
feat(cve-check): check for cves #10

Open. Wants to merge 9 commits into base: main

Conversation

@Guillaumebeuzeboc (Collaborator) commented Nov 4, 2024

@Guillaumebeuzeboc Guillaumebeuzeboc marked this pull request as ready for review November 4, 2024 15:41
@Guillaumebeuzeboc (Collaborator Author)

The multiple runners thing was integrated, although there is a limitation in GH reusable workflows and matrix output: https://github.com/orgs/community/discussions/17245

Should we remove the runner matrix from the workflow?

@artivis left a comment

Could you also add an example of this to the '-test' repo?

Nevermind, just seen the follow up pr.

description: The channel of the snap to scan.
required: false
type: string
runs-on:

Why do we need to specify a runner? Can't we run the amd64 review-tools snap on an arm64 snap? Can we download an arm64 snap file on an amd64 machine?

@Guillaumebeuzeboc (Collaborator Author)

I didn't find a way to specify the arch from the snap download command. This means that snap download downloads the snap for the architecture of the host.

@Guillaumebeuzeboc (Collaborator Author)

Usage:
  snap download [download-OPTIONS] <snap>

The download command downloads the given snap and its supporting assertions
to the current directory with .snap and .assert file extensions, respectively.

[download command options]
      --channel=            Use this channel instead of stable
      --edge                Install from the edge channel
      --beta                Install from the beta channel
      --candidate           Install from the candidate channel
      --stable              Install from the stable channel
      --revision=           Download the given revision of a snap
      --basename=           Use this basename for the snap and assertion files (defaults to <snap>_<revision>)
      --target-directory=   Download to this directory (defaults to the current directory)
      --cohort=             Download from the given cohort
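The `snap download` help above has no architecture option, so a workflow that wants an arm64 .snap on an amd64 runner has to go to the store directly. The script below is an added example, not code from this PR or from snapd: it queries the public Snap Store info endpoint (`https://api.snapcraft.io/v2/snaps/info/<name>` with the `Snap-Device-Series: 16` header, which is what the store documents and what snapd itself uses), picks the channel-map entry for a requested architecture and channel, and refuses the blob unless its sha3-384 matches what the store reported. The endpoint, header and response shape are assumptions about the store API as the author of this example knows it; the sample response and blob embedded below are constructed, not real store data.

```python
import hashlib
import json
import urllib.request

# Assumption: public Snap Store v2 info endpoint; series 16 is the only series in use.
STORE_INFO = "https://api.snapcraft.io/v2/snaps/info/{name}"
SERIES = "16"


def fetch_info(name, fields=("download", "revision", "version")):
    """Fetch the channel map for a snap from the store. Network call; not used offline."""
    url = STORE_INFO.format(name=name) + "?fields=" + ",".join(fields)
    req = urllib.request.Request(url, headers={"Snap-Device-Series": SERIES})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def select_download(info, arch, channel="stable"):
    """Return the channel-map entry for (arch, channel), or None if there is no release.
    `channel` is either a risk ('stable') or 'track/risk' ('latest/stable', '24/edge');
    a bare risk means the 'latest' track, as with snap download --channel."""
    track, _, risk = channel.rpartition("/")
    track = track or "latest"
    for entry in info.get("channel-map", []):
        ch = entry["channel"]
        if (ch["architecture"], ch["track"], ch["risk"]) == (arch, track, risk):
            return entry
    return None


def snap_filename(name, entry):
    """Same default basename `snap download` uses: <snap>_<revision>.snap."""
    return f"{name}_{entry['revision']}.snap"


def sha3_384_matches(data, expected_hex):
    """The store reports a sha3-384 per download; never keep a blob that does not match."""
    return hashlib.sha3_384(data).hexdigest() == expected_hex


def download_and_verify(name, entry, dest_dir="."):
    """Download the blob for a channel-map entry and write it only after the digest checks out."""
    with urllib.request.urlopen(entry["download"]["url"], timeout=300) as resp:
        blob = resp.read()
    if not sha3_384_matches(blob, entry["download"]["sha3-384"]):
        raise ValueError("sha3-384 mismatch for revision %s" % entry["revision"])
    path = f"{dest_dir}/{snap_filename(name, entry)}"
    with open(path, "wb") as f:
        f.write(blob)
    return path


# Constructed sample response (not real store data), shaped like the info endpoint's JSON.
SAMPLE_BLOB = b"not a real squashfs"
SAMPLE_INFO = {
    "name": "example-snap",
    "channel-map": [
        {"channel": {"architecture": "amd64", "track": "latest", "risk": "stable"},
         "revision": 41, "version": "1.2.0",
         "download": {"url": "https://example.invalid/41.snap",
                      "sha3-384": hashlib.sha3_384(b"amd64 blob").hexdigest()}},
        {"channel": {"architecture": "arm64", "track": "latest", "risk": "stable"},
         "revision": 42, "version": "1.2.0",
         "download": {"url": "https://example.invalid/42.snap",
                      "sha3-384": hashlib.sha3_384(SAMPLE_BLOB).hexdigest()}},
        {"channel": {"architecture": "arm64", "track": "latest", "risk": "edge"},
         "revision": 45, "version": "1.3.0~dev",
         "download": {"url": "https://example.invalid/45.snap",
                      "sha3-384": hashlib.sha3_384(b"edge blob").hexdigest()}},
    ],
}

if __name__ == "__main__":
    import sys
    # usage: python3 fetch_snap.py <snap> <arch> [channel]
    name, arch = sys.argv[1], sys.argv[2]
    channel = sys.argv[3] if len(sys.argv) > 3 else "stable"
    entry = select_download(fetch_info(name), arch, channel)
    if entry is None:
        sys.exit(f"no {channel} release of {name} for {arch}")
    print(download_and_verify(name, entry))
```

Two caveats for anyone wiring this into the workflow: the example fetches only the .snap, not the .assert bundle that `snap download` also writes, so the file is unasserted (`snap install` would need `--dangerous`; review-tools only needs the blob), and the sha3-384 check protects against a corrupted or substituted download but is only as trustworthy as the TLS connection to the store that reported the digest.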

@Guillaumebeuzeboc (Collaborator Author)

The review-tool is reporting CVEs that have a fix in main or universe.
Past the 5 years of LTS, the fixes are only available in Pro for main and universe.
But after 2 years, only fixes for main are available. This means that the workflow will have to be deprecated for snaps on core versions that are 2+ years old.
Does it still make sense to automate this?
