Update govulncheck workflow to scan source code #11482
Conversation
Changed govulncheck to run on all source files (./...) instead of the built binary. This fixes uploading to GitHub Code Scanning as the location data will be valid, so it will get accepted.
Pull Request Overview
Updates the govulncheck workflow to scan source code instead of binary mode to fix SARIF upload failures to GitHub Code Scanning. The issue was that binary mode scanning cannot provide source code line numbers required by GitHub Code Scanning.
- Removes binary build step and switches from binary mode to source code scanning
- Changes govulncheck command to scan `./...` (all packages) instead of the built binary
- Maintains the same SARIF output format for Code Scanning integration
Thank you for digging into this and that explanation! ❤️ Relates #11209
Given that explanation, I'm happy to give this a go to see how the changes work versus any concerns I originally had with this mode.
@@ -21,8 +21,7 @@ jobs: | |||
# See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes. | |||
- name: Check Go vulnerabilities | |||
run: | | |||
make | |||
go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary -format sarif bin/gh > gh.sarif | |||
go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -format sarif ./... > gh.sarif |
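Review bot: the `# See ...#hdr-Exit_codes` comment above this step still only documents exit codes, while the reason for dropping the `make` step and `-mode=binary` is that Code Scanning rejects SARIF results without source line locations; add a second comment line there saying that source mode (`./...`) is used so findings carry `physicalLocation` data, and that the scan now covers every package in the module rather than only the `bin/gh` binary, which is the scope question raised below. Keeping the govulncheck invocation pinned to the same commit hash as before is the right call.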
question: Do you have any concerns about the other `package main` executables within the `cli/cli` code base being included in the scan?
I think this was my only concern previously but it isn't the end of the world especially with this failing.
Good question. I guess I don't have any problems with scanning that code also. If it becomes a problem, we could filter it out of the SARIF 👍 As of now that code doesn't produce any alerts from running this on my machine.
Description
Our govulncheck workflow is failing to upload SARIF results to Code Scanning.
See a workflow run here
Explanation and solution
This is happening because we are scanning in binary mode. govulncheck is unable to deduce source code line numbers (`location`) from the binary. GitHub Code Scanning requires this line number information to accept a SARIF file, otherwise it cannot provide annotations directly on the vulnerable code.
The solution is to have govulncheck run on source files (`./...`) instead of the built binary in binary mode. This way, govulncheck can find the source code line numbers (`location`) and include them in the SARIF, making GitHub Code Scanning accept it.
See the `physicalLocation` object for additional reference on this requirement.
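The two points raised in this thread, the line-number requirement described above and the suggestion in the reply about filtering other `package main` executables out of the SARIF, as an added Python example that is not part of this pull request or of the cli/cli repository. It checks a govulncheck-style SARIF document before upload: every result must carry a `physicalLocation` with a `region.startLine`, and results under chosen path prefixes can be dropped. The SARIF document, its file paths and its rule IDs are constructed for the example and do not come from a real scan.

```python
"""Pre-upload sanity checks for a govulncheck SARIF file (added example).

1. results_missing_lines: results with no physicalLocation.region.startLine,
   which is what binary-mode output looks like and what Code Scanning rejects.
2. filter_results: drop results whose artifact URI sits under an excluded
   prefix, e.g. auxiliary package main directories we do not want to report on.
"""
import json
from typing import Iterable

# Constructed sample in SARIF 2.1.0 shape; paths and rule IDs are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "govulncheck"}},
        "results": [
            {   # source-mode style result: carries a line number
                "ruleId": "GO-EXAMPLE-0001",
                "message": {"text": "constructed finding in the main binary's code"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "pkg/example/example.go"},
                    "region": {"startLine": 42}}}],
            },
            {   # binary-mode style result: artifact known, no region/line
                "ruleId": "GO-EXAMPLE-0002",
                "message": {"text": "constructed finding without a line"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "bin/example"}}}],
            },
            {   # result in an auxiliary command we may choose to filter out
                "ruleId": "GO-EXAMPLE-0003",
                "message": {"text": "constructed finding in a helper tool"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "cmd/example-tool/main.go"},
                    "region": {"startLine": 7}}}],
            },
        ],
    }],
})


def _start_line(result: dict):
    """First physicalLocation.region.startLine of a result, or None if absent."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        line = phys.get("region", {}).get("startLine")
        if isinstance(line, int) and line > 0:
            return line
    return None


def _uri(result: dict) -> str:
    """First artifactLocation.uri of a result, or '' if absent."""
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            return uri
    return ""


def results_missing_lines(sarif_text: str) -> list:
    """Rule IDs of results that Code Scanning could not place on a source line."""
    doc = json.loads(sarif_text)
    missing = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            if _start_line(result) is None:
                missing.append(result.get("ruleId", "<no ruleId>"))
    return missing


def filter_results(sarif_text: str, excluded_prefixes: Iterable[str]) -> str:
    """Return SARIF text with results under any excluded URI prefix removed."""
    prefixes = tuple(excluded_prefixes)
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        run["results"] = [r for r in run.get("results", [])
                          if not _uri(r).startswith(prefixes)]
    return json.dumps(doc, indent=2)


def result_count(sarif_text: str) -> int:
    """Total number of results across all runs."""
    doc = json.loads(sarif_text)
    return sum(len(run.get("results", [])) for run in doc.get("runs", []))


if __name__ == "__main__":
    print("results without a startLine:", results_missing_lines(SAMPLE_SARIF))
    kept = filter_results(SAMPLE_SARIF, ["cmd/example-tool/"])
    print("results after filtering:", result_count(kept))
```

In a workflow the check would run between the govulncheck step and the upload step, failing the job (or dropping the offending results) when `results_missing_lines` is non-empty, so a bad SARIF is caught before Code Scanning rejects it.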