Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(dep): Ignore known dependency failure in nancy #1378

Merged
merged 1 commit into from Sep 21, 2020
Merged

build(dep): Ignore known dependency failure in nancy #1378

merged 1 commit into from Sep 21, 2020
+15 −4

Conversation

sayboras
Copy link
Member

@sayboras sayboras commented Sep 20, 2020
edited

Currently nancy is always failed, and we seem to ignore it completely.
This reduces the value of having security scanning significantly.
Ideally, the underlying issue should be fixed, however it will require
long time for external collaboration.

This commit is to ignore two known dependency failures.

Signed-off-by: Tam Mach sayboras@yahoo.com

Note: ignoring any dependency must be consious choice.

@sayboras
build(dep): Ignore known dependency failure in nancy
bc0a228 
Currently nancy is always failed, and we seem to ignore it completely.
This reduces the value of having security scanning significantly.
Ideally, the underlying issue should be fixed, however it will require
long time for external collaboration.

This commit is to ignore two known dependency failures.

Signed-off-by: Tam Mach <sayboras@yahoo.com>
@sayboras sayboras marked this pull request as ready for review September 20, 2020 00:21
@sayboras sayboras requested a review from a team September 20, 2020 00:22
sayboras
sayboras commented Sep 20, 2020
View reviewed changes
.github/workflows/pr-extra.yml
- name: Run go list
run: go list -json -m all > go.list
- name: Nancy
uses: sonatype-nexus-community/nancy-github-action@master
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changed to github action as it's updated to the latest now, another benefit is that we don't need to mount volume for .nancy-ignore file.

sayboras
sayboras commented Sep 20, 2020
View reviewed changes
.nancy-ignore
@@ -0,0 +1,11 @@
# Skip for golang/golang.org/x/net@v0.0.0-20200904194848-62affa334b73
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

latest x/net package is still having some vulnerbilities

Nivl
Nivl approved these changes Sep 21, 2020
View reviewed changes
Copy link
Member

@Nivl Nivl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, Thanks!

@Nivl Nivl mentioned this pull request Sep 21, 2020
Merged
@sayboras sayboras merged commit ad26b68 into golangci:master Sep 21, 2020
@sayboras sayboras deleted the build/nancy branch September 21, 2020 03:14
@ldez ldez added the area: ci PR that update CI label Dec 7, 2020
@ldez ldez added this to the v1.32 milestone Mar 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Nivl Nivl Nivl approved these changes

Assignees
No one assigned
Labels
area: ci PR that update CI
Projects
None yet
Milestone
v1.32
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@sayboras @Nivl @ldez