govulncheck to report known vulnerabilities#48311
Conversation
| find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + | ||
|
|
||
| govulncheck: | ||
| runs-on: ubuntu-24.04 |
There was a problem hiding this comment.
Reminds me; I see the other ones are still on 20.04, and some on "ubuntu-latest".
There was a problem hiding this comment.
Ah right we should pin to ubuntu-24.04 where it's possible imo.
There was a problem hiding this comment.
Yeah, It's fine to do that separately and have this one already on 24.04 I guess.
I thought I had a PR to do that, but maybe I never opened one 🙈
|
Hm... |
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Forgot to disable uploading scan result on PR, let me do that 😅 |
| if [ "${FORMAT}" = "sarif" ]; then | ||
| # Make sure "results" field is defined in SARIF output otherwise GitHub Code Scanning | ||
| # will fail when uploading report with "Invalid SARIF. Missing 'results' array in run." | ||
| # Relates to https://github.com/golang/vuln/blob/ffdef74cc44d7eb71931d8d414c478b966812488/internal/sarif/sarif.go#L69 | ||
| jq '(.runs[] | select(.results == null) | .results) |= []' /out/govulncheck.out | tee >(sponge /out/govulncheck.out) | ||
| fi |
There was a problem hiding this comment.
Hm...
Uploading results Processing sarif files: ["./build/govulncheck.out"] Validating ./build/govulncheck.out Combining SARIF files using the CodeQL CLI Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information. Error: Invalid SARIF. Missing 'results' array in run.
Yes seems govulncheck omitempty for results: https://github.com/golang/vuln/blob/ffdef74cc44d7eb71931d8d414c478b966812488/internal/sarif/sarif.go#L69
So as a workaround set it if not defined to make GitHub happy. Not yet sure if this is something that needs to be fixed on GitHub or govulncheck side.
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
3 participants
similar to moby/buildkit#5199
Runs govulncheck tool in our workflow to report known vulnerabilities that affect Go code using the Go vulnerability database at https://vuln.go.dev/ and output a SARIF report that will be uploaded to GitHub Code scanning so we have these issues reported in the Security tab.