ci: Update nancy to 1.0.33, switch to used dependencies audit

oasisprotocol · May 25, 2022 · a69793d · a69793d
1 parent b7d2534
commit a69793d
Show file tree

Hide file tree

Showing 6 changed files with 7 additions and 13 deletions.
diff --git a/.buildkite/go/nancy_audit.sh b/.buildkite/go/nancy_audit.sh
@@ -15,6 +15,6 @@ set -euxo pipefail
 ########################################
 # Check dependencies for vulnerabilities
 ########################################
-pushd go
-    go list -json -m all | nancy sleuth
+pushd go/oasis-node
+    go list -json -deps | nancy sleuth
 popd
diff --git a/.changelog/4762.trivial.md b/.changelog/4762.trivial.md
diff --git a/docker/development/Dockerfile b/docker/development/Dockerfile
@@ -1,9 +1,9 @@
 FROM ubuntu:20.04
 
 # Package versions.
-ARG GO_VERSION=1.17.7
-ARG GO_NANCY_VERSION=1.0.0
-ARG GO_NANCY_CHECKSUM=13804837a34c07e7a933b0d6f52c5e580b03ccb209e38fc3d6394b791b414c33
+ARG GO_VERSION=1.17.9
+ARG GO_NANCY_VERSION=1.0.33
+ARG GO_NANCY_CHECKSUM=a4bf5290d41b095c04f941ed5380674770c79d59735e33b1bd07a5cd5fbb135d
 ARG GO_PROTOC_VERSION=3.6.1
 ARG GO_PROTOC_GEN_GO_VERSION=1.21.0
 ARG GOLANGCILINT_VERSION=1.41.1
@@ -66,7 +66,7 @@ RUN wget https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz && \
     # Install gocovmerge for e2e coverage.
     go install github.com/wadey/gocovmerge@${GOCOVMERGE_VERSION} && \
     # Install nancy for auditing dependencies.
-    curl -sfL -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/v${GO_NANCY_VERSION}/nancy-linux.amd64-v${GO_NANCY_VERSION} && \
+    curl -sfL -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/v${GO_NANCY_VERSION}/nancy-v${GO_NANCY_VERSION}-linux-amd64 && \
     echo "${GO_NANCY_CHECKSUM} nancy" | sha256sum -c && \
     mv nancy /go/bin/nancy && \
     chmod +x /go/bin/nancy && \

diff --git a/go/.nancy-ignore b/go/.nancy-ignore
@@ -1 +0,0 @@
-CVE-2020-26160 # Until viper and etcd/prometheus are upgraded to not need jwt-go.

diff --git a/go/go.mod b/go/go.mod
@@ -1,11 +1,6 @@
 module github.com/oasisprotocol/oasis-core/go
 
 replace (
-	// Fixes vulnerabilities in etcd v3.3.{10,13} (dependencies via viper).
-	// Can be removed once there is a spf13/viper release with updated
-	// etcd and other dependencies using viper are updated.
-	// https://github.com/spf13/viper/issues/956
-	github.com/coreos/etcd => github.com/coreos/etcd v3.3.25+incompatible
 	// Updates the version used by badgerdb, because some of the Go
 	// module caches apparently have a messed up copy that causes
 	// build failures.

diff --git a/go/go.sum b/go/go.sum
@@ -186,7 +186,7 @@ github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8a
 github.com/containerd/continuity v0.2.0 h1:j/9Wnn+hrEWjLvHuIxUU1YI5JjEjVlT2AA68cse9rwY=
 github.com/containerd/continuity v0.2.0/go.mod h1:wCYX+dRqZdImhGucXOqTQn05AhX6EUDaGEMUzTFFpLg=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
-github.com/coreos/etcd v3.3.25+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=