Mender: MEN-5241

extend golang checks to catch dependency modifications


    Details

    • Type: Task
    • Status: Done
    • Priority: (None)
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: (none)
    • Sprint: MEN Sprint 151
    • Story Points: 5
    • Backlog: yes
    • Days in progress: 3

      Description

      This is a security issue.
      Because the Go dependencies are vendored into the repository, malicious changes can be introduced in the vendor folder, and they are very likely to be missed when reviewing a PR that touches dependencies (example PR here).
      This could be addressed by no longer vendoring the dependencies and relying only on the committed go.mod and go.sum files, but this task keeps the dependencies vendored as they are. Instead, it should add a check to the CI of our Go repositories that runs go mod tidy and go mod vendor and then verifies that git diff is empty, so that unexpected dependency changes are caught.

      Acceptance criteria:

      • Add this check to the `check-golang-static` file in mendertesting.
      • Some story points are allocated to account for issues in a few repositories when adding this, considering the different Go versions in use, etc.
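One way to implement the check described above, as an added example and not the mendertesting `check-golang-static` script itself. It assumes the repository commits `vendor/` (as the ticket says), that the files to watch are `go.mod`, `go.sum` and `vendor/`, and that `go` and `git` are on PATH when run in CI; the function names, the `--run` flag and the status sample used for the dry run are all constructed for this example.

```shell
#!/bin/sh
# Added example for MEN-5241, not the mendertesting check-golang-static script.
# Re-resolves the module graph and re-vendors it, then fails when any committed
# dependency file would change. Assumes the repository commits vendor/ (as the
# ticket describes) and that `go` and `git` are on PATH when run with --run.
set -eu

# Files whose drift means a dependency was modified outside go.mod/go.sum.
# (Assumed path list; adjust if a repository vendors differently.)
DEP_PATHS="go.mod go.sum vendor"

# dep_drift STATUS
#   STATUS is the output of `git status --porcelain -- $DEP_PATHS`.
#   Prints the affected paths (status columns stripped) and returns 1 when
#   anything changed; prints nothing and returns 0 when the tree is clean.
#   Pure text processing, so it can be checked without git or a Go checkout.
dep_drift() {
    status="$1"
    if [ -z "$status" ]; then
        return 0
    fi
    # Porcelain lines are "XY path"; the path starts at column 4. Untracked
    # files ("?? path") are included, which a plain `git diff` would miss.
    printf '%s\n' "$status" | cut -c4-
    return 1
}

# check_dependency_drift
#   The CI entry point: returns 0 when tidy+vendor leave the tree unchanged,
#   1 otherwise, after printing the drifted paths and the diff to stderr.
check_dependency_drift() {
    go mod tidy
    go mod vendor
    # `git status` rather than `git diff`, so files that `go mod vendor` newly
    # created under vendor/ are caught as well (they show up as '??').
    status=$(git status --porcelain -- $DEP_PATHS)
    if drifted=$(dep_drift "$status"); then
        echo "dependencies are consistent with go.mod/go.sum"
        return 0
    fi
    echo "ERROR: go mod tidy + go mod vendor changed committed dependency files:" >&2
    printf '%s\n' "$drifted" >&2
    git --no-pager diff -- $DEP_PATHS >&2
    return 1
}

case "${1:-}" in
    --run)
        check_dependency_drift
        ;;
    *)
        # No argument: show the detection on a constructed status sample
        # (not real repository state) so the output format can be seen offline.
        SAMPLE=$(printf ' M vendor/modules.txt\n?? vendor/github.com/example/dep/extra.go')
        echo "dry run on a constructed git status sample:"
        dep_drift "$SAMPLE" || echo "(a real run would fail the CI job here)"
        ;;
esac
```

Two things to keep in mind when wiring this into CI: `git status --porcelain` is used instead of a bare `git diff` because `go mod vendor` can create files that are not tracked yet, and `git diff` does not report untracked files; and the output of `go mod tidy` depends on the Go toolchain version, so the CI job must run the same Go version the repository's developers use, or the check will flag drift that no PR introduced. That second point is the "different Go versions" concern the ticket allocates story points for.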


            People

            Assignee:
            oleorhagen Ole Petter Orhagen
            Reporter:
            mzedel Manuel Zedel
            Votes:
            0
            Watchers:
            2

              Dates

              Created:
              Updated:
              Resolved:
