Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use govulncheck in CI #522

Closed
orpheuslummis opened this issue Jun 13, 2022 · 1 comment · Fixed by #1689
Closed

Use govulncheck in CI #522

orpheuslummis opened this issue Jun 13, 2022 · 1 comment · Fixed by #1689
Labels
ci/build This is issue is about the build or CI system, and the administration of it. security Related to security

Comments

@orpheuslummis
Copy link
Contributor

Go introduces new tooling for vulnerability detection: golang.org/x/vuln/vulncheck

Command govulncheck reports known vulnerabilities that affect Go code. It uses static analysis or a binary's symbol table to narrow down reports to only those that potentially affect the application. For more information about the API behind govulncheck, see https://go.dev/security/vulncheck.

Because it is experimental it could potentially report false positives, thereby "blocking" PRs. We can be mindful of that and perhaps additionally it shouldn't be enabled on the develop/main branch checks, just on PRs.
@orpheuslummis orpheuslummis added ci/build This is issue is about the build or CI system, and the administration of it. security Related to security labels Jun 13, 2022
@shahzadlone shahzadlone mentioned this issue Jul 22, 2023
Closed
@shahzadlone
Copy link
Member

Use govulncheck to find vulnerabilities and update go version in the future.

I gave it a dry run and all our vulnerabilities that it was showing on go1.19 version were fixed by just bumping to go1.20

This was referenced Jul 22, 2023
Closed
Merged
shahzadlone added a commit that referenced this issue Jul 23, 2023
@shahzadlone
chore: Bump to GoLang v1.20 (#1689)
912824e 
## Relevant issue(s)
- Resolves #522
- Resolves #1687 

## Description
- This is a routine version bump of GoLang, the previous bump was done
in (#818)
- This PR also introduces a new workflow action (not-mandatory to pass
in order to merge) that was showing some vulnerabilities
pre-version-bump, all of the vulnerabilities were resolved once the
golang version was bumped. In future this trigger will be used to bump
golang versions.
- Also updates the golang version for AWS AMI generation.

Note:
- Before the bump we had 13 vulnerabilities:
https://github.com/sourcenetwork/defradb/actions/runs/5629964770/job/15255493129?pr=1688
- After the bump: passing with no vulnerabilities.


## How has this been tested?
- Added action that failed with vulnerabilities.
- Bumped version.
- Vulnerabilities were resolved and action passed.

Specify the platform(s) on which this was tested:
- Arch Linux
shahzadlone added a commit to shahzadlone/defradb that referenced this issue Feb 23, 2024
@shahzadlone
chore: Bump to GoLang v1.20 (sourcenetwork#1689)
6f2f8dd 
## Relevant issue(s)
- Resolves sourcenetwork#522
- Resolves sourcenetwork#1687 

## Description
- This is a routine version bump of GoLang, the previous bump was done
in (sourcenetwork#818)
- This PR also introduces a new workflow action (not-mandatory to pass
in order to merge) that was showing some vulnerabilities
pre-version-bump, all of the vulnerabilities were resolved once the
golang version was bumped. In future this trigger will be used to bump
golang versions.
- Also updates the golang version for AWS AMI generation.

Note:
- Before the bump we had 13 vulnerabilities:
https://github.com/sourcenetwork/defradb/actions/runs/5629964770/job/15255493129?pr=1688
- After the bump: passing with no vulnerabilities.


## How has this been tested?
- Added action that failed with vulnerabilities.
- Bumped version.
- Vulnerabilities were resolved and action passed.

Specify the platform(s) on which this was tested:
- Arch Linux
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ci/build This is issue is about the build or CI system, and the administration of it. security Related to security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: Bump to GoLang v1.20 sourcenetwork/defradb
2 participants
@orpheuslummis @shahzadlone