Add govulncheck script to expose go vulnerabilities in a PR #101
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/S
| export WORKDIR=${ARTIFACTS:-$TMPDIR} | ||
| export PATH=$PATH:$GOPATH/bin | ||
| mkdir -p "${WORKDIR}" | ||
| pushd "$WORKDIR" | ||
| go install golang.org/x/vuln/cmd/govulncheck@latest | ||
| popd | ||
|
|
||
| govulncheck -scan module ./... > "${WORKDIR}/head.txt" | ||
| git reset --hard HEAD | ||
| git checkout -b base "${PULL_BASE_SHA}" | ||
| govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt" | ||
| diff -s -u --ignore-all-space "${WORKDIR}"/pr-base.txt "${WORKDIR}"/head.txt || true |
There was a problem hiding this comment.
@ArkaSaha30 were you able to test this locally with prow to see if the directories line up correctly with where govulncheck needs to run?
There was a problem hiding this comment.
I tried with pj-on-kind, looks like it is trying to run in the current directory instead of k8s.io/kubernetes. Working on fixing it, thank you
There was a problem hiding this comment.
Instead of changing this script I have fixed the path in check-govulncheck-results presubmit:
- cd sig-security-tooling/govulncheck/hack/ && ./govulncheck-presubmit.sh
+ cd ../kubernetes
+ ../sig-security/sig-security-tooling/govulncheck/hack/govulncheck-presubmit.sh
And the govulncheck is running successfully(used #120341 as the PR to run the presubmit):
/logs/artifacts /home/prow/go/src/k8s.io/kubernetes
go: downloading golang.org/x/vuln v1.0.1
go: downloading golang.org/x/mod v0.12.0
go: downloading golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846
go: downloading golang.org/x/sync v0.3.0
go: downloading golang.org/x/sys v0.11.0
/home/prow/go/src/k8s.io/kubernetes
HEAD is now at 6e95fa1942e Merge commit '123da8cc1fed775a68f97fd4beb032f2b45a0200'
Switched to a new branch 'base'
--- /logs/artifacts/pr-base.txt 2023-09-05 15:17:04.307034006 +0000
+++ /logs/artifacts/head.txt 2023-09-05 15:16:47.373852012 +0000
@@ -1,4 +1,4 @@
-Scanning your code and 2056 packages across 219 dependent modules for known vulnerabilities...
+Scanning your code and 2088 packages across 221 dependent modules for known vulnerabilities...
No vulnerabilities found.
There was a problem hiding this comment.
Can I go ahead with the above change?
There was a problem hiding this comment.
Yes go for it. Thanks for testing this 🙌🏼
ArkaSaha30
force-pushed
the
govulncheck-presubmit
branch
from
b0e4b26
to
abae1f9
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ArkaSaha30 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
ArkaSaha30
force-pushed
the
govulncheck-presubmit
branch
from
abae1f9
to
ed62a0e
Compare
There was a problem hiding this comment.
[SIG Testing Hat On]
Typically we run a tool like this with a script in the repo under test (IE kubernetes/kubernetes).
That way changes to the script can be safely made without suddenly failing all PRs, the new changes will only take affect once the PR with the changes passes running those tests on the repo under test because it is the same repo with the script.
Additionally, it is best practice to install a specific version of a linter etc for the same reason, rather than @latest. In k/k it should be versioned in hack/tools/go.mod
|
+1 to the verify script living in k/k and versioning the govulncheck lib |
|
Completed via kubernetes/kubernetes#120562 /close |
|
@PushkarJ: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR will add a govulncheck script to check for go vulnerabilities when a PR is raised. It will be triggered as a presubmit from
test-infra/config/jobs/kubernetes/sig-security/govulncheck-presubmit.yamlfor every PR opened for go module changes.Fixes: #99
Parent Issue: #95