
Implement an outdated modules check for golang
Status: Closed, Resolved (Public)

Description

There's already a command within the golang cli for this:
go list -u

And some wrappers like:
https://github.com/psampaz/go-mod-outdated

Let's build a Gitlab CI include for this, as we've already done for npm and php/composer.

Update: we'll also want to add support for discovering nested go.mod files, like what had been implemented for the deprecated npm audit CI include, even if that isn't a best practice (because it still happens).

Details

Due Date
Dec 29 2023, 6:00 AM
Title | Reference | Author | Source Branch | Dest Branch
Add support for nested go.mod files | repos/security/gitlab-ci-security-templates!25 | sbassett | T309997-add-nested-gomod-support | main
Integrate go-mod-outdated ci template for Golang Dependency Management | repos/security/gitlab-ci-security-templates!24 | mmartorana | go-mod-outdated | main

Event Timeline

sbassett renamed this task from "Implement an outdated package check for golang" to "Implement an outdated modules check for golang". Jun 6 2022, 3:45 PM
sbassett created this task.
mmartorana triaged this task as Low priority.
sbassett changed the task status from Open to In Progress. Oct 3 2023, 4:54 PM
sbassett moved this task from Back Orders to In Progress on the Security-Team board.
sbassett set Due Date to Dec 29 2023, 6:00 AM. Oct 3 2023, 5:01 PM

Using go-mod-outdated, I think either of the following basic solutions should work:

more recent golang installed via bin
# build deps, then fetch the official Go tarball and verify its sha256 before unpacking it
$ apt-get update -yqq && apt-get install -yqq ca-certificates curl git
$ curl -L --max-redirs 3 -O -s https://go.dev/dl/go1.21.3.linux-amd64.tar.gz
$ echo "1241381b2843fae5a9707eec1f8fb2ef94d827990582c7c7c32f5bdfbfd420c8 go1.21.3.linux-amd64.tar.gz" | sha256sum -c - && tar -C /usr/local -xzf go1.21.3.linux-amd64.tar.gz
$ export PATH=$PATH:/usr/local/go/bin
# install go-mod-outdated into /usr/local/bin (already on PATH), then run it over every module in go.mod
$ GOBIN=/usr/local/bin/ go install github.com/psampaz/go-mod-outdated@latest
$ go mod download
$ go list -u -m -json all | go-mod-outdated

Or...

golang installed via apt
$ apt-get update -yqq && apt-get install -yqq ca-certificates curl git golang-go
# harmless here: the Debian golang-go package already provides /usr/bin/go
$ export PATH=$PATH:/usr/local/go/bin
# install go-mod-outdated into /usr/local/bin, then run it over every module in go.mod
$ GOBIN=/usr/local/bin/ go install github.com/psampaz/go-mod-outdated@latest
$ go mod download
$ go list -u -m -json all | go-mod-outdated

These work fine when testing with bookworm:20231015 and random go.mod files. I'd note that go-mod-outdated seems to fail gracefully with a 0 exit code when no go.mod file is present (so no need to guard against that for now), but it can take a little longer to run than one might expect, e.g. with the buildkit example:

real	1m37.977s
user	0m15.711s
sys	0m2.445s
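Putting the description's nested go.mod requirement together with the pipeline in the comment above, here is an added example of the job script such a CI include could run. It is not the task's or the gitlab-ci-security-templates repository's code; it assumes go and go-mod-outdated are already on PATH (installed as above) and that vendor/, testdata/ and .git/ trees are skipped during discovery.

```shell
#!/bin/sh
# Added example: a job script for the GitLab CI include the task describes.
# It discovers every go.mod below the checkout (nested ones included) and runs
# the `go list -u -m -json all | go-mod-outdated` pipeline in each of them.
# Assumptions (not from the task): go and go-mod-outdated are already on PATH,
# and vendor/, testdata/ and .git/ trees are pruned when searching.
set -eu

# Print the directory of every go.mod under $1 (default: .), one per line,
# sorted. vendor/, testdata/ and .git/ are pruned so copies of other
# people's modules are not audited as if they were this project's.
find_go_modules() {
    root="${1:-.}"
    find "$root" \( -name vendor -o -name testdata -o -name .git \) -prune \
         -o -type f -name go.mod -print \
        | sed 's#/go\.mod$##' | sort
}

# Run the outdated-module check inside one module directory. Extra
# go-mod-outdated flags can be passed via GO_MOD_OUTDATED_ARGS; the default
# -update -direct reports only direct dependencies that have a newer version.
check_module() {
    dir="$1"
    echo "== $dir =="
    ( cd "$dir" && go mod download \
        && go list -u -m -json all | go-mod-outdated ${GO_MOD_OUTDATED_ARGS:--update -direct} )
}

# Check every module under $1, keep going after a failure so one broken
# go.mod does not hide the others, then fail the job if any check failed.
# The list goes through a temp file because a piped while-loop would run in
# a subshell and lose the failure counter.
check_all_modules() {
    root="${1:-.}"
    list=$(mktemp)
    failed=0
    find_go_modules "$root" > "$list"
    while IFS= read -r dir; do
        check_module "$dir" || failed=$((failed + 1))
    done < "$list"
    rm -f "$list"
    echo "module checks that failed: $failed"
    [ "$failed" -eq 0 ]
}

# Only walk the tree when invoked as `sh check.sh --run`, so the functions
# can also be sourced without a Go toolchain present.
if [ "${1:-}" = "--run" ]; then
    check_all_modules "${CI_PROJECT_DIR:-.}"
fi
```

In a GitLab job this would be the `script:` step after the toolchain install commands from the comment above; appending `-ci` to GO_MOD_OUTDATED_ARGS makes go-mod-outdated exit non-zero when it finds an outdated module, which turns the report into a failing job.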