
🌱 add osv-scanner config for correcting go version used #695

Open · wants to merge 1 commit into base: main

Conversation

tuminoid
Member

@tuminoid tuminoid commented Sep 25, 2024

Use an OSV scanner config that sets the Go version manually, instead of osv-scanner detecting it from go.mod, which is not the correct way for us. Taking the Go version from go.mod is not a user-friendly way of bumping Go, as it forces everyone downstream to use that Go version or newer, forcing unwanted toolchain bumps.

It also changes the reporter action to not fail if there are vulns: we want to get the vulns into the Security tab, and a failing scan should mean the scan action itself had an issue.

TODO items for later PRs:

  • release branch support (scheduled actions cannot target other branches directly)
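As an added example, not a file from this PR or from the metal3 project, here is the shape of an osv-scanner.toml that pins the Go version the scanner uses for standard-library advisory matching instead of reading it from go.mod. The `GoVersionOverride` key is assumed from osv-scanner's documented config format; the version string is a placeholder to be replaced with the toolchain CI actually builds with.

```toml
# Added example (not from the PR). Placed at the repository root as
# osv-scanner.toml so osv-scanner picks it up for every path it scans.
#
# Without this key, osv-scanner takes the Go version from the `go` directive
# in go.mod and matches stdlib advisories against that. With it, go.mod can
# keep a low minimum version for downstream consumers while the scanner
# checks the toolchain that is really used in CI, so stdlib findings reflect
# the binaries actually shipped rather than the declared minimum.
#
# "1.xx.y" is a placeholder, not a real version; keep it in sync with the
# Go toolchain used by the build jobs.
GoVersionOverride = "1.xx.y"
```

Because the override is read from the config file rather than from go.mod, bumping the scanned toolchain version becomes a one-line change in this file and does not alter the module's `go` directive, which is the property the PR description is after.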

@metal3-io-bot metal3-io-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Sep 25, 2024
@tuminoid
Member Author

/cc @kashifest
FYI

@metal3-io-bot metal3-io-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Sep 25, 2024
@metal3-io-bot metal3-io-bot added the needs-rebase Indicates that a PR cannot be merged because it has merge conflicts with HEAD. label Oct 16, 2024
@tuminoid tuminoid force-pushed the tuomo/add-gomod-fixes-to-osv-scanner branch from 570a9a1 to 9e6275e on November 11, 2024 06:30
@metal3-io-bot metal3-io-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed needs-rebase Indicates that a PR cannot be merged because it has merge conflicts with HEAD. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 11, 2024
@tuminoid tuminoid force-pushed the tuomo/add-gomod-fixes-to-osv-scanner branch from 9e6275e to 4022c4b on November 11, 2024 07:37
@Rozzii
Member

Rozzii commented Nov 11, 2024

/retest
Just testing Prow

@tuminoid tuminoid force-pushed the tuomo/add-gomod-fixes-to-osv-scanner branch 4 times, most recently from 8ac994a to 4a40b8c on November 12, 2024 07:51
@tuminoid tuminoid changed the title WIP: 🌱 add osv-scanner config for correcting go version used 🌱 add osv-scanner config for correcting go version used Nov 12, 2024
@metal3-io-bot metal3-io-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 12, 2024
Signed-off-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
@tuminoid tuminoid force-pushed the tuomo/add-gomod-fixes-to-osv-scanner branch from 4a40b8c to 257a719 on November 12, 2024 08:30
@tuminoid
Member Author

Removed test triggers etc.; this should be the final version. See the TODO for release branches, to be handled in some later PR.
/unhold

@metal3-io-bot metal3-io-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 12, 2024
@tuminoid
Member Author

/override metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main

@metal3-io-bot
Contributor

@tuminoid: Overrode contexts on behalf of tuminoid: metal3-centos-e2e-integration-test-main, metal3-ubuntu-e2e-integration-test-main

In response to this:

/override metal3-centos-e2e-integration-test-main metal3-ubuntu-e2e-integration-test-main

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tuminoid
Member Author

/cc @kashifest @lentzi90

Member

@lentzi90 lentzi90 left a comment

/approve

@metal3-io-bot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lentzi90

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@metal3-io-bot metal3-io-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 12, 2024