Skip to content

Make govulncheck run more reliable #6021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Mar 25, 2025
Merged

Make govulncheck run more reliable #6021

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e8cebbc
Make govulncheck run more reliable
pjanotti Mar 21, 2025
53e2be0
Update go version to 1.23.7 (#6003)
pjanotti Mar 21, 2025
e6dafa5
Add required options and log versions
pjanotti Mar 21, 2025
44c70b6
Merge branch 'main' into make-govulncheck-run-reliable
pjanotti Mar 22, 2025
9251a1a
Renames and clean up
pjanotti Mar 22, 2025
f094166
Merge branch 'main' into make-govulncheck-run-reliable
pjanotti Mar 24, 2025
f242a1a
Describe why not using the full package name
pjanotti Mar 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions .github/workflows/scripts/govulncheck-run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
#!/bin/bash

set -euo pipefail

mkdir -p ./govulncheck 2>/dev/null

# Get all package directories
ALL_PKG_DIRS=$(go list ./...)

# Initialize failure flag
FAILED=0

# Repository prefix to remove from package names
REPO_PREFIX=$(go list -m)

# Run govulncheck for each package
for pkg in $ALL_PKG_DIRS; do
# Remove the repository prefix from the package name to keep the category names short
# and replace slashes with underscores to make clear that the categories are not nested.
OUTPUT_FILE="./govulncheck/$(echo "$pkg" | sed "s|^$REPO_PREFIX/||" | tr '/' '_').sarif"
echo -e "\nRunning govulncheck for package $pkg"
if ! govulncheck ${GOVULN_OPTS:-} "$pkg" > "$OUTPUT_FILE"; then
echo "govulncheck failed for package $pkg, output saved to $OUTPUT_FILE"
FAILED=1
else
echo "govulncheck succeeded for package $pkg, output saved to $OUTPUT_FILE"
fi
done

if [ $FAILED -ne 0 ]; then
echo -e "\ngovulncheck failed for one or more packages"
exit 1
fi

echo -e "\ngovulncheck completed successfully for all packages"
60 changes: 56 additions & 4 deletions .github/workflows/vuln-scans.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -267,7 +267,7 @@ jobs:
with:
sarif_file: snyk.sarif

govulncheck:
govulncheck-run:
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
Expand All @@ -278,11 +278,63 @@ jobs:
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: '**/go.sum'

- name: Install Tools
run: make install-tools
- name: Run `govulncheck`
run: govulncheck -format sarif ./... > govulncheck.sarif

- run: govulncheck --version

- name: Run `govulncheck` script
env:
GOVULN_OPTS: --format sarif --scan package
run: ./.github/workflows/scripts/govulncheck-run.sh

- name: Save govulncheck results as artifact
uses: actions/upload-artifact@v4
with:
name: govulncheck-results
path: ./govulncheck/

govulncheck-categories:
runs-on: ubuntu-24.04
outputs:
matrix: ${{ steps.capture-packages.outputs.matrix }}
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: '**/go.sum'
- name: Capture Go Packages
id: capture-packages
run: |
repoPrefix=$(go list -m)
packages=$(go list ./... | sed "s|^$repoPrefix/||" | tr '/' '_')
category=$(for p in $(echo -e "$packages"); do echo "\"$p\","; done)
matrix=$(echo "{\"category\": [${category%,}]}" | tr -d '\n')
echo "$matrix" | jq
echo "matrix=${matrix}" >> $GITHUB_OUTPUT

govulncheck-upload:
runs-on: ubuntu-24.04
needs: [govulncheck-run, govulncheck-categories]
strategy:
matrix: ${{ fromJSON(needs.govulncheck-categories.outputs.matrix) }}
steps:
- name: Checkout Repo
uses: actions/checkout@v4

- name: Download govulncheck results artifact
uses: actions/download-artifact@v4
with:
name: govulncheck-results
path: ./govulncheck/

- name: Upload result to GitHub Code Scanning
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: govulncheck.sarif
sarif_file: ./govulncheck/${{ matrix.category }}.sarif
category: ${{ matrix.category }}
3 changes: 3 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,3 +55,6 @@ deployments/heroku/test/node_modules

# temp file created during testing
tests/installation/testdata/systemd/splunk-otel-collector.conf

# For convenience excluding sarif files generated by ./.github/workflows/scripts/govulncheck-run.sh
/govulncheck/
12 changes: 10 additions & 2 deletions Makefile.Common
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,5 +136,13 @@ moddownload:
$(GOCMD) mod download

.PHONY: govulncheck
govulncheck: install-tools
govulncheck ./...
govulncheck:
@FAILED=0; \
@for pkg in $(shell $(GOCMD) list $(ALL_PKG_DIRS)); do \
echo "\nRunning govulncheck for package $$pkg\n"; \
govulncheck $${GOVULN_OPTS} $$pkg || FAILED=1; \
done; \
@if [ $$FAILED -ne 0 ]; then \
echo "\ngovulncheck failed for one or more packages"; \
exit 1; \
fi
Loading