feat: add govulncheck to go linters

Add govulncheck to Go linters.

Signed-off-by: Noel Georgi <[email protected]>

Dockerfile

@@ -2,7 +2,7 @@
 
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2022-09-09T08:19:55Z by kres 871f67c-dirty.
+# Generated on 2022-09-27T14:26:26Z by kres 8e6d786-dirty.
 
 ARG TOOLCHAIN
 
@@ -37,6 +37,8 @@ RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCILIN
 ARG GOFUMPT_VERSION
 RUN go install mvdan.cc/gofumpt@${GOFUMPT_VERSION} \
 	&& mv /go/bin/gofumpt /bin/gofumpt
+RUN go install golang.org/x/vuln/cmd/govulncheck@latest \
+	&& mv /go/bin/govulncheck /bin/govulncheck
 ARG GOIMPORTS_VERSION
 RUN go install golang.org/x/tools/cmd/goimports@${GOIMPORTS_VERSION} \
 	&& mv /go/bin/goimports /bin/goimports
@@ -78,6 +80,10 @@ COPY .golangci.yml .
 ENV GOGC 50
 RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/root/.cache/golangci-lint --mount=type=cache,target=/go/pkg golangci-lint run --config .golangci.yml
 
+# runs govulncheck
+FROM base AS lint-govulncheck
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg govulncheck ./...
+
 # runs unit-tests with race detector
 FROM base AS unit-tests-race
 ARG TESTPKGS

Makefile

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2022-09-05T13:50:45Z by kres 2c7f760-dirty.
+# Generated on 2022-09-27T14:21:38Z by kres 8e6d786-dirty.
 
 # common variables
 
@@ -110,6 +110,9 @@ fmt:  ## Formats the source code
 		go install mvdan.cc/gofumpt@$(GOFUMPT_VERSION) && \
 		gofumpt -w ."
 
+lint-govulncheck:  ## Runs govulncheck linter.
+	@$(MAKE) target-$@
+
 lint-goimports:  ## Runs goimports linter.
 	@$(MAKE) target-$@
 
@@ -144,7 +147,7 @@ lint-markdown:  ## Runs markdownlint.
 	@$(MAKE) target-$@
 
 .PHONY: lint
-lint: lint-golangci-lint lint-gofumpt lint-goimports lint-markdown  ## Run all linters for the project.
+lint: lint-golangci-lint lint-gofumpt lint-govulncheck lint-goimports lint-markdown  ## Run all linters for the project.
 
 .PHONY: image-kres
 image-kres:  ## Builds image for kres.

internal/project/auto/golang.go

@@ -147,10 +147,11 @@ func (builder *builder) BuildGolang() error {
 	// linters
 	golangciLint := golang.NewGolangciLint(builder.meta)
 	gofumpt := golang.NewGofumpt(builder.meta)
+	govulncheck := golang.NewGoVulnCheck(builder.meta)
 	goimports := golang.NewGoimports(builder.meta)
 
 	// linters are input to the toolchain as they inject into toolchain build
-	toolchain.AddInput(golangciLint, gofumpt, goimports)
+	toolchain.AddInput(golangciLint, gofumpt, govulncheck, goimports)
 
 	// add protobufs and go generate
 	generate := golang.NewGenerate(builder.meta)
@@ -160,7 +161,7 @@ func (builder *builder) BuildGolang() error {
 
 	toolchain.AddInput(generate, deepcopy)
 
-	builder.lintInputs = append(builder.lintInputs, toolchain, golangciLint, gofumpt, goimports)
+	builder.lintInputs = append(builder.lintInputs, toolchain, golangciLint, gofumpt, govulncheck, goimports)
 
 	// unit-tests
 	unitTests := golang.NewUnitTests(builder.meta)

internal/project/golang/govulncheck.go

@@ -0,0 +1,66 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package golang
+
+import (
+	"fmt"
+	"path/filepath"
+
+	"github.com/siderolabs/kres/internal/dag"
+	"github.com/siderolabs/kres/internal/output/dockerfile"
+	"github.com/siderolabs/kres/internal/output/dockerfile/step"
+	"github.com/siderolabs/kres/internal/output/makefile"
+	"github.com/siderolabs/kres/internal/project/meta"
+)
+
+// GoVulnCheck provides GoVulnCheck linter.
+//
+//nolint:govet
+type GoVulnCheck struct {
+	dag.BaseNode
+
+	meta *meta.Options
+}
+
+// NewGoVulnCheck builds GoVulnCheck node.
+func NewGoVulnCheck(meta *meta.Options) *GoVulnCheck {
+	return &GoVulnCheck{
+		BaseNode: dag.NewBaseNode("lint-govulncheck"),
+
+		meta: meta,
+	}
+}
+
+// CompileMakefile implements makefile.Compiler.
+func (lint *GoVulnCheck) CompileMakefile(output *makefile.Output) error {
+	output.Target("lint-govulncheck").Description("Runs govulncheck linter.").
+		Script("@$(MAKE) target-$@")
+
+	return nil
+}
+
+// ToolchainBuild implements common.ToolchainBuilder hook.
+func (lint *GoVulnCheck) ToolchainBuild(stage *dockerfile.Stage) error {
+	stage.
+		Step(step.Script(fmt.Sprintf(
+			`go install golang.org/x/vuln/cmd/govulncheck@latest \
+	&& mv /go/bin/govulncheck %s/govulncheck`, lint.meta.BinPath)))
+
+	return nil
+}
+
+// CompileDockerfile implements dockerfile.Compiler.
+func (lint *GoVulnCheck) CompileDockerfile(output *dockerfile.Output) error {
+	output.Stage("lint-govulncheck").
+		Description("runs govulncheck").
+		From("base").
+		Step(step.Script(
+			`govulncheck ./...`,
+		).
+			MountCache(filepath.Join(lint.meta.CachePath, "go-build")).
+			MountCache(filepath.Join(lint.meta.GoPath, "pkg")))
+
+	return nil
+}

internal/project/golang/govulncheck_test.go

@@ -0,0 +1,22 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package golang_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/siderolabs/kres/internal/output/dockerfile"
+	"github.com/siderolabs/kres/internal/output/makefile"
+	"github.com/siderolabs/kres/internal/project/common"
+	"github.com/siderolabs/kres/internal/project/golang"
+)
+
+func TestGoVulnCheckInterfaces(t *testing.T) {
+	assert.Implements(t, (*dockerfile.Compiler)(nil), new(golang.GoVulnCheck))
+	assert.Implements(t, (*makefile.Compiler)(nil), new(golang.GoVulnCheck))
+	assert.Implements(t, (*common.ToolchainBuilder)(nil), new(golang.GoVulnCheck))
+}