.github: add govuln check #14625
Conversation
@ahrtr @serathius PTAL when you have time.
case "${TARGET}" in
  linux-amd64-govuln-check)
    go install golang.org/x/vuln/cmd/govulncheck@latest
    govulncheck ./...
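Review bot: `go install golang.org/x/vuln/cmd/govulncheck@latest` in the linux-amd64-govuln-check case installs whatever the newest release happens to be on each run, so the tool's behaviour and exit codes can change between runs without any change to this repository, and two runs of the same commit may not agree. Pin a tagged version (`govulncheck@<version>`, with the version chosen by the maintainers) and bump it deliberately, so that a change in the check's result can always be traced either to a dependency change or to an explicit tool upgrade.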
It seems that the workflow will always succeed? Should we check the exit code?
The exit code is 3,
# echo $?
3
The exit code is 0 when go version is 1.19.2. It seems that we'd better upgrade go version to 1.19.2.
@ahrtr, so generally the library responds with exit code 3 if there's a vulnerability present. Updated the PR.
Output
➜ act -W .github/workflows/govuln.yaml
WARN ⚠ You are using Apple M1 chip and you have not specified container architecture, you might encounter issues while running act. If so, try running it with '--container-architecture linux/amd64'. ⚠
[Go Vulnerability Checker/test] 🚀 Start image=catthehacker/ubuntu:act-latest
[Go Vulnerability Checker/test] 🐳 docker pull image=catthehacker/ubuntu:act-latest platform= username= forcePull=false
[Go Vulnerability Checker/test] 🐳 docker create image=catthehacker/ubuntu:act-latest platform= entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Go Vulnerability Checker/test] 🐳 docker run image=catthehacker/ubuntu:act-latest platform= entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Go Vulnerability Checker/test] ☁ git clone 'https://github.com/actions/setup-go' # ref=v2
[Go Vulnerability Checker/test] 🧪 Matrix: map[target:linux-amd64-govuln-check]
[Go Vulnerability Checker/test] ⭐ Run Main actions/checkout@v2
[Go Vulnerability Checker/test] 🐳 docker cp src=/Users/vivekpatani/junkyard/etcd/etcd-upstream/. dst=/Users/vivekpatani/junkyard/etcd/etcd-upstream
[Go Vulnerability Checker/test] ✅ Success - Main actions/checkout@v2
[Go Vulnerability Checker/test] ⭐ Run Main actions/setup-go@v2
[Go Vulnerability Checker/test] 🐳 docker cp src=/Users/vivekpatani/.cache/act/actions-setup-go@v2/ dst=/var/run/act/actions/actions-setup-go@v2/
[Go Vulnerability Checker/test] 🐳 docker exec cmd=[node /var/run/act/actions/actions-setup-go@v2/dist/index.js] user= workdir=
| Setup go stable version spec 1.19.2
[Go Vulnerability Checker/test] 💬 ::debug::isExplicit: 1.19.2
[Go Vulnerability Checker/test] 💬 ::debug::explicit? true
[Go Vulnerability Checker/test] 💬 ::debug::checking cache: /opt/hostedtoolcache/go/1.19.2/x64
[Go Vulnerability Checker/test] 💬 ::debug::not found
| Attempting to download 1.19.2...
| matching 1.19.2...
[Go Vulnerability Checker/test] 💬 ::debug::check 1.19.2 satisfies 1.19.2
[Go Vulnerability Checker/test] 💬 ::debug::x64===x64 && darwin===linux
[Go Vulnerability Checker/test] 💬 ::debug::x64===x64 && linux===linux
[Go Vulnerability Checker/test] 💬 ::debug::matched 1.19.2
| Acquiring 1.19.2 from https://github.com/actions/go-versions/releases/download/1.19.2-3202506930/go-1.19.2-linux-x64.tar.gz
[Go Vulnerability Checker/test] 💬 ::debug::Downloading https://github.com/actions/go-versions/releases/download/1.19.2-3202506930/go-1.19.2-linux-x64.tar.gz
[Go Vulnerability Checker/test] 💬 ::debug::Destination /tmp/6002dd97-bb88-4134-9f02-70eb173867d5
[Go Vulnerability Checker/test] 💬 ::debug::download complete
| Extracting Go...
[Go Vulnerability Checker/test] 💬 ::debug::Checking tar --version
[Go Vulnerability Checker/test] 💬 ::debug::tar (GNU tar) 1.30%0ACopyright (C) 2017 Free Software Foundation, Inc.%0ALicense GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.%0AThis is free software: you are free to change and redistribute it.%0AThere is NO WARRANTY, to the extent permitted by law.%0A%0AWritten by John Gilmore and Jay Fenlason.
| [command]/usr/bin/tar xz --warning=no-unknown-keyword -C /tmp/099afe1c-6c34-41ae-bf2d-8f2357ecb268 -f /tmp/6002dd97-bb88-4134-9f02-70eb173867d5
| Successfully extracted go to /tmp/099afe1c-6c34-41ae-bf2d-8f2357ecb268
| Adding to the cache ...
[Go Vulnerability Checker/test] 💬 ::debug::Caching tool go 1.19.2 x64
[Go Vulnerability Checker/test] 💬 ::debug::source dir: /tmp/099afe1c-6c34-41ae-bf2d-8f2357ecb268
[Go Vulnerability Checker/test] 💬 ::debug::destination /opt/hostedtoolcache/go/1.19.2/x64
[Go Vulnerability Checker/test] 💬 ::debug::finished caching tool
| Successfully cached go to /opt/hostedtoolcache/go/1.19.2/x64
| Added go to the path
[Go Vulnerability Checker/test] 💬 ::debug::which go :/opt/hostedtoolcache/go/1.19.2/x64/bin/go:
[Go Vulnerability Checker/test] 💬 ::debug::go env GOPATH :/root/go:
[Go Vulnerability Checker/test] 💬 ::debug::creating /root/go
[Go Vulnerability Checker/test] 💬 ::debug::creating /root/go/bin
[Go Vulnerability Checker/test] 💬 ::debug::add bin true
| Successfully setup go version 1.19.2
[Go Vulnerability Checker/test] ❓ ##[add-matcher]/run/act/actions/actions-setup-go@v2/matchers.json
| go version go1.19.2 linux/amd64
|
[Go Vulnerability Checker/test] ❓ ::group::go env
| GO111MODULE=""
| GOARCH="amd64"
| GOBIN=""
| GOCACHE="/root/.cache/go-build"
| GOENV="/root/.config/go/env"
| GOEXE=""
| GOEXPERIMENT=""
| GOFLAGS=""
| GOHOSTARCH="amd64"
| GOHOSTOS="linux"
| GOINSECURE=""
| GOMODCACHE="/root/go/pkg/mod"
| GONOPROXY=""
| GONOSUMDB=""
| GOOS="linux"
| GOPATH="/root/go"
| GOPRIVATE=""
| GOPROXY="https://proxy.golang.org,direct"
| GOROOT="/opt/hostedtoolcache/go/1.19.2/x64"
| GOSUMDB="sum.golang.org"
| GOTMPDIR=""
| GOTOOLDIR="/opt/hostedtoolcache/go/1.19.2/x64/pkg/tool/linux_amd64"
| GOVCS=""
| GOVERSION="go1.19.2"
| GCCGO="gccgo"
| GOAMD64="v1"
| AR="ar"
| CC="gcc"
| CXX="g++"
| CGO_ENABLED="1"
| GOMOD="/Users/vivekpatani/junkyard/etcd/etcd-upstream/go.mod"
| GOWORK=""
| CGO_CFLAGS="-g -O2"
| CGO_CPPFLAGS=""
| CGO_CXXFLAGS="-g -O2"
| CGO_FFLAGS="-g -O2"
| CGO_LDFLAGS="-g -O2"
| PKG_CONFIG="pkg-config"
| GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2224535693=/tmp/go-build -gno-record-gcc-switches"
|
[Go Vulnerability Checker/test] ❓ ::endgroup::
[Go Vulnerability Checker/test] ✅ Success - Main actions/setup-go@v2
[Go Vulnerability Checker/test] ⭐ Run Main date
[Go Vulnerability Checker/test] 🐳 docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/2] user= workdir=
| Thu Oct 27 00:26:50 UTC 2022
[Go Vulnerability Checker/test] ✅ Success - Main date
[Go Vulnerability Checker/test] ⭐ Run Main echo "${TARGET}"
case "${TARGET}" in
linux-amd64-govuln-check)
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
;;
esac
[Go Vulnerability Checker/test] 🐳 docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/3] user= workdir=
| linux-amd64-govuln-check
| go: downloading golang.org/x/vuln v0.0.0-20221025230227-995372c58a16
| go: downloading golang.org/x/tools v0.1.13-0.20220928184430-f80e98464e27
| go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
| go: downloading golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
| go: downloading golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f
| govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
|
| Scanning for dependencies with known vulnerabilities...
| No vulnerabilities found.
[Go Vulnerability Checker/test] ✅ Success - Main echo "${TARGET}"
case "${TARGET}" in
linux-amd64-govuln-check)
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
;;
esac
[Go Vulnerability Checker/test] 🏁 Job succeeded
AMD64 has the same output, tested both.
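The exchange above settles that govulncheck exits 3 when it reports a vulnerability and 0 when it finds none, and the act log shows the step running under `bash -e -o pipefail`, so a non-zero exit already fails the job. What that leaves implicit is the difference between "findings" and "the scanner itself broke" (a download failure or a crash also exits non-zero and must not be read as a clean run). The wrapper below, an added example and not code from the etcd PR, makes that distinction explicit. It assumes the caller passes the scan command as arguments (`vuln_gate govulncheck ./...`); the `fake_scanner_with_findings` function is a constructed stand-in so the gate can be exercised without the real tool.

```shell
#!/bin/sh
# Added example, not part of the etcd PR. A CI gate around govulncheck that
# maps the scanner's exit status to an explicit verdict.
#   scanner exit 0 -> clean, gate returns 0
#   scanner exit 3 -> vulnerabilities found (as reported in the PR thread), gate returns 1
#   anything else  -> scanner failure, gate returns 2 so it is never mistaken for "clean"

# vuln_gate CMD [ARGS...]
vuln_gate() {
    # Running the command as the condition of an `if` suspends `set -e`
    # for that command, so the status can be inspected instead of
    # aborting the shell immediately.
    if "$@"; then
        status=0
    else
        status=$?
    fi

    case "$status" in
        0)
            echo "vuln_gate: no known vulnerabilities reported" >&2
            return 0
            ;;
        3)
            echo "vuln_gate: vulnerabilities found (scanner exit 3); failing the step" >&2
            return 1
            ;;
        *)
            echo "vuln_gate: scanner failed with exit $status; treating as an error, not a clean run" >&2
            return 2
            ;;
    esac
}

# Constructed stand-in for a scan that reports findings (exits 3), so the
# gate can be demonstrated offline without installing govulncheck.
fake_scanner_with_findings() {
    return 3
}

# Demonstration: the gate turns the scanner's "findings" status into a
# non-zero return that a `bash -e` workflow step would fail on.
vuln_gate fake_scanner_with_findings || echo "demo: CI step would fail with status $?" >&2

# In the workflow step this would read (pinned version is an assumption):
#   go install golang.org/x/vuln/cmd/govulncheck@<pinned-version>
#   vuln_gate govulncheck ./...
```

Returning a distinct status for scanner failures matters more than it looks: with `continue-on-error` set, as the commit message describes for the initial rollout, a job that "fails" because the tool could not be downloaded would otherwise be indistinguishable from one that found a real issue.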
- add job for govuln job
- allow to continue on failure, until all issues are addressed
- address: etcd-io#14449

Signed-off-by: vivekpatani <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #14625 +/- ##
==========================================
- Coverage 75.65% 75.45% -0.21%
==========================================
Files 457 457
Lines 37271 37271
==========================================
- Hits 28198 28121 -77
- Misses 7321 7380 +59
- Partials 1752 1770 +18
LGTM
Thank you @vivekpatani
We need to bump go versions in all other places as well. Please feel free to fix it in a separate PR or I can take care of it as well.
@ahrtr you got it, I'll update
Wait for that PR to merge before merging this. @ahrtr
It's OK to merge either PR firstly. cc @serathius @spzala @ptabor do you have any comment or concern on this PR? thx
cc @mitake for opinion as well.
fail-fast: false
matrix:
  target:
    - linux-amd64-govuln-check
Are you planning to add multiple targets? If not maybe simplify it
I was planning to add the same comment, but it isn't a big deal, so I gave up adding the comment.
@vivekpatani feel free to address this comment in a separate PR if you want.
@serathius @ahrtr #14669 - addressed
Signed-off-by: vivekpatani [email protected]
Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.