Run govulncheck daily to alert us to vulnerabilities in the main branch #404

Merged
merged 4 commits into from
Mar 14, 2024

Conversation

wallrj
Member

@wallrj wallrj commented Mar 14, 2024

Run govulncheck at midnight every night on the main branch to alert us to recent vulnerabilities which affect the Go code in this project.

For example, this would have alerted us to the vulnerabilities in Go 1.21.7 which were fixed in Go 1.21.8.
The badge would have turned red and GitHub notifications would have been received by maintainers who are subscribed to this project.
The output of the failed action would have looked like:

Running 'GOTOOLCHAIN=go1.21.7 _bin/tools/govulncheck ./...' in directory '.'
Scanning your code and 1172 packages across 104 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2610
    Errors returned from JSON marshaling may break template escaping in
    html/template
  More info: https://pkg.go.dev/vuln/GO-2024-2610
  Standard library
    Found in: html/template@go1.21.7
    Fixed in: html/template@go1.21.8
    Example traces found:
      #1: test/env/env.go:73:24: env.RunControlPlane calls envtest.Environment.Start, which eventually calls template.Template.Execute
      #2: test/env/env.go:90:63: env.RunControlPlane calls webhook.StartWebhookServer, which eventually calls template.Template.ExecuteTemplate

Depends on the make verify-govulncheck target which was added to makefile_modules in cert-manager/makefile-modules#90:

Testing

I've tested the new workflow by updating the default branch of my fork and triggering it there, as explained by @jsoref in https://github.com/orgs/community/discussions/25746.
Here are the results:

And here's what the new badge in the README file should look like:

govulncheck
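As an added illustration (not the workflow file merged in this PR, whose contents are not shown here), a GitHub Actions workflow that runs the `make verify-govulncheck` target nightly on the default branch; the file name, the `actions/setup-go` configuration and the `permissions` block are assumptions.

```yaml
# Assumed example: .github/workflows/govulncheck.yaml (not the file from this PR)
name: govulncheck

on:
  schedule:
    # Midnight every day; GitHub Actions cron schedules are evaluated in UTC.
    - cron: "0 0 * * *"
  # Let maintainers trigger a scan by hand, e.g. right after a Go point release
  # such as the 1.21.7 -> 1.21.8 fix mentioned in the PR description.
  workflow_dispatch:

# The scan only needs to read the repository.
permissions:
  contents: read

jobs:
  govulncheck:
    # Scheduled workflows run against the default branch, so this scans main.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          # Take the Go toolchain from go.mod so the scan covers the same
          # standard library version that the project actually builds with.
          go-version-file: go.mod

      # Target provided by makefile_modules (cert-manager/makefile-modules#90).
      # govulncheck exits non-zero when a vulnerable symbol is reachable, which
      # fails the job, turns the badge red and notifies subscribed maintainers.
      - run: make verify-govulncheck
```

The README badge for this workflow would be `https://github.com/<owner>/<repo>/actions/workflows/govulncheck.yaml/badge.svg?branch=main` (path assumed to match the file name above). GitHub disables scheduled workflows in public repositories after 60 days without repository activity, so a nightly scan on a quiet repository can silently stop running unless someone re-enables it.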

@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 14, 2024
@wallrj wallrj changed the title Add the make verify-govulncheck by importing the go module from makefile_modules WIP: Add the make verify-govulncheck by importing the go module from makefile_modules Mar 14, 2024
@jetstack-bot jetstack-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 14, 2024
@wallrj wallrj force-pushed the govulncheck branch 2 times, most recently from 210acc8 to 37585a1 Compare March 14, 2024 12:00
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 14, 2024
@wallrj wallrj changed the title WIP: Add the make verify-govulncheck by importing the go module from makefile_modules Run govulncheck at midnight every night on the main branch Mar 14, 2024
@jetstack-bot jetstack-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 14, 2024
@wallrj wallrj requested a review from inteon March 14, 2024 14:26
@wallrj wallrj changed the title Run govulncheck at midnight every night on the main branch Run govulncheck daily to alert us to vulnerabilities in the main branch Mar 14, 2024
Member

@inteon inteon left a comment

I do not know if GH actions is better vs prow.
The badge seems to be an advantage of GH actions.
We can still move if there are any issues.
/approve
/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 14, 2024
@jetstack-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 14, 2024
@jetstack-bot jetstack-bot merged commit fadb1e4 into cert-manager:main Mar 14, 2024
5 checks passed
@wallrj wallrj deleted the govulncheck branch March 14, 2024 15:40