Merge pull request #58 from Conjur-Enterprise/CNJR-10628-pipeline-fixes

CNJR 10628 pipeline fixes

Author: Adrean Boyadzhiev

.trivyignore.yml

@@ -104,3 +104,10 @@ vulnerabilities:
   - id: CVE-2024-34156
     paths:
       - "usr/local/bin/gosu"
+  # CVE-2025-47907 is a vulnerability affecting Go's `database/sql` package.
+  # See: https://nvd.nist.gov/vuln/detail/CVE-2025-47907 and https://pkg.go.dev/vuln/GO-2025-3849
+  # Gosu (https://github.com/tianon/gosu) handles setuid, setgid, setgroups, and exec syscalls,
+  # and does not use the `database/sql` package. See: https://github.com/tianon/gosu/blob/master/SECURITY.md
+  - id: CVE-2025-47907
+    paths:
+      - "usr/local/bin/gosu"

CHANGELOG.md

@@ -10,7 +10,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Nothing should go in this section, please add to the latest unreleased version
   (and update the corresponding date), or add a new version.
 
-## [1.7.29] - 2025-08-08
+## [1.7.29] - 2025-08-26
+
+### Changed
+- Upgrade base docker images from Debian Bullseye to Bookworm.
+- Migrate from MySQL 8.1 to MySQL LTS and enable `mysql_native_password` plugin in the configuration files.
+- Remove deprecated docker compose version declarations
+- Update gosec security scanning configuration to use `securego/gosec:latest` docker image.
 
 ## [1.7.28] - 2025-04-01
 
@@ -759,7 +765,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - The first tagged version.
 
-[Unreleased]: https://github.com/cyberark/secretless-broker/compare/v1.7.28...HEAD
+[Unreleased]: https://github.com/cyberark/secretless-broker/compare/v1.7.29...HEAD
 [0.2.0]: https://github.com/cyberark/secretless-broker/compare/v0.1.0...v0.2.0
 [0.3.0]: https://github.com/cyberark/secretless-broker/compare/v0.2.0...v0.3.0
 [0.4.0]: https://github.com/cyberark/secretless-broker/compare/v0.3.0...v0.4.0
@@ -813,3 +819,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 [1.7.26]: https://github.com/cyberark/secretless-broker/compare/v1.7.25...v1.7.26
 [1.7.27]: https://github.com/cyberark/secretless-broker/compare/v1.7.26...v1.7.27
 [1.7.28]: https://github.com/cyberark/secretless-broker/compare/v1.7.27...v1.7.28
+[1.7.29]: https://github.com/cyberark/secretless-broker/compare/v1.7.28...v1.7.29

Dockerfile.coverage

@@ -1,4 +1,4 @@
-FROM golang:1.24-bookworm as secretless-builder
+FROM golang:1.24-bookworm AS secretless-builder
 LABEL maintainer="CyberArk Software Ltd."
 LABEL builder="secretless-builder"
 
@@ -40,7 +40,7 @@ RUN go test -c -coverpkg="./..." ./cmd/secretless-broker && \
 
 
 # =================== MAIN CONTAINER ===================
-FROM alpine:3.20 as secretless-broker
+FROM alpine:3.20 AS secretless-broker
 LABEL maintainer="CyberArk Software Ltd."
 
 RUN apk add -u --no-cache shadow libc6-compat openssl && \

Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM golang:1.24-bullseye
+FROM golang:1.24-bookworm
 LABEL maintainer="CyberArk Software Ltd."
 
 # On CyberArk dev laptops, golang module dependencies are downloaded with a

Jenkinsfile

@@ -279,11 +279,16 @@ pipeline {
           steps {
             script {
               infraPoolConnect(INFRAPOOL_EXECUTORV2_AGENT_0) { infrapool ->
-                infrapool.agentGet from: "${WORKSPACE}", to: "${WORKSPACE}"
+                infrapool.agentSh "./bin/check_golang_security -s high -c medium -b ${env.BRANCH_NAME}"
+                infrapool.agentStash name: 'gosec-scan-report', includes: 'gosec-scan-result.xml'
               }
-              sh "./bin/check_golang_security -s High -c Medium -b ${env.BRANCH_NAME}"
             }
-            junit(allowEmptyResults: true, testResults: 'gosec.output')
+          }
+          post {
+            always {
+              unstash 'gosec-scan-report'
+              junit(allowEmptyResults: true, testResults: 'gosec-scan-result.xml')
+            }
           }
         }
       }

bin/Dockerfile.website

@@ -1,4 +1,4 @@
-FROM ruby:3-slim-bullseye
+FROM ruby:3-slim-bookworm
 
 RUN apt-get -y update && \
     apt-get -y install build-essential && \

bin/check_golang_security

@@ -23,31 +23,5 @@ while getopts 'b:c:s:' flag; do
 done
 
 
-# gosec => Scans go packages and flags security vulnerabilities
-if [[ ! -v BRANCH_NAME ]]; then
-  # Running locally. Use a docker container.
-  # Exclude test files and the third party go-mssqldb library
-  excluded_directories="/secretless/test,/secretless/third_party/go-mssqldb"
-  docker run --rm \
-      -v "$toplevel_dir/:/secretless/" \
-      secretless-dev \
-      bash -exc "
-        go install github.com/securego/gosec/v2/cmd/gosec@latest
-        git config --global --add safe.directory /secretless
-        ./bin/run_gosec -c ${confidence} -s ${severity} -b ${current_branch} -e ${excluded_directories}
-      "
-else
-  # Running in Jenkins
-  # For some reason the third_party directory is not being excluded properly on main branch builds. It appears in two forms:
-  # /home/jenkins/agent/workspace/secretless-broker-main-full_main/third_party/go-mssqldb
-  # /home/jenkins/agent/workspace/secretless-broker-main-full_main/secretless-broker-main-full_main/third_party/go-mssqldb
-  # To accomodate the second case, we duplicate the name of the working directory to build the full path
-  # Note this still doesn't work even though we exclude both paths.
-  third_party_import_dir="$(pwd)/$(basename "$(pwd)")/third_party/go-mssqldb"
-  excluded_directories="$(pwd)/test,$(pwd)/third_party/go-mssqldb,$third_party_import_dir"
-  echo "Excluding directories: ${excluded_directories}"
-
-  go install github.com/securego/gosec/v2/cmd/gosec@latest
-  git config --global --add safe.directory "${WORKSPACE}"
-  ./bin/run_gosec -c "${confidence}" -s "${severity}" -b "${current_branch}" -e "${excluded_directories}"
-fi
+excluded_directories="test,third_party/go-mssqldb,bin/juxtaposer,cmd/shared"
+./bin/run_gosec -c "${confidence}" -s "${severity}" -b "${current_branch}" -e "${excluded_directories}"

bin/juxtaposer/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24-alpine as perftool-builder
+FROM golang:1.24-alpine AS perftool-builder
 
 # On CyberArk dev laptops, golang module dependencies are downloaded with a
 # corporate proxy in the middle. For these connections to succeed we need to

bin/juxtaposer/go.mod

@@ -1,6 +1,6 @@
 module github.com/cyberark/secretless-broker/bin/juxtaposer
 
-go 1.24.1
+go 1.24
 
 require (
 	github.com/denisenkom/go-mssqldb v0.12.3

bin/run_gosec

@@ -52,7 +52,7 @@ excluded_dirs=$(for dir in ${excluded_directories//,/ }; do echo -n "-exclude-di
 modified_directories="./..."
 
 # Get an array of directories containing modified files
-if [[ ${current_branch} != 'main' ]]; then 
+if [[ ${current_branch} != 'main' ]]; then
     echo 'Current branch is not main - running gosec on modified packages for this branch only'
     # Jenkins already fetches the main refs so only run locally
     if [[ ! -v BRANCH_NAME ]]; then
@@ -62,18 +62,20 @@ if [[ ${current_branch} != 'main' ]]; then
 fi
 
 # Remove output file just in case it exists
-rm -f "gosec.output" 
+output_file="gosec-scan-result.xml"
+rm -f $output_file
 
 set +e && set +o pipefail
 
 # Run our scan, flagging only 'high' level issues with 'medium' or higher severity
-
-"$(go env GOPATH)"/bin/gosec -fmt=junit-xml \
-  -out=gosec.output \
-  -severity="${severity}" \
-  -confidence="${confidence}" \
+docker run --rm \
+  -v "$(pwd):/secretless-broker/" \
+  -w "/secretless-broker/" \
+  securego/gosec:latest " -fmt=junit-xml \
+  -out=${output_file} \
+  -stdout \
+  -verbose=text \
+  -severity=${severity} \
+  -confidence=${confidence} \
   ${excluded_dirs} \
-  "${modified_directories[@]}"
-
-# Display output of gosec
-cat gosec.output
+  ${modified_directories}"