build: Makefile: add Go vulnerability checker #14028
Could you touch on what this does? Do we need to add it to CI? Git hook?
I am curious what overlaps it has with https://github.com/actions/dependency-review-action? We have this one in CI already.
@tac0turtle it uses Go's new vulnerability scanner to check for packages that are reported as vulnerable from a bunch of crowd sourced public vulnerability databases. It was announced for Go1.19 at https://go.dev/blog/vuln and there is a listing of vulnerabilities in https://pkg.go.dev/vuln/ -- it helps us scalably catch vulnerable code in supply chains. We shall need it in CI so that if for example a vulnerable unaudited downstream dependency is introduced, it'll fail loudly.
@julienrbrt I believe that tagged Github action is a subset of what this new change does. That tagged Github action requires us to have a license to Github Advanced Security and it just checks from declared GHSAs which we have; the Go vulnerability checker reads from more diverse sources than just GHSA, like it reads from the National Vulnerability Database (NVD) as well where majority of the CVEs are reported directly. Please see this infographic from the website
Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably.
I think this is a great addition! However, I doubt engineers will remember to run the cmd so I recommend including it in a CI action as @tac0turtle mentioned
this needs to be added somewhere it's automatically run instead of only a makefile command
https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck This means we can simply add
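As an added illustration of the reviewers' request (not the workflow this PR actually added, which is not shown on the page), the following GitHub Actions job runs govulncheck on every pull request and push, plus on a daily schedule so that an advisory published after the last commit still fails loudly without anyone remembering to run the Makefile target. The Go version 1.19.3 is taken from the PR's commit message; the workflow name, branch name, cron expression and the `@latest` pin for govulncheck are assumptions and should be adjusted (a practitioner would normally pin govulncheck to a fixed version for reproducible CI).

```yaml
# .github/workflows/govulncheck.yml (constructed example, not the project's own file)
name: govulncheck

on:
  pull_request:
  push:
    branches: [main]        # assumed default branch
  schedule:
    - cron: "0 6 * * *"     # daily: new advisories fail the build even with no code change

# Least privilege: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-go@v3
        with:
          go-version: "1.19.3"   # version the PR bumped to because of reported vulnerabilities

      - name: Install govulncheck
        # @latest is an assumption; pin to a tagged release for reproducible CI runs
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck
        # Exits non-zero when a reachable vulnerable symbol is found, which fails the job
        run: govulncheck ./...
```

The same `govulncheck ./...` invocation is what a Makefile target (for example one wired into `all`, as the PR description says) would run locally; the CI job is what guarantees it happens on every change rather than only when an engineer remembers to type it.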
[Cosmos SDK - Rosetta] Kudos, SonarCloud Quality Gate passed!
* build: Makefile: add Go vulnerability checker

  Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably.

* add gh action
* bump to 1.19.3 due to vulnerabilities

Co-authored-by: Julien Robert <julien@rbrt.fr>
(cherry picked from commit bcfb7dc)
* build: Makefile: add Go vulnerability checker

  Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably.

* add gh action
* bump to 1.19.3 due to vulnerabilities

Co-authored-by: Julien Robert <julien@rbrt.fr>
(cherry picked from commit bcfb7dc)
Co-authored-by: Emmanuel T Odeke <emmanuel@orijtech.com>