Merge branch 'aws:develop' into develop

Author: seshubaws

.github/workflows/check-binaries.yml

@@ -0,0 +1,82 @@
+name: Check binaries
+
+on: 
+  workflow_dispatch:
+  schedule:
+   - cron: "0 16 * * 1-5"  # min h d Mo DoW / 9am PST M-F
+
+jobs:
+  check-for-vulnerabilities:
+    runs-on: ubuntu-latest
+    outputs:
+      report_contents: ${{ steps.save-output.outputs.report_contents }}
+    steps:
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: main
+      - name: Download latest release
+        uses: robinraju/[email protected]
+        with:
+          latest: true
+          fileName: 'aws-lambda-rie*'
+          out-file-path: "bin"
+      - name: Run check for vulnerabilities
+        id: check-binaries
+        run: |
+          make check-binaries
+      - if: always() && failure()   # `always()` to run even if the previous step failed. Failure means that there are vulnerabilities
+        name: Save content of the vulnerabilities report as GitHub output
+        id: save-output
+        run: |
+          report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)"   # last file generated
+          if [ -z "$report_csv" ]; then
+            echo "No file with vulnerabilities. Probably a failure in previous step."
+          else
+            echo "Vulnerabilities stored in $report_csv"
+          fi
+          final_report="${report_csv}.txt"
+          awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report"   # make the CSV nicer
+          echo "report_contents<<EOF" >> "$GITHUB_OUTPUT"
+          cat "$final_report"         >> "$GITHUB_OUTPUT"
+          echo "EOF"                  >> "$GITHUB_OUTPUT"
+      - if: always() && steps.save-output.outputs.report_contents
+        name: Build new binaries and check vulnerabilities again
+        id: check-new-version
+        run: |
+          mkdir ./bin2
+          mv ./bin/* ./bin2
+          make compile-with-docker-all
+          latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq)
+          echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"
+          make check-binaries
+      - if: always() && steps.save-output.outputs.report_contents
+        name: Save outputs for the check with the latest build
+        id: save-new-version
+        run: |
+          if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then
+            fixed="No"
+          else
+            fixed="Yes"
+          fi
+          echo "fixed=$fixed" >> "$GITHUB_OUTPUT"
+      - if: always() && steps.save-output.outputs.report_contents
+        name: Create GitHub Issue indicating vulnerabilities
+        id: create-issue
+        uses: dacbd/create-issue-action@main
+        with:
+          token: ${{ github.token }}
+          title: |
+            CVEs found in latest RIE release
+          body: |
+            ###  CVEs found in latest RIE release
+            ```
+            ${{ steps.save-output.outputs.report_contents }}
+            ```
+            
+            #### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?:
+            > **${{ steps.save-new-version.outputs.fixed }}**

.github/workflows/integ-tests.yml

@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - develop
+      - main
 
 jobs:
   go-tests:

Makefile

@@ -10,7 +10,7 @@ DESTINATION_old:= bin/${BINARY_NAME}
 DESTINATION_x86_64 := bin/${BINARY_NAME}-x86_64
 DESTINATION_arm64 := bin/${BINARY_NAME}-arm64
 
-run_in_docker = docker run --env GOPROXY=direct -v $(shell pwd):/LambdaRuntimeLocal -w /LambdaRuntimeLocal golang:1.22 $(1)
+run_in_docker = docker run --env GOPROXY=direct -v $(shell pwd):/LambdaRuntimeLocal -w /LambdaRuntimeLocal golang:1.24 $(1)
 
 compile-with-docker-all:
 	$(call run_in_docker, make compile-lambda-linux-all)
@@ -70,4 +70,7 @@ integ-tests-with-docker-old:
 	make ARCH=old compile-with-docker
 	make prep-python
 	make TEST_ARCH="" TEST_PORT=9052 exec-python-e2e-test
-	
+
+check-binaries: prep-python
+	.venv/bin/pip install cve-bin-tool
+	.venv/bin/python -m cve_bin_tool.cli bin/ -r go -d REDHAT,OSV,GAD,CURL --no-0-cve-report -f csv

README.md

@@ -31,15 +31,16 @@ Lambda’s orchestrator, or security and authentication configurations. You can
 
 ## Installing
 
-Instructions for installing AWS Lambda Runtime Interface Emulator for your platform
+The following commands download the RIE binary for your platform. Note that while you can download the binary on any platform, the RIE can only be executed in a Linux environment (typically within a Docker container).
 
-| Platform | Command to install |
+| Platform (for downloading) | Command to download |
 |---------|---------
 | macOS/Linux x86\_64 | `mkdir -p ~/.aws-lambda-rie && curl -Lo ~/.aws-lambda-rie/aws-lambda-rie https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie && chmod +x ~/.aws-lambda-rie/aws-lambda-rie` |
 | macOS/Linux arm64 | `mkdir -p ~/.aws-lambda-rie && curl -Lo ~/.aws-lambda-rie/aws-lambda-rie https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie-arm64 && chmod +x ~/.aws-lambda-rie/aws-lambda-rie` |
 | Windows x86\_64 | `Invoke-WebRequest -OutFile 'C:\Program Files\aws lambda\aws-lambda-rie' https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie` |
 | Windows arm64 | `Invoke-WebRequest -OutFile 'C:\Program Files\aws lambda\aws-lambda-rie' https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie-arm64` |
 
+After downloading, the RIE binary must be used within a Linux environment, typically as part of a Docker container setup. See the Docker configuration instructions below for proper implementation.
 
 ## Getting started
 

go.mod

@@ -1,10 +1,10 @@
 module go.amzn.com
 
-go 1.22
+go 1.24
 
 require (
 	github.com/aws/aws-lambda-go v1.46.0
-	github.com/go-chi/chi v1.5.5
+	github.com/go-chi/chi/v5 v5.2.2
 	github.com/google/uuid v1.6.0
 	github.com/jessevdk/go-flags v1.5.0
 	github.com/sirupsen/logrus v1.9.3

go.sum

@@ -3,8 +3,8 @@ github.com/aws/aws-lambda-go v1.46.0/go.mod h1:dpMpZgvWx5vuQJfBt0zqBha60q7Dd7Rfg
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
-github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
+github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
+github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc=

lambda/core/directinvoke/directinvoke.go

@@ -11,7 +11,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"go.amzn.com/lambda/core/bandwidthlimiter"
 	"go.amzn.com/lambda/fatalerror"
 	"go.amzn.com/lambda/interop"

lambda/core/directinvoke/directinvoke_test.go

@@ -17,7 +17,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.amzn.com/lambda/fatalerror"

lambda/rapi/handler/agentnext.go

@@ -48,7 +48,7 @@ func (h *agentNextHandler) ServeHTTP(writer http.ResponseWriter, request *http.R
 		}
 	} else {
 		log.Warnf("Unknown agent %s tried to call /next", agentID.String())
-		rendering.RenderForbiddenWithTypeMsg(writer, request, errAgentIdentifierUnknown, "Unknown extension"+agentID.String())
+		rendering.RenderForbiddenWithTypeMsg(writer, request, errAgentIdentifierUnknown, "Unknown extension %s", agentID.String())
 		return
 	}
 

lambda/rapi/handler/agentregister.go

@@ -77,7 +77,7 @@ func (h *agentRegisterHandler) ServeHTTP(writer http.ResponseWriter, request *ht
 
 	registerRequest, err := parseRegister(request)
 	if err != nil {
-		rendering.RenderForbiddenWithTypeMsg(writer, request, errInvalidRequestFormat, err.Error())
+		rendering.RenderForbiddenWithTypeMsg(writer, request, errInvalidRequestFormat, "%s", err.Error())
 		return
 	}