
chore(ci): add govulncheck step to dependency-review #2752

Conversation

Jayanth-Parthsarathy
Contributor

Change Overview

Pull request type

Please check the type of change your PR introduces:

  • 🚧 Work in Progress
  • 🌈 Refactoring (no functional changes, no api changes)
  • 🐹 Trivial/Minor
  • 🐛 Bugfix
  • 🌻 Feature
  • 🗺️ Documentation
  • 🤖 Test

Issues

Changes

  • Added latest version of govulncheck GitHub Action
  • Runs on the root dir of the project and reports vulnerabilities

@Jayanth-Parthsarathy
Contributor Author

Hey @hairyhum. Please have a look at this and let me know if any changes are to be made.

@psilva-veeam
Contributor

psilva-veeam commented Mar 15, 2024

Hi, thanks for the PR. I realize govulncheck is still comparatively new. One feature that's not included yet is ignoring false positives [1]. This is for instance necessary for functionality in dependencies that may be vulnerable but isn't used. (Merges may get blocked.)

It would be good if in a first step govulncheck would just report and not block pipelines. One option could be to run it with continue-on-error: true. Also I wonder about nightly runs.

By the way, the Github Action https://github.com/golang/govulncheck-action is marked experimental at this point. I'm not sure if that's a serious impediment, on the other hand running the command directly on the build images might create a more realistic scan speaking about vulnerabilities that depend on the Go version in actual use. Also since it has a -json output parameter, missing functionality like ignoring findings could be added as needed.

[1] https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Limitations
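To make the "-json output, add the missing ignore functionality as needed" suggestion concrete, here is an added example of such a filter in Go. It is not code from the kanister project or from golang.org/x/vuln. It reads a govulncheck -json stream, separates findings that come with a call path to a vulnerable function from findings reported only at module level, and applies an explicit waiver list that must carry a reason. The record layout it assumes (objects keyed by "config", "progress" or "finding"; a finding carrying "osv" and a "trace" of frames with "module" and "function") is my reading of the govulncheck JSON format, and the sample stream, the GO-0000-* IDs and the example.com modules are constructed placeholders, not real advisories or dependencies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Frame and Finding carry only the govulncheck -json "finding" fields this
// filter needs. Assumption: field names follow the x/vuln stream format;
// encoding/json drops anything else.
type Frame struct {
	Module   string `json:"module"`
	Function string `json:"function"` // empty for module-level findings
}

type Finding struct {
	OSV   string  `json:"osv"`
	Trace []Frame `json:"trace"`
}

// record decodes one stream object; "config"/"progress" objects leave Finding nil.
type record struct {
	Finding *Finding `json:"finding"`
}

// Result groups OSV IDs after the waiver list has been applied.
type Result struct {
	Blocking   []string // a call path to a vulnerable function exists and no waiver is on file
	Ignored    []string // reachable, but waived with a recorded reason
	ModuleOnly []string // affected module, no call path found: informational only
}

// Filter reads a govulncheck -json stream and classifies every OSV ID.
// ignore maps OSV ID -> reason; an empty reason is rejected so waivers stay auditable.
func Filter(r io.Reader, ignore map[string]string) (Result, error) {
	for id, why := range ignore {
		if strings.TrimSpace(why) == "" {
			return Result{}, fmt.Errorf("ignore entry %s has no reason", id)
		}
	}
	reachable := map[string]bool{} // OSV ID -> some frame names a called function
	dec := json.NewDecoder(r)
	for {
		var rec record
		err := dec.Decode(&rec)
		if err == io.EOF {
			break
		}
		if err != nil {
			return Result{}, err
		}
		if rec.Finding == nil {
			continue
		}
		symbol := false
		for _, fr := range rec.Finding.Trace {
			symbol = symbol || fr.Function != ""
		}
		reachable[rec.Finding.OSV] = reachable[rec.Finding.OSV] || symbol
	}
	var res Result
	for id, sym := range reachable {
		_, waived := ignore[id]
		switch {
		case !sym:
			res.ModuleOnly = append(res.ModuleOnly, id)
		case waived:
			res.Ignored = append(res.Ignored, id)
		default:
			res.Blocking = append(res.Blocking, id)
		}
	}
	sort.Strings(res.Blocking)
	sort.Strings(res.Ignored)
	sort.Strings(res.ModuleOnly)
	return res, nil
}

// ExitCode is what the CI step returns: fail only on reachable, unwaived findings.
func ExitCode(res Result) int {
	if len(res.Blocking) > 0 {
		return 1
	}
	return 0
}

// SampleStream is a constructed stream with placeholder IDs, not real advisories.
const SampleStream = `{"config":{"scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code for known vulnerabilities..."}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/dep"}]}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/dep","function":"Parse"},{"module":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","trace":[{"module":"example.com/other"}]}}
{"finding":{"osv":"GO-0000-0003","trace":[{"module":"example.com/codec","function":"Decode"},{"module":"example.com/app","function":"Load"}]}}
`

// SampleIgnore is a constructed waiver list; the reason is what a reviewer should find.
var SampleIgnore = map[string]string{
	"GO-0000-0003": "Decode only runs on operator-supplied config, never on untrusted input",
}

func main() {
	var in io.Reader = strings.NewReader(SampleStream)
	if len(os.Args) > 1 && os.Args[1] == "-" { // govulncheck -json ./... | go run . -
		in = os.Stdin
	}
	res, err := Filter(in, SampleIgnore)
	if err != nil {
		fmt.Fprintln(os.Stderr, "govulncheck filter:", err)
		os.Exit(2)
	}
	fmt.Printf("blocking: %v\nignored: %v\nmodule-only: %v\n", res.Blocking, res.Ignored, res.ModuleOnly)
	os.Exit(ExitCode(res))
}
```

In a workflow the step would pipe `govulncheck -json ./...` into this program; while the waiver list is still being established, marking that step `continue-on-error: true` keeps the report visible without blocking merges, and the exit code can be made blocking later by removing that key.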

@Jayanth-Parthsarathy
Contributor Author

Hi @psilva-veeam. Thank you for bringing up the continue-on-error: true feature. It sounds like incorporating this option should address the issue of pipeline blocking due to govulncheck findings. Your insight is much appreciated!

I'll proceed to implement this change in the upcoming commit. Thanks again for your helpful suggestion!

@Jayanth-Parthsarathy
Contributor Author

Hey @psilva-veeam. Do you suggest we use the govulncheck command directly instead of the github-action which is experimental, in our workflow?

@julio-lopez
Contributor

The golang/govulncheck-action appears to be used broadly in the GH+Go ecosystem, and it is used in upstream projects such as kopia.

@psilva-veeam @hairyhum @pavannd1 any objection with adding this as part of the CI workflow?

@psilva-veeam
Contributor

I see, from my side it sounds good to use the golang/govulncheck-action then!

@julio-lopez julio-lopez merged commit 9692a68 into kanisterio:master Mar 19, 2024
12 checks passed
@julio-lopez julio-lopez added security Security related issues upstream-security labels Mar 19, 2024
@Jayanth-Parthsarathy Jayanth-Parthsarathy deleted the jayanth-parthsarathy/govulncheck branch March 20, 2024 03:38
Successfully merging this pull request may close these issues.

Add govulncheck to CI
3 participants