Initial commit

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Global
+*   @khulnasoft-devsec

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+  - package-ecosystem: gomod
+    open-pull-requests-limit: 10
+    directory: /
+    schedule:
+      interval: monthly

.github/workflows/cron-gh-releases.yml

@@ -0,0 +1,71 @@
+---
+# Tunnel DB was migrated from GitHub Releases to GitHub Packages Container registry,
+# but we still need to publish it in GitHub Releases for backward compatibility.
+# This workflow is planned to be removed on May 2022.
+name: Tunnel DB - GitHub Releases
+on:
+  schedule:
+    - cron: "30 */6 * * *"
+  workflow_dispatch:
+jobs:
+  build:
+    name: Build DB
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+        id: go
+
+      - name: Install bbolt
+        run: go install go.etcd.io/bbolt/cmd/bbolt@v1.3.5
+
+      # Checkout "github-releases" branch
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          ref: "github-releases"
+
+      - name: Download vuln-list and advisories
+        run: make db-fetch-langs db-fetch-vuln-list-main
+
+      - name: Build the binary
+        run: make build
+      #
+      # Full DB
+      #
+      - name: Build full database
+        run: make db-build
+
+      - name: Compact DB
+        run: make db-compact
+
+      - name: Compress assets
+        run: make db-compress
+
+      #
+      # Light DB
+      #
+      - name: Build light database
+        run: make db-build
+        env:
+          DB_TYPE: tunnel-light
+
+      - name: Compact DB
+        run: make db-compact
+        env:
+          DB_TYPE: tunnel-light
+
+      - name: Compress assets
+        run: make db-compress
+        env:
+          DB_TYPE: tunnel-light
+
+      #
+      # Upload
+      #
+      - name: Upload assets
+        run: ./tunnel-db upload --dir assets
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/cron.yml

@@ -0,0 +1,130 @@
+---
+name: Tunnel DB
+on:
+  schedule:
+    - cron: "0 */6 * * *"
+  workflow_dispatch:
+env:
+  REPO_OWNER: ${{ github.repository_owner }} # used in 'make db-build'
+  GH_USER: khulnasoft-bot
+  VERSION: 2
+jobs:
+  build:
+    name: Build DB
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@v10
+        with:
+          root-reserve-mb: 32768 # vuln-list dirs + language repositories use more than 12GB of storage
+          remove-android: "true"
+          remove-docker-images: "true"
+          remove-dotnet: "true"
+          remove-haskell: "true"
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Install bbolt
+        run: go install go.etcd.io/bbolt/cmd/bbolt@v1.3.5
+
+      - name: Download vuln-list and advisories
+        run: make db-fetch-langs db-fetch-vuln-list
+
+      - name: Build the binary
+        run: make build
+
+      - name: Build database
+        run: make db-build
+
+      - name: Compact DB
+        run: make db-compact
+
+      - name: Compress assets
+        run: make db-compress
+
+      - name: Move DB
+        run: mv assets/db.tar.gz .
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Packages Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ env.GH_USER }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to ECR
+        uses: docker/login-action@v3
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+
+      - name: Install oras
+        run: |
+          curl -LO https://github.com/oras-project/oras/releases/download/v1.2.0/oras_1.2.0_linux_amd64.tar.gz
+          tar -xvf ./oras_1.2.0_linux_amd64.tar.gz
+
+      - name: Upload assets to registries
+        run: |
+          lowercase_repo=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          echo "Starting artifact upload process..."
+
+          # Define an array of registry base URLs and their corresponding repository names
+          declare -A registries=(
+            ["ghcr.io"]="${lowercase_repo}"
+            ["public.ecr.aws"]="${lowercase_repo}"
+            ["docker.io"]="${lowercase_repo}"
+          )
+
+          # Special case for docker.io if the organization is 'khulnasoft'
+          if [[ "${lowercase_repo}" == "khulnasoft/"* ]]; then
+            registries["docker.io"]="khulnasoft/${lowercase_repo#khulnasoft/}"
+            echo "Docker Hub repository adjusted for khulnasoft: ${registries["docker.io"]}"
+          fi
+
+          # Loop through each registry and push the artifact
+          for registry in "${!registries[@]}"; do
+            repo_name=${registries[$registry]}
+            full_registry_url="${registry}/${repo_name}"
+            echo "Processing registry: ${full_registry_url}"
+
+            tags=(latest ${{ env.VERSION }})
+            for tag in "${tags[@]}"; do
+              echo "Pushing artifact with tag: ${tag}"
+
+              if ./oras push --artifact-type application/vnd.khulnasoft.tunnel.config.v1+json \
+                "${full_registry_url}:${tag}" \
+                db.tar.gz:application/vnd.khulnasoft.tunnel.db.layer.v1.tar+gzip; then
+                echo "Successfully pushed to ${full_registry_url}:${tag}"
+              else
+                echo "Failed to push to ${full_registry_url}:${tag}"
+                exit 1
+              fi
+            done
+          done
+            
+          echo "Artifact upload process completed."
+
+      - name: Microsoft Teams Notification
+        ## Until the PR with the fix for the AdaptivCard version is merged yet
+        ## https://github.com/Skitionek/notify-microsoft-teams/pull/96
+        ## Use the khulnasoft fork
+        uses: khulnasoft/notify-microsoft-teams@master
+        if: failure()
+        with:
+          webhook_url: ${{ secrets.TUNNEL_MSTEAMS_WEBHOOK }}
+          needs: ${{ toJson(needs) }}
+          job: ${{ toJson(job) }}
+          steps: ${{ toJson(steps) }}

.github/workflows/go.yml

@@ -0,0 +1,24 @@
+---
+name: Go
+on: [push, pull_request]
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v6.0.1
+        with:
+          args: --verbose
+
+      - name: Test
+        run: |
+          go test -v ./...

.github/workflows/publish.yml

@@ -0,0 +1,65 @@
+---
+name: Publish
+on:
+  schedule:
+    - cron: "0 */12 * * *"
+  workflow_dispatch:
+env:
+  ALIAS_DOCKER: khulnasoft
+  REP: tunnel-db
+jobs:
+  publish:
+    name: Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out Repo
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Get date version
+        id: date_version
+        run: |
+          version=$(date +"%Y%m%d%H" )
+          date_version=v1-$(echo ${version})
+          echo "::set-output name=version::${date_version}"
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildxarch-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildxarch-
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+      - name: Get the version
+        id: docker_meta
+        uses: crazy-max/ghaction-docker-meta@v1
+        with:
+          images: ${{ env.REP }}
+          tag-semver: |
+            {{version}}
+
+      - name: Build and push - Docker
+        id: docker_build
+        uses: docker/build-push-action@v2
+        continue-on-error: true
+        with:
+          context: .
+          platforms: linux/amd64
+          builder: ${{ steps.buildx.outputs.name }}
+          push: true
+          tags: |
+            ${{ env.ALIAS_DOCKER }}/${{ env.REP }}:${{ steps.date_version.outputs.version }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+
+      - name: Image digest
+        run: |
+          echo ${{ steps.docker_build.outputs.digest }}
+          echo ${{ steps.ecr_build.outputs.digest }}

.gitignore

@@ -0,0 +1,25 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+coverage.txt
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+.idea
+.vscode
+
+**/.DS_Store
+
+/assets
+/cache
+/out
+
+# tunnel-db Outputs
+tunnel-db

.golangci.yml

@@ -0,0 +1,40 @@
+run:
+  go: "1.19"
+  timeout: 5m
+  skip-dirs:
+    - cache
+    - assets
+linters:
+  enable:
+    - gofmt
+    - bodyclose
+    - staticcheck
+    - unused
+    - gci
+    - gomodguard
+    - tenv
+    - gosimple
+    - govet
+  disable:
+    - errcheck
+    - ineffassign
+    - structcheck
+linters-settings:
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/khulnasoft/)
+      - blank
+      - dot
+  gomodguard:
+    blocked:
+      modules:
+        - github.com/hashicorp/go-version:
+            recommendations:
+              - github.com/aquasecurity/go-version
+            reason: "`aquasecurity/go-version` is degisned for our use-cases"
+        - github.com/Masterminds/semver:
+            recommendations:
+              - github.com/aquasecurity/go-version
+            reason: "`aquasecurity/go-version` is degisned for our use-cases"

.yamllint

@@ -0,0 +1,11 @@
+---
+extends: default
+
+rules:
+  line-length: disable
+  truthy: disable
+
+ignore: |
+  /cache/
+  /pkg/
+  !/bin/*.lint-me-anyway.yaml