From b302ace4ae305df6e7e537a9beb2a505e8f9c9de Mon Sep 17 00:00:00 2001 From: Piotr Lucinski Date: Thu, 4 May 2023 22:16:22 -0700 Subject: [PATCH] [chore] Add govulncheck scan (as a new job in build-and-test workflow) (#7526) --- .github/workflows/api-compatibility.yml | 2 +- .github/workflows/build-and-test-windows.yaml | 2 +- .github/workflows/build-and-test.yml | 36 +++++++++++++++---- .../workflows/builder-integration-test.yaml | 2 +- .github/workflows/builder-release.yaml | 2 +- .github/workflows/changelog.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/contrib-tests.yml | 2 +- .github/workflows/create-dependabot-pr.yml | 2 +- .github/workflows/prepare-release.yml | 2 +- Makefile.Common | 5 +++ cmd/builder/internal/builder/main_test.go | 2 +- internal/tools/go.mod | 3 +- internal/tools/go.sum | 8 +++-- internal/tools/tools.go | 1 + 15 files changed, 54 insertions(+), 19 deletions(-) diff --git a/.github/workflows/api-compatibility.yml b/.github/workflows/api-compatibility.yml index 369279f075b..916c2f07768 100644 --- a/.github/workflows/api-compatibility.yml +++ b/.github/workflows/api-compatibility.yml @@ -31,7 +31,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 # Generate apidiff states of Main - name: Generate-States diff --git a/.github/workflows/build-and-test-windows.yaml b/.github/workflows/build-and-test-windows.yaml index e28eacb28c1..fb2c273d976 100644 --- a/.github/workflows/build-and-test-windows.yaml +++ b/.github/workflows/build-and-test-windows.yaml @@ -19,7 +19,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Cache Go uses: actions/cache@v3 env: diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index eef94949121..3f27be6e584 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml 
@@ -19,7 +19,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Cache Go id: go-cache uses: actions/cache@v3 @@ -41,7 +41,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Cache Go id: go-cache uses: actions/cache@v3 @@ -55,6 +55,30 @@ jobs: - name: goimpi run: make goimpi + govulncheck: + runs-on: ubuntu-latest + timeout-minutes: 30 + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version: ~1.19.9 + - name: Cache Go + id: go-cache + uses: actions/cache@v3 + with: + path: | + ~/go/bin + ~/go/pkg/mod + key: go-cache-${{ runner.os }}-${{ hashFiles('**/go.sum') }} + - name: Install Tools + if: steps.go-cache.outputs.cache-hit != 'true' + run: make install-tools + - name: Run `govulncheck` + run: make govulncheck + checks: runs-on: ubuntu-latest needs: [setup-environment] @@ -64,7 +88,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Cache Go id: go-cache uses: actions/cache@v3 @@ -144,7 +168,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Cache Go id: go-cache uses: actions/cache@v3 @@ -204,7 +228,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Cache Go id: go-cache uses: actions/cache@v3 @@ -218,4 +242,4 @@ jobs: GOOS: ${{matrix.goos}} GOARCH: ${{matrix.goarch}} run: | - make otelcorecol \ No newline at end of file + make otelcorecol diff --git a/.github/workflows/builder-integration-test.yaml b/.github/workflows/builder-integration-test.yaml index e1f4af26582..50bf3647e07 100644 --- a/.github/workflows/builder-integration-test.yaml +++ b/.github/workflows/builder-integration-test.yaml 
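Review bot: The new `govulncheck` job in the `@@ -55,6 +55,30 @@` hunk turns every reachable finding into a hard failure for the whole build-and-test workflow, because govulncheck exits non-zero on findings and `make govulncheck` propagates that, so a newly published advisory for an existing dependency will fail pull requests that did not touch it; decide explicitly whether that is the intended gate and say so in the job, e.g. `# Fails on any vuln from vuln.go.dev reachable from this module's code; a new advisory can break unrelated PRs until the dependency is bumped.` Restoring the binary from the `~/go/bin` cache keyed on `**/go.sum` is fine since the vulnerability database is fetched at scan time, but the `go-version` on this job's Setup Go step determines which standard-library advisories apply, so it must move together with the other jobs' `~1.19.9`. If this repository holds more than one Go module, `govulncheck ./...` run from the repository root scans only the root module's packages and the other modules need their own invocation — I cannot tell from this hunk whether the Makefile already loops over modules. As elsewhere in this file the actions are referenced by mutable tags (`actions/checkout@v3`, `actions/setup-go@v4`, `actions/cache@v3`); that is consistent with the file, but pinning to commit SHAs is the stronger supply-chain posture for a job whose purpose is a security gate.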
@@ -30,6 +30,6 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Test run: cd ./cmd/builder && ./test/test.sh diff --git a/.github/workflows/builder-release.yaml b/.github/workflows/builder-release.yaml index 975d7e10c98..900c1bbc149 100644 --- a/.github/workflows/builder-release.yaml +++ b/.github/workflows/builder-release.yaml @@ -16,7 +16,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Run GoReleaser uses: goreleaser/goreleaser-action@v4 with: diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 194c4192bbe..fac488c5b2e 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -27,7 +27,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Cache Go id: go-cache uses: actions/cache@v3 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9d840a66ab8..ad4fe8f1a35 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,7 +19,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/contrib-tests.yml b/.github/workflows/contrib-tests.yml index 1f315f73ada..90d5a0098c8 100644 --- a/.github/workflows/contrib-tests.yml +++ b/.github/workflows/contrib-tests.yml @@ -23,7 +23,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Run Contrib Tests run: | contrib_path=/tmp/opentelemetry-collector-contrib diff --git a/.github/workflows/create-dependabot-pr.yml b/.github/workflows/create-dependabot-pr.yml index 76a3a934306..f16b4b357b0 100644 --- a/.github/workflows/create-dependabot-pr.yml +++ b/.github/workflows/create-dependabot-pr.yml 
@@ -11,7 +11,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 - name: Run dependabot-pr.sh run: ./.github/workflows/scripts/dependabot-pr.sh env: diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index f3029ed134a..09b1e5bdd64 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -63,7 +63,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: ~1.19.6 + go-version: ~1.19.9 # Prepare Core for release. # - Update CHANGELOG.md file, this is done via chloggen # - Run make prepare-release PREVIOUS_VERSION=1.0.0 RELEASE_CANDIDATE=1.1.0 MODSET=stable diff --git a/Makefile.Common b/Makefile.Common index 9a28e0d2f99..d9b097582c5 100644 --- a/Makefile.Common +++ b/Makefile.Common @@ -31,6 +31,7 @@ CROSSLINK := $(TOOLS_BIN_DIR)/crosslink GO_ACC := $(TOOLS_BIN_DIR)/go-acc GOCOVMERGE := $(TOOLS_BIN_DIR)/gocovmerge GOIMPORTS := $(TOOLS_BIN_DIR)/goimports +GOVULNCHECK := $(TOOLS_BIN_DIR)/govulncheck LINT := $(TOOLS_BIN_DIR)/golangci-lint IMPI := $(TOOLS_BIN_DIR)/impi MISSPELL := $(TOOLS_BIN_DIR)/misspell @@ -65,6 +66,10 @@ tidy: lint: $(LINT) $(LINT) run +.PHONY: govulncheck +govulncheck: $(GOVULNCHECK) + $(GOVULNCHECK) ./... + .PHONY: generate generate: $(GOCMD) generate ./... diff --git a/cmd/builder/internal/builder/main_test.go b/cmd/builder/internal/builder/main_test.go index bf80752466d..56dc35571a6 100644 --- a/cmd/builder/internal/builder/main_test.go +++ b/cmd/builder/internal/builder/main_test.go 
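Review bot: The new `govulncheck` target in the Makefile.Common hunk has no comment, and its prerequisite `$(GOVULNCHECK)` depends on a build rule for `$(TOOLS_BIN_DIR)/...` that lies outside this hunk, so a reader cannot see from here how the binary is produced or what pins its version; add a line above the target such as `# Scan this module's packages for known vulnerabilities reachable from its code (vuln.go.dev); exits non-zero when any are found, which fails CI.` The scanner is presumably built from the internal/tools module (the blank import added to tools.go in this same patch), so its version is fixed by that module's go.mod/go.sum rather than by anything in this file, which is worth stating next to the target since the findings depend on the scanner version. Because Makefile.Common is shared, whether `./...` here covers every module depends on how each module's Makefile includes it — not visible in this hunk.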
@@ -90,7 +90,7 @@ func TestGenerateAndCompile(t *testing.T) {
 cfg := NewDefaultConfig()
 cfg.Distribution.OutputPath = t.TempDir()
 cfg.Replaces = append(cfg.Replaces, replaces...)
- cfg.LDFlags = `-X "test.gitVersion=0743dc6c6411272b98494a9b32a63378e84c34da" -X "test.gitTag=local-testing" -X "test.goVersion=go version go1.19.4 darwin/amd64"`
+ cfg.LDFlags = `-X "test.gitVersion=0743dc6c6411272b98494a9b32a63378e84c34da" -X "test.gitTag=local-testing" -X "test.goVersion=go version go1.19.9 darwin/amd64"`
 return cfg
 },
 },
diff --git a/internal/tools/go.mod b/internal/tools/go.mod
index c0842a0e508..8891ccd8c2b 100644
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -17,6 +17,7 @@ require (
 go.opentelemetry.io/build-tools/semconvgen v0.7.0
 golang.org/x/exp v0.0.0-20221004215720-b9f4876ce741
 golang.org/x/tools v0.8.0
+ golang.org/x/vuln v0.0.0-20230411201117-aaaefcd264f6
 )
 
 require (
@@ -215,7 +216,7 @@ require (
 mvdan.cc/gofumpt v0.4.0 // indirect
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
- mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d // indirect
+ mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8 // indirect
 )
 
 retract (
diff --git a/internal/tools/go.sum b/internal/tools/go.sum
index 9fbf399af9c..56d8b808efe 100644
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -280,6 +280,7 @@ github.com/google/addlicense v1.1.1 h1:jpVf9qPbU8rz5MxKo7d+RMcNHkqxi4YJi/laauX4a
 github.com/google/addlicense v1.1.1/go.mod h1:Sm/DHu7Jk+T5miFHHehdIjbi4M5+dJDRS3Cq0rncIxA=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 h1:rcv+Ippz6RAtvaGgKxc+8FQIpxHgsF+HBzPyYL2cyVU=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -308,6 +309,7 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -1019,6 +1021,8 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y=
 golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
+golang.org/x/vuln v0.0.0-20230411201117-aaaefcd264f6 h1:SJ0lK20LZB3cfTHvYOXH2m7DCIEaFdSlXtICBRv5bYU=
+golang.org/x/vuln v0.0.0-20230411201117-aaaefcd264f6/go.mod h1:64LpnL2PuSMzFYeCmJjYiRbroOUG9aCZYznINnF5PHE=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1159,8 +1163,8 @@ mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed h1:WX1yoOaKQfddO/mLzdV4wp
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b h1:DxJ5nJdkhDlLok9K6qO+5290kphDJbHOQO1DFFFTeBo=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
-mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d h1:3rvTIIM22r9pvXk+q3swxUQAQOxksVMGK7sml4nG57w=
-mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d/go.mod h1:IeHQjmn6TOD+e4Z3RFiZMMsLVL+A96Nvptar8Fj71is=
+mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8 h1:VuJo4Mt0EVPychre4fNlDWDuE5AjXtPJpRUWqZDQhaI=
+mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8/go.mod h1:Oh/d7dEtzsNHGOq1Cdv8aMm3KdKhVvPbRQcM8WFpBR8=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
diff --git a/internal/tools/tools.go b/internal/tools/tools.go
index 854944169b5..ee6d4adb732 100644
--- a/internal/tools/tools.go
+++ b/internal/tools/tools.go
@@ -37,4 +37,5 @@ import (
 _ "go.opentelemetry.io/build-tools/semconvgen"
 _ "golang.org/x/exp/cmd/apidiff"
 _ "golang.org/x/tools/cmd/goimports"
+ _ "golang.org/x/vuln/cmd/govulncheck"
 )