sig-security
[govulncheck] Periodic Prow Job for `govulncheck`
Description
Run govulncheck periodically in default mode (symbol level) on https://github.com/kubernetes/kubernetes for:
- master branch i.e. HEAD
- `release-1.<stable-version>`
- `release-1.<prev-stable-minor-version>`
- `release-1.<oldest-stable-minor-version>`
This will allow us to get a sense of newly identified vulnerabilities and help facilitate decisions on cherry picks.
Implementation Details
Create a new yaml file here: https://github.com/kubernetes/test-infra/tree/0e5705d1a7cfe4c0ba8e2518a15c26f8ebc1b66d/config/jobs/kubernetes/sig-security named govulncheck-periodic.yaml that looks something like this:

```yaml
periodics:
- interval: 6h
  # Name copied from the reference job linked below; the new job needs its own unique name.
  name: check-dependency-stats-periodical
  decorate: true
  decoration_config:
    timeout: 5m
  extra_refs:
  - org: kubernetes
    repo: kubernetes
    base_ref: master
    path_alias: k8s.io/kubernetes
  spec:
    containers:
    - image: golang
      command:
      - /bin/bash
      args:
      - -c
      - |
        set -euo pipefail
        # Write scan reports to the Prow artifacts directory when it is available.
        export WORKDIR=${ARTIFACTS:-${TMPDIR:-/tmp}}
        export PATH=$PATH:$(go env GOPATH)/bin
        mkdir -p "${WORKDIR}"
        pushd "$WORKDIR"
        go install golang.org/x/vuln/cmd/govulncheck@latest
        popd
        # govulncheck exits non-zero (3) when it reports vulnerabilities; record that
        # instead of letting `set -e` abort before the remaining branches are scanned.
        found=0
        scan() {
          govulncheck -scan module ./... > "${WORKDIR}/$1.txt" || found=1
        }
        scan head
        stable=$(curl -Ls https://dl.k8s.io/release/stable.txt)   # e.g. v1.30.2
        minorversion=$(echo "$stable" | cut -d. -f2)
        prevminorversion=$((minorversion - 1))
        oldestminorversion=$((prevminorversion - 1))
        b1="release-1.${minorversion}"
        b2="release-1.${prevminorversion}"
        b3="release-1.${oldestminorversion}"
        i=1
        for branch in "$b1" "$b2" "$b3"; do
          git reset --hard HEAD
          git fetch origin "$branch"   # extra_refs only guarantees base_ref is present locally
          git checkout FETCH_HEAD
          scan "b${i}"
          i=$((i + 1))
        done
        # Fail the job and surface every report if any branch had findings (or a scan failed).
        if [ "$found" -ne 0 ]; then cat "${WORKDIR}"/*.txt; exit 1; fi
  annotations:
    testgrid-create-test-group: "true"
    testgrid-dashboards: sig-security-govulncheck-periodics
    description: Runs `govulncheck` periodically on master and supported release branches
```
Tips and Caveats
- Check which directory the script is running in when any errors show up
- Use prow jobs like this one as reference: https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/check-dependency-stats-periodical/1696290069356220416 and https://prow.k8s.io/view/gs/kubernetes-jenkins/logs/ci-kubernetes-snyk-master/1696294096638840832
Parent: #95
/sig security architecture release /area dependency
/assign
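Added example, not part of this issue or of the test-infra job: a small Python triage helper for the per-branch reports the job produces. It assumes the scans are written with `govulncheck -json` rather than the text output used above (text output has no stable structure to diff), reads each stream of JSON messages, and reports which OSV ids affect master only versus the supported release branches, which is the cherry-pick question the description raises. The scan streams, OSV ids, modules and versions embedded below are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample of `govulncheck -json` output per branch: a stream of whitespace-separated
# JSON objects, some pretty-printed. OSV ids, modules and versions are placeholders.
SAMPLE_SCANS = {
    "master": '{"config": {"scan_mode": "module"}}\n'
              '{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/dep-a", "version": "v1.2.0"}]}}\n'
              '{"finding": {"osv": "GO-0000-0002", "fixed_version": "v0.9.0", "trace": [{"module": "example.com/dep-b", "version": "v0.8.0"}]}}',
    "release-1.30": '{\n  "finding": {\n    "osv": "GO-0000-0001",\n    "fixed_version": "v1.2.3",\n'
                    '    "trace": [{"module": "example.com/dep-a", "version": "v1.1.0"}]\n  }\n}',
    "release-1.29": '{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/dep-a", "version": "v1.1.0"}]}}',
}


def parse_findings(stream):
    """Map OSV id -> affected module info from one govulncheck -json stream."""
    decoder, pos, findings = json.JSONDecoder(), 0, {}
    while True:
        while pos < len(stream) and stream[pos].isspace():  # objects are only whitespace-separated
            pos += 1
        if pos >= len(stream):
            return findings
        msg, pos = decoder.raw_decode(stream, pos)
        finding = msg.get("finding")  # config/progress/osv messages are skipped
        if finding:  # in module scan mode the trace holds a single module-level frame
            frame = finding["trace"][0]
            findings.setdefault(finding["osv"], {
                "module": frame["module"], "version": frame["version"],
                "fixed_version": finding.get("fixed_version", ""),
            })


def triage(scans, release_branches):
    """Group findings by OSV id and list which supported release branches each one affects."""
    by_osv = defaultdict(dict)
    for branch, stream in scans.items():
        for osv, info in parse_findings(stream).items():
            by_osv[osv][branch] = info
    return {
        osv: {
            "branches": sorted(branches),
            # Findings on master alone need no cherry pick; those on release branches do.
            "cherry_pick_candidates": [b for b in release_branches if b in branches],
            "fixed_version": next(iter(branches.values()))["fixed_version"],
        }
        for osv, branches in by_osv.items()
    }
```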
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
This is planned to be worked on soon
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
Relevant slack conversation: https://kubernetes.slack.com/archives/C01CUSVMHPY/p1716151527074909
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
Periodics are running for master / HEAD, v1.30, v1.29, v1.28 and v1.27. They are working for master, v1.30 and v1.29. Added a backport fix for v1.28: https://github.com/kubernetes/kubernetes/pull/125772 to maintain n-2 support of releases. Once that is merged and once the release team agrees whether a v1.27 backport is needed or not, we will be done with the work needed to close this issue :)
Big thanks to @ArkaSaha30 for taking this forward to where it is today!
remove-lifecycle rotten
/remove-lifecycle rotten
With https://github.com/kubernetes/kubernetes/issues/125772 merged we can mark this issue as closed (complete)
Any future patch version upgrades to govulncheck do not need an issue, but for any minor (breaking only) or major version upgrade it is recommended to discuss it in an issue before opening a PR.
/close
@PushkarJ: Closing this issue.
In response to this:
> With https://github.com/kubernetes/kubernetes/issues/125772 merged we can mark this issue as closed (complete)
> Any future patch version upgrades to `govulncheck` do not need an issue, but for any minor (breaking only) or major version upgrade it is recommended to discuss it in an issue before opening a PR.
> /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.