Silence govulncheck #619
Silence govulncheck #619
Conversation
|
I recall we had that at some point and the problem is that this enforce other projects that use go-tuf to also pin the minor version and not everyone likes that. To be honest I'm in favour of removing govulncheck or make failing the job not failing the whole workflow just because we can't silence this. |
|
I'm also not a fan of having a patch version pinned in the |
|
Yeah, exactly 👍 Let's stay away from pinning this. Also I think what you suggest is reasonable 👍 |
This change should always allow the step to pass even on error. As the issue are often times fixed in stdlib, we'd have to bump our go.mod to a certain patch level which is undesirable. Otherwise having this check fail will always mark the CI pipeline as failed. Signed-off-by: Marvin Drees <marvin.drees@9elements.com>
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #619 +/- ##
==========================================
+ Coverage 70.51% 72.96% +2.45%
==========================================
Files 10 10
Lines 2123 1650 -473
==========================================
- Hits 1497 1204 -293
+ Misses 505 325 -180
Partials 121 121 ☔ View full report in Codecov by Sentry. |
|
Ok setting it to always pass works but this feels wrong as well. Now this check is always green even if it found issues. You can still click on the job itself to look at the report but the overview is green. I think we should add a more fine tuned linter config that marks common security pitfalls as CI fails (e.g. enable gosec in golangci-lint) instead of relying on the CVE checker here. Though in the current state it at least doesn't mark CI runs as failed... |
MDr164
changed the title
|
What do you think about adding a bit of automation around this? If it sounds dumb feel free to say it's dumb, no worries 😄 I'm thinking we can keep the |
There was a problem hiding this comment.
I think we should have continue-on-error. As this is a module (and a source distribution) and it's ultimately any client that compiles the code with a specific compiler, I don't see much we can do for bugs in Go.
As discussed we could bin the minor, but I believe that is something a module should not do, it's the responsibility of the project that uses this module to define what minor version to use.
That's definitely feasible and only requires another step after govulncheck to run conditionally which is fully supported. I'll have a go at it on a test repo first to not spam this PR. I think the only 'tricky' part is to not have it spam on PR updates, aka behave like the Codecov comment. |
|
Sounds good 👍 Alright, let's merge this then and we can try to make its output more explicit in another one 👍 |
|
Feel free to merge, I still don't have the necessary repo rights to do so 😅 |
As we only pin the minor version and not the patch version of Go (as most projects do), we can't guarantee the CI to use a toolchain version which has security fixes govulncheck would otherwise complain about.
EDIT: We keep the go.mod as is but modified the CI pipeline as outlined below.