
[govulncheck] Periodic Prow Job for govulncheck #100

Closed
4 tasks done
Tracked by #95
PushkarJ opened this issue Aug 28, 2023 · 13 comments
Assignees
Labels
area/dependency Issues or PRs related to dependency changes sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/security Categorizes an issue or PR as relevant to SIG Security.

Comments

@PushkarJ
Member

PushkarJ commented Aug 28, 2023

Description

Run govulncheck periodically in its default mode (symbol level) on https://github.com/kubernetes/kubernetes for:

  • master branch i.e. HEAD
  • release-1.stable-version
  • release-1.prev-stable-minor-version
  • release-1.oldest-stable-minor-version

This will allow us to get a sense of newly identified vulnerabilities and help facilitate decisions on cherry picks.

Implementation Details

Create a new YAML file in https://github.com/kubernetes/test-infra/tree/0e5705d1a7cfe4c0ba8e2518a15c26f8ebc1b66d/config/jobs/kubernetes/sig-security named govulncheck-periodic.yaml that looks something like this:

periodics:
  - interval: 6h
    name: check-dependency-stats-periodical
    decorate: true
    decoration_config:
      timeout: 5m  # four full scans of kubernetes/kubernetes may need more than this
    extra_refs:
    - org: kubernetes
      repo: kubernetes
      base_ref: master
      path_alias: k8s.io/kubernetes
    spec:
      containers:
      - image: golang
        command:
        - /bin/bash
        args:
        - -c
        - |
          set -euo pipefail
          # Prow sets ARTIFACTS in decorated jobs; fall back to a temp dir so set -u does not abort.
          export WORKDIR=${ARTIFACTS:-${TMPDIR:-/tmp}}
          export PATH=$PATH:$(go env GOPATH)/bin
          mkdir -p "${WORKDIR}"
          go install golang.org/x/vuln/cmd/govulncheck@latest

          # govulncheck exits non-zero when it reports a vulnerability and prints
          # "No vulnerabilities found." otherwise, so the exit status (not the
          # size of the output file) is the signal. Record it instead of letting
          # set -e stop the job before the remaining branches are scanned.
          # -scan module reports at module granularity; drop the flag to get the
          # default symbol-level analysis described above.
          failed=0
          scan() {
            govulncheck -scan module ./... > "${WORKDIR}/$1.txt" || failed=1
          }

          # The working directory is the k8s.io/kubernetes checkout from extra_refs.
          scan head

          stable=$(curl -Ls https://dl.k8s.io/release/stable.txt)   # e.g. v1.28.1
          minorversion=$(echo "${stable}" | cut -d. -f2)
          prevminorversion=$((minorversion - 1))
          oldestminorversion=$((prevminorversion - 1))

          for branch in "release-1.${minorversion}" "release-1.${prevminorversion}" "release-1.${oldestminorversion}"; do
            git reset --hard HEAD
            git fetch origin "${branch}"
            git checkout -f "origin/${branch}"
            scan "${branch}"
          done

          if [ "${failed}" -ne 0 ]; then
            cat "${WORKDIR}"/*.txt
            exit 1
          fi
    annotations:
      testgrid-create-test-group: "true"
      testgrid-dashboards: sig-security-govulncheck-periodics
      description: Runs `govulncheck` periodically on master and supported release branches

Tips and Caveats

Parent

#95

Periodic Jobs:

https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-30
https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-29
https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-28
https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-27
https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-master

Backport PRs

kubernetes/kubernetes#124750
kubernetes/kubernetes#124751
kubernetes/kubernetes#125772

Links to Release branches script

https://github.com/kubernetes/kubernetes/blob/release-1.27/hack/verify-govulncheck.sh
https://github.com/kubernetes/kubernetes/blob/release-1.28/hack/verify-govulncheck.sh
https://github.com/kubernetes/kubernetes/blob/release-1.29/hack/verify-govulncheck.sh
https://github.com/kubernetes/kubernetes/blob/release-1.30/hack/verify-govulncheck.sh
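The description above wants the per-branch scans to feed a cherry-pick decision, which means comparing what govulncheck reports on a release branch against master rather than just failing the job. The program below is an added example and is not code from this issue or from the Kubernetes project. It parses the JSON stream that govulncheck emits with -json (one object per line, each carrying one of config, progress, osv or finding), keeps findings per OSV ID, separates symbol-level findings (a trace frame naming a function) from module-level ones, and lists the IDs that a release branch still reports but master does not. The two embedded scans are constructed sample input with placeholder IDs (GO-EXAMPLE-0001, GO-EXAMPLE-0002) and a made-up module example.com/dep; they are not real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"sort"
	"strings"
)

// Frame is one entry of a finding's call trace. Module-level findings carry
// only module/version; symbol-level findings also name package and function.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Finding is the subset of a govulncheck -json "finding" message used here.
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// message matches any object of the stream; only "finding" is decoded.
type message struct {
	Finding *Finding `json:"finding"`
}

// Constructed sample output (not real govulncheck runs): master already has
// GO-EXAMPLE-0002 fixed, the release branch still reaches GO-EXAMPLE-0001 via a call path.
const HeadScan = `{"config":{"scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code for known vulnerabilities..."}}
{"osv":{"id":"GO-EXAMPLE-0001","summary":"constructed sample entry"}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/dep","version":"v1.1.0"}]}}
`

const BranchScan = `{"config":{"scanner_name":"govulncheck"}}
{"osv":{"id":"GO-EXAMPLE-0001","summary":"constructed sample entry"}}
{"osv":{"id":"GO-EXAMPLE-0002","summary":"constructed sample entry"}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/dep","version":"v1.0.0"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/dep","version":"v1.0.0","package":"example.com/dep/parse","function":"Decode"},{"module":"k8s.io/kubernetes","package":"k8s.io/kubernetes/cmd/x","function":"main"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","fixed_version":"v0.9.0","trace":[{"module":"example.com/other","version":"v0.8.0"}]}}
`

// ParseFindings decodes a govulncheck JSON stream and groups findings by OSV ID.
func ParseFindings(r io.Reader) (map[string][]Finding, error) {
	dec := json.NewDecoder(r)
	out := map[string][]Finding{}
	for {
		var m message
		err := dec.Decode(&m)
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		if m.Finding != nil {
			out[m.Finding.OSV] = append(out[m.Finding.OSV], *m.Finding)
		}
	}
}

// Reachable reports whether any finding for an ID has a trace frame naming a
// function, i.e. govulncheck found a call path into the vulnerable symbol.
func Reachable(fs []Finding) bool {
	for _, f := range fs {
		for _, fr := range f.Trace {
			if fr.Function != "" {
				return true
			}
		}
	}
	return false
}

// NewOnBranch returns, sorted, the OSV IDs a release branch reports that master
// does not: the candidates for cherry-picking a dependency bump master already has.
func NewOnBranch(head, branch map[string][]Finding) []string {
	var ids []string
	for id := range branch {
		if _, ok := head[id]; !ok {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	head, err := ParseFindings(strings.NewReader(HeadScan))
	if err != nil {
		log.Fatal(err)
	}
	branch, err := ParseFindings(strings.NewReader(BranchScan))
	if err != nil {
		log.Fatal(err)
	}
	for _, id := range NewOnBranch(head, branch) {
		fmt.Printf("%s: on release branch only, reachable=%v, fixed in %s\n",
			id, Reachable(branch[id]), branch[id][0].FixedVersion)
	}
}
```

Keying on the OSV ID rather than on the text report keeps the comparison stable across govulncheck versions, and the reachable flag is what separates a finding that needs a cherry pick from a module-level hit that master would also carry if scanned in module mode.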

@PushkarJ
Member Author

/sig security architecture release
/area dependency

@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/release Categorizes an issue or PR as relevant to SIG Release. area/dependency Issues or PRs related to dependency changes labels Aug 28, 2023
@PushkarJ PushkarJ changed the title [govulncheck] Periodic scan with govulncheck [govulncheck] Periodic Prow Job for govulncheck Aug 28, 2023
@ArkaSaha30
Member

/assign

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 27, 2024
@PushkarJ
Member Author

/remove-lifecycle stale

This is planned to be worked on soon

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 28, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 28, 2024
@PushkarJ
Member Author

Relevant slack conversation: https://kubernetes.slack.com/archives/C01CUSVMHPY/p1716151527074909

@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 25, 2024
@PushkarJ
Member Author

Periodics are running for master / HEAD, v1.30, v1.29, v1.28 and v1.27. They are working for master, v1.30 and v1.29. Added a backport fix for v1.28: kubernetes/kubernetes#125772 to maintain n-2 support of releases. Once that is merged and once the release team agrees whether a v1.27 backport is needed or not, we will be done with the work needed to close this issue :)

Big thanks to @ArkaSaha30 for taking this forward to where it is today!

@PushkarJ
Member Author

remove-lifecycle rotten

@PushkarJ
Member Author

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jun 27, 2024
@PushkarJ
Member Author

PushkarJ commented Jul 9, 2024

With kubernetes/kubernetes#125772 merged we can mark this issue as closed (complete)

Any future patch version upgrades to govulncheck do not need an issue, but for any minor (breaking only) or major version upgrade it is recommended to discuss it in an issue before opening a PR.

/close

@k8s-ci-robot
Contributor

@PushkarJ: Closing this issue.

In response to this:

With kubernetes/kubernetes#125772 merged we can mark this issue as closed (complete)

Any future patch version upgrades to govulncheck do not need an issue, but for any minor (breaking only) or major version upgrade it is recommended to discuss it in an issue before opening a PR.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tabbysable
Member

Relevant slack conversation: https://kubernetes.slack.com/archives/C01CUSVMHPY/p1716151527074909

For future reference: in this Slack thread, it was decided to implement the govulncheck scanning as a verify-*.sh script, which then runs both periodically and pre-commit.

So that means this issue, as well as #99, were both closed by kubernetes/kubernetes#120562
