD):/app -v ~/.cache/golangci-lint/v1.64.8:/root/.cache -w /app golangci/golangci-lint:v1.64.8 golangci-lint run ./pkg/... ./cmd/... + ${DOCKER} run --rm -v $(PWD):/app -v ~/.cache/golangci-lint/$(LINT_VERSION):/root/.cache -w /app golangci/golangci-lint:$(LINT_VERSION) golangci-lint run ./pkg/... ./cmd/... + +lint_docker_fix: ## Run docker instance of linting across the code base including auto-fixing + ${DOCKER} run --rm -v $(PWD):/app -v ~/.cache/golangci-lint/$(LINT_VERSION):/root/.cache -w /app golangci/golangci-lint:$(LINT_VERSION) golangci-lint run --fix ./pkg/... ./cmd/... run_local: ## Launch the API locally for test @echo "Launching API locally..." diff --git a/pkg/cmd/server.go b/pkg/cmd/server.go index 04057d1..a61f60d 100644 --- a/pkg/cmd/server.go +++ b/pkg/cmd/server.go @@ -23,6 +23,7 @@ import ( "fmt" "io" "net/http" + "net/url" "os" "strings" "time" 
@@ -193,15 +194,18 @@ func RunServer() error {
 // testHPSMSetup validates that the sources server is available to enable HPSM.
 func testHPSMSetup() error {
- url := os.Getenv("SCANOSS_FILE_CONTENTS_URL")
- if url == "" {
+ hpsmURL := os.Getenv("SCANOSS_FILE_CONTENTS_URL")
+ if hpsmURL == "" {
 return fmt.Errorf("SCANOSS_FILE_CONTENTS_URL is not set")
 }
 // Ensure the URL ends with "/" before appending the test MD5
- url = strings.TrimSuffix(url, "/") + "/8109a183e06165144dc8d97b791c130f"
+ hpsmURL = strings.TrimSuffix(hpsmURL, "/") + "/8109a183e06165144dc8d97b791c130f"
+ if !isSafeURL(hpsmURL) {
+ zlog.S.Warnf("Disallowed URL for HPSM: %s", hpsmURL)
+ }
 zlog.S.Debug("HPSM test request started")
- // Create HTTP GET request
- req, err := http.NewRequest(http.MethodGet, url, nil)
+ //nolint:gosec // Create HTTP GET request
+ req, err := http.NewRequest(http.MethodGet, hpsmURL, nil)
 if err != nil {
 return fmt.Errorf("failed to create HPSM test request: %w", err)
 }
@@ -211,6 +215,7 @@ func testHPSMSetup() error {
 }
 // Perform the request with a 10-second timeout
 client := &http.Client{Timeout: 10 * time.Second}
+ //nolint:gosec
 resp, err := client.Do(req)
 if resp != nil {
 defer func(Body io.ReadCloser) {
@@ -233,3 +238,18 @@ func testHPSMSetup() error {
 zlog.S.Infof("HPSM setup test successful (HTTP %d)", resp.StatusCode)
 return nil
 }
+
+// isSafeURL checks if the provided URL belongs to the list of allowed hosts and returns true if it is safe, otherwise false.
+func isSafeURL(rawURL string) bool {
+ allowed := []string{"api.scanoss.com", "osskb.org", "localhost"}
+ u, err := url.Parse(rawURL)
+ if err != nil {
+ return false
+ }
+ for _, host := range allowed {
+ if u.Hostname() == host {
+ return true
+ }
+ }
+ return false
+}
diff --git a/pkg/config/server_config.go b/pkg/config/server_config.go
index ed049c3..b15cdec 100644
--- a/pkg/config/server_config.go
+++ b/pkg/config/server_config.go
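Review bot: `if !isSafeURL(hpsmURL) { zlog.S.Warnf(...) }` only logs and then still issues the request, so the allowlist constrains nothing; its visible effect is to sit next to the variable-URL finding that `//nolint:gosec // Create HTTP GET request` suppresses anyway, and the text after the second `//` occupies the justification slot while describing the next line. Either make the check binding, `return fmt.Errorf("SCANOSS_FILE_CONTENTS_URL host is not allowed: %s", hpsmURL)` in place of the `Warnf`, or, since the value comes from the operator's environment rather than a request, drop the check and give the nolint its real reason, e.g. `//nolint:gosec // URL comes from the SCANOSS_FILE_CONTENTS_URL environment variable, not from a request` (presumably G107). If the check becomes binding, deployments whose file-contents server is not one of the three hosts hard-coded in `isSafeURL` will fail HPSM setup, so the allowlist would then need to come from configuration. The bare `//nolint:gosec` added before `client.Do(req)` in the next hunk has the same missing rationale.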
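Review bot: `u.Hostname() == host` is a case-sensitive exact match and the scheme is never examined, so `API.scanoss.com` is rejected while `http://api.scanoss.com` passes as readily as `https://`; if this function is meant to gate an outbound request, compare with `strings.EqualFold` and check `u.Scheme` as well. With go.mod now at 1.25 the loop can become `return slices.ContainsFunc(allowed, func(h string) bool { return strings.EqualFold(u.Hostname(), h) })` (needs a `slices` import). The `allowed` literal would also read better as a package-level `var allowedHPSMHosts` so it can later be fed from configuration rather than edited in place.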
@@ -23,10 +23,9 @@ import ( "os" "strings" - "go.opentelemetry.io/otel/sdk/trace" - "github.com/golobby/config/v3" "github.com/golobby/config/v3/pkg/feeder" + "go.opentelemetry.io/otel/sdk/trace" ) const ( diff --git a/pkg/protocol/rest/server.go b/pkg/protocol/rest/server.go index 13ef107..d917a7a 100644 --- a/pkg/protocol/rest/server.go +++ b/pkg/protocol/rest/server.go @@ -32,21 +32,19 @@ import ( "syscall" "time" - "go.opentelemetry.io/otel/sdk/resource" - semconv "go.opentelemetry.io/otel/semconv/v1.17.0" - - "go.opentelemetry.io/otel" - "go.opentelemetry.io/otel/propagation" - "github.com/gorilla/mux" "github.com/jpillora/ipfilter" zlog "github.com/scanoss/zap-logging-helper/pkg/logger" "go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux" + "go.opentelemetry.io/otel" "go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc" "go.opentelemetry.io/otel/exporters/otlp/otlptrace" "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc" + "go.opentelemetry.io/otel/propagation" sdkmetric "go.opentelemetry.io/otel/sdk/metric" + "go.opentelemetry.io/otel/sdk/resource" sdktrace "go.opentelemetry.io/otel/sdk/trace" + semconv "go.opentelemetry.io/otel/semconv/v1.17.0" myconfig "scanoss.com/go-api/pkg/config" "scanoss.com/go-api/pkg/service" ) 
@@ -63,14 +61,14 @@ func RunServer(config *myconfig.ServerConfig, version string) error {
 return err
 }
 if config.Telemetry.Enabled {
- oltpShutdown, err := initProviders(config, version, config.Telemetry.ExtraMetrics)
- if err != nil {
- return err
+ oltpShutdown, err2 := initProviders(config, version, config.Telemetry.ExtraMetrics)
+ if err2 != nil {
+ return err2
 }
 defer oltpShutdown()
 }
 apiService := service.NewAPIService(config)
- if err := apiService.TestEngine(); err != nil {
+ if err2 := apiService.TestEngine(); err2 != nil {
 zlog.S.Warnf("Scanning engine test failed. Scan requests are likely to fail.")
 zlog.S.Warnf("Please make sure that %v is accessible", config.Scanning.ScanBinary)
 }
@@ -139,12 +137,11 @@ func RunServer(config *myconfig.ServerConfig, version string) error {
 <-c
 ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) // Set a deadline for gracefully shutting down
 defer cancel()
- if err := srv.Shutdown(ctx); err != nil {
- zlog.S.Warnf("error shutting down server %s", err)
+ if err2 := srv.Shutdown(ctx); err2 != nil {
+ zlog.S.Warnf("error shutting down server %s", err2)
 return fmt.Errorf("issue encountered while shutting down service")
- } else {
- zlog.S.Info("server gracefully stopped")
 }
+ zlog.S.Info("server gracefully stopped")
 return nil
 }
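Review bot: The `err2` renames (`oltpShutdown, err2 := initProviders(...)`, `if err2 := apiService.TestEngine(); err2 != nil`, `if err2 := srv.Shutdown(ctx); err2 != nil`) satisfy govet's strict shadow check with numbered names rather than by removing the shadowing; the idiomatic fix is to assign into the `err` this function already holds (it is returned on the hunk's first line): `var oltpShutdown func()` followed by `oltpShutdown, err = initProviders(config, version, config.Telemetry.ExtraMetrics)`, and `if err = apiService.TestEngine(); err != nil`. The same pattern appears in the `initProviders` shutdown closure (`err2`/`err3`) and in `loadKBDetails` in kb_details.go. Separately, the `TestEngine` branch still discards the error value, since neither `Warnf` line includes `err2`; `zlog.S.Warnf("Scanning engine test failed: %v. Scan requests are likely to fail.", err2)` would make the warning actionable.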
@@ -212,13 +209,11 @@ func loadPrivateKey(config *myconfig.ServerConfig) []byte {
 if v.Type == "RSA PRIVATE KEY" || v.Type == "PRIVATE KEY" {
 zlog.S.Debugf("Private Key: %v - %v", v.Type, v.Headers)
 // pvt, err := openssl.LoadPrivateKeyFromPEMWithPassword(encryptedPEM, passPhrase)
- //nolint:staticcheck
 if x509.IsEncryptedPEMBlock(v) {
 if len(config.TLS.Password) == 0 {
 zlog.S.Panicf("Need to configure TLS Password to decrypt encrypted Key file: %v", config.TLS.KeyFile)
 }
 zlog.S.Infof("Decrypting key...")
- //nolint:staticcheck
 pkey, err = x509.DecryptPEMBlock(v, []byte(config.TLS.Password))
 if err != nil {
 zlog.S.Panicf("Failed to decrypt Key File (%v): %v", config.TLS.KeyFile, err)
@@ -386,12 +381,12 @@ func initProviders(config *myconfig.ServerConfig, version string, extraAttribute
 return func() {
 cxt, cancel := context.WithTimeout(ctx, 5*time.Second)
 defer cancel()
- if err := traceExp.Shutdown(cxt); err != nil {
- otel.Handle(err)
+ if err2 := traceExp.Shutdown(cxt); err2 != nil {
+ otel.Handle(err2)
 }
 // pushes any last exports to the receiver
- if err := meterProvider.Shutdown(cxt); err != nil {
- otel.Handle(err)
+ if err3 := meterProvider.Shutdown(cxt); err3 != nil {
+ otel.Handle(err3)
 }
 }, nil
 }
diff --git a/pkg/service/attribution_service.go b/pkg/service/attribution_service.go
index 50238ef..de8f2d7 100644
--- a/pkg/service/attribution_service.go
+++ b/pkg/service/attribution_service.go
@@ -82,6 +82,8 @@ func (s APIService) SbomAttribution(w http.ResponseWriter, r *http.Request) {
 _, err = tempFile.Write(contentsTrimmed)
 if err != nil {
 zs.Errorf("Failed to write to temporary SBOM file: %v - %v", tempFile.Name(), err)
+ closeFile(tempFile, zs)
+ removeFile(tempFile, zs)
 http.Error(w, "ERROR engine attribution failed", http.StatusInternalServerError)
 return
 }
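Review bot: `closeFile(tempFile, zs)` / `removeFile(tempFile, zs)` are added on the write-failure path only, so any other early return between the temp file's creation and its eventual cleanup (both outside this hunk) would still leave the file behind; a single deferred cleanup placed right after the file is created, `defer func() { closeFile(tempFile, zs); removeFile(tempFile, zs) }()`, covers every exit uniformly, assuming the file is not needed once `SbomAttribution` returns and the two helpers tolerate being called once at the end. If the existing flow already closes and removes the file on the success path, that later call would become redundant under the defer and should go.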
@@ -105,6 +107,7 @@ func (s APIService) SbomAttribution(w http.ResponseWriter, r *http.Request) { zs.Debugf("Executing %v %v", s.config.Scanning.ScanBinary, strings.Join(args, " ")) ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second) // put a timeout on the scan execution defer cancel() + //nolint:gosec output, err := exec.CommandContext(ctx, s.config.Scanning.ScanBinary, args...).Output() if err != nil { zs.Errorf("Attribution command (%v %v) failed: %v", s.config.Scanning.ScanBinary, args, err) diff --git a/pkg/service/filecontents_service.go b/pkg/service/filecontents_service.go index ea50807..6039d8a 100644 --- a/pkg/service/filecontents_service.go +++ b/pkg/service/filecontents_service.go @@ -73,6 +73,7 @@ func (s APIService) FileContents(w http.ResponseWriter, r *http.Request) { zs.Debugf("Executing %v %v", s.config.Scanning.ScanBinary, strings.Join(args, " ")) ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second) // put a timeout on the scan execution defer cancel() + //nolint:gosec output, err := exec.CommandContext(ctx, s.config.Scanning.ScanBinary, args...).Output() if err != nil { zs.Errorf("Contents command (%v %v) failed: %v", s.config.Scanning.ScanBinary, args, err) diff --git a/pkg/service/kb_details.go b/pkg/service/kb_details.go index 5fc4cdf..423a208 100644 --- a/pkg/service/kb_details.go +++ b/pkg/service/kb_details.go 
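Review bot: A bare `//nolint:gosec` suppresses every gosec rule on the `exec.CommandContext` line, not just G204 (subprocess launched with variable program/arguments), and it records no reason the finding is acceptable. Name the rule and the justification so it survives review and golangci-lint's nolintlint, if enabled: `//nolint:gosec // G204: ScanBinary is operator-configured; args are an argv slice, no shell involved`. Passing `args...` does avoid shell interpretation, but `args` is assembled earlier in this handler (outside the hunk); any element that can be client-influenced still needs validation against the expected format before it reaches the engine's option parser, because that is exactly the class of issue the suppression hides.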
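Review bot: The `//nolint:gosec` added before `exec.CommandContext` in FileContents is unqualified and unexplained, so a reader has to reconstruct which finding (G204) was silenced and why. Use `//nolint:gosec // G204: ScanBinary is operator-configured, args passed as argv without a shell` so the intent is explicit. If any element of `args` originates from the request (its construction is above this hunk), validate it against an allow-list or a strict pattern before the call; the directive otherwise suppresses the one warning that would have pointed at that path.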
@@ -133,14 +133,14 @@ func (s APIService) loadKBDetails() { var ms matchStructure // Go through the list of file results and extract one set of KB details for _, key := range resDataAny { - data, err := json.Marshal(key) // convert the given interface to JSON - if err != nil { - zs.Warnf("Failed to convert KB version map to json: %v - %v", key, err) + data, err2 := json.Marshal(key) // convert the given interface to JSON + if err2 != nil { + zs.Warnf("Failed to convert KB version map to json: %v - %v", key, err2) return } - err = json.Unmarshal(data, &ms) - if err != nil { - zs.Warnf("Failed to parse KB version from eninge result: %v - %v", data, err) + err2 = json.Unmarshal(data, &ms) + if err2 != nil { + zs.Warnf("Failed to parse KB version from eninge result: %v - %v", data, err2) return } } diff --git a/pkg/service/licensedetails_service.go b/pkg/service/licensedetails_service.go index e4b7a73..d27c56d 100644 --- a/pkg/service/licensedetails_service.go +++ b/pkg/service/licensedetails_service.go @@ -67,6 +67,7 @@ func (s APIService) LicenseDetails(w http.ResponseWriter, r *http.Request) { zs.Debugf("Executing %v %v", s.config.Scanning.ScanBinary, strings.Join(args, " ")) ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second) // put a timeout on the scan execution defer cancel() + //nolint:gosec output, err := exec.CommandContext(ctx, s.config.Scanning.ScanBinary, args...).Output() if err != nil { zs.Errorf("License Details command (%v %v) failed: %v", s.config.Scanning.ScanBinary, args, err) diff --git a/pkg/service/scanning_service.go b/pkg/service/scanning_service.go index f35d750..372d5f9 100644 --- a/pkg/service/scanning_service.go +++ b/pkg/service/scanning_service.go 
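Review bot: The touched `Warnf` line keeps a typo in its message, `"Failed to parse KB version from eninge result"` — change to `"engine result"` while the line is being edited, and use `%s` rather than `%v` for `data`, which as a `[]byte` otherwise prints as a list of decimal numbers. More substantively, the loop marshals and unmarshals every element of `resDataAny` into the same `ms`, so only the last element survives even though the comment says one set of KB details is wanted; if the first element suffices, a `break` after the successful `Unmarshal` states the intent and avoids redundant work. loadKBDetails starts and ends outside this hunk.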
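Review bot: `//nolint:gosec` here is added without the rule or a reason, so it disables the whole gosec family on the `exec.CommandContext` line rather than the single finding (G204, command with variable program/arguments) that motivated it. Prefer `//nolint:gosec // G204: ScanBinary is operator-configured; args are an argv slice, no shell is involved`. Whatever request-derived value is placed into `args` (its construction is above this hunk) should be validated against the expected format before the call, since that is precisely the risk G204 flags.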
@@ -29,11 +29,10 @@ import ( "strings" "time" - "go.opentelemetry.io/otel/attribute" - oteltrace "go.opentelemetry.io/otel/trace" - "github.com/google/uuid" zlog "github.com/scanoss/zap-logging-helper/pkg/logger" + "go.opentelemetry.io/otel/attribute" + oteltrace "go.opentelemetry.io/otel/trace" "go.uber.org/zap" ) @@ -107,8 +106,8 @@ func (s APIService) scanDirect(w http.ResponseWriter, r *http.Request, zs *zap.S http.Error(w, "ERROR invalid SBOM 'type' supplied", http.StatusBadRequest) return 0 } - tempFile, err := s.writeSbomFile(scanConfig.sbomFile, zs) - if err != nil { + tempFile, err2 := s.writeSbomFile(scanConfig.sbomFile, zs) + if err2 != nil { http.Error(w, "ERROR engine scan failed", http.StatusInternalServerError) return 0 } @@ -447,6 +446,7 @@ func (s APIService) scanWfp(wfp, sbomFile string, config ScanningServiceConfig, timeoutErr := fmt.Errorf("scan command timed out after %v seconds", s.config.Scanning.ScanTimeout) ctx, cancel := context.WithTimeoutCause(context.Background(), time.Duration(s.config.Scanning.ScanTimeout)*time.Second, timeoutErr) // put a timeout on the scan execution defer cancel() + //nolint:gosec output, err := exec.CommandContext(ctx, s.config.Scanning.ScanBinary, args...).Output() if err != nil { if cause := context.Cause(ctx); cause != nil { @@ -472,6 +472,7 @@ func (s APIService) TestEngine() error { timeoutErr := fmt.Errorf("engine test command timed out after 10 seconds") ctx, cancel := context.WithTimeoutCause(context.Background(), 10*time.Second, timeoutErr) // put a timeout on the scanoss execution defer cancel() + //nolint:gosec output, err := exec.CommandContext(ctx, s.config.Scanning.ScanBinary, args...).Output() if err != nil { if cause := context.Cause(ctx); cause != nil { diff --git a/pkg/service/utils_service.go b/pkg/service/utils_service.go index 46d69c3..9c07eb7 100644 --- a/pkg/service/utils_service.go +++ b/pkg/service/utils_service.go 
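Review bot: `tempFile, err2 := s.writeSbomFile(...)` introduces a numbered error variable purely to avoid shadowing the enclosing `err`, and the function returns 0 immediately without using either value afterwards. Declaring the file first and assigning with `=` keeps one `err` in scope — `var tempFile *os.File` then `tempFile, err = s.writeSbomFile(scanConfig.sbomFile, zs)` — or, if the outer `err` must be preserved, a descriptive `writeErr` beats a counter. Note that this error path drops `tempFile` without cleanup, so it relies on `writeSbomFile` removing its own file when it fails. scanDirect starts and ends outside this hunk.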
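Review bot: The bare `//nolint:gosec` before `exec.CommandContext` in scanWfp hides every gosec rule on that line and leaves no trace of why G204 is acceptable. Write `//nolint:gosec // G204: ScanBinary is operator-configured; wfp/sbom paths are server-created temp files` if that is the justification (the `args` construction is outside the hunk). Separately, the deadline on the line above is `time.Duration(s.config.Scanning.ScanTimeout)*time.Second`, so a zero or negative configured `ScanTimeout` yields an already-expired context and every scan fails with the timeout error; a lower bound or documented default at config load would remove that foot-gun.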
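Review bot: The `//nolint:gosec` before `exec.CommandContext` in TestEngine suppresses all gosec findings on that line without naming the rule; `//nolint:gosec // G204: ScanBinary is operator-configured and args are fixed by this function` would document the reasoning (the `args` construction is above the hunk, so whether they are fixed is inferred). Since `exec.Command` resolves a program name without path separators through `PATH`, this startup probe is also the natural place to verify that `ScanBinary` is an absolute path and not writable by the service user, rather than discovering a substituted binary at the first scan request.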
@@ -27,19 +27,15 @@ import ( "strings" "sync" - "go.opentelemetry.io/otel/codes" - - oteltrace "go.opentelemetry.io/otel/trace" - - "go.opentelemetry.io/otel/metric" - - "go.opentelemetry.io/otel" - "go.uber.org/zap/zapcore" - "github.com/google/uuid" "github.com/gorilla/mux" zlog "github.com/scanoss/zap-logging-helper/pkg/logger" + "go.opentelemetry.io/otel" + "go.opentelemetry.io/otel/codes" + "go.opentelemetry.io/otel/metric" + oteltrace "go.opentelemetry.io/otel/trace" "go.uber.org/zap" + "go.uber.org/zap/zapcore" myconfig "scanoss.com/go-api/pkg/config" ) @@ -208,6 +204,7 @@ func MetricsHandler(w http.ResponseWriter, r *http.Request) { // printResponse sends the given response to the HTTP Response Writer. func printResponse(w http.ResponseWriter, resp string, zs *zap.SugaredLogger, silent bool) { + //nolint:gosec _, err := fmt.Fprint(w, resp) if err != nil { zs.Errorf("Failed to write HTTP response: %v", err) @@ -260,6 +257,7 @@ func (s APIService) copyWfpTempFile(filename string, zs *zap.SugaredLogger) stri zs.Errorf("Failed to open file %v: %v", filename, err) return "" } + defer closeFile(source, zs) tempFile, err := os.CreateTemp(s.config.Scanning.WfpLoc, "failed-finger*.wfp") if err != nil { zs.Errorf("Failed to create temporary file: %v", err) @@ -288,6 +286,7 @@ func closeFile(f *os.File, zs *zap.SugaredLogger) { // removeFile removes the given file and warns if anything went wrong. func removeFile(f *os.File, zs *zap.SugaredLogger) { if f != nil { + //nolint:gosec err := os.Remove(f.Name()) if err != nil { zs.Warnf("Problem removing temp file: %v - %v", f.Name(), err) diff --git a/pkg/service/utils_service_test.go b/pkg/service/utils_service_test.go index 108b7b4..db3a863 100644 --- a/pkg/service/utils_service_test.go +++ b/pkg/service/utils_service_test.go 
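Review bot: The `//nolint:gosec` in front of `fmt.Fprint(w, resp)` silences whatever gosec reports for writing a string to an `http.ResponseWriter` without naming the rule or the reason; if the finding is the reflected-content check, the honest justification is that callers set a non-HTML `Content-Type` before calling printResponse — something this function cannot guarantee on its own. State it, `//nolint:gosec // resp is engine output; callers set Content-Type before writing`, and consider having printResponse set `X-Content-Type-Options: nosniff` before the write (headers are still mutable at that point) so the assumption is enforced rather than assumed. The effect of the `silent` parameter is outside this hunk.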
@@ -26,14 +26,13 @@ import ( "strings" "testing" - "go.uber.org/zap" - "go.uber.org/zap/zapcore" - "go.uber.org/zap/zaptest/observer" - "github.com/golobby/config/v3" "github.com/gorilla/mux" zlog "github.com/scanoss/zap-logging-helper/pkg/logger" "github.com/stretchr/testify/assert" + "go.uber.org/zap" + "go.uber.org/zap/zapcore" + "go.uber.org/zap/zaptest/observer" myconfig "scanoss.com/go-api/pkg/config" ) From 9633110e05231ea029adb2545f433ca3daf183f7 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 17:17:27 +0000 Subject: [PATCH 06/10] fix duplicate entry --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 08be44c..f845500 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -194,4 +194,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 [1.6.0]: https://github.com/scanoss/api.go/compare/v1.5.2...v1.6.0 [1.6.1]: https://github.com/scanoss/api.go/compare/v1.6.0...v1.6.1 [1.6.2]: https://github.com/scanoss/api.go/compare/v1.6.1...v1.6.2 -[1.6.2]: https://github.com/scanoss/api.go/compare/v1.6.2...v1.6.3 +[1.6.3]: https://github.com/scanoss/api.go/compare/v1.6.2...v1.6.3 From 48a31c8c172328593c811df9364a8a399fe8bf43 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 17:17:48 +0000 Subject: [PATCH 07/10] update to golangci-lint 2.11.3 --- Makefile | 2 +- pkg/service/utils_service.go | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 64458f6..7dd41df 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ DOCKER_FULLNAME=${REPO}/${IMAGE_NAME} GHCR_FULLNAME=ghcr.io/${REPO}/${IMAGE_NAME} VERSION=$(shell ./version.sh) # Linter version -LINT_VERSION := v2.10.1 +LINT_VERSION := v2.11.3 # HELP # This will output the help for each task diff --git a/pkg/service/utils_service.go b/pkg/service/utils_service.go index 9c07eb7..08c97e3 100644 --- a/pkg/service/utils_service.go +++ b/pkg/service/utils_service.go 
@@ -286,7 +286,6 @@ func closeFile(f *os.File, zs *zap.SugaredLogger) { // removeFile removes the given file and warns if anything went wrong. func removeFile(f *os.File, zs *zap.SugaredLogger) { if f != nil { - //nolint:gosec err := os.Remove(f.Name()) if err != nil { zs.Warnf("Problem removing temp file: %v - %v", f.Name(), err) From 41d5b391d5fce9280fff93493f11d9e778b7bbb3 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 17:18:03 +0000 Subject: [PATCH 08/10] fix code review issues --- scripts/env-setup.sh | 2 +- scripts/scanoss-go-api.sh | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/env-setup.sh b/scripts/env-setup.sh index 877c4ea..2911470 100755 --- a/scripts/env-setup.sh +++ b/scripts/env-setup.sh @@ -143,7 +143,7 @@ if [ "$RUNTIME_USER" != "root" ] ; then exit 1 fi if [ -f "$ENV_PATH" ] ; then - eco "Make $ENV_CONF readable/writable only to $RUNTIME_USER ..." + echo "Make $ENV_CONF readable/writable only to $RUNTIME_USER ..." if ! chmod 600 "$ENV_PATH" ; then echo "chmod of "$ENV_PATH" to $RUNTIME_USER failed" exit 1 diff --git a/scripts/scanoss-go-api.sh b/scripts/scanoss-go-api.sh index 03b0035..cd28587 100755 --- a/scripts/scanoss-go-api.sh +++ b/scripts/scanoss-go-api.sh @@ -23,7 +23,10 @@ if [ -f "$LOGFILE" ] ; then fi echo > "$LOGFILE" # Add env file if it exists -if [ -f "$ENV_FILE" ] ; then +if [ -e "$ENV_FILE" ] && [ ! -r "$ENV_FILE" ] ; then + echo "env file is not readable: $ENV_FILE" >&2 + exit 1 +elif [ -f "$ENV_FILE" ] ; then echo "adding env file" CMD_ARGS+=(--env-config "$ENV_FILE") fi From fc7f42f1be2bd6d61b5a38ca8260eb5532fa59a2 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 17:26:05 +0000 Subject: [PATCH 09/10] clean temp file after error --- pkg/service/scanning_service.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/service/scanning_service.go b/pkg/service/scanning_service.go index 372d5f9..653a1ac 100644 --- a/pkg/service/scanning_service.go 
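Review bot: The line after the fixed `echo` has broken quoting: in `echo "chmod of "$ENV_PATH" to $RUNTIME_USER failed"` the inner quotes terminate and restart the string, so a path containing spaces is split into separate words; `echo "chmod of $ENV_PATH to $RUNTIME_USER failed"` is what was meant. The message also names `$RUNTIME_USER` although `chmod 600` only restricts the mode — the file is only "readable/writable only to $RUNTIME_USER" if a `chown` (outside this hunk) has already made that user the owner, which is worth checking here as well.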
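Review bot: The new guard aborts when `$ENV_FILE` exists but is unreadable, yet a readable env file with permissive modes — the condition `env-setup.sh` guards against with `chmod 600` — starts the service silently; since that file holds configuration the operator chose to lock down, a mode check is the natural companion, e.g. with GNU find `if [ -f "$ENV_FILE" ] && [ -n "$(find "$ENV_FILE" -perm /077 2>/dev/null)" ]; then echo "warning: $ENV_FILE is accessible to other users" >&2; fi`. A directory at `$ENV_FILE` also passes the `-e`/`-r` test and then falls out of `elif [ -f ]` without any message; an explicit `else` reporting the unexpected type would close that gap.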
+++ b/pkg/service/scanning_service.go @@ -220,7 +220,9 @@ func (s APIService) writeSbomFile(sbom string, zs *zap.SugaredLogger) (*os.File, _, err = tempFile.WriteString(sbom + "\n") if err != nil { zs.Errorf("Failed to write to temporary SBOM file: %v - %v", tempFile.Name(), err) - return tempFile, err + closeFile(tempFile, zs) + removeFile(tempFile, zs) + return nil, err } closeFile(tempFile, zs) return tempFile, nil From 23cef86b30890418e2eb96980d3036ab13302042 Mon Sep 17 00:00:00 2001 From: eeisegn Date: Tue, 10 Mar 2026 18:37:39 +0000 Subject: [PATCH 10/10] allow match config in prod by default --- config/app-config-prod.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/app-config-prod.json b/config/app-config-prod.json index 3d76c79..de38f89 100644 --- a/config/app-config-prod.json +++ b/config/app-config-prod.json @@ -35,7 +35,7 @@ "LoadKbDetails": true, "RankingAllowed": true, "RankingEnabled": false, - "MatchConfigAllowed": false, + "MatchConfigAllowed": true, "RankingThreshold": 0, "MinSnippetHits": 0, "MinSnippetLines": 0,
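Review bot: writeSbomFile still returns a `*os.File` that it has already closed (`closeFile(tempFile, zs)` precedes `return tempFile, nil`), so the only safe use of the handle is `tempFile.Name()`; a read or write through it fails with `os.ErrClosed`. Returning the path as a `string` would make that explicit, but since callers depend on the current signature the minimal fix is a doc comment: `// writeSbomFile writes sbom to a temp file and returns the closed handle; use Name() only, and remove the file when done. Returns nil and the error if the file could not be created or written.` The new `return nil, err` is the right call, as the failed file is removed and callers no longer receive a dangling handle. The function's closing brace is outside this hunk.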
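Review bot: Flipping `MatchConfigAllowed` to `true` in the production defaults loosens a setting that, judging by its name, lets API callers supply their own matching configuration to the engine; that widens the request-controlled surface of a production deployment, and the commit gives no rationale. The CHANGELOG edited earlier in this series should record the new default, and the configuration documentation should spell out what a client can now set and confirm that any of those values reaching `ScanBinary`'s argument list are validated, given that the handlers pass `args...` directly to `exec.CommandContext`. Operators who relied on the previous hardened default need to know to override it explicitly.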