Add govulncheck script to expose go vulnerabilities #120562
Conversation
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
k8s-ci-robot
added
kind/feature
|
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-triage
Co-authored-by: LX <hwdefcom@outlook.com> Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
ArkaSaha30
force-pushed
the
govulncheck-script
branch
from
33ead06 to
9e34aa3
Compare
|
/lgtm |
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 85c2ef617e0473cda69f2b6f9e56339502cdc9a9
|
|
/sig security |
k8s-ci-robot
added
sig/security
There was a problem hiding this comment.
@ArkaSaha30 make sure to make changes to test infra PR to pull this file from right repository
/lgtm
Sure, I have already made the necessary changes - kubernetes/test-infra#30591 (comment) |
| export PATH=$PATH:$GOPATH/bin | ||
| mkdir -p "${WORKDIR}" | ||
| go install golang.org/x/vuln/cmd/govulncheck@v1.0.1 | ||
|
|
There was a problem hiding this comment.
use KUBE_VERIFY_GIT_BRANCH which is already populated in the verify CI job (other scripts in this repo already use it)
# KUBE_VERIFY_GIT_BRANCH is populated in verify CI jobs
BRANCH="${KUBE_VERIFY_GIT_BRANCH:-master}"
There was a problem hiding this comment.
master verify all failed for this verify script.
KUBE_VERIFY_GIT_BRANCH is overridden by Makefile.
kubernetes/build/root/Makefile
Lines 127 to 129 in 8319322
We got fatal: invalid reference: master in
https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-29/1727556821872283648
Should we skip this in release 1.29 verify-all? Or should we set BRANCH for this ci?
hack/verify-govulncheck.sh
Outdated
| mkdir -p "${WORKDIR}" | ||
| go install golang.org/x/vuln/cmd/govulncheck@v1.0.1 | ||
|
|
||
| govulncheck -scan module ./... > "${WORKDIR}/head.txt" |
There was a problem hiding this comment.
use the helper to make a temp dir that will get cleaned up
kube::util::ensure-temp-dir
WORKTREE="${KUBE_TEMP}/worktree"
# Create a copy of the repo with $BRANCH checked out
git worktree add -f "${WORKTREE}" "${BRANCH}"
# Clean up the copy on exit
kube::util::trap_add "git worktree remove -f ${WORKTREE}" EXIT
There was a problem hiding this comment.
Thank you for the suggestions @liggitt , I have updated the script with changes. My only concern is that ${KUBE_TEMP} tends to get removed and we do not get the artifacts. Do you suggest to copy them to /artifacts directory and add
export WORKDIR=${ARTIFACTS:-$TMPDIR}
export PATH=$PATH:$GOPATH/bin
mkdir -p "${WORKDIR}"
as it was?
|
FYI, new
|
|
@liggitt that's amazing. I learnt something new today. Also makes me happy we need one less job to run in test-infra because less code is more secure code 😎 On related note, Who needs to |
|
Oops looks like I missed the fact that there are some suggested edits before we can merge. @ArkaSaha30 Please feel free to ask for help from me on addressing these suggestions if needed. |
k8s-ci-robot
added
size/M
ArkaSaha30
force-pushed
the
govulncheck-script
branch
3 times, most recently
from
a4e9117 to
f6c151c
Compare
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
ArkaSaha30
force-pushed
the
govulncheck-script
branch
from
f6c151c to
7437ad2
Compare
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ArkaSaha30, dims, PushkarJ The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: a083f586ff5ea4b03fde385f17358ca7ff09be40
|
|
@ArkaSaha30: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR will add a govulncheck script to check for go vulnerabilities when a PR is raised. It will be triggered as a presubmit from test-infra/config/jobs/kubernetes/sig-security/govulncheck-presubmit.yaml for every PR opened for go module changes.
Which issue(s) this PR fixes:
Fixes: kubernetes/sig-security#99
Parent Issue: kubernetes/sig-security#95
Special notes for your reviewer:
Discussion threads:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: