diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 54ebe7c..f209f8f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,8 +33,20 @@ jobs:
 - name: Install govulncheck
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ - name: Install jq
+ run: sudo apt-get update && sudo apt-get install -y jq
+
 - name: Check for vulnerabilities
- run: $HOME/go/bin/govulncheck ./...
+ run: |
+ $HOME/go/bin/govulncheck -format json ./...|jq -r .finding.osv|grep -v null|sort -u >/tmp/vuln-cves
+ CVES="$(cat .govulncheck-ignorecves .govulncheck-ignorecves /tmp/vuln-cves|sort|uniq -u)"
+ if [ -n "$CVES" ]; then
+ echo >&2
+ echo "***" govulncheck CVES that are not ignored: $CVES "***" >&2
+ echo >&2
+ set -x
+ $HOME/go/bin/govulncheck -show verbose ./...
+ fi
 - name: Build Source
 run: go build ./...
diff --git a/.govulncheck-ignorecves b/.govulncheck-ignorecves
new file mode 100644
index 0000000..5f00946
--- /dev/null
+++ b/.govulncheck-ignorecves
@@ -0,0 +1,2 @@
+GO-2025-3373
+GO-2025-3420
diff --git a/go.mod b/go.mod
index 28c1d2b..be9502b 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/sebdah/goldie/v2 v2.5.5
 github.com/sigstore/sigstore v1.8.12
 github.com/spf13/cobra v1.8.1
- github.com/spf13/pflag v1.0.5
+ github.com/spf13/pflag v1.0.6
 )
 
 require (
diff --git a/go.sum b/go.sum
index 32ec476..59a17c8 100644
--- a/go.sum
+++ b/go.sum
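Review bot: The JSON scan on the first line of the new `run: |` script is fail-open: the pipeline's exit status is that of `sort -u`, so if `govulncheck` itself fails (for example when the vulnerability database cannot be fetched) `/tmp/vuln-cves` is simply empty, `$CVES` comes out empty and the step passes — unless the workflow sets `shell: bash` outside this hunk (which adds `pipefail`), in which case the same `grep -v null` instead fails the step whenever there are no findings, because grep exits 1 when it selects nothing. Both cases are handled by enabling pipefail explicitly and letting jq do the filtering: `set -o pipefail` followed by `$HOME/go/bin/govulncheck -format json ./... | jq -r 'select(.finding != null) | .finding.osv' | sort -u >/tmp/vuln-cves`. Note also that whether the step ultimately fails is decided by the exit status of the second, `-show verbose` run rather than by `$CVES` being non-empty; if that run exits 0, the warning is printed but the job goes green, so add an explicit `exit 1` after it if an unignored ID should always fail the build. The enclosing job definition starts outside the hunk.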
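Review bot: Each line of this new file must be exactly one OSV ID with nothing else on it: the CI step compares it to the scan output line by line (the file is `cat`ed twice, then `sort | uniq -u` drops whatever appears more than once), so a trailing comment, trailing whitespace or a CRLF line ending would leave the ID unmatched and the finding reported as not ignored. That leaves nowhere in the file to say why GO-2025-3373 and GO-2025-3420 are suppressed or when to revisit them; record the rationale in the commit message or a README and review the list whenever the Go toolchain or dependencies are bumped, since entries that no longer match any finding go stale silently.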
@@ -63,8 +63,9 @@ github.com/sigstore/sigstore v1.8.12 h1:S8xMVZbE2z9ZBuQUEG737pxdLjnbOIcFi5v9UFfk
 github.com/sigstore/sigstore v1.8.12/go.mod h1:+PYQAa8rfw0QdPpBcT+Gl3egKD9c+TUgAlF12H3Nmjo=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=