Automation to scan all release branches/tags for gomod (CVE) #1430

Open
dfarrell07 opened this issue Oct 18, 2023 · 1 comment

To quickly and reliably determine if we're impacted by a CVE, we need to be able to check all repos, at all release tags and at the tip of all release branches.

I think the best way to determine this is with go mod graph. That shows all direct and indirect dependencies, and why they are needed.

skitt commented Oct 19, 2023

For security analysis, go mod graph can be misleading, notably because it includes all test dependencies. For accurate analysis, it’s better to list the modules present in our binaries (go version -m path/to/binary, on binaries built without upx).
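An added example that is not part of the issue or the project's code, combining the two approaches discussed above: it walks `go mod graph` output to report why an affected module version is required (including through test-only dependencies), and reads `go version -m` output to see which version a built binary actually links. Both inputs are constructed samples; the module names, versions and the assumed fixed version are made up.

```python
from collections import deque
# Constructed `go mod graph` output: module names and versions are made up for this example.
GO_MOD_GRAPH = """\
example.com/app example.org/netlib@v0.7.0
example.com/app example.org/lib@v1.2.0
example.org/lib@v1.2.0 example.org/netlib@v0.7.0
example.com/app example.org/testkit@v1.8.0
example.org/testkit@v1.8.0 example.org/netlib@v0.3.0
"""
# Constructed `go version -m` output for a binary built from example.com/app (tab-separated).
GO_VERSION_M = """\
bin/app: go1.21.3
\tdep\texample.org/lib\tv1.2.0\th1:AAAA
\tdep\texample.org/netlib\tv0.7.0\th1:BBBB
"""

def parse_graph(text):
    """Map each node ('mod' or 'mod@ver') to the nodes it requires."""
    edges = {}
    for parent, child in (line.split() for line in text.splitlines() if line.strip()):
        edges.setdefault(parent, []).append(child)
    return edges

def version_key(ver):
    """Sortable tuple for 'vX.Y.Z[-pre]'; a pre-release sorts before its release."""
    core, _, pre = ver.lstrip("v").partition("-")
    return tuple(int(p) for p in core.split(".")) + ((0, pre) if pre else (1, ""))

def require_chains(edges, root, module, fixed_in):
    """One require-chain from root to each version of `module` older than fixed_in (the 'why')."""
    chains, queue, seen = [], deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        mod, _, ver = path[-1].partition("@")
        if mod == module and version_key(ver) < version_key(fixed_in):
            chains.append(path)
            continue  # the affected module is the end of the chain
        for child in edges.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return chains

def binary_deps(text):
    """Module versions actually linked into a binary, from `go version -m` 'dep' lines."""
    rows = [line.split("\t") for line in text.splitlines()]
    return {f[2]: f[3] for f in rows if len(f) >= 4 and f[1] == "dep"}
```

With the sample data, the graph walk reports a chain to netlib@v0.3.0 only through the test-only module, while the binary links netlib@v0.7.0; the binary's module list is the one that decides exposure.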
