
[govulncheck] Pre-submit Prow Job for govulncheck #99

Closed
Tracked by #95
PushkarJ opened this issue Aug 28, 2023 · 2 comments · Fixed by kubernetes/kubernetes#120562
Assignees
Labels
area/dependency Issues or PRs related to dependency changes sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/security Categorizes an issue or PR as relevant to SIG Security.

Comments

@PushkarJ (Member)

PushkarJ commented Aug 28, 2023

Description

Run govulncheck when a new PR is opened for go module changes, to understand whether the new changes bring in newer vulnerabilities than the ones already affecting the main (master) branch.

Implementation Details

presubmits:
  kubernetes/kubernetes:
  - name: check-govulncheck-results
    decorate: true
    decoration_config:
      timeout: 5m
    path_alias: k8s.io/kubernetes
    extra_refs:
    - org: kubernetes
      repo: sig-security
      base_ref: main
      workdir: true
    always_run: false
    optional: true
    run_if_changed: '^(go.mod|go.sum|vendor)'
    spec:
      containers:
      - image: golang
        command:
        - /bin/bash
        args:
        - -c
        - "cd sig-security-tooling/govulncheck/hack/ && ./govulncheck-presubmit.sh"
    annotations:
      testgrid-create-test-group: "true"
      testgrid-dashboards: sig-security-govulncheck-presubmit
      description: Runs `govulncheck` for PRs related to go module changes

Add a new file sig-security-tooling/govulncheck/hack/govulncheck-presubmit.sh in https://github.com/kubernetes/sig-security

          #!/usr/bin/env bash
          set -euo pipefail

          # Prow sets ARTIFACTS for decorated jobs; fall back to a temp dir when run by hand.
          export WORKDIR=${ARTIFACTS:-${TMPDIR:-/tmp}}
          export PATH=$PATH:$(go env GOPATH)/bin
          mkdir -p "${WORKDIR}"
          pushd "$WORKDIR"
          go install golang.org/x/vuln/cmd/govulncheck@latest
          popd

          # Scan the kubernetes checkout, not the sig-security tooling dir this script lives in.
          # Assumes the Prow layout: the primary repo is cloned at its path_alias under GOPATH.
          cd "${KUBE_ROOT:-$(go env GOPATH)/src/k8s.io/kubernetes}"

          # govulncheck exits non-zero when it finds vulnerabilities; keep the report
          # and let the diff below, not the scan's exit status, decide the outcome.
          govulncheck -scan module ./... > "${WORKDIR}/head.txt" || true
          git reset --hard HEAD
          git checkout -b base "${PULL_BASE_SHA}"
          govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt" || true
          diff -s -u --ignore-all-space "${WORKDIR}"/pr-base.txt "${WORKDIR}"/head.txt || true

Tips and Caveats

Parent Issue

#95
/sig security architecture
/area dependency security
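The script in the issue ends with an informational diff of the two reports (pr-base.txt and head.txt) and always exits 0. As an added example, not code from the issue or from kubernetes/sig-security, here is one way to turn those two reports into a set difference of Go vulnerability IDs, so a presubmit can fail only on findings the PR introduces while ignoring ones already present on the base branch. The function names `vuln_ids` and `new_vulns`, the temp-file layout, and the sample reports with placeholder IDs are all constructed for this example; the `GO-YYYY-NNNN` pattern is the ID format used by the Go vulnerability database and appears verbatim in both govulncheck's text and `-json` output.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the sig-security repo): compute the
# Go vulnerability IDs present in a PR head report but absent from the
# base report, and expose the result as an exit code a CI job can gate on.
set -eu

# Print the sorted, de-duplicated set of Go vulnerability IDs (GO-YYYY-NNNN)
# in a govulncheck report. Text and -json reports both embed the ID verbatim,
# so a regex is sufficient and no JSON parsing is needed.
vuln_ids() {
  [ -r "$1" ] || { echo "cannot read report: $1" >&2; return 2; }
  grep -oE 'GO-[0-9]{4}-[0-9]+' "$1" | LC_ALL=C sort -u
}

# Print IDs found in the head report but not in the base report.
# Exit 0 when the PR introduces nothing new, 1 when at least one new ID is
# present, so `new_vulns base head` works directly as a gate under `set -e`.
new_vulns() {
  base_ids=$(mktemp)
  head_ids=$(mktemp)
  vuln_ids "$1" > "$base_ids"
  vuln_ids "$2" > "$head_ids"
  # comm needs both inputs sorted under the same collation vuln_ids used.
  added=$(LC_ALL=C comm -13 "$base_ids" "$head_ids")
  rm -f "$base_ids" "$head_ids"
  if [ -z "$added" ]; then
    return 0
  fi
  printf '%s\n' "$added"
  return 1
}

# Constructed sample reports in govulncheck's text layout. The IDs are
# placeholders, not real advisories. The base already carries 0001 and 0002;
# the head fixes 0001 and introduces 0003, so only 0003 should be reported.
DEMO_DIR=$(mktemp -d)
DEMO_BASE="$DEMO_DIR/pr-base.txt"
DEMO_HEAD="$DEMO_DIR/head.txt"
cat > "$DEMO_BASE" <<'EOF'
Vulnerability #1: GO-0000-0001
    Placeholder advisory in a constructed report.
  Module: example.com/depa
    Found in: example.com/depa@v1.0.0
    Fixed in: example.com/depa@v1.0.1
Vulnerability #2: GO-0000-0002
    Placeholder advisory in a constructed report.
  Module: example.com/depb
    Found in: example.com/depb@v2.3.0
    Fixed in: example.com/depb@v2.3.1
EOF
cat > "$DEMO_HEAD" <<'EOF'
Vulnerability #1: GO-0000-0002
    Placeholder advisory in a constructed report.
  Module: example.com/depb
    Found in: example.com/depb@v2.3.0
    Fixed in: example.com/depb@v2.3.1
Vulnerability #2: GO-0000-0003
    Placeholder advisory in a constructed report.
  Module: example.com/depc
    Found in: example.com/depc@v0.9.0
    Fixed in: example.com/depc@v0.9.1
EOF

# An `if` keeps the non-zero return from tripping `set -e` in the demo run.
if new_vulns "$DEMO_BASE" "$DEMO_HEAD"; then
  echo "no new vulnerabilities introduced by this change"
else
  echo "presubmit should fail: the IDs above are new relative to the base branch"
fi
```

In the presubmit script this would replace the trailing `diff ... || true` with `new_vulns "${WORKDIR}/pr-base.txt" "${WORKDIR}/head.txt"`, so the job's exit status reflects only newly introduced findings; gating on the head scan's own exit status instead would fail every PR while the base branch carries any known vulnerability.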

@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. labels Aug 28, 2023
@k8s-ci-robot (Contributor)

@PushkarJ: The label(s) area/security cannot be applied, because the repository doesn't have them.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the area/dependency Issues or PRs related to dependency changes label Aug 28, 2023
@ArkaSaha30 (Member)

/assign
