bump dependencies to fix govulncheck identified items #11
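# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Runs govulncheck against every Go module in the repository. Findings that
# govulncheck reports as "Fixed in: N/A" (no upstream fix available) are
# printed but do not fail the job; actionable findings and scans that did not
# complete do.
name: Go Vulnerability Check

on:
  push:
    branches:
      - main
      - "pull-request/[0-9]+"
    paths-ignore:
      - '**/*.md'
      - 'docs/**'
      - 'LICENSE'
      - '.github/ISSUE_TEMPLATE/**'
      - '.github/headers/**'
    tags:
      - 'v*'
  workflow_dispatch:
  schedule:
    # Daily run so advisories published after the last push are still caught.
    - cron: '0 6 * * *'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

# Workflow-level default for any job that does not declare its own block.
# The only job below declares its own, so the default stays read-only.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      # No step uses this yet (the report is only printed to the job log);
      # it is only needed if a SARIF upload step is added. Drop it otherwise.
      security-events: write
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: 'stable'
      - name: Install govulncheck
        # The actions are SHA-pinned but the scanner itself floats on @latest;
        # pinning to a tagged release (@vX.Y.Z) makes runs reproducible. The
        # vulnerability database is fetched live either way.
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck on all Go modules
        shell: bash
        run: |
          # -e is switched off on purpose (Actions enables it by default): the
          # exit status of govulncheck and grep is inspected here, not fatal.
          set +e
          set -uo pipefail

          # Print the module path from the "module <path>" line of a go.mod file.
          module_name() {
            awk '/^module[[:space:]]/ { print $2; exit }' "$1"
          }

          # Count lines in $1 containing the fixed string $2. grep -c prints 0
          # (and exits 1) when nothing matches, which is what we want captured.
          count_matches() {
            printf '%s\n' "$1" | grep -cF -- "$2"
          }

          # Discover go.mod files NUL-delimited so paths with spaces survive.
          # .git* directories are pruned by name; the previous `grep -v ".git"`
          # was an unanchored regex that also dropped any path containing
          # "<any char>git" (e.g. a "legit-tool" directory).
          mapfile -d '' -t go_mod_files < <(
            find . -name '.git*' -prune -o -type f -name go.mod -print0 | LC_ALL=C sort -z
          )

          if (( ${#go_mod_files[@]} == 0 )); then
            echo "No Go modules found in repository"
            exit 0
          fi

          failed_modules=()   # modules with actionable findings
          errored_modules=()  # modules whose scan did not complete
          total_modules=${#go_mod_files[@]}

          echo "🔍 Discovered Go modules:"
          for mod_file in "${go_mod_files[@]}"; do
            echo " - $(module_name "$mod_file") (path: ${mod_file%/*})"
          done
          echo ""
          echo "Running govulncheck on $total_modules module(s)..."
          echo ""

          for mod_file in "${go_mod_files[@]}"; do
            mod_dir=${mod_file%/*}
            mod_name=$(module_name "$mod_file")
            echo "Checking $mod_name (path: $mod_dir)..."

            # Capture both streams. govulncheck exits 0 when clean and 3 when it
            # found vulnerabilities; any other status means the scan itself did
            # not complete (build failure, vulnerability DB unreachable, ...).
            vuln_output=$(govulncheck -C "$mod_dir" ./... 2>&1)
            vuln_rc=$?

            if (( vuln_rc == 0 )); then
              echo "✅ $mod_name: No vulnerabilities found"
              echo ""
              continue
            fi

            if (( vuln_rc != 3 )); then
              # Fail closed: a scan that did not run must not count as clean,
              # and must not be mislabelled as "vulnerabilities detected".
              echo "❌ $mod_name: govulncheck did not complete (exit status $vuln_rc)"
              errored_modules+=("$mod_name")
              printf '%s\n' "$vuln_output" | head -20
              echo ""
              continue
            fi

            # Classification depends on govulncheck's text report, which prints
            # one "Fixed in: <version|N/A>" line per finding. If that format
            # changes, total_vulns becomes 0 and the module is failed below.
            total_vulns=$(count_matches "$vuln_output" 'Fixed in:')
            no_fix_vulns=$(count_matches "$vuln_output" 'Fixed in: N/A')
            actionable_vulns=$(( total_vulns - no_fix_vulns ))

            if (( total_vulns > 0 && actionable_vulns == 0 )); then
              echo "⚠️ $mod_name: Found $no_fix_vulns non-actionable vulnerability(ies) (no fixes available)"
              echo " Skipping as these vulnerabilities cannot be fixed at this time"
            elif (( no_fix_vulns > 0 )); then
              echo "❌ $mod_name: Found $actionable_vulns actionable vulnerability(ies) that need fixing"
              failed_modules+=("$mod_name")
            else
              echo "❌ $mod_name: Vulnerabilities detected"
              failed_modules+=("$mod_name")
            fi
            # Show the (truncated) report in the job log.
            printf '%s\n' "$vuln_output" | head -20
            echo ""
          done

          echo "=== SUMMARY ==="
          if (( ${#failed_modules[@]} == 0 && ${#errored_modules[@]} == 0 )); then
            echo "🎉 All $total_modules module(s) passed actionable vulnerability checks!"
            echo " (Non-actionable vulnerabilities with 'Fixed in: N/A' are ignored)"
            exit 0
          fi
          if (( ${#failed_modules[@]} > 0 )); then
            echo "🚨 Actionable vulnerabilities found in ${#failed_modules[@]} of $total_modules module(s):"
            printf ' - %s\n' "${failed_modules[@]}"
          fi
          if (( ${#errored_modules[@]} > 0 )); then
            echo "🚨 govulncheck did not complete in ${#errored_modules[@]} of $total_modules module(s):"
            printf ' - %s\n' "${errored_modules[@]}"
          fi
          echo ""
          echo "Please review and address the actionable vulnerabilities in the modules listed above."
          echo "Note: Vulnerabilities marked 'Fixed in: N/A' are ignored as they have no available fixes."
          exit 1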