GODT-1550: Add gobinsec check after CI build.

.gitlab-ci.yml

@@ -1,3 +1,21 @@
+# Copyright (c) 2022 Proton Technologies AG
+#
+# This file is part of ProtonMail Bridge.
+#
+# ProtonMail Bridge is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ProtonMail Bridge is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+---
 image: gitlab.protontech.ch:4567/go/bridge-internal:latest
 
 before_script:
@@ -120,11 +138,17 @@ build-qml:
   script:
     - make build
     - git diff && git diff-index --quiet HEAD
+    - curl -L https://services.nvd.nist.gov/rest/json/cves/1.0/
+    - gobinsec -verbose -wait -config utils/gobinsec_conf.yml
+      cmd/Desktop-Bridge/deploy/linux/proton-bridge
   artifacts:
     # Note: The latest artifacts for refs are locked against deletion, and kept
     # regardless of the expiry time. Introduced in GitLab 13.0 behind a
     # disabled feature flag, and made the default behavior in GitLab 13.4.
     expire_in: 1 day
+    when: always
+    paths:
+      - bridge_*.tgz
   tags:
     - large
 
@@ -132,20 +156,16 @@ build-linux:
   extends: .build-base
   artifacts:
     name: "bridge-linux-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - bridge_*.tgz
 
 build-linux-qa:
-  extends: .build-base
+  extends: build-linux
   only:
     - web
     - branches
-  script:
+  variables:
-    - BUILD_TAGS="build_qa" make build
+    BUILD_TAGS: "build_qa"
   artifacts:
     name: "bridge-linux-qa-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - bridge_*.tgz
 
 
 .build-darwin-base:
@@ -159,6 +179,9 @@ build-linux-qa:
     - export GOPATH=~/go
     - export PATH=$GOPATH/bin:$PATH
     - export CGO_CPPFLAGS='-Wno-error -Wno-nullability-completeness -Wno-expansion-to-defined -Wno-builtin-requires-header'
+  script:
+    - make build
+    - git diff && git diff-index --quiet HEAD
   cache: {}
   tags:
     - macOS
@@ -167,20 +190,16 @@ build-darwin:
   extends: .build-darwin-base
   artifacts:
     name: "bridge-darwin-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - bridge_*.tgz
 
 build-darwin-qa:
   extends: .build-darwin-base
   only:
     - web
     - branches
-  script:
+  variables:
-    - BUILD_TAGS="build_qa" make build
+    BUILD_TAGS: "build_qa"
   artifacts:
     name: "bridge-darwin-qa-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - bridge_*.tgz
 
 
 .build-windows-base:
@@ -194,6 +213,9 @@ build-darwin-qa:
     - export PATH=$GOPATH/bin:$PATH
     - export MSYSTEM=
     - export PATH=$PATH:/c/grrrQt/5.13.2/mingw73_64/bin
+  script:
+    - make build
+    - git diff && git diff-index --quiet HEAD
   tags:
     - windows-bridge
 
@@ -201,20 +223,16 @@ build-windows:
   extends: .build-windows-base
   artifacts:
     name: "bridge-windows-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - bridge_*.tgz
 
 build-windows-qa:
   extends: .build-windows-base
   only:
     - web
     - branches
-  script:
+  variables:
-    - BUILD_TAGS="build_qa" make build
+    BUILD_TAGS: "build_qa"
   artifacts:
     name: "bridge-windows-qa-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - bridge_*.tgz
 
 # Stage: MIRROR
 

utils/gobinsec_conf.yml

@@ -0,0 +1,5 @@
+---
+
+ignore:
+  # golang.org/x/net wrong match, we are using 2871e0cb, fixed by 37e1c6af
+  - "CVE-2021-33194"