feat(ci): add gosec and fix issues

.github/release-drafter.yml

@@ -3,6 +3,7 @@ tag-template: "$RESOLVED_VERSION"
 categories:
   - title: "🚀 Features"
     labels:
+      - "feat"
       - "feature"
       - "enhancement"
   - title: "🐛 Bug Fixes"

.github/workflows/go.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.19
+          go-version: 1.21
 
       - name: Build
         run: go build -v ./...

.github/workflows/gosec.yml

@@ -0,0 +1,22 @@
+name: Run Gosec
+
+on:
+  push:
+    tags:
+      - "*"
+    branches:
+      - "*"
+  pull_request:
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...

.github/workflows/reviewdog.yml

@@ -1,4 +1,4 @@
-name: reviewdog
+name: Reviewdog
 on:
   push:
     tags:

README.md

@@ -18,19 +18,6 @@ Each distribution is different and will still require different build
 instructions, but a consistent build process and format can be used for all
 builds.
 
-## Initialize
-
-It is recommended to build the OCI images locally instead of pulling each image
-from the Docker Hub. A script is located in the docker directory to assist with
-this. Always run the `clean.sh` script to clear any existing yap images.
-Building the images can take several hours.
-
-```sh
-cd ~/go/src/github.com/M0Rf30/yap/docker
-sh clean.sh
-sh build.sh
-```
-
 ## Format
 
 ```sh
@@ -134,17 +121,17 @@ The directives above are sorted from lowest to the highest priority.
 | `fedora`         | all Fedora releases       |
 | `oracle`         | all Oracle Linux releases |
 | `ubuntu`         | all Ubuntu releases       |
-| `amazon-1`       | Amazon Linux 1            |
-| `amazon-2`       | Amazon Linux 2            |
-| `debian-jessie`  | Debian Jessie             |
-| `debian-stretch` | Debian Stretch            |
-| `debian-buster`  | Debian Buster             |
-| `fedora-38`      | Fedora 38                 |
-| `rocky-8`        | Rocky Linux 8             |
-| `rocky-9`        | Rocky Linux 9             |
-| `ubuntu-bionic`  | Ubuntu Bionic             |
-| `ubuntu-focal`   | Ubuntu Focal              |
-| `ubuntu-jammy`   | Ubuntu Jammy              |
+| `amazon_1`       | Amazon Linux 1            |
+| `amazon_2`       | Amazon Linux 2            |
+| `debian_jessie`  | Debian Jessie             |
+| `debian_stretch` | Debian Stretch            |
+| `debian_buster`  | Debian Buster             |
+| `fedora_38`      | Fedora 38                 |
+| `rocky_8`        | Rocky Linux 8             |
+| `rocky_9`        | Rocky Linux 9             |
+| `ubuntu_bionic`  | Ubuntu Bionic             |
+| `ubuntu_focal`   | Ubuntu Focal              |
+| `ubuntu_jammy`   | Ubuntu Jammy              |
 
 ## Examples
 

cmd/listTargets.go

@@ -2,14 +2,15 @@ package cmd
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/M0Rf30/yap/constants"
 	"github.com/spf13/cobra"
 )
 
 func ListTargets() {
 	for _, release := range constants.Releases {
-		fmt.Println(release)
+		fmt.Println(strings.ReplaceAll(release, "_", "-"))
 	}
 }
 

project/project.go

@@ -235,17 +235,19 @@ func (mpc *MultipleProject) getMakeDeps() {
 }
 
 func (mpc *MultipleProject) readProject(path string) error {
-	file, err := os.Open(filepath.Join(path, "yap.json"))
+	cleanFilePath := filepath.Clean(filepath.Join(path, "yap.json"))
+
+	filePath, err := os.Open(cleanFilePath)
 	if err != nil {
 		fmt.Printf("%s❌ :: %sfailed to open yap.json file within '%s'%s\n",
 			string(constants.ColorBlue),
 			string(constants.ColorYellow),
-			path,
+			cleanFilePath,
 			string(constants.ColorWhite))
 		os.Exit(1)
 	}
 
-	prjContent, err := io.ReadAll(file)
+	prjContent, err := io.ReadAll(filePath)
 	if err != nil {
 		return err
 	}

project/project_test.go

@@ -78,29 +78,29 @@ func TestBuildMultipleProjectFromJSON(t *testing.T) {
 }`), os.FileMode(0755)))
 
 	defer os.Remove(packageRaw)
-	err = os.MkdirAll(filepath.Dir(prj1), os.FileMode(0777))
+	err = os.MkdirAll(filepath.Dir(prj1), os.FileMode(0750))
 
 	if err != nil {
 		t.Error(err)
 	}
 
 	defer os.RemoveAll(filepath.Dir(prj1))
-	err = os.MkdirAll(filepath.Dir(prj2), os.FileMode(0777))
+	err = os.MkdirAll(filepath.Dir(prj2), os.FileMode(0750))
 
 	if err != nil {
 		t.Error(err)
 	}
 
 	defer os.Remove(filepath.Dir(prj2))
 
-	err = os.WriteFile(prj1, []byte(examplePkgbuild), os.FileMode(0755))
+	err = os.WriteFile(prj1, []byte(examplePkgbuild), os.FileMode(0750))
 	if err != nil {
 		t.Error(err)
 	}
 
 	defer os.Remove(prj1)
 
-	err = os.WriteFile(prj2, []byte(examplePkgbuild), os.FileMode(0755))
+	err = os.WriteFile(prj2, []byte(examplePkgbuild), os.FileMode(0750))
 	if err != nil {
 		t.Error(err)
 	}

utils/file.go

@@ -10,6 +10,7 @@ import (
 )
 
 func MkdirAll(path string) error {
+	//#nosec
 	err := os.MkdirAll(path, 0o755)
 	if err != nil {
 		fmt.Printf("%s❌ :: %sfailed to mkdir '%s'%s\n",
@@ -94,7 +95,9 @@ func ExistsMakeDir(path string) error {
 }
 
 func Create(path string) (*os.File, error) {
-	file, err := os.Create(path)
+	cleanFilePath := filepath.Clean(path)
+
+	file, err := os.Create(cleanFilePath)
 	if err != nil {
 		fmt.Printf("%s❌ :: %sfailed to create '%s'%s\n",
 			string(constants.ColorBlue),
@@ -128,7 +131,9 @@ func CreateWrite(path string, data string) error {
 }
 
 func Open(path string) (*os.File, error) {
-	file, err := os.Open(path)
+	cleanFilePath := filepath.Clean(path)
+
+	file, err := os.Open(cleanFilePath)
 	if err != nil {
 		fmt.Printf("%s❌ :: %sfailed to open file '%s'%s\n",
 			string(constants.ColorBlue),

utils/strings.go

@@ -2,9 +2,12 @@ package utils
 
 import (
 	"crypto/rand"
+	"fmt"
 	"math/big"
+	"os"
 	"strings"
 
+	"github.com/M0Rf30/yap/constants"
 	"mvdan.cc/sh/v3/syntax"
 )
 
@@ -36,7 +39,15 @@ func StringifyArray(node *syntax.Assign) []string {
 	out := &strings.Builder{}
 
 	for index := range node.Array.Elems {
-		syntax.NewPrinter().Print(out, node.Array.Elems[index].Value)
+		err := syntax.NewPrinter().Print(out, node.Array.Elems[index].Value)
+		if err != nil {
+			fmt.Printf("%s❌ :: %sunable to parse variable: %s\n",
+				string(constants.ColorBlue),
+				string(constants.ColorYellow), out.String())
+
+			os.Exit(1)
+		}
+
 		out.WriteString(" ")
 		fields = append(fields, out.String())
 	}
@@ -47,7 +58,15 @@ func StringifyArray(node *syntax.Assign) []string {
 // Generates a string from a *syntax.Assign of a variable declaration.
 func StringifyAssign(node *syntax.Assign) string {
 	out := &strings.Builder{}
-	syntax.NewPrinter().Print(out, node.Value)
+	err := syntax.NewPrinter().Print(out, node.Value)
+
+	if err != nil {
+		fmt.Printf("%s❌ :: %sunable to parse variable: %s\n",
+			string(constants.ColorBlue),
+			string(constants.ColorYellow), out.String())
+
+		os.Exit(1)
+	}
 
 	return strings.Trim(out.String(), "\"")
 }
@@ -57,7 +76,15 @@ func StringifyFuncDecl(node *syntax.FuncDecl) []string {
 	var fields []string
 
 	out := &strings.Builder{}
-	syntax.NewPrinter().Print(out, node.Body)
+	err := syntax.NewPrinter().Print(out, node.Body)
+
+	if err != nil {
+		fmt.Printf("%s❌ :: %sunable to parse function: %s\n",
+			string(constants.ColorBlue),
+			string(constants.ColorYellow), out.String())
+
+		os.Exit(1)
+	}
 
 	fields = append(fields, out.String())
 

utils/utils.go

@@ -188,14 +188,17 @@ func Unarchive(archiveReader io.Reader, destination string) error {
 
 			// linux default for new directories is 777 and let the umask handle
 			// if should have other controls
+			//#nosec
 			err = os.MkdirAll(fileDir, 0777)
 		}
 
 		if err != nil {
 			return err
 		}
 
-		newFile, err := os.OpenFile(newPath, os.O_CREATE|os.O_WRONLY, archiveFile.Mode())
+		cleanNewPath := filepath.Clean(newPath)
+
+		newFile, err := os.OpenFile(cleanNewPath, os.O_CREATE|os.O_WRONLY, archiveFile.Mode())
 		if err != nil {
 			return err
 		}