Use govulncheck instead of nancy

2024-08-30 18:22:48 +00:00 · 2023-07-24 14:44:59 +10:00 · 2023-07-24 14:44:59 +10:00 · 72b071dbaa
commit 72b071dbaa
parent fd277973cd
3 changed files with 6 additions and 51 deletions
--- a/11
+++ b/11
@ -68,17 +68,10 @@ pipeline {
 				}
 			}
 		}
-		stage('Frontend') {
+		stage('Build') {
 			steps {
 				sh './scripts/ci/build-frontend'
-			}
-		}
-		stage('Backend') {
-			steps {
-				withCredentials([usernamePassword(credentialsId: 'oss-index-token', passwordVariable: 'NANCY_TOKEN', usernameVariable: 'NANCY_USER')]) {
-					sh './scripts/ci/test-backend'
-				}
-				// Build all the golang binaries
+				sh './scripts/ci/test-backend'
 				sh './scripts/ci/build-backend'
 				// Build the docker image used for testing below
 				sh '''docker build --pull --no-cache \\
--- a/backend/.nancy-ignore
+++ b/backend/.nancy-ignore
@ -1,37 +0,0 @@
-# If you need to ignore any of nancy's warnings add them
-# here with a reference to the package/version that
-# triggers them and rational for ignoring it.
-# pkg:golang/github.com/coreos/etcd@3.3.10
-# etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation
-CVE-2020-15115
-
-# pkg:golang/github.com/coreos/etcd@3.3.10
-# In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records
-CVE-2020-15136
-
-# pkg:golang/github.com/coreos/etcd@3.3.10
-# In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access
-CVE-2020-15114
-
-# pkg:golang/github.com/gorilla/websocket@1.4.0
-# Integer Overflow or Wraparound
-CWE-190
-
-# jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrict...
-CVE-2020-26160
-
-# https://ossindex.sonatype.org/vulnerability/sonatype-2021-1485
-sonatype-2021-1485
-
-# CWE-770: Allocation of Resources Without Limits or Throttling
-CVE-2022-41717
-CVE-2022-41723
-
-# CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
-CVE-2022-41723
-
-# CWE-20: Improper Input Validation
-CVE-2023-26125
-
-# CWE-494: Download of Code Without Integrity Check
-CVE-2023-29401
--- a/scripts/ci/test-backend
+++ b/scripts/ci/test-backend
@ -31,14 +31,13 @@ echo "  NOW:           $NOW"

 if [ "${1:-}" = "--inside-docker" ]; then
 	mkdir -p /workspace
-	echo -e "${BLUE}❯ ${CYAN}Nancy setup${RESET}"
+	echo -e "${BLUE}❯ ${CYAN}govulncheck setup${RESET}"
 	cd /workspace
-	# go get github.com/sonatype-nexus-community/nancy
-	cp /app/backend/go.mod /app/backend/go.sum /app/backend/.nancy-ignore .
+	cp /app/backend/go.mod /app/backend/go.sum .
 	go mod download

-	echo -e "${BLUE}❯ ${CYAN}Nancy testing${RESET}"
-	go list -json -m all | nancy sleuth --quiet --username "${NANCY_USER}" --token "${NANCY_TOKEN:-}"
+	echo -e "${BLUE}❯ ${CYAN}govulncheck testing${RESET}"
+	govulncheck ./...
 	rm -rf /workspace

 	echo -e "${BLUE}❯ ${CYAN}Testing backend code${RESET}"