
.github: add govuln check #14625

Merged 1 commit into etcd-io:main on Oct 28, 2022

Conversation

vivekpatani (Contributor):

Signed-off-by: vivekpatani [email protected]

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

vivekpatani (Contributor, Author):

@ahrtr @serathius PTAL when you have time.

Review thread on .github/workflows/govuln.yaml (outdated, resolved):

    case "${TARGET}" in
      linux-amd64-govuln-check)
        go install golang.org/x/vuln/cmd/govulncheck@latest
        govulncheck ./...

Member:

It seems that the workflow will always succeed? Should we check the exit code?

Member:

The exit code is 3:

    # echo $?
    3

Member:

The exit code is 0 when the go version is 1.19.2. It seems that we'd better upgrade the go version to 1.19.2.

vivekpatani (Contributor, Author):

@ahrtr, so generally the library responds with exit code 3 if there's a vulnerability present. Updated the PR.

Output:

➜  act -W .github/workflows/govuln.yaml
WARN  ⚠ You are using Apple M1 chip and you have not specified container architecture, you might encounter issues while running act. If so, try running it with '--container-architecture linux/amd64'. ⚠
[Go Vulnerability Checker/test] 🚀  Start image=catthehacker/ubuntu:act-latest
[Go Vulnerability Checker/test]   🐳  docker pull image=catthehacker/ubuntu:act-latest platform= username= forcePull=false
[Go Vulnerability Checker/test]   🐳  docker create image=catthehacker/ubuntu:act-latest platform= entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Go Vulnerability Checker/test]   🐳  docker run image=catthehacker/ubuntu:act-latest platform= entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Go Vulnerability Checker/test]   ☁  git clone 'https://github.com/actions/setup-go' # ref=v2
[Go Vulnerability Checker/test] 🧪  Matrix: map[target:linux-amd64-govuln-check]
[Go Vulnerability Checker/test] ⭐ Run Main actions/checkout@v2
[Go Vulnerability Checker/test]   🐳  docker cp src=/Users/vivekpatani/junkyard/etcd/etcd-upstream/. dst=/Users/vivekpatani/junkyard/etcd/etcd-upstream
[Go Vulnerability Checker/test]   ✅  Success - Main actions/checkout@v2
[Go Vulnerability Checker/test] ⭐ Run Main actions/setup-go@v2
[Go Vulnerability Checker/test]   🐳  docker cp src=/Users/vivekpatani/.cache/act/actions-setup-go@v2/ dst=/var/run/act/actions/actions-setup-go@v2/
[Go Vulnerability Checker/test]   🐳  docker exec cmd=[node /var/run/act/actions/actions-setup-go@v2/dist/index.js] user= workdir=
| Setup go stable version spec 1.19.2
[Go Vulnerability Checker/test]   💬  ::debug::isExplicit: 1.19.2
[Go Vulnerability Checker/test]   💬  ::debug::explicit? true
[Go Vulnerability Checker/test]   💬  ::debug::checking cache: /opt/hostedtoolcache/go/1.19.2/x64
[Go Vulnerability Checker/test]   💬  ::debug::not found
| Attempting to download 1.19.2...
| matching 1.19.2...
[Go Vulnerability Checker/test]   💬  ::debug::check 1.19.2 satisfies 1.19.2
[Go Vulnerability Checker/test]   💬  ::debug::x64===x64 && darwin===linux
[Go Vulnerability Checker/test]   💬  ::debug::x64===x64 && linux===linux
[Go Vulnerability Checker/test]   💬  ::debug::matched 1.19.2
| Acquiring 1.19.2 from https://github.com/actions/go-versions/releases/download/1.19.2-3202506930/go-1.19.2-linux-x64.tar.gz
[Go Vulnerability Checker/test]   💬  ::debug::Downloading https://github.com/actions/go-versions/releases/download/1.19.2-3202506930/go-1.19.2-linux-x64.tar.gz
[Go Vulnerability Checker/test]   💬  ::debug::Destination /tmp/6002dd97-bb88-4134-9f02-70eb173867d5
[Go Vulnerability Checker/test]   💬  ::debug::download complete
| Extracting Go...
[Go Vulnerability Checker/test]   💬  ::debug::Checking tar --version
[Go Vulnerability Checker/test]   💬  ::debug::tar (GNU tar) 1.30%0ACopyright (C) 2017 Free Software Foundation, Inc.%0ALicense GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.%0AThis is free software: you are free to change and redistribute it.%0AThere is NO WARRANTY, to the extent permitted by law.%0A%0AWritten by John Gilmore and Jay Fenlason.
| [command]/usr/bin/tar xz --warning=no-unknown-keyword -C /tmp/099afe1c-6c34-41ae-bf2d-8f2357ecb268 -f /tmp/6002dd97-bb88-4134-9f02-70eb173867d5
| Successfully extracted go to /tmp/099afe1c-6c34-41ae-bf2d-8f2357ecb268
| Adding to the cache ...
[Go Vulnerability Checker/test]   💬  ::debug::Caching tool go 1.19.2 x64
[Go Vulnerability Checker/test]   💬  ::debug::source dir: /tmp/099afe1c-6c34-41ae-bf2d-8f2357ecb268
[Go Vulnerability Checker/test]   💬  ::debug::destination /opt/hostedtoolcache/go/1.19.2/x64
[Go Vulnerability Checker/test]   💬  ::debug::finished caching tool
| Successfully cached go to /opt/hostedtoolcache/go/1.19.2/x64
| Added go to the path
[Go Vulnerability Checker/test]   💬  ::debug::which go :/opt/hostedtoolcache/go/1.19.2/x64/bin/go:
[Go Vulnerability Checker/test]   💬  ::debug::go env GOPATH :/root/go:
[Go Vulnerability Checker/test]   💬  ::debug::creating /root/go
[Go Vulnerability Checker/test]   💬  ::debug::creating /root/go/bin
[Go Vulnerability Checker/test]   💬  ::debug::add bin true
| Successfully setup go version 1.19.2
[Go Vulnerability Checker/test]   ❓  ##[add-matcher]/run/act/actions/actions-setup-go@v2/matchers.json
| go version go1.19.2 linux/amd64
|
[Go Vulnerability Checker/test]   ❓  ::group::go env
| GO111MODULE=""
| GOARCH="amd64"
| GOBIN=""
| GOCACHE="/root/.cache/go-build"
| GOENV="/root/.config/go/env"
| GOEXE=""
| GOEXPERIMENT=""
| GOFLAGS=""
| GOHOSTARCH="amd64"
| GOHOSTOS="linux"
| GOINSECURE=""
| GOMODCACHE="/root/go/pkg/mod"
| GONOPROXY=""
| GONOSUMDB=""
| GOOS="linux"
| GOPATH="/root/go"
| GOPRIVATE=""
| GOPROXY="https://proxy.golang.org,direct"
| GOROOT="/opt/hostedtoolcache/go/1.19.2/x64"
| GOSUMDB="sum.golang.org"
| GOTMPDIR=""
| GOTOOLDIR="/opt/hostedtoolcache/go/1.19.2/x64/pkg/tool/linux_amd64"
| GOVCS=""
| GOVERSION="go1.19.2"
| GCCGO="gccgo"
| GOAMD64="v1"
| AR="ar"
| CC="gcc"
| CXX="g++"
| CGO_ENABLED="1"
| GOMOD="/Users/vivekpatani/junkyard/etcd/etcd-upstream/go.mod"
| GOWORK=""
| CGO_CFLAGS="-g -O2"
| CGO_CPPFLAGS=""
| CGO_CXXFLAGS="-g -O2"
| CGO_FFLAGS="-g -O2"
| CGO_LDFLAGS="-g -O2"
| PKG_CONFIG="pkg-config"
| GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2224535693=/tmp/go-build -gno-record-gcc-switches"
|
[Go Vulnerability Checker/test]   ❓  ::endgroup::
[Go Vulnerability Checker/test]   ✅  Success - Main actions/setup-go@v2
[Go Vulnerability Checker/test] ⭐ Run Main date
[Go Vulnerability Checker/test]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/2] user= workdir=
| Thu Oct 27 00:26:50 UTC 2022
[Go Vulnerability Checker/test]   ✅  Success - Main date
[Go Vulnerability Checker/test] ⭐ Run Main echo "${TARGET}"
case "${TARGET}" in
  linux-amd64-govuln-check)
    go install golang.org/x/vuln/cmd/govulncheck@latest
    govulncheck ./...
    ;;
esac
[Go Vulnerability Checker/test]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/3] user= workdir=
| linux-amd64-govuln-check
| go: downloading golang.org/x/vuln v0.0.0-20221025230227-995372c58a16
| go: downloading golang.org/x/tools v0.1.13-0.20220928184430-f80e98464e27
| go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
| go: downloading golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
| go: downloading golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f
| govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
|
| Scanning for dependencies with known vulnerabilities...
| No vulnerabilities found.
[Go Vulnerability Checker/test]   ✅  Success - Main echo "${TARGET}"
case "${TARGET}" in
  linux-amd64-govuln-check)
    go install golang.org/x/vuln/cmd/govulncheck@latest
    govulncheck ./...
    ;;
esac
[Go Vulnerability Checker/test] 🏁  Job succeeded

AMD64 has the same output, tested both.

- add job for govuln job
- allow to continue on failure, until all issues are addressed
- address: etcd-io#14449

Signed-off-by: vivekpatani <[email protected]>
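The exit-code discussion above (govulncheck exiting 0 when clean and 3 when it reports findings) and the commit's "allow to continue on failure" note leave one gap a CI step should close: with a blanket continue-on-error, a scanner that failed to install or crashed is indistinguishable from a clean scan. The wrapper below is an added example, not code from the etcd PR or from golang.org/x/vuln; it assumes the 0/3 exit codes observed in the thread, treats every other status as a tool error, and uses a hypothetical `GOVULNCHECK` environment variable to substitute the scanner binary.

```shell
#!/bin/sh
# Added example, not part of the etcd PR or of govulncheck itself: wrap the
# scanner so a CI step can tell "vulnerabilities reported" apart from
# "the scanner itself failed to run".
# Assumptions (taken from the PR discussion): govulncheck exits 0 when clean
# and 3 when it reports findings. Any other status is treated as a tool error.
# GOVULNCHECK is a hypothetical override used to point at another binary.

# classify_exit STATUS -> prints one of: clean | vulnerable | error
classify_exit() {
  case "$1" in
    0) echo clean ;;
    3) echo vulnerable ;;
    *) echo error ;;
  esac
}

# run_scan [PATTERN]
# Runs the scanner on PATTERN (default ./...) and maps its status so that:
#   0 -> clean, 3 -> findings present, 1 -> scanner missing or crashed.
# Keeping 3 distinct lets a workflow tolerate findings during a grace period
# without also hiding an install failure behind continue-on-error.
run_scan() {
  pattern="${1:-./...}"
  scanner="${GOVULNCHECK:-govulncheck}"
  status=0
  "$scanner" "$pattern" || status=$?
  case "$(classify_exit "$status")" in
    clean)
      echo "govulncheck: no known vulnerabilities in $pattern"
      return 0 ;;
    vulnerable)
      echo "govulncheck: vulnerabilities reported (exit $status)" >&2
      return 3 ;;
    *)
      echo "govulncheck: scanner failed to run (exit $status)" >&2
      return 1 ;;
  esac
}

# Direct use: `sh govuln.sh ./...` scans the given package pattern.
if [ "$#" -gt 0 ]; then
  run_scan "$1"
fi
```

During the grace period the workflow step can tolerate findings explicitly, for example `run_scan ./... || [ $? -eq 3 ]`, so that a missing or broken scanner (exit 1) still fails the job instead of being masked by `continue-on-error: true` on the whole step. Once all findings are addressed, drop the `|| [ $? -eq 3 ]` and exit 3 fails the job as intended.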
codecov-commenter:

Codecov Report

Merging #14625 (5c0d653) into main (9bc4a63) will decrease coverage by 0.20%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main   #14625      +/-   ##
==========================================
- Coverage   75.65%   75.45%   -0.21%     
==========================================
  Files         457      457              
  Lines       37271    37271              
==========================================
- Hits        28198    28121      -77     
- Misses       7321     7380      +59     
- Partials     1752     1770      +18     
Flag Coverage Δ
all 75.45% <ø> (-0.21%) ⬇️

Flags with carried forward coverage won't be shown.

Impacted Files Coverage Δ
server/storage/mvcc/watchable_store.go 85.14% <0.00%> (-8.34%) ⬇️
client/pkg/v3/fileutil/purge.go 68.85% <0.00%> (-6.56%) ⬇️
client/v3/concurrency/mutex.go 61.64% <0.00%> (-5.48%) ⬇️
server/lease/lease.go 94.87% <0.00%> (-5.13%) ⬇️
server/storage/mvcc/watcher.go 96.29% <0.00%> (-3.71%) ⬇️
server/etcdserver/api/v3rpc/watch.go 84.76% <0.00%> (-2.86%) ⬇️
pkg/traceutil/trace.go 96.15% <0.00%> (-1.93%) ⬇️
server/etcdserver/api/rafthttp/msgappv2_codec.go 71.30% <0.00%> (-1.74%) ⬇️
pkg/adt/interval_tree.go 85.96% <0.00%> (-1.26%) ⬇️
server/auth/store.go 84.21% <0.00%> (-1.16%) ⬇️
... and 9 more


ahrtr (Member) left a comment:

LGTM

Thank you @vivekpatani

We need to bump go versions in all other places as well. Please feel free to fix it in a separate PR or I can take care of it as well.

vivekpatani (Contributor, Author):

@ahrtr you got it, I'll update builds, tests and go.mod to go1.19.2. Will do it in 24 hours or so.

vivekpatani (Contributor, Author):

Wait for that PR to merge before merging this. @ahrtr

ahrtr (Member) commented Oct 27, 2022:

> Wait for that PR to merge before merging this. @ahrtr

It's OK to merge either PR first.

cc @serathius @spzala @ptabor do you have any comment or concern on this PR? thx

ahrtr (Member) commented Oct 27, 2022:

cc @mitake for opinion as well.

vivekpatani (Contributor, Author):

@ahrtr #14639

Review thread on the workflow matrix:

    fail-fast: false
    matrix:
      target:
      - linux-amd64-govuln-check

Member:

Are you planning to add multiple targets? If not, maybe simplify it.

Member:

I was planning to add the same comment, but it isn't a big deal, so I gave up adding the comment.

Member:

@vivekpatani feel free to address this comment in a separate PR if you want.

vivekpatani (Contributor, Author):

@serathius @ahrtr #14669 - addressed

@serathius serathius merged commit ac1b076 into etcd-io:main Oct 28, 2022