tools: Add ability to filter `govulncheck` output
Closes https://gitlab.com/gitlab-org/gitaly/-/issues/5968

`govulncheck` inspects Go dependencies for known vulnerabilities. We invoke it in the `vulnerability` CI job which runs in pipelines on the default branch. The job is designed to fail if vulns are detected. This is mostly desirable, unless the vuln is related to a dependency that the Gitaly team cannot directly update, such as the Go standard library. In these cases, a failing `vulnerability` job will continue to fail and block pipelines until our Go build images are updated, or the job is disabled completely (leaving us open to other vulns).

Introduce a filter which receives the human-readable output of the `govulncheck` tool, applies an ignore list, and allows the job to pass if necessary. An issue template has also been created to track the removal of vulns from the ignore list.
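
An added example, not Gitaly's implementation: an ignore-list filter over `govulncheck` text output that fails closed and reports ignore entries that no longer match. It assumes finding headers of the form `Vulnerability #N: GO-YYYY-NNNN`; `Filter`, `ExitCode`, `Result` and the sample IDs are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed finding header in govulncheck's text output: "Vulnerability #1: GO-0000-0001".
var header = regexp.MustCompile(`(?m)^[ \t]*Vulnerability #\d+: (GO-\d{4}-\d+)`)

// Constructed sample output with placeholder IDs; not taken from a real scan.
const sample = "Vulnerability #1: GO-0000-0001\n    Standard library\n" +
	"Vulnerability #2: GO-0000-0002\n    Module: example.com/dep\n"

// Result holds the reported IDs by outcome, plus ignore entries that matched nothing.
type Result struct{ Blocking, Ignored, Stale []string }

// Filter splits reported IDs into blocking and ignored, and lists stale ignore entries.
func Filter(output string, ignore []string) Result {
	seen := map[string]bool{}
	for _, id := range ignore {
		seen[id] = false
	}
	var r Result
	for _, m := range header.FindAllStringSubmatch(output, -1) {
		if _, ok := seen[m[1]]; ok {
			seen[m[1]] = true
			r.Ignored = append(r.Ignored, m[1])
		} else {
			r.Blocking = append(r.Blocking, m[1])
		}
	}
	for _, id := range ignore {
		if !seen[id] {
			r.Stale = append(r.Stale, id) // candidate for removal from the list
		}
	}
	return r
}

// ExitCode fails closed: a failed scan with no parsed finding still fails the job.
func ExitCode(r Result, scanExit int) int {
	if len(r.Blocking) > 0 || (scanExit != 0 && len(r.Ignored) == 0) {
		return 1
	}
	return 0
}

func main() {
	r := Filter(sample, []string{"GO-0000-0001", "GO-0000-0009"})
	fmt.Println(r.Blocking, r.Ignored, r.Stale, ExitCode(r, 3))
}
```

The `scanExit` check matters when the scanner fails for a reason other than a finding, or its output format changes: the filter then parses nothing and must not turn that into a passing job.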