build: Makefile: add Go vulnerability checker #14028
Conversation
|
I am curious what overlaps it has with https://github.com/actions/dependency-review-action? We have this one in CI already. |
@tac0turtle it uses Go's new vulnerability scanner to check for packages that are reported as vulnerable from a bunch of crowd sourced public vulnerability databases. It was announced for Go1.19 at https://go.dev/blog/vuln and there is a listing of vulnerabilities in https://pkg.go.dev/vuln/ -- it helps us scalably catch vulnerable code in supply chains. We shall need it in CI so that if for example a vulnerable unaudited downstream dependency is introduced, it'll fail loudly.
@julienrbrt I believe that tagged Github action is a subset of what this new change does. That tagged Github action requires us to have a license to Github Advanced Security and it just checks from declared GHSAs which we have; The Go vulnerability checker reads from more diverse sources than just GHSA, like it reads from the National Vulnerability Database (NVD) as well where majority of the CVEs are reported directly. Please see this infographic from the website
|
Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably.
odeke-em
force-pushed
the
govulnchecker-to-Makefile
branch
from
2995d72
to
c7c906e
Compare
odeke-em
changed the title
|
I think this is a great addition! However, I doubt engineers will remember to run the cmd so I recommend including it in a CI action as @tac0turtle mentioned |
https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck This means we can simply add |
julienrbrt
added
the
backport/v0.47.x
|
[Cosmos SDK - Rosetta] Kudos, SonarCloud Quality Gate passed!
|
* build: Makefile: add Go vulnerability checker Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably. * add gh action * bump to 1.19.3 due to vulnerabilities Co-authored-by: Julien Robert <julien@rbrt.fr> (cherry picked from commit bcfb7dc)
* build: Makefile: add Go vulnerability checker Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably. * add gh action * bump to 1.19.3 due to vulnerabilities Co-authored-by: Julien Robert <julien@rbrt.fr> (cherry picked from commit bcfb7dc) Co-authored-by: Emmanuel T Odeke <emmanuel@orijtech.com>
Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably.