Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: fix osv vulnerability and license scans and add license overrides #4157

Merged
merged 5 commits into from
Sep 5, 2024
Merged

ci: fix osv vulnerability and license scans and add license overrides #4157

merged 5 commits into from
Sep 5, 2024

Conversation

shahar-h
Copy link
Contributor

@shahar-h shahar-h commented Sep 4, 2024
edited
Loading

What this PR does / why we need it:

@shahar-h shahar-h requested a review from a team as a code owner September 4, 2024 19:36
@codecov Codecov
Copy link

codecov bot commented Sep 4, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.93%. Comparing base (301eedd) to head (e458c7e).
Report is 5 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4157      +/-   ##
==========================================
- Coverage   67.94%   67.93%   -0.02%     
==========================================
  Files         187      187              
  Lines       23019    23019              
==========================================
- Hits        15641    15637       -4     
- Misses       6264     6267       +3     
- Partials     1114     1115       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@shahar-h
fix lint issue
ef5da42 
Signed-off-by: Shahar Harari <[email protected]>
@shahar-h
unknown -> unidentified
de921a7 
Signed-off-by: Shahar Harari <[email protected]>
@shahar-h
revert collect.go
f955980 
Signed-off-by: Shahar Harari <[email protected]>
@shahar-h
revert go.mod and go.sum
e458c7e 
Signed-off-by: Shahar Harari <[email protected]>
guydc
guydc approved these changes Sep 4, 2024
View reviewed changes
Copy link
Contributor

@guydc guydc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks!

@guydc
Copy link
Contributor

guydc commented Sep 4, 2024

We can get rid of github.com/hashicorp/go-getter package by replacing the usage of convert.ValidateOutputPath function with a local copy. This is the function: https://github.com/replicatedhq/troubleshoot/blob/main/pkg/convert/output.go#L10-L19

@zirain - WDYT? Do you see other uses for this lib? if not, by replacing it, we can finally start enforcing OSV scans.

@zirain
Copy link
Member

zirain commented Sep 5, 2024

We can get rid of github.com/hashicorp/go-getter package by replacing the usage of convert.ValidateOutputPath function with a local copy. This is the function: https://github.com/replicatedhq/troubleshoot/blob/main/pkg/convert/output.go#L10-L19

@zirain - WDYT? Do you see other uses for this lib? if not, by replacing it, we can finally start enforcing OSV scans.

it's fine to replace.

zirain
zirain reviewed Sep 5, 2024
View reviewed changes
osv-scanner.toml
Comment on lines +116 to +122
[[PackageOverrides]]
name = "github.com/grafana/tempo"
version = "1.5.0"
ecosystem = "Go"
# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
license.override = ["Apache-2.0"]
reason = "This package is only used in e2e tests so we can ignore its license"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we change change it to zipkin or other backend.
does loki has same problem?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Loki has the same AGPL-3.0 license.

@shahar-h
Copy link
Contributor Author

shahar-h commented Sep 5, 2024

/retest

@shahar-h
Copy link
Contributor Author

shahar-h commented Sep 5, 2024

We can get rid of github.com/hashicorp/go-getter package by replacing the usage of convert.ValidateOutputPath function with a local copy. This is the function: https://github.com/replicatedhq/troubleshoot/blob/main/pkg/convert/output.go#L10-L19

@zirain - WDYT? Do you see other uses for this lib? if not, by replacing it, we can finally start enforcing OSV scans.

it's fine to replace.

I'll open a separate PR for this.

@zirain zirain merged commit 5998980 into envoyproxy:main Sep 5, 2024
23 checks passed
@zirain zirain mentioned this pull request Sep 5, 2024
Merged
@shahar-h shahar-h deleted the fix-osv branch September 5, 2024 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zirain zirain zirain approved these changes

@guydc guydc guydc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@shahar-h @guydc @zirain