GODT-1833: Fix gobinsec cache.

.gitlab-ci.yml

@@ -108,7 +108,8 @@ test-integration:
 dependency-updates:
   stage: test
   script:
-    - make updates
+    - "echo 'NOTE: Do not run on go1.15 ( 'if...' can be removed once fully updated to go1.18)'"
+    - if [ 18 -le $(go version | cut -d. -f2 | cut -d " " -f1) ]; then make updates; fi
 
 # Stage: BUILD
 
@@ -246,10 +247,11 @@ check-gobinsec:
   before_script:
     - mkdir build
     - tar -xzf bridge_linux_*.tgz -C build
+    - "echo api-key: \"${GOBINSEC_NVD_API_KEY}\" >> utils/gobinsec_conf.yml"
   script:
     - "[ ! -f ./gobinsec-cache.yml ] && wget bridgeteam.protontech.ch/bridgeteam/gobinsec-cache.yml"
     - cat ./gobinsec-cache.yml
-    - gobinsec -cache -config utils/gobinsec_conf.yml build/proton-bridge
+    - gobinsec -wait -cache -config utils/gobinsec_conf.yml build/proton-bridge
 
 
 

Makefile

@@ -166,7 +166,7 @@ update-qt-docs:
 LINTVER:="v1.39.0"
 LINTSRC:="https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh"
 
-install-dev-dependencies: install-devel-tools install-linter install-go-mod-outdated
+install-dev-dependencies: install-devel-tools install-linter
 
 install-devel-tools: check-has-go
 	go get -v github.com/golang/mock/gomock

internal/api/api.go

@@ -24,6 +24,7 @@ package api
 import (
 	"fmt"
 	"net/http"
+	"time"
 
 	"github.com/ProtonMail/proton-bridge/v2/internal/bridge"
 	"github.com/ProtonMail/proton-bridge/v2/internal/config/settings"
@@ -59,6 +60,7 @@ func (api *apiServer) ListenAndServe() {
 	server := &http.Server{
 		Addr:              addr,
 		Handler:           mux,
+		ReadHeaderTimeout: 5 * time.Second, // fix gosec G112 (vulnerability to [Slowloris](https://www.cloudflare.com/en-gb/learning/ddos/ddos-attack-tools/slowloris/) attack).
 	}
 
 	log.Info("API listening at ", addr)