
Add govulncheck presubmit to expose go vulnerabilities in a PR #30591

Closed

Conversation

ArkaSaha30
Member

@ArkaSaha30 ArkaSaha30 commented Sep 1, 2023

This PR will add a govulncheck presubmit to check for go vulnerabilities when a PR is opened for go module changes. It will trigger the script from sig-security/sig-security-tooling/govulncheck/hack/govulncheck-presubmit.sh kubernetes/hack/verify-govulncheck.sh.

Fixes: kubernetes/sig-security#99
Parent Issue: kubernetes/sig-security#95

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. area/config Issues or PRs related to code in /config area/jobs sig/security Categorizes an issue or PR as relevant to SIG Security. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Sep 1, 2023
@k8s-ci-robot k8s-ci-robot requested review from dims and rjsadow September 1, 2023 15:11
@ArkaSaha30 ArkaSaha30 force-pushed the govulncheck-presubmit branch 4 times, most recently from 0ed8d1d to d9c8c8d on September 1, 2023 15:49
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. area/testgrid and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 1, 2023
@ArkaSaha30 ArkaSaha30 force-pushed the govulncheck-presubmit branch from d9c8c8d to 2eaa81f on September 1, 2023 16:31
@rjsadow
Contributor

rjsadow commented Sep 1, 2023

I don't see any issues with this @ArkaSaha30. Would you be able to run this on the EKS cluster instead of the default cluster like it's currently set up? You can use https://github.com/kubernetes/test-infra/pull/30556/files as a guide on what updates are needed.

@rjsadow
Contributor

rjsadow commented Sep 1, 2023

/hold until kubernetes/sig-security#101 is merged

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 1, 2023
@ArkaSaha30 ArkaSaha30 force-pushed the govulncheck-presubmit branch from 2eaa81f to 200757c on September 1, 2023 17:37
@ArkaSaha30 ArkaSaha30 requested a review from rjsadow September 1, 2023 17:38
@rjsadow
Contributor

rjsadow commented Sep 1, 2023

/retest

@PushkarJ
Member

PushkarJ commented Sep 1, 2023

/assign @liggitt @PushkarJ

@rjsadow
Contributor

rjsadow commented Sep 1, 2023

Will this job just create the vulnerability artifact that can be reviewed for informational purposes, or is the intent to have some kind of gatekeeping element to fail if (for example) there are any CVEs found? If it's for gatekeeping, I'm not currently understanding how/where the job will fail out of the test.

@PushkarJ
Member

PushkarJ commented Sep 1, 2023

Will this job just create the vulnerability artifact that can be reviewed for informational purposes, or is the intent to have some kind of gatekeeping element to fail if (for example) there are any CVEs found? If it's for gatekeeping, I'm not currently understanding how/where the job will fail out of the test.

This will be mostly for informational purposes (at least for now) since we want the job to not block a PR right now. This will allow us to observe and iterate over the accuracy of the scan results and then potentially in future act as gatekeeping for a PR if needed.
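The informational-versus-gatekeeping split discussed in this thread comes down to what the job does with govulncheck's findings once it has them. The following is an added example, not code from this PR or from the sig-security tooling repo: a small Go program that consumes the streaming `govulncheck -json` output, separates advisories whose vulnerable symbol is actually reachable from the scanned code (the trace carries a function) from advisories present only at module level, and then applies a policy switch. In report-only mode it never fails; in gating mode it fails only on reachable findings. The JSON field names (`finding`, `osv`, `fixed_version`, `trace`, `module`, `function`) are assumed to match govulncheck's output format, and the sample stream, including the GO-2023-000x advisory IDs, is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// traceEntry is one frame of a govulncheck finding trace. A frame with a
// non-empty Function means the vulnerable symbol is reachable from the
// scanned code; a frame with only Module/Version is a module-level hit.
// Field names follow govulncheck -json output as assumed for this example.
type traceEntry struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

type finding struct {
	OSV          string       `json:"osv"`
	FixedVersion string       `json:"fixed_version"`
	Trace        []traceEntry `json:"trace"`
}

// message is one object of the stream; objects that are not findings
// (config, progress, osv) decode with Finding == nil and are skipped.
type message struct {
	Finding *finding `json:"finding"`
}

// Summary lists advisory IDs by whether the vulnerable code is reachable.
type Summary struct {
	Reachable  []string
	ModuleOnly []string
}

// Summarize reads a govulncheck -json stream and classifies each advisory.
// govulncheck emits several finding objects per advisory (one per call
// site plus a module-level one), so IDs are deduplicated here.
func Summarize(r io.Reader) (Summary, error) {
	dec := json.NewDecoder(r)
	seen := map[string]bool{}
	reachable := map[string]bool{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return Summary{}, err
		}
		if m.Finding == nil {
			continue
		}
		seen[m.Finding.OSV] = true
		for _, t := range m.Finding.Trace {
			if t.Function != "" {
				reachable[m.Finding.OSV] = true
			}
		}
	}
	var s Summary
	for id := range seen {
		if reachable[id] {
			s.Reachable = append(s.Reachable, id)
		} else {
			s.ModuleOnly = append(s.ModuleOnly, id)
		}
	}
	sort.Strings(s.Reachable)
	sort.Strings(s.ModuleOnly)
	return s, nil
}

// Gate turns a Summary into a job verdict. With gating=false the job only
// reports (the "informational" mode from the thread); with gating=true it
// fails when any reachable advisory exists. Module-only hits never fail.
func Gate(s Summary, gating bool) (fail bool, report string) {
	var b strings.Builder
	fmt.Fprintf(&b, "reachable: %d, module-only: %d\n", len(s.Reachable), len(s.ModuleOnly))
	for _, id := range s.Reachable {
		fmt.Fprintf(&b, "  reachable   %s\n", id)
	}
	for _, id := range s.ModuleOnly {
		fmt.Fprintf(&b, "  module-only %s\n", id)
	}
	return gating && len(s.Reachable) > 0, b.String()
}

// sampleOutput is a constructed govulncheck -json stream (not real scan output).
const sampleOutput = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-2023-0001","summary":"constructed example advisory"}}
{"finding":{"osv":"GO-2023-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0","package":"example.com/dep/pkg","function":"Parse"},{"module":"example.com/app","package":"example.com/app/cmd","function":"main"}]}}
{"finding":{"osv":"GO-2023-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-2023-0002","fixed_version":"v0.9.1","trace":[{"module":"example.com/other","version":"v0.9.0"}]}}
`

func main() {
	s, err := Summarize(strings.NewReader(sampleOutput))
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse error:", err)
		os.Exit(2)
	}
	gating := len(os.Args) > 1 && os.Args[1] == "--gate"
	fail, report := Gate(s, gating)
	fmt.Print(report)
	if fail {
		os.Exit(1)
	}
}
```

Run it with no arguments for the report-only behaviour the thread settles on, or with `--gate` to see the same findings turned into a non-zero exit; in a real job the stream would come from `govulncheck -json ./...` on stdin rather than the embedded sample.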

@rjsadow
Contributor

rjsadow commented Sep 1, 2023

Awesome, thank you @ArkaSaha30 and @PushkarJ
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 1, 2023
@ArkaSaha30 ArkaSaha30 force-pushed the govulncheck-presubmit branch from 200757c to bbce756 on September 6, 2023 05:50
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 6, 2023
@ArkaSaha30
Member Author

ArkaSaha30 commented Sep 6, 2023

Made a small change to the presubmit after testing locally:

-          cd sig-security-tooling/govulncheck/hack/ && ./govulncheck-presubmit.sh
+          cd ../kubernetes
+          ../sig-security/sig-security-tooling/govulncheck/hack/govulncheck-presubmit.sh
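Review bot: the removed line chained `cd` and the script with `&&`, whereas the two replacement lines run independently, so if `cd ../kubernetes` fails the script is still invoked from the previous working directory via a relative path that no longer resolves as intended. Since the script has to run from inside the kubernetes directory, suggest `cd ../kubernetes || exit 1` (or `set -euo pipefail` at the top of the job's command block) so an unexpected checkout layout fails the job loudly instead of scanning the wrong tree or silently skipping the scan.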

The govulncheck-presubmit.sh needs to be triggered from inside kubernetes directory.
Ref: kubernetes/sig-security#101 (comment)

@ArkaSaha30 ArkaSaha30 force-pushed the govulncheck-presubmit branch from bbce756 to 7b2eeb5 on September 6, 2023 07:32
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 6, 2023
@BenTheElder
Member

@ArkaSaha30
Member Author

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 11, 2023
@ArkaSaha30 ArkaSaha30 requested a review from rjsadow September 12, 2023 05:45
Contributor

@rjsadow rjsadow left a comment


This is much cleaner! Well done.
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 12, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ArkaSaha30, rjsadow
Once this PR has been reviewed and has the lgtm label, please assign tallclair for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rjsadow
Contributor

rjsadow commented Sep 12, 2023

/hold for kubernetes/kubernetes#120562

@rjsadow
Contributor

rjsadow commented Sep 19, 2023

@ArkaSaha30 @PushkarJ are we ok to close this based on kubernetes/kubernetes#120562 (comment) or do you see any other uses for having a separate job?

@liggitt
Member

liggitt commented Sep 19, 2023

The default verify script will make sure the PR doesn't make things worse, but I think we'd want a periodic job to check if existing state has issues, right?

@PushkarJ
Member

@liggitt yes we need the periodic one for sure. We are tracking it separately with this issue kubernetes/sig-security#100

@rjsadow
Contributor

rjsadow commented Sep 30, 2023

I'm going to close this PR for now since kubernetes/kubernetes#120562 will add it to k/k presubmits and there's a separate issue tracking the periodic.

/close

@k8s-ci-robot
Contributor

@rjsadow: Closed this PR.

In response to this:

I'm going to close this PR for now since kubernetes/kubernetes#120562 will add it to k/k presubmits and there's a separate issue tracking the periodic.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Labels
area/config Issues or PRs related to code in /config area/jobs area/testgrid cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/security Categorizes an issue or PR as relevant to SIG Security. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[govulncheck] Pre-submit Prow Job for govulncheck
6 participants