kubernetes / sig-security

Process documentation, non-code deliverables, and miscellaneous artifacts of Kubernetes SIG Security
Apache License 2.0

[govulncheck] Periodic Prow Job for `govulncheck` #100

Open PushkarJ opened 10 months ago

PushkarJ commented 10 months ago

Description

Run `govulncheck` periodically in its default mode (symbol level) on https://github.com/kubernetes/kubernetes for:

This will allow us to get a sense of newly identified vulnerabilities and help facilitate decisions on cherry picks.

Implementation Details

Create a new yaml file here: https://github.com/kubernetes/test-infra/tree/0e5705d1a7cfe4c0ba8e2518a15c26f8ebc1b66d/config/jobs/kubernetes/sig-security, named govulncheck-periodic.yaml, that looks something like this:

periodics:
  - interval: 6h
    name: check-dependency-stats-periodical
    decorate: true
    decoration_config:
      timeout: 5m
    extra_refs:
    - org: kubernetes
      repo: kubernetes
      base_ref: master
      path_alias: k8s.io/kubernetes
    spec:
      containers:
      - image: golang
        command:
        - /bin/bash
        args:
        - -c
        - |
          set -euo pipefail
          # ARTIFACTS is set by the Prow pod decoration; fall back to a temp dir elsewhere
          export WORKDIR=${ARTIFACTS:-${TMPDIR:-/tmp}}
          export PATH=$PATH:$GOPATH/bin
          mkdir -p "${WORKDIR}"
          pushd "$WORKDIR"
          go install golang.org/x/vuln/cmd/govulncheck@latest
          popd

          # the decorated job starts inside the k8s.io/kubernetes checkout at master;
          # govulncheck exits non-zero when it finds something, so keep going and fail at the end
          govulncheck -scan module ./... > "${WORKDIR}/head.txt" || true

          # derive the three most recent release branches from the current stable tag
          stable=$(curl -Ls https://dl.k8s.io/release/stable.txt)
          minorversion=$(echo "$stable" | cut -d. -f2)
          prevminorversion=$(expr "$minorversion" - 1)
          oldestminorversion=$(expr "$prevminorversion" - 1)

          b1="release-1.${minorversion}"
          b2="release-1.${prevminorversion}"
          b3="release-1.${oldestminorversion}"
          git reset --hard HEAD
          git checkout "$b1"
          govulncheck -scan module ./... > "${WORKDIR}/b1.txt" || true
          git reset --hard HEAD
          git checkout "$b2"
          govulncheck -scan module ./... > "${WORKDIR}/b2.txt" || true
          git reset --hard HEAD
          git checkout "$b3"
          govulncheck -scan module ./... > "${WORKDIR}/b3.txt" || true
          # fail the job if any branch produced findings (the result files live in WORKDIR, not in the repo root)
          for file in "${WORKDIR}"/*.txt; do if [ -s "$file" ]; then cat "${WORKDIR}"/*.txt; exit 1; fi; done
    annotations:
      testgrid-create-test-group: "true"
      testgrid-dashboards: sig-security-govulncheck-periodics
      description: Runs `govulncheck` periodically on master and supported release branches

Tips and Caveats

Parent: #95

Periodic Jobs:

https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-30
https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-29
https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-28
https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-1-27
https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-verify-master

Backport PRs

https://github.com/kubernetes/kubernetes/pull/124750
https://github.com/kubernetes/kubernetes/pull/124751

Links to Release branches script

https://github.com/kubernetes/kubernetes/blob/release-1.27/hack/verify-govulncheck.sh
https://github.com/kubernetes/kubernetes/blob/release-1.28/hack/verify-govulncheck.sh
https://github.com/kubernetes/kubernetes/blob/release-1.29/hack/verify-govulncheck.sh
https://github.com/kubernetes/kubernetes/blob/release-1.30/hack/verify-govulncheck.sh
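One way to turn the per-branch reports into the cherry-pick input the job is meant to feed, as an added example that is not from this issue or from the Kubernetes project: it assumes the branches are scanned with `govulncheck -json` (a stream of concatenated config/progress/osv/finding objects) rather than the plain-text files the job above writes, and the sample streams and GO-0000-* IDs are constructed placeholders.

```python
import json

# Constructed sample `govulncheck -json` streams for two branches (placeholder IDs,
# not real advisories). The real tool emits concatenated JSON objects, not JSON lines.
SAMPLE_REPORTS = {
    "master": (
        '{"config": {"scanner_name": "govulncheck", "scan_level": "module"}}\n'
        '{"finding": {"osv": "GO-0000-0002", "fixed_version": "v1.2.1",'
        ' "trace": [{"module": "example.com/lib", "version": "v1.2.0"}]}}\n'
    ),
    "release-1.30": (
        '{"finding": {"osv": "GO-0000-0001", "fixed_version": "v0.9.0", "trace": ['
        '{"module": "example.com/other", "package": "example.com/other", "function": "Parse"},'
        '{"module": "k8s.io/kubernetes", "package": "k8s.io/kubernetes/cmd/x", "function": "main"}]}}\n'
        '{"finding": {"osv": "GO-0000-0002", "trace": [{"module": "example.com/lib"}]}}\n'
    ),
}

def parse_findings(stream):
    """Return {osv_id: {"module", "fixed_version", "called"}} from one -json stream.
    "called" is True when a trace frame names a function (the vulnerable symbol is
    reachable); only the default symbol-level scan emits such frames."""
    decoder, findings, pos = json.JSONDecoder(), {}, 0
    while True:
        while pos < len(stream) and stream[pos].isspace():
            pos += 1
        if pos >= len(stream):
            return findings
        obj, pos = decoder.raw_decode(stream, pos)  # one object, however it is laid out
        finding = obj.get("finding")
        if not finding:  # config / progress / osv messages carry no per-branch result
            continue
        trace = finding.get("trace") or []
        entry = findings.setdefault(finding["osv"], {
            "module": trace[0].get("module", "") if trace else "",
            "fixed_version": finding.get("fixed_version", ""), "called": False})
        entry["called"] = entry["called"] or any(fr.get("function") for fr in trace)

def backport_candidates(reports):
    """reports: {branch: raw -json text}. Returns {osv_id: [branches]} for findings on a
    release branch that are absent on master, i.e. fixed at HEAD and awaiting a cherry pick."""
    per_branch = {b: parse_findings(t) for b, t in reports.items()}
    on_master = set(per_branch.get("master", {}))
    out = {}
    for branch, found in per_branch.items():
        for vid in found:
            if branch != "master" and vid not in on_master:
                out.setdefault(vid, []).append(branch)
    return {vid: sorted(v) for vid, v in out.items()}
```

A finding that is present on master as well as on every release branch is not a backport question but an open fix, so it is deliberately left out of the returned map.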

PushkarJ commented 10 months ago

/sig security architecture release /area dependency

ArkaSaha30 commented 10 months ago

/assign

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

PushkarJ commented 5 months ago

/remove-lifecycle stale

This is planned to be worked on soon

k8s-triage-robot commented 2 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

PushkarJ commented 1 month ago

Relevant slack conversation: https://kubernetes.slack.com/archives/C01CUSVMHPY/p1716151527074909

k8s-triage-robot commented 1 week ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

PushkarJ commented 1 week ago

Periodics are running for master / HEAD, v1.30, v1.29, v1.28 and v1.27. They are working for master, v1.30 and v1.29. Added a backport fix for v1.28: https://github.com/kubernetes/kubernetes/pull/125772 to maintain n-2 support of releases. Once that is merged and once the release team agrees whether a v1.27 backport is needed or not, we will be done with the work needed to close this issue :)

Big thanks to @ArkaSaha30 for taking this forward to where it is today!

PushkarJ commented 1 week ago

remove-lifecycle rotten

PushkarJ commented 1 week ago

/remove-lifecycle rotten