Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🌱 Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action #9144

Merged
merged 1 commit into from
Aug 14, 2023

Conversation

chrischdi
Copy link
Member

What this PR does / why we need it:

Adds:

  • verify-govulncheck target, to scan the code via govulncheck
  • verify-vulnerabilities target which runs ./hack/verify-vulnerabilities.sh
    • Runs make verify-container-images
    • Runs make verify-govulncheck
    • Exit code is 1 if one or both targets report vulnerabilities or errors
  • Use verify-vulnerabilities in scan action instead of verify-container-images

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #9091

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 8, 2023
@chrischdi
Copy link
Member Author

/hold

Want to check if it works like this for submodules

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 8, 2023
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 8, 2023
@chrischdi
Copy link
Member Author

/hold cancel

We have to run it on a per-module base.

Added all modules to make-govulncheck.

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 8, 2023
Makefile Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 9, 2023
@chrischdi chrischdi force-pushed the pr-govulncheck branch 2 times, most recently from cf19c1c to 742571c Compare August 9, 2023 07:24
Copy link
Member

@sbueringer sbueringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one nit otherwise lgtm from my side

Makefile Outdated Show resolved Hide resolved
@sbueringer
Copy link
Member

/assign @vincepri
for another review

@chrischdi
Copy link
Member Author

@vincepri : kindly asking for another look if you find some time :-)

@sbueringer
Copy link
Member

sbueringer commented Aug 14, 2023

I'll merge it for now so we can get some experience.

If there are further comments let's open a follow-up PR.

I think there were no general objections

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 14, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 48c20f9b67f8adef679a49b898fda363f337eff0

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 14, 2023
@k8s-ci-robot k8s-ci-robot merged commit 14e6248 into kubernetes-sigs:main Aug 14, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.6 milestone Aug 14, 2023
@chrischdi
Copy link
Member Author

/cherry-pick release-1.5

@chrischdi
Copy link
Member Author

/cherry-pick release-1.4

@k8s-infra-cherrypick-robot

@chrischdi: #9144 failed to apply on top of branch "release-1.5":

Applying: Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action
Using index info to reconstruct a base tree...
A	.github/workflows/weekly-image-scan.yaml
M	Makefile
M	docs/release/release-tasks.md
Falling back to patching base and 3-way merge...
Auto-merging docs/release/release-tasks.md
CONFLICT (content): Merge conflict in docs/release/release-tasks.md
Auto-merging Makefile
CONFLICT (rename/rename): Rename ".github/workflows/weekly-image-scan.yaml"->".github/workflows/scan.yml" in branch "HEAD" rename ".github/workflows/weekly-image-scan.yaml"->".github/workflows/weekly-security-scan.yaml" in "Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action"
Auto-merging .github/workflows/scan.yml and .github/workflows/weekly-security-scan.yaml, both renamed from .github/workflows/weekly-image-scan.yaml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-infra-cherrypick-robot

@chrischdi: #9144 failed to apply on top of branch "release-1.4":

Applying: Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action
Using index info to reconstruct a base tree...
A	.github/workflows/weekly-image-scan.yaml
M	Makefile
M	docs/release/release-tasks.md
M	hack/verify-container-images.sh
Falling back to patching base and 3-way merge...
Auto-merging hack/verify-container-images.sh
Auto-merging docs/release/release-tasks.md
CONFLICT (content): Merge conflict in docs/release/release-tasks.md
Auto-merging Makefile
CONFLICT (rename/rename): Rename ".github/workflows/weekly-image-scan.yaml"->".github/workflows/scan.yml" in branch "HEAD" rename ".github/workflows/weekly-image-scan.yaml"->".github/workflows/weekly-security-scan.yaml" in "Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action"
Auto-merging .github/workflows/scan.yml and .github/workflows/weekly-security-scan.yaml, both renamed from .github/workflows/weekly-image-scan.yaml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Add verify-govulncheck and verify-vulnerabilities targets and integrate to scan action
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@chrischdi
Copy link
Member Author

/area ci

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/ci Issues or PRs related to ci cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Integrate govulncheck
5 participants