Make govulncheck run more reliable #6021
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
* Update go version to 1.23.7 * Update version for GH workflows that had " or ' delimiters * Use GO_VERSION pattern on gitlab-ci too * make gendependabot
pjanotti
force-pushed
the
make-govulncheck-run-reliable
branch
from
36ca070 to
e6dafa5
Compare
|
@crobert-1 just to be clear, we can really get rid of all of these by just setting the scan mode to be |
Broken down the execution per packages, but, in the end that was not enough and had to change the scan scope to
package. The main disadvantage of that is that withsymbolthe tool can better asses if the code uses a function or code pattern, withpackagescan we may have to do some follow up to understand if/how the vulnerability should be treated. This is not ideal, the alternative would be have some larger runner that could take the memory hit of the tool with thesymbolscan.Although the breakdown in packages was not enough I opted to keep it because it lowers the chances of more OOMs in the future and also make easier to run it locally when investigating issues. Similar to the changes on the Makefile: in the end it was not necessary to solve the problem, but, since it was already in place it is good to have it at hand.
Example run: https://github.com/signalfx/splunk-otel-collector/actions/runs/14010129646/job/39228876676?pr=6021