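#!/bin/bash
# This script checks for vulnerabilities in project dependencies.
#
# Usage: run from the root of a Go module. Every scanner that is installed is
# run in turn; a scanner that is missing is skipped with a warning, unless
# REQUIRE_SCANNERS=1 is set, in which case a missing scanner fails the run
# (so a CI gate cannot pass simply because the tools were never installed).
#
# Exit status: 0 when no vulnerabilities were found; 1 when govulncheck or
# nancy reported vulnerable dependencies, the module list could not be
# produced, or (with REQUIRE_SCANNERS=1) a scanner was not installed.
# Deprecated modules and a failed update check are reported as warnings only.
#
# pipefail matters here: without it, `go list | nancy` and `go list | grep`
# would report whatever the last stage returned, hiding a failed `go list`.
set -euo pipefail

# Overall result; set to 1 by any failing check so that every check still
# runs and all findings are reported in a single pass.
exit_code=0

#######################################
# Print a warning to stderr.
# Arguments: $* - message
#######################################
warn() {
  printf '⚠️ %s\n' "$*" >&2
}

#######################################
# Print a failure to stderr and mark the whole run as failed.
# Globals:   exit_code (written)
# Arguments: $* - message
#######################################
fail() {
  printf '❌ %s\n' "$*" >&2
  exit_code=1
}

#######################################
# Report a scanner that is not on PATH.
# Globals:   REQUIRE_SCANNERS (read) - "1" turns the skip into a failure
# Arguments: $1 - scanner name
#######################################
missing_scanner() {
  local tool=$1
  if [[ "${REQUIRE_SCANNERS:-0}" == "1" ]]; then
    fail "${tool} not installed and REQUIRE_SCANNERS=1"
  else
    warn "${tool} not installed, skipping"
  fi
}

#######################################
# Run govulncheck against every package in the module.
# Globals:   exit_code (written via fail)
#######################################
run_govulncheck() {
  echo "Running govulncheck..."
  if ! command -v govulncheck >/dev/null 2>&1; then
    missing_scanner govulncheck
    return 0
  fi
  if govulncheck ./...; then
    echo "✅ govulncheck found no vulnerabilities"
  else
    fail "govulncheck found vulnerabilities"
  fi
}

#######################################
# Run nancy (for Sonatype Nexus IQ) over the module list.
# Globals:   exit_code (written via fail)
# Arguments: $1 - output of `go list -json -m all`, fed to nancy on stdin
#######################################
run_nancy() {
  local module_list=$1
  echo "Running nancy scan..."
  if ! command -v nancy >/dev/null 2>&1; then
    missing_scanner nancy
    return 0
  fi
  if nancy --skip-update-check <<<"$module_list"; then
    echo "✅ nancy found no vulnerabilities"
  else
    fail "nancy found vulnerable dependencies"
  fi
}

#######################################
# Look for deprecated modules in the module list. Matching lines are printed
# so the operator can see which modules are affected.
# Arguments: $1 - output of `go list -json -m all`
#######################################
check_deprecated() {
  local module_list=$1
  echo "Checking for deprecated packages..."
  # Case-insensitive match on the word; a module path that merely contains
  # "deprecated" would also hit, which is why this is only a warning.
  if grep -i deprecated <<<"$module_list"; then
    warn "Found deprecated packages in dependencies"
  else
    echo "✅ No deprecated packages found"
  fi
}

#######################################
# Basic staleness check: list modules that have a newer version available.
# A real check would look at the age of each dependency's latest release.
# A failure here is reported as a warning rather than silently masked.
#######################################
check_updates() {
  echo "Checking for potentially unmaintained packages..."
  if ! go list -m -u all; then
    warn "Dependency update check could not be completed"
  fi
}

#######################################
# Entry point: run all checks, then exit with the aggregated status.
# Globals:   exit_code (read)
#######################################
main() {
  local module_list
  echo "Starting dependency vulnerability scan..."

  run_govulncheck

  # Resolve the module graph once; nancy and the deprecation check both
  # consume it. Handling the failure here keeps a broken `go list` from being
  # misreported as a scanner finding.
  if module_list=$(go list -json -m all); then
    run_nancy "$module_list"
    check_deprecated "$module_list"
  else
    fail "go list -json -m all failed; skipping nancy and deprecation checks"
  fi

  check_updates

  echo "Dependency vulnerability scan completed."
  if (( exit_code != 0 )); then
    printf '❌ %s\n' "Dependency vulnerability scan found issues" >&2
    exit "$exit_code"
  fi
  echo "✅ Dependency vulnerability scan passed"
  exit 0
}

main "$@"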