Comments (6)
Doh! I will add a CI readme file immediately, that should shed some light on the build process. (Most other projects have one already)
from ahab.
I've been wanting to learn about Nancy so I can blog about it, and this might be a good chance. I don't know anything about your build process (github actions?), but would be happy to dig in and try to figure this out if there's not already WIP.
from ahab.
see: https://github.com/sonatype-nexus-community/ahab/blob/master/.circleci/circleci-readme.md
Probably easier to run some of the CI commands individually, at least at the start.
One thing I like about CircleCI is the ability to locally "mimic" the whole build. It stubs out some things that can't be done locally, but a local build is helpful to find issues with shorter round-trips than doing full pushes every time.
from ahab.
That local build option is neato, reminds me of Concourse...very nice.
When adding nancy, we get two critical CVEs that fail the build. Should we go down the 🐰 🕳️ of getting those fixed up as part of this PR?
[1/2] pkg:golang/github.com/coreos/[email protected]
3 known vulnerabilities affecting installed version
[2/2] pkg:golang/golang.org/x/[email protected]
5 known vulnerabilities affecting installed version
Several are 7.5s. I can go get -u or whatever but that last one would seem to need newer go or pinning net somehow (not sure if replace can do that in go.mod).
from ahab.
@deadlysyn We solved an etcd issue with a replace directive in Nancy: https://github.com/sonatype-nexus-community/nancy/blob/main/go.mod#L40
The x/net should be cleared up by tomorrow. It's a data issue on our side. See Nancy Issue #189
from ahab.
Thanks for the guidance @bhamail
I'll get a PR going for this, seems fine now:
❯ circleci local execute -c .circleci/local-config.yml --job 'build'
...
====>> go get -u github.com/sonatype-nexus-community/nancy
#!/bin/bash -eo pipefail
go get -u github.com/sonatype-nexus-community/nancy
...
====>> go list -json -m all | nancy sleuth
#!/bin/bash -eo pipefail
go list -json -m all | nancy sleuth
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies ┃ 113 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 0 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛
Success!
from ahab.
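An added example, not code from this thread or from the ahab or nancy projects: it decodes the stream of JSON objects that `go list -json -m all` writes and resolves each `replace` directive, so you can see the coordinates the build really uses before the stream is piped to an auditor. The module names and versions are constructed, and `Effective` and `EffectiveModules` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the `go list -m -json` fields this example needs.
type Module struct {
	Path, Version string
	Main          bool
	Replace       *Module
}
// Effective is the coordinate the build uses once replace is applied.
type Effective struct {
	Path, Version   string
	Replaced, Local bool
}

// sample is constructed input shaped like `go list -json -m all` output.
const sample = `{"Path":"example.com/app","Main":true}
{"Path":"example.com/vulnlib","Version":"v1.0.0","Replace":{"Path":"example.com/vulnlib","Version":"v1.2.0"}}
{"Path":"example.com/other","Version":"v0.3.1"}
{"Path":"example.com/forked","Version":"v2.0.0","Replace":{"Path":"../forked"}}`

// EffectiveModules decodes concatenated JSON objects and resolves replacements.
func EffectiveModules(r io.Reader) ([]Effective, error) {
	dec := json.NewDecoder(r)
	var out []Effective
	for dec.More() {
		var m Module // fresh value each round so Replace never carries over
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		e := Effective{Path: m.Path, Version: m.Version}
		if m.Replace != nil {
			// A directory replacement has no version to match against advisories.
			e = Effective{m.Replace.Path, m.Replace.Version, true, m.Replace.Version == ""}
		}
		if !m.Main { // the project itself is not a dependency
			out = append(out, e)
		}
	}
	return out, nil
}

func main() { fmt.Println(EffectiveModules(strings.NewReader(sample))) }
```

To inspect a real project, pass `os.Stdin` instead of the sample and pipe `go list -json -m all` into the program; entries flagged `Local` need manual review because they carry no version.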