trying out govuln #193
Conversation
@decentralgabe not familiar enough with permissions to know how to try tweaks from a fork to workflows (I would hope it doesn't allow them)
thanks @michaelneale this is great to add. I think it should be done via mage, perhaps a mage vuln check?
assuming that if it finds a vuln it'll return an error code and fail CI
yes I think could be part of mage (still not sure if govuln should be run earlier or later, need to read more about how it works). If it's always quick, makes sense to have it earlier before tests (or in parallel perhaps?)
parallel would be nice, but the pipeline isn't too long nowadays, so I don't mind it going first, last, or wherever!
Realized this relies on go 1.18. We're still on 1.17, which is pre-generics support. Given that 1.19 is out it seems reasonable to bump to the latest. Though I'm still a little hesitant to start introducing generics 🤔 Opened #198
ok, #198 is done - after mage this should be good to go
@decentralgabe ah thanks. Hadn't had a chance to look at this again. This tool seems nice - it won't return an error if there are informational only warnings (which there are at the moment - it knows that code isn't used). I think it could run parallel to build step perhaps? or do you like it how it is.
@michaelneale let's go for parallel!
@decentralgabe ok - try it again (in parallel - doesn't need to run the build to scan).
nice @michaelneale looks like it works |
approval pending mageification of govuln
@decentralgabe not sure what you mean by mageification?
@michaelneale call go vuln via mage like

```go
import (
	"fmt"

	"github.com/magefile/mage/sh"
)

// Vuln runs govulncheck over every package; a non-nil error fails the mage target (and CI).
func Vuln() error {
	fmt.Println("Vulnerability checks...")
	return sh.Run("govulncheck", "./...")
}
```

here: https://github.com/TBD54566975/ssi-sdk/blob/main/magefile.go then access via
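The thread above settles three practical points: the target should be a mage function, govulncheck should be installed on demand so it stays fresh, and the CI run failed because the installed binary was not on PATH. The following stand-alone target is an added example, not the project's magefile and not code from either commenter. It uses only the standard library (os/exec in place of mage's sh.Run, an assumption so it runs without the mage module), looks in $GOBIN and $GOPATH/bin when PATH lookup fails (the usual cause of "binary not found" after go install), and treats any non-zero exit as findings without assuming a specific exit code.

```go
// Added example: a mage-style Vuln target using only the standard library.
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// Module path used for on-demand installation (assumed pinning policy: latest).
const govulncheckModule = "golang.org/x/vuln/cmd/govulncheck@latest"

// Outcome classifies what a govulncheck run told us.
type Outcome int

const (
	Clean    Outcome = iota // exit 0: no findings (informational notes do not fail)
	Findings                // non-zero exit: govulncheck reported vulnerabilities
	Missing                 // the binary could not be found at all
	Failed                  // any other error, e.g. the process could not start
)

// CandidatePaths lists where `go install` puts binaries when PATH does not
// include them: $GOBIN first, then $GOPATH/bin.
func CandidatePaths(gobin, gopath string) []string {
	var paths []string
	if gobin != "" {
		paths = append(paths, filepath.Join(gobin, "govulncheck"))
	}
	if gopath != "" {
		paths = append(paths, filepath.Join(gopath, "bin", "govulncheck"))
	}
	return paths
}

// Locate returns the govulncheck binary, consulting PATH first and the
// go install locations second.
func Locate() (string, error) {
	if p, err := exec.LookPath("govulncheck"); err == nil {
		return p, nil
	}
	for _, p := range CandidatePaths(os.Getenv("GOBIN"), os.Getenv("GOPATH")) {
		if st, err := os.Stat(p); err == nil && !st.IsDir() {
			return p, nil
		}
	}
	return "", exec.ErrNotFound
}

// Classify maps the error returned by running govulncheck onto an Outcome.
// The ErrNotFound check comes first because a missing binary is not an ExitError.
func Classify(err error) Outcome {
	var exitErr *exec.ExitError
	switch {
	case err == nil:
		return Clean
	case errors.Is(err, exec.ErrNotFound):
		return Missing
	case errors.As(err, &exitErr):
		return Findings
	default:
		return Failed
	}
}

// run executes a command with output streamed to the CI log.
func run(name string, args ...string) error {
	cmd := exec.Command(name, args...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

// Vuln installs govulncheck if needed, scans the module, and returns a
// non-nil error so the mage target (and CI) fails when vulnerabilities are reported.
func Vuln() error {
	bin, err := Locate()
	if err != nil {
		fmt.Println("govulncheck not found; installing", govulncheckModule)
		if err := run("go", "install", govulncheckModule); err != nil {
			return fmt.Errorf("install govulncheck: %w", err)
		}
		if bin, err = Locate(); err != nil {
			return fmt.Errorf("govulncheck still not found after install; add $GOPATH/bin to PATH: %w", err)
		}
	}
	fmt.Println("Vulnerability checks...")
	err = run(bin, "./...")
	switch Classify(err) {
	case Clean:
		return nil
	case Findings:
		return fmt.Errorf("govulncheck reported vulnerabilities: %w", err)
	default:
		return fmt.Errorf("govulncheck could not run: %w", err)
	}
}

func main() {
	if err := Vuln(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

In a real magefile the file would carry the `//go:build mage` tag and drop `main`, and `run` would be replaced by `sh.Run`; the Locate fallback is the part that addresses the PATH failure, and Classify keeps the "informational only does not fail" behaviour noted above because those runs exit 0.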
@decentralgabe ah thanks. Trying it again with mage - letting it install govulncheck on demand is probably a good way to go to keep it fresh too (and easier for end users).
nice - thanks for making this change
Hmm looks like the binary isn't found on the path 🤔 : https://github.com/TBD54566975/ssi-sdk/actions/runs/3120487785/jobs/5094376835
Oh that's annoying. Is that the correct way to install it to ensure it's available?
I thought what you had should work. let me investigate
@michaelneale I pushed a fix to your branch michaelneale#3 threw in some other magefile tidyings, couldn't help myself 😉
the issue is the command needs upon some further reading it seems like maybe
Go has built-in vuln management - thought it may be worth a try
https://go.dev/blog/vuln