From bc0a228a2d518e3574dc14745ad1fc14ea6b8f6e Mon Sep 17 00:00:00 2001
From: Tam Mach
Date: Sun, 20 Sep 2020 10:19:45 +1000
Subject: [PATCH] build(dep): Ignore known dependency failure in nancy

Currently nancy is always failed, and we seem to ignore it completely. This reduces the value of having security scanning significantly. Ideally, the underlying issue should be fixed, however it will require long time for external collaboration. This commit is to ignore two known dependency failures.

Signed-off-by: Tam Mach
---
 .github/workflows/pr-extra.yml | 8 ++++----
 .nancy-ignore | 11 +++++++++++
 2 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 .nancy-ignore

diff --git a/.github/workflows/pr-extra.yml b/.github/workflows/pr-extra.yml
index a99d027aa622..7c6e1363261a 100644
--- a/.github/workflows/pr-extra.yml
+++ b/.github/workflows/pr-extra.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - uses: actions/setup-go@v2
-    # We cannot use nancy-github-action because it is outdated, so it's better to use the latest
-    # docker image for the validation
-    - name: nancy
-      run: go list -json -m all | docker run -i sonatypecommunity/nancy:v0.3
+    - name: Run go list
+      run: go list -json -m all > go.list
+    - name: Nancy
+      uses: sonatype-nexus-community/nancy-github-action@master
diff --git a/.nancy-ignore b/.nancy-ignore
new file mode 100644
index 000000000000..0a194a5d55e9
--- /dev/null
+++ b/.nancy-ignore
@@ -0,0 +1,11 @@
+# Skip for golang/golang.org/x/net@v0.0.0-20200904194848-62affa334b73
+CVE-2018-17848
+CVE-2018-17143
+CVE-2018-17847
+CVE-2018-17142
+CVE-2018-17846
+
+# Skip for indirect dependency github.com/coreos/etcd@3.3.13
+CVE-2020-15114
+CVE-2020-15115
+CVE-2020-15136
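Review bot: The new `Nancy` step pins a third-party action to a mutable branch, `uses: sonatype-nexus-community/nancy-github-action@master`, so whoever controls that repository can change what runs in this job — including what it does with the module list it is handed — without any change landing here, and the comment this hunk removes had already called that action outdated. Pin it to a full commit SHA with the released tag noted beside it, e.g. `uses: sonatype-nexus-community/nancy-github-action@<full-commit-sha> # vX.Y.Z`, and bump it deliberately. Nothing in the hunk says that `go.list` written by the `Run go list` step is the input the action consumes; a one-line comment above that step, `# nancy-github-action reads the module list from ./go.list`, would make the coupling explicit. The `jobs:`/`steps:` block this hunk edits starts before the hunk.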
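Review bot: Each entry in the new `.nancy-ignore` carries only a CVE ID, so the suppression is permanent and not scoped to the module version the comment names (`golang.org/x/net@v0.0.0-20200904194848-62affa334b73`, `github.com/coreos/etcd@3.3.13`); once those modules are upgraded the entries silently keep suppressing, and they would also hide the same IDs if reported against another module. Give each entry an expiry so it gets re-examined, e.g. `CVE-2020-15114 until=2021-03-31`, if the nancy version the action runs supports the `until=` syntax, or at least record a review date in the comment. The etcd comment records only that the dependency is indirect, which is not by itself a reason the findings are unexploitable; state the actual rationale (which etcd packages are imported and whether the affected code is reachable) and link the upstream issue the commit message alludes to, so the next reader can tell when the ignore can be dropped.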