Merge pull request #3283 from oasisprotocol/ptrus/feature/update-nancy

go/ci: update nancy
oasisprotocol · Sep 17, 2020 · d1348d9 · d1348d9
2 parents 0ad94c1 + f52d25d
commit d1348d9
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 18 deletions.
diff --git a/.buildkite/go/nancy_audit.sh b/.buildkite/go/nancy_audit.sh
@@ -15,4 +15,6 @@ set -euxo pipefail
 ########################################
 # Check dependencies for vulnerabilities
 ########################################
-nancy ./go/go.sum
+pushd go
+    go list -json -m all | nancy sleuth
+popd
diff --git a/.changelog/3283.internal.md b/.changelog/3283.internal.md
@@ -0,0 +1 @@
+go/ci: Update nancy to 1.0.0
diff --git a/.nancy-ignore b/.nancy-ignore
diff --git a/docker/development/Dockerfile b/docker/development/Dockerfile
@@ -2,6 +2,8 @@ FROM ubuntu:18.04
 
 # Package versions.
 ARG GO_VERSION=1.15.1
+ARG GO_NANCY_VERSION=1.0.0
+ARG GO_NANCY_CHECKSUM=13804837a34c07e7a933b0d6f52c5e580b03ccb209e38fc3d6394b791b414c33
 ARG GO_PROTOC_VERSION=3.6.1
 ARG GO_PROTOC_GEN_GO_VERSION=1.21.0
 ARG GOLANGCILINT_VERSION=1.28.2
@@ -62,8 +64,8 @@ RUN wget https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz && \
     # Install gocovmerge for e2e coverage.
     GO111MODULE=on go get github.com/wadey/gocovmerge@${GOCOVMERGE_VERSION} && \
     # Install nancy for auditing dependencies.
-    curl -sfL -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/v0.0.39/nancy-linux.amd64-v0.0.39 && \
-    echo 'eb3a93d7db24d115e6e67a2b17dba402978f856c891fa6f0ff09ad17ac53ebb5 nancy' | sha256sum -c && \
+    curl -sfL -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/v${GO_NANCY_VERSION}/nancy-linux.amd64-v${GO_NANCY_VERSION} && \
+    echo "${GO_NANCY_CHECKSUM} nancy" | sha256sum -c && \
     mv nancy /go/bin/nancy && \
     chmod +x /go/bin/nancy && \
     # Install gofumpt for code formatting.

diff --git a/go/.nancy-ignore b/go/.nancy-ignore
@@ -0,0 +1,15 @@
+# For some reason these are false positives in the golang/golang.org/x/net, we
+# use the latest version of this package which is not vulnerable.
+# See: https://github.com/sonatype-nexus-community/nancy/issues/189
+CVE-2018-17847
+CVE-2018-17142
+CVE-2018-17846
+CVE-2018-17075
+CVE-2018-17143
+CVE-2018-17848
+
+# Beats me how and why etcd is even imported in viper.
+# https://github.com/spf13/viper/issues/956
+CVE-2020-15114
+CVE-2020-15136
+CVE-2020-15115