kubernetes / sig-security

Process documentation, non-code deliverables, and miscellaneous artifacts of Kubernetes SIG Security
Apache License 2.0

[govulncheck] Pre-submit Prow Job for `govulncheck` #99

Closed PushkarJ closed 11 months ago

PushkarJ commented 1 year ago

## Description

Run `govulncheck` when a new PR is opened for go module changes to understand if the new changes are bringing in newer vulnerabilities than the ones affecting the main (master) branch.

## Implementation Details

```yaml
presubmits:
  kubernetes/kubernetes:
  - name: check-govulncheck-results
    decorate: true
    decoration_config:
      timeout: 5m
    path_alias: k8s.io/kubernetes
    extra_refs:
    - org: kubernetes
      repo: sig-security
      base_ref: main
      workdir: true
    always_run: false
    optional: true
    run_if_changed: '^(go.mod|go.sum|vendor)'
    spec:
      containers:
      - image: golang
        command:
        - /bin/bash
        args:
        - -c
        # literal block scalar: the script text is the single argument to `bash -c`
        - |
          cd sig-security-tooling/govulncheck/hack/ && ./govulncheck-presubmit.sh
    annotations:
      testgrid-create-test-group: "true"
      testgrid-dashboards: sig-security-govulncheck-presubmit
      description: Runs `govulncheck` for PRs related to go module changes
```

Add a new file `sig-security-tooling/govulncheck/hack/govulncheck-presubmit.sh` in https://github.com/kubernetes/sig-security

```bash
#!/usr/bin/env bash
set -euo pipefail

# Prow sets ARTIFACTS; fall back to TMPDIR (or /tmp) when run locally, so `set -u` does not trip.
export WORKDIR=${ARTIFACTS:-${TMPDIR:-/tmp}}
export PATH=$PATH:${GOPATH:-$(go env GOPATH)}/bin
mkdir -p "${WORKDIR}"
pushd "$WORKDIR"
go install golang.org/x/vuln/cmd/govulncheck@latest
popd

# govulncheck exits non-zero when it finds vulnerabilities; under `set -e` that would
# abort the job before the base-branch scan, so tolerate the exit code and keep the report.
govulncheck -scan module ./... > "${WORKDIR}/head.txt" || true
git reset --hard HEAD
git checkout -b base "${PULL_BASE_SHA}"
govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt" || true
# -s says so explicitly when the reports are identical; a non-zero exit on differences is expected.
diff -s -u --ignore-all-space "${WORKDIR}"/pr-base.txt "${WORKDIR}"/head.txt || true
```

## Tips and Caveats

## Parent Issue

#95

/sig security architecture
/area dependency security
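
As an added example (not from the issue or the sig-security repo), the same HEAD-versus-base comparison done on `govulncheck -json` output instead of the text report: a text diff also flags reordering and count changes, whereas comparing the set of findings reports only vulnerabilities newly reachable at HEAD. The JSON lines are constructed; the `osv`/`finding` message shape follows govulncheck's JSON output, and the IDs, modules and versions are made up.

```python
from __future__ import annotations
import json
from typing import Iterable

# Constructed samples of `govulncheck -json` output (newline-delimited JSON messages).
# IDs, modules and versions are invented; only the message shape is realistic.
BASE_OUTPUT = """\
{"config":{"protocol_version":"v1.0.0"}}
{"osv":{"id":"GO-0000-0001","summary":"constructed example A"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/lib-a","version":"v1.1.0"}]}}
"""

HEAD_OUTPUT = """\
{"config":{"protocol_version":"v1.0.0"}}
{"osv":{"id":"GO-0000-0001","summary":"constructed example A"}}
{"osv":{"id":"GO-0000-0002","summary":"constructed example B"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/lib-a","version":"v1.1.0"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v2.0.1","trace":[{"module":"example.com/lib-b","version":"v2.0.0"}]}}
"""


def findings(lines: Iterable[str]) -> dict[tuple[str, str], str]:
    """Map (osv_id, module) -> fixed_version for every finding in a govulncheck JSON stream."""
    result: dict[tuple[str, str], str] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        msg = json.loads(line)
        finding = msg.get("finding")
        if finding is None:  # config/progress/osv messages carry no reachability result
            continue
        # In module scan mode the trace has one frame: the vulnerable module itself.
        trace = finding.get("trace") or []
        module = trace[0].get("module", "") if trace else ""
        result[(finding["osv"], module)] = finding.get("fixed_version") or ""
    return result


def new_findings(base_output: str, head_output: str) -> list[tuple[str, str, str]]:
    """Findings present at HEAD but absent at the PR base, as (osv_id, module, fixed_version)."""
    base = findings(base_output.splitlines())
    head = findings(head_output.splitlines())
    return sorted((osv, mod, head[(osv, mod)]) for (osv, mod) in head.keys() - base.keys())


if __name__ == "__main__":
    for osv, module, fixed in new_findings(BASE_OUTPUT, HEAD_OUTPUT):
        print(f"NEW {osv} in {module} (fixed in {fixed or 'unknown'})")
```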

k8s-ci-robot commented 1 year ago

@PushkarJ: The label(s) area/security cannot be applied, because the repository doesn't have them.

In response to [this](https://github.com/kubernetes/sig-security/issues/99):

> ## Description
>
> Run `govulncheck` when a new PR is opened for go module changes to understand if the new changes are bringing newer vulnerabilities than the ones affecting main (master) branch.
>
> ## Implementation Details
>
> - Create a new yaml file here: https://github.com/kubernetes/test-infra/tree/0e5705d1a7cfe4c0ba8e2518a15c26f8ebc1b66d/config/jobs/kubernetes/sig-security named as `govulncheck-presubmit.yaml` that looks something like this:
>
> ```yaml
> presubmits:
>   kubernetes/kubernetes:
>   - name: check-govulncheck-results
>     decorate: true
>     decoration_config:
>       timeout: 5m
>     path_alias: k8s.io/kubernetes
>     extra_refs:
>     - org: kubernetes
>       repo: sig-security
>       base_ref: main
>       workdir: true
>     always_run: false
>     optional: true
>     run_if_changed: '^(go.mod|go.sum|vendor)'
>     spec:
>       containers:
>       - image: golang
>         command:
>         - /bin/bash
>         args:
>         - -c
>         - |
>           cd sig-security-tooling/govulncheck/hack/ && ./govulncheck-presubmit.sh
>     annotations:
>       testgrid-create-test-group: "true"
>       testgrid-dashboards: sig-security-govulncheck-presubmit
>       description: Runs `govulncheck` for PRs related to go module changes
> ```
>
> Add a new file `sig-security-tooling/govulncheck/hack/govulncheck-presubmit.sh` in https://github.com/kubernetes/sig-security
>
> ```bash
> set -euo pipefail
>
> export WORKDIR=$TMPDIR
> export PATH=$PATH:$GOPATH/bin
>
> mkdir -p "${WORKDIR}"
> pushd "$WORKDIR/kubernetes"
> go install golang.org/x/vuln/cmd/govulncheck@latest
> popd
>
> govulncheck -scan module ./... > "${WORKDIR}/head.txt"
> git reset --hard HEAD
> git checkout -b base "${PULL_BASE_SHA}"
> govulncheck -scan module ./... > "${WORKDIR}/pr-base.txt"
> diff -s -u --ignore-all-space "${WORKDIR}"/pr-base.txt "${WORKDIR}"/head.txt || true
> ```
>
> /sig security architecture
> /area dependency security

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

ArkaSaha30 commented 1 year ago

/assign