Integrate govulncheck #2119
Comments
Corresponding core CAPI issue: kubernetes-sigs/cluster-api#9091
Question: should we optionally consider using the gh action for it? https://github.com/golang/govulncheck-action I think being able to run it locally too leads me to +1 the makefile / via
I think if the action doesn't have a significant upside I would favor a make target and running it in our existing scan action. It's also very valuable to just be able to check out an arbitrary commit and then run the make target (e.g. for older releases / commits).
/assign
/reopen To close when cherry-picks are done
@chrischdi: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@chrischdi Done?
jep |
govulncheck is a tool provided by the Go team: https://go.dev/blog/vuln
It allows scanning Go code for vulnerabilities and then reports if the vulnerable code is actually used (it could be that we have a Go dependency with a CVE, but the affected package in the dependency is not actually used). The huge benefit here is that it can help to assess the impact of CVEs (i.e. no impact if we don't use the code).
It should be pretty easy to integrate as it can be ~ run via

```
go run golang.org/x/vuln/cmd/govulncheck ./...
```

But let's integrate it with go install like other tools.
Limitations:
Notes:
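One way to wire this up the way the issue describes (install via `go install` into a repo-local tools directory, expose it as a make target that can be run against any checked-out commit and reused by a CI scan job). This is an added example, not code from the cluster-api repository; `TOOLS_BIN_DIR`, `GOVULNCHECK_VER` and the target name `verify-govulncheck` are assumed names, and the pinned version is a placeholder to be replaced with a release you have verified.

```makefile
# Added example (not cluster-api's Makefile): install govulncheck with
# `go install` into a repo-local tools directory and run it as a make target.
# TOOLS_BIN_DIR, GOVULNCHECK_VER and verify-govulncheck are assumed names.
TOOLS_BIN_DIR ?= $(CURDIR)/hack/tools/bin
# Placeholder version: pin to a release you have verified.
GOVULNCHECK_VER ?= v1.0.1
# Versioned binary name so that bumping GOVULNCHECK_VER forces a reinstall.
GOVULNCHECK := $(TOOLS_BIN_DIR)/govulncheck-$(GOVULNCHECK_VER)

$(GOVULNCHECK):
	mkdir -p $(TOOLS_BIN_DIR)
	GOBIN=$(TOOLS_BIN_DIR) go install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VER)
	mv $(TOOLS_BIN_DIR)/govulncheck $(GOVULNCHECK)

.PHONY: verify-govulncheck
verify-govulncheck: $(GOVULNCHECK) ## Scan all packages; fails the build when reachable vulnerable code is found
	$(GOVULNCHECK) ./...
```

`make verify-govulncheck` works on any commit that has this Makefile, which is what makes it useful for re-assessing older releases; the same target can be invoked from the existing scan workflow instead of adopting the separate GitHub Action. govulncheck exits non-zero when it finds a vulnerability that is reachable from the scanned code, so the target fails only on findings that actually affect the module rather than on every vulnerable dependency in go.sum.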