
Config min version (#1955)

* init

* minVersion set

* sigh

* addressed some comments, fixed double validate bug
Zachary Rice 4 月之前
父節點
當前提交
3821f30b06
共有 9 個文件被更改,包括 84 次插入6 次删除
  1. 1 1
      .goreleaser.yml
  2. 5 0
      cmd/generate/config/rules/config.tmpl
  3. 2 1
      cmd/root.go
  4. 2 3
      cmd/version.go
  5. 61 1
      config/config.go
  6. 5 0
      config/gitleaks.toml
  7. 1 0
      go.mod
  8. 2 0
      go.sum
  9. 5 0
      version/version.go

+ 1 - 1
.goreleaser.yml

@@ -18,7 +18,7 @@ builds:
     tags:
       - gore2regex
     ldflags:
-      - -s -w -X=github.com/zricethezav/gitleaks/v8/cmd.Version={{.Version}}
+      - -s -w -X=github.com/zricethezav/gitleaks/v8/version.Version={{.Version}}
 archives:
   - builds: [gitleaks]
     format_overrides:

+ 5 - 0
cmd/generate/config/rules/config.tmpl

@@ -13,6 +13,11 @@
 
 title = "{{.Title}}"
 
+# minVersion indicates the minimum Gitleaks version required to use this config.
+# If the running version is older, a warning will be logged and not all
+# config-enabled features are guaranteed to work.
+minVersion = "v8.25.0"
+
 {{ with .Allowlists }}{{ range $i, $allowlist := . }}{{ if or $allowlist.Regexes $allowlist.Paths $allowlist.Commits $allowlist.StopWords }}# TODO: change to [[allowlists]]{{println}}[allowlist]
 {{- with .Description }}{{println}}description = "{{ . }}"{{ end }}
 {{- with .MatchCondition }}{{println}}condition = "{{ .String }}"{{ end }}
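Review bot: minVersion is hardcoded to `v8.25.0` in the generator template, so every regenerated config declares that floor regardless of which rules it contains, and the value has to be remembered and bumped by hand whenever a rule starts depending on a newer feature. The same literal is duplicated in config/gitleaks.toml, so the two copies can drift. Consider driving it from the generator instead, e.g. a template field such as `minVersion = "{{.MinVersion}}"` populated from one constant the generator owns, so there is a single place to update.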

+ 2 - 1
cmd/root.go

@@ -19,6 +19,7 @@ import (
 	"github.com/zricethezav/gitleaks/v8/logging"
 	"github.com/zricethezav/gitleaks/v8/regexp"
 	"github.com/zricethezav/gitleaks/v8/report"
+	"github.com/zricethezav/gitleaks/v8/version"
 )
 
 const banner = `
@@ -42,7 +43,7 @@ var (
 	rootCmd = &cobra.Command{
 		Use:     "gitleaks",
 		Short:   "Gitleaks scans code, past or present, for secrets",
-		Version: Version,
+		Version: version.Version,
 	}
 
 	// diagnostics manager is global to ensure it can be started before a scan begins

+ 2 - 3
cmd/version.go

@@ -4,10 +4,9 @@ import (
 	"fmt"
 
 	"github.com/spf13/cobra"
+	"github.com/zricethezav/gitleaks/v8/version"
 )
 
-var Version = "version is set by build process"
-
 func init() {
 	rootCmd.AddCommand(versionCmd)
 }
@@ -19,5 +18,5 @@ var versionCmd = &cobra.Command{
 }
 
 func runVersion(cmd *cobra.Command, args []string) {
-	fmt.Println(Version)
+	fmt.Println(version.Version)
 }

+ 61 - 1
config/config.go

@@ -7,10 +7,12 @@ import (
 	"sort"
 	"strings"
 
+	gv "github.com/hashicorp/go-version"
 	"github.com/spf13/viper"
 
 	"github.com/zricethezav/gitleaks/v8/logging"
 	"github.com/zricethezav/gitleaks/v8/regexp"
+	"github.com/zricethezav/gitleaks/v8/version"
 )
 
 var (
@@ -54,6 +56,10 @@ type ViperConfig struct {
 	AllowList *viperGlobalAllowlist
 
 	Allowlists []*viperGlobalAllowlist
+
+	MinVersion string
+
+	configPath string
 }
 
 type viperRequired struct {
@@ -88,6 +94,7 @@ type Config struct {
 	// used to keep sarif results consistent
 	OrderedRules []string
 	Allowlists   []*Allowlist
+	MinVersion   string
 }
 
 // Extend is a struct that allows users to define how they want their
@@ -194,7 +201,22 @@ func (vc *ViperConfig) Translate() (Config, error) {
 		Rules:        rulesMap,
 		Keywords:     keywords,
 		OrderedRules: orderedRules,
+		MinVersion:   vc.MinVersion,
+	}
+
+	if extendDepth > 0 {
+		// annoying hack to set the current config with the extended path
+		// since if extendDepth > 0 we are operating an extended config.
+		c.Path = vc.configPath
+	} else {
+		// I don't love this
+		c.Path = viper.ConfigFileUsed()
+	}
+
+	if err := validateMinVersion(c.MinVersion, c.Path); err != nil {
+		return Config{}, err
 	}
+
 	// Parse the config allowlists, including the older format for backwards compatibility.
 	if vc.AllowList != nil {
 		// TODO: Remove this in v9.
@@ -258,6 +280,41 @@ func (vc *ViperConfig) Translate() (Config, error) {
 	return c, nil
 }
 
+func validateMinVersion(minVer string, configPath string) error {
+	if minVer == "" {
+		logging.Debug().Str("config path", configPath).
+			Msg("no minVersion specified in config... consider adding minVersion to ensure compatibility.")
+		return nil
+	}
+
+	if version.Version == version.DefaultMsg {
+		logging.Debug().
+			Str("required", minVer).
+			Msg("dev build, skipping config version check.")
+		return nil
+	}
+
+	minSemVer, err := gv.NewSemver(minVer)
+	if err != nil {
+		return fmt.Errorf("invalid minVersion '%s': %w", minVer, err)
+	}
+
+	currentSemVer, err := gv.NewSemver(version.Version)
+	if err != nil {
+		return fmt.Errorf("unable to parse current version: %w", err)
+	}
+
+	if currentSemVer.LessThan(minSemVer) {
+		logging.Warn().
+			Str("required", minVer).
+			Str("current", version.Version).
+			Str("config path", configPath).
+			Msg("config requires a newer Gitleaks version...")
+	}
+
+	return nil
+}
+
 func (vc *ViperConfig) parseAllowlist(a *viperRuleAllowlist) (*Allowlist, error) {
 	var matchCondition AllowlistMatchCondition
 	switch strings.ToUpper(a.Condition) {
@@ -345,11 +402,13 @@ func (c *Config) extendPath(parent *ViperConfig) error {
 	if err := viper.Unmarshal(&extensionViperConfig); err != nil {
 		return fmt.Errorf("failed to load extended config, err: %w", err)
 	}
+
+	extensionViperConfig.configPath = c.Extend.Path
+	logging.Debug().Msgf("extending config with %s", c.Extend.Path)
 	cfg, err := extensionViperConfig.Translate()
 	if err != nil {
 		return fmt.Errorf("failed to load extended config, err: %w", err)
 	}
-	logging.Debug().Msgf("extending config with %s", c.Extend.Path)
 	c.extend(cfg)
 	return nil
 }
@@ -429,4 +488,5 @@ func (c *Config) extend(extensionConfig Config) {
 
 	// sort to keep extended rules in order
 	sort.Strings(c.OrderedRules)
+	return
 }
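Review bot: In validateMinVersion (the `@@ -258,6 +280,41 @@` hunk), a build whose injected version.Version does not parse as semver makes every config load fail with `unable to parse current version`, even though the check is advisory: a binary that is too old only gets a warning. Because the `-X` ldflag can stamp any string into version.Version, that branch should behave like the dev-build branch above it — log at debug level with the parse error and `return nil` — so a malformed build stamp cannot break loading an otherwise valid config, while the `invalid minVersion` error for user-supplied values stays strict. The bare `return` added at the end of extend is redundant in a function without results and staticcheck reports it (S1023); drop it. Prefer `%q` over `'%s'` in the minVersion error message so odd values are quoted and escaped in the output.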

+ 5 - 0
config/gitleaks.toml

@@ -13,6 +13,11 @@
 
 title = "gitleaks config"
 
+# minVersion indicates the minimum Gitleaks version required to use this config.
+# If the running version is older, a warning will be logged and not all
+# config-enabled features are guaranteed to work.
+minVersion = "v8.25.0"
+
 # TODO: change to [[allowlists]]
 [allowlist]
 description = "global allow lists"

+ 1 - 0
go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/gitleaks/go-gitdiff v0.9.1
 	github.com/google/go-cmp v0.6.0
 	github.com/h2non/filetype v1.1.3
+	github.com/hashicorp/go-version v1.7.0
 	github.com/mholt/archives v0.1.2
 	github.com/rs/zerolog v1.33.0
 	github.com/spf13/cobra v1.9.1

+ 2 - 0
go.sum

@@ -105,6 +105,8 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
+github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=

+ 5 - 0
version/version.go

@@ -0,0 +1,5 @@
+package version
+
+// these two gotta be the same
+var DefaultMsg = "version is set by build process"
+var Version = "version is set by build process"
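Review bot: DefaultMsg and Version are two independent vars with only the comment `these two gotta be the same` keeping them equal, yet config.validateMinVersion relies on that equality to recognise a dev build and skip the version check. Enforce it in code instead: `const DefaultMsg = "version is set by build process"` and `var Version = DefaultMsg` (Version must remain a var because the `-X` ldflag in .goreleaser.yml overwrites it at link time). Both names are exported, so each needs a doc comment starting with its name, e.g. `// Version is the Gitleaks release version, injected at build time via -ldflags -X; it equals DefaultMsg in unstamped builds.`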