Fix inconsistency when building Go Analyzers

Overview

At the moment, we use two different approaches to build the binary of the analyzers used in SAST and Dependency Scanning:

  1. the binary is built in the go build job, then added to the Docker image during the build stage
  2. the binary is built while building the Docker image; the Dockerfile has two FROM directives, one for a stage that compiles the binary and one for the final image

With the latter the binary is built twice (once in the go build job, once more inside the Docker build), which is unnecessary.

We should decide what the right way of building the analyzer is, document it, and remove the discrepancy that currently exists between the analyzers.

If we decide to build the binary when building the image, then the go build job becomes unnecessary and has to be removed.

Approach 1: Analyzer binary is built, then added to the Docker image

The analyzer binary is compiled as part of the go build CI job. The resulting analyzer binary becomes an artifact, and is copied into the Docker image when the image is built as part of the build CI stage. See shared CI configuration.

The Dockerfile will have a line similar to the following: COPY --chown=root:root analyzer /.

Analyzers:

bandit
brakeman
bundler-audit
eslint
find-sec-bugs-gradle
find-sec-bugs-groovy
find-sec-bugs-sbt
find-sec-bugs
flawfinder
gemnasium-fork
gemnasium-maven
gemnasium-python
gemnasium
go-ast-scanner
nodejs-scan
phpcs-security-audit
retire.js
security-code-scan

Pros:

  • all binaries are built the same way, using the same version of Go, and with the same compilation flags
  • the current CI pipeline is designed for Approach 1, and therefore would not need to change

Approach 2: Analyzer binary is built when building the Docker image

The analyzer binary is compiled as part of the go build CI job and becomes an artifact. The build CI stage never uses the artifact; instead it recompiles the analyzer inside the Docker build.

The Dockerfile will have lines such as FROM golang:1.11 AS build and COPY --from=build --chown=root:root /go/src/app/analyzer /.

Analyzers:

sobelow (golang:1.11)
spotbugs (golang:1.11)
tslint (golang:1.11)
secrets (golang:1.11)
gosec (golang:1.12)
pmd-apex (golang:1.12)

Pros:

  • the binary is not passed to the build stage as an artifact
  • each project can tweak the way the binary is built
  • the Dockerfile becomes self-contained (no magic files being copied across)

Note that the second point is also where the inconsistency comes from: the builder images listed above already range from golang:1.11 to golang:1.12. If Approach 2 is chosen, the builder image and the build flags need to be pinned and shared across analyzers to get the uniformity that Approach 1 gives for free.
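The following is an added example, not the analyzers' own CI or any GitLab code, of a check that makes the discrepancy between the two approaches visible: it classifies each analyzer's Dockerfile as Approach 1 (prebuilt analyzer copied in from the build context) or Approach 2 (golang builder stage plus COPY --from) and reports the Go version each builder stage uses, so drift like the golang:1.11 versus golang:1.12 split above shows up in one run. The three sample Dockerfiles it creates are constructed from the COPY and FROM lines quoted in both approaches; the final-stage base images, the go build command and the bandit/sobelow/gosec directory layout are assumptions, and the classification is a heuristic on FROM and COPY lines only.

```shell
#!/bin/sh
# Added example (not the analyzers' own CI): classify analyzer Dockerfiles by build approach
# and flag drift in the Go version used by multi-stage builds.

# classify_dockerfile FILE
# Prints "approach2:<go-version>" when a "FROM golang:<ver> AS <stage>" builder stage exists,
# "approach1" when the prebuilt analyzer is copied from the build context, "unknown" otherwise
# (returns 1 in that case).
classify_dockerfile() {
    f="$1"
    builder=$(grep -iE '^FROM[[:space:]]+golang:[^[:space:]]+[[:space:]]+AS[[:space:]]' "$f" | head -n 1)
    if [ -n "$builder" ]; then
        # second field is "golang:1.11"; keep only the tag
        ver=$(printf '%s\n' "$builder" | awk '{print $2}' | cut -d: -f2)
        printf 'approach2:%s\n' "$ver"
        return 0
    fi
    # Approach 1: COPY [--chown=...] analyzer <dest>, with no --from= (artifact from the go build job)
    if grep -qE '^COPY[[:space:]]+(--chown=[^[:space:]]+[[:space:]]+)?analyzer[[:space:]]' "$f"; then
        printf 'approach1\n'
        return 0
    fi
    printf 'unknown\n'
    return 1
}

# count_distinct_builds DIR
# Prints how many distinct build configurations exist among DIR/*/Dockerfile; 1 means consistent.
count_distinct_builds() {
    for f in "$1"/*/Dockerfile; do
        [ -f "$f" ] || continue
        classify_dockerfile "$f" || true
    done | sort -u | wc -l | tr -d ' '
}

# audit_dir DIR
# Prints one line per analyzer and a verdict; returns 1 when more than one configuration is in use.
audit_dir() {
    for f in "$1"/*/Dockerfile; do
        [ -f "$f" ] || continue
        printf '%-20s %s\n' "$(basename "$(dirname "$f")")" "$(classify_dockerfile "$f" || true)"
    done
    n=$(count_distinct_builds "$1")
    if [ "$n" -gt 1 ]; then
        printf 'INCONSISTENT: %s distinct build configurations across analyzers\n' "$n"
        return 1
    fi
    printf 'CONSISTENT: all analyzers share one build configuration\n'
}

# make_sample_tree DIR
# Constructed sample input: three minimal Dockerfiles in the shape of the two approaches.
# Base images and commands are assumptions, not the real analyzers' Dockerfiles.
make_sample_tree() {
    mkdir -p "$1/bandit" "$1/sobelow" "$1/gosec"
    # Approach 1: analyzer artifact from the go build job is copied from the build context
    cat > "$1/bandit/Dockerfile" <<'EOF'
FROM python:3.8-alpine
RUN pip install bandit
COPY --chown=root:root analyzer /
ENTRYPOINT ["/analyzer"]
EOF
    # Approach 2 with golang:1.11 builder stage
    cat > "$1/sobelow/Dockerfile" <<'EOF'
FROM golang:1.11 AS build
WORKDIR /go/src/app
COPY . .
RUN go build -o analyzer .
FROM alpine:3.12
COPY --from=build --chown=root:root /go/src/app/analyzer /
ENTRYPOINT ["/analyzer"]
EOF
    # Approach 2 with golang:1.12 builder stage (the drift this check is meant to catch)
    cat > "$1/gosec/Dockerfile" <<'EOF'
FROM golang:1.12 AS build
WORKDIR /go/src/app
COPY . .
RUN go build -o analyzer .
FROM alpine:3.12
COPY --from=build --chown=root:root /go/src/app/analyzer /
ENTRYPOINT ["/analyzer"]
EOF
}

# Stand-alone demo over the constructed tree; point audit_dir at a checkout of the analyzers instead.
sample=$(mktemp -d)
make_sample_tree "$sample"
audit_dir "$sample" || printf 'drift detected: decide on one approach and align the remaining analyzers\n'
rm -rf "$sample"
```

Run it against a directory holding one checkout per analyzer (`audit_dir /path/to/analyzers`) to get the same table for the real projects; a non-zero exit status is the signal that the issue is still open.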
Edited Jul 20, 2020 by Thomas Woodham