From 7bc65031c47db244287bbb2424871ec9d8617312 Mon Sep 17 00:00:00 2001
From: Lenin Alevski
Date: Mon, 7 Mar 2022 14:47:07 -0800
Subject: [PATCH] Nancy vulnerability dependency scanner (#1676)
Signed-off-by: Lenin Alevski
---
 .github/workflows/jobs.yaml | 43 +++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
diff --git a/.github/workflows/jobs.yaml b/.github/workflows/jobs.yaml
index 11fd93bd2..23923ab38 100644
--- a/.github/workflows/jobs.yaml
+++ b/.github/workflows/jobs.yaml
@@ -39,6 +39,37 @@ jobs:
 run: |
 make verifiers
+ vulnerable-dependencies-checks:
+ name: "Check for vulnerable dependencies"
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ go-version: [ 1.17.x ]
+ os: [ ubuntu-latest ]
+ steps:
+ - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ matrix.go-version }}
+ id: go
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@v2
+
+ - name: Build on ${{ matrix.os }}
+ continue-on-error: false
+ if: matrix.os == 'ubuntu-latest'
+ env:
+ CGO_ENABLED: 0
+ GO111MODULE: on
+ run: |
+ sudo apt install jq -y
+ sudo sysctl net.ipv6.conf.all.disable_ipv6=0
+ sudo sysctl net.ipv6.conf.default.disable_ipv6=0
+ nancy_version=$(curl --retry 10 -Ls -o /dev/null -w "%{url_effective}" https://github.com/sonatype-nexus-community/nancy/releases/latest | sed "s/https:\/\/github.com\/sonatype-nexus-community\/nancy\/releases\/tag\///")
+ curl -L -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/${nancy_version}/nancy-${nancy_version}-linux-amd64 && chmod +x nancy
+ go list -deps -json ./... | jq -s 'unique_by(.Module.Path)|.[]|select(has("Module"))|.Module' | ./nancy sleuth
+
 no-warnings-and-make-assets:
 name: "React Code Has No Warnings and then Make Assets"
 runs-on: ${{ matrix.os }}
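Review bot: The `Build on ${{ matrix.os }}` step resolves `nancy_version` from the `releases/latest` redirect at run time and executes the downloaded binary with no integrity check, so the scanner that every later job waits on (the `- vulnerable-dependencies-checks` entries added to what look like `needs:` lists in the remaining hunks) is whatever that URL serves on the day; pin `nancy_version` to a fixed release and verify the file's sha256 against the release's published checksum before `chmod +x`. The download also uses `curl -L` without `-f`, so an HTTP error page (or an empty version from a failed redirect lookup, which yields a malformed URL) is saved as `./nancy` and only fails at exec time. With no `shell:` key the script runs under GitHub's default `bash -e` without `pipefail`, so a failing `go list` or `jq` hands nancy an empty module list instead of failing the step — presumably a silent pass, worth confirming against nancy's behaviour on empty input; `set -euo pipefail` at the top closes this, and the pinned, checksum-verified download is sketched below. Minor: `continue-on-error: false` is the default, `if: matrix.os == 'ubuntu-latest'` is redundant with a single-value `os` matrix, and `actions/setup-go@v2` / `actions/checkout@v2` are mutable tags that the same supply-chain argument would pin to commit SHAs.
```yaml
      - name: Build on ${{ matrix.os }}
        # … unchanged: continue-on-error / if / env …
        run: |
          set -euo pipefail
          sudo apt install jq -y
          # … unchanged: sysctl lines …
          # Pinned release and its published sha256 (placeholders); bump both deliberately.
          nancy_version="<PINNED_NANCY_RELEASE_TAG>"
          nancy_sha256="<SHA256_FROM_THE_NANCY_RELEASE_CHECKSUMS>"
          curl -fsSL --retry 10 -o nancy "https://github.com/sonatype-nexus-community/nancy/releases/download/${nancy_version}/nancy-${nancy_version}-linux-amd64"
          echo "${nancy_sha256}  nancy" | sha256sum -c -
          chmod +x nancy
          # … unchanged: go list | jq | ./nancy sleuth …
```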
@@ -132,6 +163,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -168,6 +200,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -204,6 +237,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -240,6 +274,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -276,6 +311,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -312,6 +348,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -348,6 +385,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -384,6 +422,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -428,6 +467,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ubuntu-latest
 strategy:
@@ -495,6 +535,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -511,6 +552,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -583,6 +625,7 @@ jobs:
 - lint-job
 - no-warnings-and-make-assets
 - reuse-golang-dependencies
+ - vulnerable-dependencies-checks
 runs-on: ${{ matrix.os }}
 strategy:
 matrix: