Closed zendern closed 4 years ago
I've been wanting to learn about Nancy so I can blog about it, and this might be a good chance. I don't know anything about your build process (github actions?), but would be happy to dig in and try to figure this out if there's not already WIP.
Doh! I will add a CI readme file immediately, that should shed some light on the build process. (Most other projects have one already)
see: https://github.com/sonatype-nexus-community/ahab/blob/master/.circleci/circleci-readme.md
Probably easier to run some of the CI commands individually, at least at the start.
One thing I like about CircleCI is the ability to locally "mimic" the whole build. It stubs out some things that can't be done locally, but a local build is helpful to find issues with shorter round-trips than doing full pushes every time.
That local build option is neato, reminds me of Concourse...very nice.
When adding nancy, we get two critical CVEs that fail the build. Should we go down the :rabbit: :hole: of getting those fixed up as part of this PR?
[1/2] pkg:golang/github.com/coreos/etcd@3.3.10
3 known vulnerabilities affecting installed version
[2/2] pkg:golang/golang.org/x/net@0.0.0-20190522155817-f3200d17e092
5 known vulnerabilities affecting installed version
Several are 7.5s. I can go get -u or whatever but that last one would seem to need newer go or pinning net somehow (not sure if replace can do that in go.mod).
@deadlysyn We solved an etcd issue with a replace directive in Nancy: https://github.com/sonatype-nexus-community/nancy/blob/main/go.mod#L40
The x/net should be cleared up by tomorrow. It's a data issue on our side. See Nancy Issue #189
Thanks for the guidance @bhamail
I'll get a PR going for this, seems fine now:
❯ circleci local execute -c .circleci/local-config.yml --job 'build'
...
====>> go get -u github.com/sonatype-nexus-community/nancy
#!/bin/bash -eo pipefail
go get -u github.com/sonatype-nexus-community/nancy
...
====>> go list -json -m all | nancy sleuth
#!/bin/bash -eo pipefail
go list -json -m all | nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                       ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies    ┃ 113 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 0   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛
Success!
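As an added example (not code from this issue or from the nancy project): a CI-style wrapper around the `go list -json -m all | nancy sleuth` step shown above, plus a helper that reads the "Vulnerable Dependencies" count out of nancy's summary table so the number can be reported separately from the pass/fail exit status. The output file name nancy-output.txt is an assumption.

```shell
#!/bin/bash
# Added example, not from the issue or the nancy project.

# Read nancy's box-drawn summary on stdin and print the integer from the
# "Vulnerable Dependencies" row. Prints "unknown" and returns 1 when the row
# is missing (e.g. nancy never produced a summary because go list failed).
vulnerable_count() {
  local line n
  while IFS= read -r line; do
    case "$line" in
      *"Vulnerable Dependencies"*)
        # Keep only ASCII digits; the box-drawing characters are dropped.
        n=$(printf '%s\n' "$line" | tr -cd '0-9')
        printf '%s\n' "${n:-unknown}"
        return 0
        ;;
    esac
  done
  printf 'unknown\n'
  return 1
}

# Run the audit exactly as the CI job does. pipefail matters here: without it
# a failing `go list` is masked by the pipeline's last command, and the step's
# result would depend on how nancy treats an empty module list rather than on
# the audit actually having run.
run_audit() {
  set -o pipefail
  go list -json -m all | nancy sleuth | tee nancy-output.txt   # assumed file name
  local status=$?
  echo "vulnerable dependencies: $(vulnerable_count < nancy-output.txt || true)"
  return "$status"
}

# Only run the real audit when invoked with --run, so the helper can be
# sourced and tested without nancy installed.
if [ "${1:-}" = "--run" ]; then
  run_audit
fi
```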
What are you trying to do? I mean, we should really be using nancy on this project since, well, it's a golang project :)
What feature or behavior is this required for? DOOOOGGGGFOOOODDINNNGGG IT :)
How could we solve this issue? (Not knowing is okay!) Add nancy to the build process of the project
cc @bhamail / @DarthHater / @ken-duck