chore(security): Support Go Vulnerability Management (#21139)

See https://go.dev/security/vuln/

Signed-off-by: Bo-Yi.Wu <appleboy.tw@gmail.com>

Signed-off-by: Bo-Yi.Wu <appleboy.tw@gmail.com>

.drone.yml

@@ -39,6 +39,16 @@ steps:
       - make lint-frontend
     depends_on: [deps-frontend]
 
+  - name: security-check
+    image: golang:1.19
+    pull: always
+    commands:
+      - make security-check
+    depends_on: [deps-backend]
+    volumes:
+      - name: deps
+        path: /go
+
   - name: lint-backend
     image: gitea/test_env:linux-amd64  # https://gitea.com/gitea/test-env
     pull: always

Makefile

@@ -35,6 +35,7 @@ MISSPELL_PACKAGE ?= github.com/client9/misspell/cmd/misspell@v0.3.4
 SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.0
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.3.0
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@latest
 
 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
@@ -728,6 +729,10 @@ generate-go: $(TAGS_PREREQ)
 	@echo "Running go generate..."
 	@CC= GOOS= GOARCH= $(GO) generate -tags '$(TAGS)' $(GO_PACKAGES)
 
+.PHONY: security-check
+security-check:
+	govulncheck -v ./...
+
 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
 
@@ -813,6 +818,7 @@ deps-backend:
 	$(GO) install $(SWAGGER_PACKAGE)
 	$(GO) install $(XGO_PACKAGE)
 	$(GO) install $(GO_LICENSES_PACKAGE)
+	$(GO) install $(GOVULNCHECK_PACKAGE)
 
 node_modules: package-lock.json
 	npm install --no-save