
Commit 65b8657

V5.4 fix vulnerabilities (#3654)
* Fix vulnerabilities found by govulncheck * add govulncheck action to the branch * backport e2e-test fix
1 parent 7428895 commit 65b8657


5 files changed

+38
-7
lines changed


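--- a/.github/workflows/e2e-tests.yaml
+++ b/.github/workflows/e2e-tests.yaml
@@ -75,6 +75,7 @@ jobs:
 
 - name: package cleanup
 uses: bots-house/ghcr-delete-image-action@v1.1.0
+continue-on-error: true # action doesn't fail when this step fails
 if: ${{ github.actor != 'dependabot' }}
 with:
 owner: nuts-foundation
@@ -85,6 +86,7 @@ jobs:
 
 - name: package cleanup dependabot
 uses: bots-house/ghcr-delete-image-action@v1.1.0
+continue-on-error: true # action doesn't fail when this step fails
 if: ${{ github.actor == 'dependabot' }}
 with:
 owner: nuts-foundation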
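Review bot: `continue-on-error: true` on both cleanup steps (new lines 78 and 89) hides every failure of the delete action, including an expired or under-scoped token, so leftover e2e images can accumulate in the registry without anyone noticing. The inline comment also reads ambiguously; something like `# best-effort cleanup: a failure here must not fail the workflow` states the intent. Since this third-party action deletes packages and is referenced by tag (`@v1.1.0`), pinning it to a commit SHA would be worth considering; the `with:` block continues past both hunks, so the credentials it receives are not visible here.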

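--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -0,0 +1,27 @@
+# "Govulncheck reports known vulnerabilities that affect Go code.
+# It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application."
+#
+# For more information see https://go.dev/blog/vuln and https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+name: 'govulncheck'
+
+on:
+push:
+branches:
+- 'master'
+- 'V*'
+pull_request:
+# The branches below must be a subset of the branches above
+branches:
+- 'master'
+- 'V*'
+
+jobs:
+govulncheck_job:
+runs-on: ubuntu-latest
+name: Run govulncheck
+steps:
+- id: govulncheck
+uses: golang/govulncheck-action@v1
+with:
+go-version-input: 'stable'
+go-package: ./...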
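Review bot: `go-version-input: 'stable'` runs the scan with the newest Go release rather than the toolchain the image is built with (`golang:1.23.4-alpine` in the Dockerfile), so a standard-library vulnerability fixed after 1.23.4 would not be reported even though the shipped binary contains it. Pinning the scan to the build toolchain, e.g. `go-version-input: '1.23.4'`, or reading it from go.mod through the action's `go-version-file` input, keeps the result meaningful for what is released. The workflow also triggers only on `push` and `pull_request`, so advisories published after the last push to a `V*` branch are not picked up unless a scheduled run exists elsewhere; a `schedule:` trigger would cover that. An explicit job-level `permissions:` block limited to `contents: read` would keep the token minimal for the tag-pinned `golang/govulncheck-action@v1`.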

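--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # golang alpine
-FROM golang:1.21.5-alpine as builder
+FROM golang:1.23.4-alpine as builder
 
 ARG TARGETARCH
 ARG TARGETOS
@@ -25,12 +25,11 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-w -s -X 'github.com/nuts-foundation/nuts-node/core.GitCommit=${GIT_COMMIT}' -X 'github.com/nuts-foundation/nuts-node/core.GitBranch=${GIT_BRANCH}' -X 'github.com/nuts-foundation/nuts-node/core.GitVersion=${GIT_VERSION}'" -o /opt/nuts/nuts
 
 # alpine
-FROM alpine:3.18.2
+FROM alpine:3.21.2
 RUN apk update \
 && apk add --no-cache \
 tzdata \
-curl \
-&& update-ca-certificates
+curl
 COPY --from=builder /opt/nuts/nuts /usr/bin/nuts
 
 HEALTHCHECK --start-period=30s --timeout=5s --interval=10s \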
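Review bot: With `&& update-ca-certificates` dropped from the runtime stage's `RUN`, the image's TLS trust store is whatever `alpine:3.21.2` and curl's dependencies happen to provide; nothing in this stage installs `ca-certificates` explicitly. If the node, or operators adding a private CA, depend on that package, list it in the `apk add` and say why in a comment such as `# ca-certificates: system roots for outbound TLS`. Separately, `apk update` is redundant before `apk add --no-cache` and leaves the package index in the layer, so the first line can become `RUN apk add --no-cache \`. Both base images are pinned by tag only; adding the `@sha256:` digest would make the rebuilt image reproducible. The stage continues past the hunk (the HEALTHCHECK line is cut), so USER and ENTRYPOINT are not visible here.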

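--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,8 @@
 module github.com/nuts-foundation/nuts-node
 
-go 1.21
+// This is the minimal version, the actual go version is determined by the images in the Dockerfile
+// This version is used in automated tests such as the 'Scheduled govulncheck' action
+go 1.23.4
 
 require (
 github.com/alicebob/miniredis/v2 v2.33.0
@@ -98,7 +100,7 @@ require (
 github.com/gobwas/pool v0.2.1 // indirect
 github.com/gobwas/ws v1.3.2 // indirect
 github.com/goccy/go-json v0.10.2 // indirect
-github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 github.com/golang-sql/sqlexp v0.1.0 // indirect
 github.com/golang/snappy v0.0.4 // indirect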

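--- a/go.sum
+++ b/go.sum
@@ -240,8 +240,9 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=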
