Exclude finding from govulncheck check (kolide#1886)

RebeccaMahany · Oct 11, 2024 · acc3a3f · acc3a3f
1 parent 100a084
commit acc3a3f
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -51,9 +51,24 @@ jobs:
       - id: govulncheck
         uses: golang/govulncheck-action@v1
         with:
-           go-version-file: './go.mod'
-           check-latest: true
-           go-package: ./...
+          go-version-file: './go.mod'
+          check-latest: true
+          go-package: ./...
+          output-format: json
+          output-file: govulncheck.json
+
+      # Exclude GO-2024-3166 since we do not believe it applies to go-tuf before v2, and additionally
+      # because we do not believe it applies to our usage since we do not use delegates.
+      - name: Evaluate govulncheck results
+        shell: bash
+        run: |
+          findingCount=$(jq -r '.finding | select ( . != null ) | .osv | select ( . != "GO-2024-3166")' govulncheck.json | wc -l)
+          findingCount=$((findingCount + 0))
+          if [[ $findingCount -ne 0 ]]; then
+            printf "govulncheck reports %d findings" "$findingCount"
+            jq -r '.finding | select ( . != null )' govulncheck.json
+            exit 1
+          fi
 
   # This job is here as a github status check -- it allows us to move
   # the merge dependency from being on all the jobs to this single