From 2aa665ae381ecb64adf61be6fbe23de0e36586ac Mon Sep 17 00:00:00 2001 From: Jakub Date: Thu, 19 May 2022 12:08:26 +0200 Subject: [PATCH 1/2] GODT-1562: Update test fingerpring --- pkg/pmapi/dialer_pinning_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/pmapi/dialer_pinning_test.go b/pkg/pmapi/dialer_pinning_test.go index 470c78c..16ed95b 100644 --- a/pkg/pmapi/dialer_pinning_test.go +++ b/pkg/pmapi/dialer_pinning_test.go @@ -88,7 +88,7 @@ func TestTLSSignedCertTrustedPublicKey(t *testing.T) { _, dialer, _ := createClientWithPinningDialer("") copyTrustedPins(dialer.pinChecker) - dialer.pinChecker.trustedPins = append(dialer.pinChecker.trustedPins, `pin-sha256="W8/42Z0ffufwnHIOSndT+eVzBJSC0E8uTIC8O6mEliQ="`) + dialer.pinChecker.trustedPins = append(dialer.pinChecker.trustedPins, `pin-sha256="2opdB7b5INED5jS7duIDR7dM8Er99i7trnwKuW3GMCY="`) _, err := dialer.DialTLS("tcp", "rsa4096.badssl.com:443") r.NoError(t, err, "expected dial to succeed because public key is known and cert is signed by CA") } From 098956b81a2942dc036a74f2b902ea2929163afd Mon Sep 17 00:00:00 2001 From: Jakub Date: Tue, 17 May 2022 13:49:59 +0200 Subject: [PATCH 2/2] GODT-1550: Add gobinsec check after CI build. --- .gitlab-ci.yml | 56 +++++++++++++++++++++++++++-------------- utils/gobinsec_conf.yml | 5 ++++ 2 files changed, 42 insertions(+), 19 deletions(-) create mode 100644 utils/gobinsec_conf.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 32175b4..99ce16d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
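Review bot: The replacement `pin-sha256` value is added with no record of how it was obtained, so the next time rsa4096.badssl.com rotates its certificate the test will fail again and nobody can check a new value against anything. A comment above the append would fix that, e.g. `// SPKI pin of the current rsa4096.badssl.com leaf certificate; it must be re-derived from the served chain whenever badssl rotates the cert`. Because the dial reaches a live host, the assertion also depends on network access and on badssl's uptime, which is worth stating in the same comment. Separately, the connection DialTLS returns on the following context line is dropped without being closed; keeping it in a variable and deferring Close when err is nil would avoid leaking it across the suite. TestTLSSignedCertTrustedPublicKey's signature sits on the hunk header, so the function starts outside the hunk.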
@@ -1,3 +1,21 @@ +# Copyright (c) 2022 Proton Technologies AG +# +# This file is part of ProtonMail Bridge. +# +# ProtonMail Bridge is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# ProtonMail Bridge is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with ProtonMail Bridge. If not, see . + +--- image: gitlab.protontech.ch:4567/go/bridge-internal:latest before_script: @@ -120,11 +138,17 @@ build-qml: script: - make build - git diff && git diff-index --quiet HEAD + - curl -L https://services.nvd.nist.gov/rest/json/cves/1.0/ + - gobinsec -verbose -wait -config utils/gobinsec_conf.yml + cmd/Desktop-Bridge/deploy/linux/proton-bridge artifacts: # Note: The latest artifacts for refs are locked against deletion, and kept # regardless of the expiry time. Introduced in GitLab 13.0 behind a # disabled feature flag, and made the default behavior in GitLab 13.4. expire_in: 1 day + when: always + paths: + - bridge_*.tgz tags: - large @@ -132,20 +156,16 @@ build-linux: extends: .build-base artifacts: name: "bridge-linux-$CI_COMMIT_SHORT_SHA" - paths: - - bridge_*.tgz build-linux-qa: - extends: .build-base + extends: build-linux only: - web - branches - script: - - BUILD_TAGS="build_qa" make build + variables: + BUILD_TAGS: "build_qa" artifacts: name: "bridge-linux-qa-$CI_COMMIT_SHORT_SHA" - paths: - - bridge_*.tgz .build-darwin-base: 
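Review bot: The `curl -L https://services.nvd.nist.gov/rest/json/cves/1.0/` line in the `@@ -120,11 +138,17 @@` hunk has no stated purpose and, lacking `-f`, exits 0 on an HTTP error while printing the response body into the job log. If it is a reachability probe for the NVD API that gobinsec consults, make it fail loudly and stay quiet, `- curl -fsSL -o /dev/null https://services.nvd.nist.gov/rest/json/cves/1.0/`, with a comment saying so; otherwise drop it and let gobinsec report its own download error. The gobinsec call that follows makes NVD availability a hard dependency of every job extending this template, so a comment should record that a scan outage is meant to fail the build (as opposed to `allow_failure: true` with the report kept as an artifact) and what `-wait` is for, presumably NVD rate limiting. The template this script belongs to starts outside the hunk.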
@@ -159,6 +179,9 @@ build-linux-qa: - export GOPATH=~/go - export PATH=$GOPATH/bin:$PATH - export CGO_CPPFLAGS='-Wno-error -Wno-nullability-completeness -Wno-expansion-to-defined -Wno-builtin-requires-header' + script: + - make build + - git diff && git diff-index --quiet HEAD cache: {} tags: - macOS @@ -167,20 +190,16 @@ build-darwin: extends: .build-darwin-base artifacts: name: "bridge-darwin-$CI_COMMIT_SHORT_SHA" - paths: - - bridge_*.tgz build-darwin-qa: extends: .build-darwin-base only: - web - branches - script: - - BUILD_TAGS="build_qa" make build + variables: + BUILD_TAGS: "build_qa" artifacts: name: "bridge-darwin-qa-$CI_COMMIT_SHORT_SHA" - paths: - - bridge_*.tgz .build-windows-base: @@ -194,6 +213,9 @@ build-darwin-qa: - export PATH=$GOPATH/bin:$PATH - export MSYSTEM= - export PATH=$PATH:/c/grrrQt/5.13.2/mingw73_64/bin + script: + - make build + - git diff && git diff-index --quiet HEAD tags: - windows-bridge @@ -201,20 +223,16 @@ build-windows: extends: .build-windows-base artifacts: name: "bridge-windows-$CI_COMMIT_SHORT_SHA" - paths: - - bridge_*.tgz build-windows-qa: extends: .build-windows-base only: - web - branches - script: - - BUILD_TAGS="build_qa" make build + variables: + BUILD_TAGS: "build_qa" artifacts: name: "bridge-windows-qa-$CI_COMMIT_SHORT_SHA" - paths: - - bridge_*.tgz # Stage: MIRROR diff --git a/utils/gobinsec_conf.yml b/utils/gobinsec_conf.yml new file mode 100644 index 0000000..b8dc710 --- /dev/null +++ b/utils/gobinsec_conf.yml @@ -0,0 +1,5 @@ +--- + +ignore: + # golang.org/x/net wrong match, we are using 2871e0cb, fixed by 37e1c6af + - "CVE-2021-33194"
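Review bot: The `script:` added to `.build-darwin-base` in this hunk, and to `.build-windows-base` in the `@@ -194,6 +213,9 @@` hunk, runs `make build` and the git cleanliness check but not the gobinsec scan that the linux template receives, so only the linux binary is ever matched against the NVD. If that is deliberate because the module set is the same for every target, say so next to the script, `# gobinsec runs on the linux build only; the dependency set is assumed identical across targets`; otherwise add the same gobinsec line here pointing at the platform's deploy path. Dependencies pulled in only by GOOS-specific files would be invisible to a linux-only scan, which is the risk the comment should acknowledge. Both templates' headers are outside their hunks.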
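Review bot: The ignore entry for CVE-2021-33194 is justified only by `wrong match` and two bare commit hashes, which will not tell a later reader when the exception can go away. Name the module and the exit condition in the comment, e.g. `# golang.org/x/net: false positive — the pinned revision 2871e0cb already contains the fix (37e1c6af); drop this entry once the matcher stops flagging it`. If gobinsec's config can scope an ignore to a module or version, prefer that to a bare CVE id so the same CVE still surfaces should it ever match a different dependency; the schema is not visible here.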