
build: Makefile: add Go vulnerability checker

Open odeke-em opened this issue 3 years ago • 4 comments

Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably.

odeke-em avatar Nov 26 '22 00:11 odeke-em

I am curious what overlaps it has with https://github.com/actions/dependency-review-action? We have this one in CI already.

julienrbrt avatar Nov 26 '22 09:11 julienrbrt

Could you touch on what this does? Do we need to add it to CI? Git hook?

@tac0turtle it uses Go's new vulnerability scanner to check for packages that are reported as vulnerable from a bunch of crowd-sourced public vulnerability databases. It was announced for Go 1.19 at https://go.dev/blog/vuln and there is a listing of vulnerabilities in https://pkg.go.dev/vuln/ -- it helps us scalably catch vulnerable code in supply chains. We shall need it in CI so that if, for example, a vulnerable unaudited downstream dependency is introduced, it'll fail loudly.

> I am curious what overlaps it has with https://github.com/actions/dependency-review-action? We have this one in CI already.

@julienrbrt I believe that tagged GitHub action is a subset of what this new change does. That tagged GitHub action requires us to have a license to GitHub Advanced Security, and it just checks from declared GHSAs, which we have; the Go vulnerability checker reads from more diverse sources than just GHSA, e.g. it reads from the National Vulnerability Database (NVD) as well, where the majority of CVEs are reported directly. Please see this infographic from the website.


odeke-em avatar Nov 26 '22 23:11 odeke-em

I think this is a great addition! However, I doubt engineers will remember to run the cmd so I recommend including it in a CI action as @tac0turtle mentioned

fedekunze avatar Nov 27 '22 10:11 fedekunze

> Govulncheck exits successfully (exit code 0) if there are no vulnerabilities, and exits unsuccessfully if there are. It also exits successfully if -json flag is provided, regardless of the number of detected vulnerabilities.

https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck

This means we can simply add make vulncheck here: https://github.com/cosmos/cosmos-sdk/blob/main/.github/workflows/dependencies-review.yml

julienrbrt avatar Dec 01 '22 12:12 julienrbrt
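One way to wire govulncheck into the build, shown here as an added example rather than the diff from this PR or the project's actual Makefile: the `vulncheck` target below is what a CI step such as the `make vulncheck` julienrbrt proposes would invoke, and listing it as a prerequisite of `all` makes a plain `make` fail on a reported vulnerability. The `GOVULNCHECK_VERSION` variable and the `build` and `lint` prerequisites are assumptions for illustration.

```makefile
# Added example, not the cosmos-sdk Makefile or the PR's own diff: a vulncheck
# target wired into `all` so the scan runs on every full build; a CI step would
# invoke the same target with `make vulncheck`.
# Assumptions: the variable name and the `build` / `lint` prerequisites are
# illustrative. Recipe lines must be indented with a tab.

# Pin govulncheck to a tagged release in real use so CI runs are reproducible;
# `latest` is used here only so the example works without choosing a version.
GOVULNCHECK_VERSION ?= latest

# `go run pkg@version` fetches and runs the tool without adding it to go.mod.
# No `-json` flag: with -json govulncheck always exits 0, so a build gate has to
# use the default text mode to get a non-zero exit status on findings.
vulncheck:
	@echo "--> Running govulncheck"
	@go run golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION) ./...

# With vulncheck as a prerequisite of `all`, `make` (and `make all`) fails when
# govulncheck reports a vulnerability that affects the scanned code, whether
# it was introduced in this module or pulled in through a dependency.
all: build lint vulncheck

build:
	@go build ./...

lint:
	@go vet ./...

.PHONY: all build lint vulncheck
```

Running the same target from the workflow keeps the local and CI checks identical, so a developer who runs `make` before pushing sees the same failure the CI job would report.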

[Cosmos SDK - Rosetta] Kudos, SonarCloud Quality Gate passed!

- Bugs: 0 (rating A)
- Vulnerabilities: 0 (rating A)
- Security Hotspots: 0 (rating A)
- Code Smells: 0 (rating A)
- No coverage information
- No duplication information

sonarqubecloud[bot] avatar Dec 02 '22 11:12 sonarqubecloud[bot]