Posted to notifications@skywalking.apache.org by "rabajaj0509 (via GitHub)" <gi...@apache.org> on 2023/03/04 05:24:01 UTC

[GitHub] [skywalking] rabajaj0509 opened a new issue, #10482: [Feature] [Golang] Add support for govulncheck in github actions for Go apps.

rabajaj0509 opened a new issue, #10482:
URL: https://github.com/apache/skywalking/issues/10482

   ### Search before asking
   
   - [X] I had searched in the [issues](https://github.com/apache/skywalking/issues?q=is%3Aissue) and found no similar feature requirement.
   
   
   ### Description
   
   Currently, none of our Golang applications are checked for vulnerabilities. Since Go applications are used as binaries, these are difficult to test for vulnerabilities. All applications that are written in Golang can be scanned using [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) as a part of the GitHub Actions. This greatly reduces the possibility of supply chain attacks through dependencies used by our application.
   
   We would need to write GitHub actions for the following projects:
   1) [skywalking-kubernetes-event-exporter](https://github.com/apache/skywalking-kubernetes-event-exporter)
   2) [skywalking-cli](https://github.com/apache/skywalking-cli)
   3) [skywalking-rover](https://github.com/apache/skywalking-rover)
   4) [skywalking-banyandb](https://github.com/apache/skywalking-banyandb)
   5) [skywalking-eyes](https://github.com/apache/skywalking-eyes)
   6) [skywalking-infra-e2e](https://github.com/apache/skywalking-infra-e2e)
   7) [skywalking-swck](https://github.com/apache/skywalking-swck)
   8) [skywalking-satellite](https://github.com/apache/skywalking-satellite)
   
   Related links: 
   1) https://go.dev/blog/vuln
   2) https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
   3) https://github.com/marketplace/actions/golang-vulncheck
   
   ### Use case
   
   _No response_
   
   ### Related issues
   
   _No response_
   
   ### Are you willing to submit a PR?
   
   - [X] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@skywalking.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
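The workflow the request asks for, as an added example that is not part of the issue or of any SkyWalking repository: a GitHub Actions job that installs govulncheck and scans a Go module. The file path, action versions and cron schedule are assumptions; the job runs nightly and on dependency changes rather than on every pull request, so it surfaces newly published advisories without blocking unrelated contributions.

```yaml
# Hypothetical path: .github/workflows/govulncheck.yml in each Go repository.
name: govulncheck

on:
  # Nightly run: advisories are published without any change to our code,
  # so a scan triggered only by commits would miss them.
  schedule:
    - cron: '0 3 * * *'
  # Dependency changes alter the set of reachable vulnerable functions,
  # so check them before merge.
  pull_request:
    paths:
      - 'go.mod'
      - 'go.sum'
  # Allow maintainers to trigger a scan manually, e.g. after a new advisory.
  workflow_dispatch:

# Read-only token: the job only needs to check out the source.
permissions:
  contents: read

jobs:
  vulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-go@v4
        with:
          # Use the toolchain version the module itself declares.
          go-version-file: go.mod

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      # govulncheck builds the call graph and reports vulnerabilities in
      # functions the module actually reaches, so findings are actionable.
      # A non-zero exit fails the job when such a vulnerability is found.
      - name: Scan module and dependencies
        run: govulncheck ./...
```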


[GitHub] [skywalking] wu-sheng closed issue #10482: [Feature] [Golang] Add support for govulncheck in github actions for Go apps.

Posted by "wu-sheng (via GitHub)" <gi...@apache.org>.
wu-sheng closed issue #10482: [Feature] [Golang] Add support for govulncheck in github actions for Go apps.
URL: https://github.com/apache/skywalking/issues/10482




[GitHub] [skywalking] wu-sheng commented on issue #10482: [Feature] [Golang] Add support for govulncheck in github actions for Go apps.

Posted by "wu-sheng (via GitHub)" <gi...@apache.org>.
wu-sheng commented on issue #10482:
URL: https://github.com/apache/skywalking/issues/10482#issuecomment-1454521098

   Moving to discussion.




[GitHub] [skywalking] Superskyyy commented on issue #10482: [Feature] [Golang] Add support for govulncheck in github actions for Go apps.

Posted by "Superskyyy (via GitHub)" <gi...@apache.org>.
Superskyyy commented on issue #10482:
URL: https://github.com/apache/skywalking/issues/10482#issuecomment-1454480616

   Dependabot can only search for vulnerabilities in declared dependencies in the repository, right? (We do have Dependabot working in the security tab.) If so, then this is a great addition to cover our own code through static analysis.




[GitHub] [skywalking] wu-sheng commented on issue #10482: [Feature] [Golang] Add support for govulncheck in github actions for Go apps.

Posted by "wu-sheng (via GitHub)" <gi...@apache.org>.
wu-sheng commented on issue #10482:
URL: https://github.com/apache/skywalking/issues/10482#issuecomment-1454520626

   Dependabot is working, activated by ASF Infra. We also have Sonatype set up for Java.
   
   https://lift.sonatype.com/results/github.com/apache/skywalking/01GK31R4GXW0Y7JZS3BWY047YG?tab=bom-dr
   
   
   What is the additional value of this?
   CVEs should be scanned and reported in private if possible.
   If we add it to CI, we would have to force other contributors to fix things that may not be related to them.

