Description
Run `govulncheck` when a new PR is opened with Go module changes, to understand whether the new changes bring in vulnerabilities beyond the ones already affecting the main (master) branch.
Implementation Details
- Create a new yaml file here: https://github.com/kubernetes/test-infra/tree/0e5705d1a7cfe4c0ba8e2518a15c26f8ebc1b66d/config/jobs/kubernetes/sig-security named `govulncheck-presubmit.yaml` that looks something like this (the `args` list passes the shell command as the block scalar following `-c`):

```yaml
presubmits:
  kubernetes/kubernetes:
  - name: check-govulncheck-results
    decorate: true
    decoration_config:
      timeout: 5m
    path_alias: k8s.io/kubernetes
    extra_refs:
    - org: kubernetes
      repo: sig-security
      base_ref: main
      workdir: true
    always_run: false
    optional: true
    run_if_changed: '^(go.mod|go.sum|vendor)'
    spec:
      containers:
      - image: golang
        command:
        - /bin/bash
        args:
        - -c
        - |
          cd sig-security-tooling/govulncheck/hack/ && ./govulncheck-presubmit.sh
    annotations:
      testgrid-create-test-group: "true"
      testgrid-dashboards: sig-security-govulncheck-presubmit
      description: Runs `govulncheck` for PRs related to go module changes
```
- Add a new file `sig-security-tooling/govulncheck/hack/govulncheck-presubmit.sh` in https://github.com/kubernetes/sig-security:

```bash
#!/usr/bin/env bash
set -euo pipefail
# Write the reports to the prow artifacts directory when available, else to a temp dir.
export WORKDIR=${ARTIFACTS:-${TMPDIR:-/tmp}}
export PATH=$PATH:$(go env GOPATH)/bin
mkdir -p "${WORKDIR}"
# Install govulncheck from outside the module tree so it does not touch go.mod.
pushd "$WORKDIR"
go install golang.org/x/vuln/cmd/govulncheck@latest
popd
# Both scans and the git checkout act on the current directory, so run this
# from the root of the module under test. govulncheck exits non-zero when it
# finds vulnerabilities, which set -e would otherwise turn into an abort.
govulncheck -scan module ./... > "${WORKDIR}/head.txt" || true
# Scan the PR base commit for comparison.
git reset --hard HEAD
git checkout -b base "${PULL_BASE_SHA}"
govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt" || true
# Report the difference; '|| true' keeps the non-blocking job from failing on diff's exit code.
diff -s -u --ignore-all-space "${WORKDIR}"/pr-base.txt "${WORKDIR}"/head.txt || true
```
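As an added example (not code from this issue or from the sig-security repo): a small Go helper that reads two `govulncheck -json` streams and lists only the advisory ids present in the PR head scan but absent from the base scan, which is more robust than a textual diff because it ignores output ordering and repeated call stacks for the same advisory. It assumes govulncheck's JSON stream carries findings under a `finding` object with an `osv` field (check this against the installed version); the two sample streams are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Subset of a govulncheck -json stream object. The field name finding.osv is
// assumed; encoding/json matches keys case-insensitively, so no tag is needed.
type message struct{ Finding *struct{ OSV string } }
// findings returns the OSV ids in one stream (concatenated JSON objects).
func findings(r io.Reader) (map[string]bool, error) {
	out := map[string]bool{}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if m.Finding != nil { // config/progress/osv messages are skipped
			out[m.Finding.OSV] = true
		}
	}
}
// newFindings returns ids in head but not base, sorted: what the PR adds.
func newFindings(base, head map[string]bool) []string {
	var diff []string
	for id := range head {
		if !base[id] {
			diff = append(diff, id)
		}
	}
	sort.Strings(diff)
	return diff
}
// Constructed sample streams with placeholder OSV ids.
const baseJSON = `{"config":{"scan_level":"module"}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/placeholder-a"}]}}`
const headJSON = baseJSON + `
{"finding":{"osv":"GO-0000-0002","trace":[{"module":"example.com/placeholder-b"}]}}`
func main() {
	b, _ := findings(strings.NewReader(baseJSON))
	h, _ := findings(strings.NewReader(headJSON))
	fmt.Println("new in PR head:", newFindings(b, h)) // [GO-0000-0002]
}
```

In the job, the two `head.txt`/`pr-base.txt` reports would be produced with `-json` and fed to `findings` instead of being diffed as text.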
Tips and Caveats
- Check the directory the scripts are running in when any errors show up.
- `|| true` is set so that the job doesn't fail, since it's non-blocking.
- Check jobs like these for reference: https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/118974/check-dependency-stats/1696148900479504384 and https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/auto-refreshing-official-cve-feed/1696307434462646272
Parent Issue
#95
/sig security architecture
/area dependency security