Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-04-05 05:27:31 -04:00
Code Issues Packages Projects Releases Wiki Activity

ci: exclude go vulns that don't affect library usage (#3721)

Browse Source
This commit is contained in:
Markus Rudy 2025-03-27 10:23:30 +01:00 committed by GitHub
parent be146cdb22
commit 5a1b7b7944
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
bazel/ci/govulncheck.sh.in
View File

@ -27,11 +27,16 @@ submodules=$(${go} list -f '{{.Dir}}' -m)
PATH=$(dirname "${go}"):${PATH}
check_module() {
excluded_osvs=(
"GO-2025-3521" # Kubernetes GitRepo Volume Inadvertent Local Repository Access
"GO-2025-3547" # Kubernetes kube-apiserver Vulnerable to Race Condition
)
# shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
"${jq}" -sr '
"${jq}" --argjson excluded "$(printf '"%s"\n' "${excluded_osvs[@]}" | jq -s)" -sr '
(map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs |
map(select( .finding and .finding.osv != "GO-2024-3166" and .finding.osv != "GO-2025-3408" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
map(select( .finding and all($excluded[] != .finding.osv; .) ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
group_by(.osv) |
map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
if length > 0 then halt_error(1) else .[] end'