Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-07-22 15:00:38 -04:00
Code Issues Projects Releases Packages Wiki Activity

ci: ignore GO-2024-3166 in govulncheck (#3404)

Browse source 
* ci: ignore GO-2024-3166 in govulncheck
This commit is contained in:
Markus Rudy 2024-10-11 15:39:44 +02:00 committed by GitHub
parent 1561d67a12
commit 60dcac1f1b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
MODULE.bazel
View file

@ -4,6 +4,7 @@ bazel_dep(name = "aspect_bazel_lib", version = "2.9.0")
bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains") bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
bazel_lib.yq() bazel_lib.yq()
use_repo(bazel_lib, "jq_toolchains")
use_repo(bazel_lib, "yq_toolchains") use_repo(bazel_lib, "yq_toolchains")
bazel_dep(name = "bazel_skylib", version = "1.7.1") bazel_dep(name = "bazel_skylib", version = "1.7.1")

2
bazel/ci/BUILD.bazel
View file

@ -288,11 +288,13 @@ sh_template(
name = "govulncheck", name = "govulncheck",
data = [ data = [
":go_bin_for_host", ":go_bin_for_host",
"@jq_toolchains//:resolved_toolchain",
"@org_golang_x_vuln//cmd/govulncheck", "@org_golang_x_vuln//cmd/govulncheck",
], ],
substitutions = { substitutions = {
"@@GO@@": "$(rootpath :go_bin_for_host)", "@@GO@@": "$(rootpath :go_bin_for_host)",
"@@GOVULNCHECK@@": "$(rootpath @org_golang_x_vuln//cmd/govulncheck:govulncheck)", "@@GOVULNCHECK@@": "$(rootpath @org_golang_x_vuln//cmd/govulncheck:govulncheck)",
"@@JQ@@": "$(rootpath @jq_toolchains//:resolved_toolchain)",
}, },
template = "govulncheck.sh.in", template = "govulncheck.sh.in",
) )

16
bazel/ci/govulncheck.sh.in
View file

@ -15,6 +15,8 @@ go=$(realpath @@GO@@)
stat "${go}" >> /dev/null stat "${go}" >> /dev/null
govulncheck=$(realpath @@GOVULNCHECK@@) govulncheck=$(realpath @@GOVULNCHECK@@)
stat "${govulncheck}" >> /dev/null stat "${govulncheck}" >> /dev/null
jq=$(realpath @@JQ@@)
stat "${jq}" >> /dev/null
cd "${BUILD_WORKSPACE_DIRECTORY}" cd "${BUILD_WORKSPACE_DIRECTORY}"
@ -24,6 +26,18 @@ submodules=$(${go} list -f '{{.Dir}}' -m)
PATH=$(dirname "${go}"):${PATH} PATH=$(dirname "${go}"):${PATH}
check_module() {
# shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
"${jq}" -sr '
(map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs |
map(select( .finding and .finding.osv != "GO-2024-3166" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
group_by(.osv) |
map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
if length > 0 then halt_error(1) else .[] end'
}
check() { check() {
err=0 err=0
@ -31,7 +45,7 @@ check() {
for mod in ${submodules}; do for mod in ${submodules}; do
echo " ${mod}" echo " ${mod}"
echo -n " " echo -n " "
CGO_ENABLED=0 ${govulncheck} -C "${mod}" "./..." || err=$? check_module "${mod}"
done done
exit "${err}" exit "${err}"