From 5998980787d73895b6523d573c809ea76264720e Mon Sep 17 00:00:00 2001
From: shahar-h
Date: Thu, 5 Sep 2024 16:43:28 +0300
Subject: [PATCH] ci: fix osv vulnerability and license scans and add license overrides (#4157)
* ci: fix osv vulnerability and license scans
Signed-off-by: Shahar Harari
* fix lint issue
Signed-off-by: Shahar Harari
* unknown -> unidentified
Signed-off-by: Shahar Harari
* revert collect.go
Signed-off-by: Shahar Harari
* revert go.mod and go.sum
Signed-off-by: Shahar Harari
---------
Signed-off-by: Shahar Harari
---
.github/workflows/license-scan.yml | 6 +-
.github/workflows/osv-scanner.yml | 6 +-
osv-scanner.toml | 122 +++++++++++++++++++++++++++++
tools/osv-scanner/config.toml | 3 -
4 files changed, 130 insertions(+), 7 deletions(-)
create mode 100644 osv-scanner.toml
delete mode 100644 tools/osv-scanner/config.toml
diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml
index a754e0130fd..8be0962d2a1 100644
--- a/.github/workflows/license-scan.yml
+++ b/.github/workflows/license-scan.yml
@@ -20,8 +20,12 @@ jobs:
 - name: Run scanner
 uses: google/osv-scanner-action/osv-scanner-action@678a866dcba398c8ed0124a09928d250f187b52a # v1.8.4
 with:
+ # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved
 scan-args: |-
 --skip-git
 --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib
+ --no-call-analysis=go
 ./
- continue-on-error: true # TODO remove once all issues are resolved
+ # TODO remove once github.com/hashicorp/go-getter gets license exception in CNCF or removed from the project
+ # See https://github.com/cncf/foundation/issues/624
+ continue-on-error: true
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
index 0ca78e136d0..6810220c670 100644
--- a/.github/workflows/osv-scanner.yml
+++ b/.github/workflows/osv-scanner.yml
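Review bot: `continue-on-error: true` at the end of the hunk keeps the license scan non-blocking for every failure, not only the github.com/hashicorp/go-getter case the new TODO documents, so a newly added dependency with a disallowed license, or a scanner crash, passes CI unnoticed until someone reads the step log. The TODO should say so explicitly, e.g. `# NOTE: while continue-on-error is set, new disallowed licenses do not fail CI; review this step's log on every dependency bump`. A narrower alternative, if project policy allows it, is to record the pending exception as a PackageOverride in osv-scanner.toml with a reason pointing at cncf/foundation#624 and make the step blocking again, so that only the documented package is exempt. The step this hunk belongs to starts outside the hunk.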
@@ -26,9 +26,9 @@ jobs:
 scan-args: |-
 --skip-git
 --recursive
- ./
 --config
 tools/osv-scanner/config.toml
+ ./
 scan-pr:
 if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
@@ -38,9 +38,9 @@ jobs:
 contents: read
 security-events: write
 with:
+ # TODO enable call analysis once https://github.com/google/osv-scanner/issues/1220 is resolved
 scan-args: |-
 --skip-git
 --recursive
+ --no-call-analysis=go
 ./
- --config
- tools/osv-scanner/config.toml
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 00000000000..e338d0da1b9
--- /dev/null
+++ b/osv-scanner.toml
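Review bot: In the first hunk (@@ -26,9) the `--config` and `tools/osv-scanner/config.toml` lines are context rather than removals — the counts -26,9 +26,9 and the second hunk starting at line 38 only add up if `./` alone is removed and re-added after them — so the scheduled scan still passes `--config tools/osv-scanner/config.toml`, a file this commit deletes, and that job will presumably fail on the missing config or never see the new osv-scanner.toml. Those two lines should be removed as the second hunk does for scan-pr, leaving `--skip-git`, `--recursive`, `./`. The second hunk also adds `--no-call-analysis=go` only to scan-pr; if the problem tracked in osv-scanner issue 1220 affects scheduled runs as well, the scheduled job needs the same flag. Separately, without `--config` osv-scanner looks for an osv-scanner.toml beside each lockfile it finds, so with `--recursive` the root file's ignores and overrides would not apply to go.mod files in subdirectories, should the repository have any; passing `--config osv-scanner.toml` explicitly in both jobs keeps one policy for the whole tree.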
@@ -0,0 +1,122 @@
+[[IgnoredVulns]]
+id = "GO-2022-0646"
+reason = "No a real issue, just a warning about third party package."
+
+[[PackageOverrides]]
+name = "github.com/AdaLogics/go-fuzz-headers"
+version = "0.0.0-20230811130428-ced1acdcaa24"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license since package version is missing in pkg.go.dev"
+
+[[PackageOverrides]]
+name = "github.com/asaskevich/govalidator"
+version = "0.0.0-20230301143203-a9d515a09cc2"
+ecosystem = "Go"
+license.override = ["MIT"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/87 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/containers/storage"
+version = "1.55.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/104 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/distribution/distribution/v3"
+version = "3.0.0-beta.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/105 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/docker/go-metrics"
+version = "0.0.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/go-sql-driver/mysql"
+version = "1.8.1"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/errwrap"
+version = "1.1.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-cleanhttp"
+version = "0.5.2"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-multierror"
+version = "1.1.1"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-version"
+version = "1.7.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/hcl"
+version = "1.0.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/moby/patternmatcher"
+version = "0.6.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/106 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/opencontainers/go-digest"
+version = "1.0.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/shoenig/go-m1cpu"
+version = "0.1.6"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx"
+
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+license.override = ["BSD-3-Clause"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/grafana/tempo"
+version = "1.5.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package is only used in e2e tests so we can ignore its license"
\ No newline at end of file
diff --git a/tools/osv-scanner/config.toml b/tools/osv-scanner/config.toml
deleted file mode 100644
index 873ec8599d9..00000000000
--- a/tools/osv-scanner/config.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[[IgnoredVulns]]
-id = "GO-2022-0646 "
-reason = "No a real issue, just a warning about third party package."
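Review bot: The `[[IgnoredVulns]]` entry for GO-2022-0646 at the top of the new file suppresses the advisory indefinitely, and its reason names neither the affected package nor why the finding does not apply, so the suppression cannot be re-audited later without redoing the analysis. osv-scanner accepts an `ignoreUntil` date on these entries; adding one, e.g. `ignoreUntil = 2025-03-10` (example date, pick the next review date), together with a reason like `Not a real issue: warning-only advisory about a third-party package, re-check on next review` forces a periodic re-evaluation (the current text also reads "No a real issue"). The github.com/grafana/tempo entry at the end overrides the license to Apache-2.0 without stating the package's actual license, unlike the MPL-2.0 entries, so the scan report now asserts a license that the recorded reason does not justify; the reason should name the real license so the override stays auditable. The `stdlib` entry carries no `version`, so it applies to every Go toolchain version, which is probably intended for a license-only override but is worth stating in its reason. The repeated comment typo "licnese" is also worth fixing while here.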