exclude no-fix advisory GO-2026-5932 in checker templates#70
Conversation
There was a problem hiding this comment.
Based on my analysis of the three changed files, here is my review:
PR Review: exclude no-fix advisory GO-2026-5932 in checker templates
Step 5: Consolidated Report
Must Fix (Critical)
None.
Should Fix (Important)
1. templates/Makefile.service — trivy target missing --db-repository flag
Makefile.library passes --db-repository ghcr.io/aquasecurity/trivy-db to keep the DB download deterministic. Makefile.service's trivy invocation omits it, relying on trivy's default CDN. This is a regression from the upgrade — the shared template should be consistent.
templates/Makefile.service:128
# library has:
trivy fs \
--db-repository ghcr.io/aquasecurity/trivy-db \
--ignorefile "$$IGN" \
# service is missing --db-repository2. templates/Makefile.service — trivy target missing --skip-dirs vendor
Makefile.library explicitly skips the vendor directory. Makefile.service does not, potentially scanning vendored dependencies.
templates/Makefile.service:128
3. templates/Makefile.service — trivy target missing --quiet and --disable-telemetry
Makefile.library suppresses trivy output noise and telemetry. Makefile.service omits both, producing noisier CI output.
templates/Makefile.service:128
Nice to Have (Optional)
1. templates/Makefile.service trivy conditional logic simplified
Makefile.library has a two-step conditional for --secret-config:
$(if $(wildcard .trivy-secret.yaml),--secret-config .trivy-secret.yaml,$(if $(wildcard $(ROOTDIR)/.trivy-secret.yaml),--secret-config $(ROOTDIR)/.trivy-secret.yaml,))Makefile.service omits secret config entirely — intentional for library templates, but if the service template is ever used for repos with secret scanning, this gap should be noted.
Step 6: Next Steps
No test coverage gaps found — this is a template-only change. The shell logic (mktemp + trap + printf loop) is correctly implemented in both files. No /go-write-test commands suggested.
Step 7: Manual Review (Complete)
The shell logic in both trivy targets is sound:
printf '%s\n' $(TRIVY_IGNORE)correctly writes one advisory ID per line (no embedded-newline risk — advisory IDs are alphanumeric)trap 'rm -f "$$IGN"' EXIT INT TERMproperly cleans up the temp file on any exit path- The
for f in .trivyignore ...loop silently skips missing files ([ -f "$$f" ] && cat) — correct behavior
The vulncheck target's mktemp failure is also handled implicitly (unquoted variable expansion would expand to empty string, govulncheck would receive invalid args and fail with a clear error).
{
"verdict": "request-changes",
"summary": "The PR correctly adds GO-2026-5932 to both VULNCHECK_IGNORE and the new TRIVY_IGNORE baseline, with proper shell hygiene in the trivy targets. However, the Makefile.service trivy upgrade omits --db-repository, --skip-dirs vendor, --quiet, and --disable-telemetry that Makefile.library includes — these are consistency regressions from the template upgrade.",
"comments": [
{
"file": "templates/Makefile.service",
"line": 128,
"severity": "major",
"message": "trivy command missing --db-repository ghcr.io/aquasecurity/trivy-db flag present in Makefile.library:128 — makes DB download non-deterministic and inconsistent with the library template."
},
{
"file": "templates/Makefile.service",
"line": 128,
"severity": "major",
"message": "trivy command missing --skip-dirs vendor flag present in Makefile.library:128 — vendored dependencies may be scanned unnecessarily."
},
{
"file": "templates/Makefile.service",
"line": 128,
"severity": "major",
"message": "trivy command missing --quiet and --disable-telemetry flags present in Makefile.library:128-129 — produces noisier CI output."
}
],
"concerns_addressed": [
"correctness: trivy target mktemp+trap+printf logic is correct — verified shell hygiene in both Makefile.library:117-130 and Makefile.service:124-128",
"correctness: Makefile.service trivy --ignorefile flag is NOT omitted when $$IGN is empty — trivy simply receives the baseline ignorefile with GO-2026-5932; concern noted in plan does not apply",
"security: VULNCHECK_IGNORE and TRIVY_IGNORE contain GO-2026-5932 — confirmed these are CI-only source-dependency scan suppressions, not production binary protections"
]
}superseded by new automated review
There was a problem hiding this comment.
Based on my analysis of the diff against master, here is the consolidated review:
Diff Summary: 3 files changed — CHANGELOG.md (adds Unreleased entry), templates/Makefile.library and templates/Makefile.service (both add GO-2026-5932 to VULNCHECK_IGNORE, introduce TRIVY_IGNORE baseline, and rewrite trivy target to use a temp ignorefile merged with repo-local .trivyignore).
Assessment of plan concerns:
| Concern | Resolution |
|---|---|
| Trap handles SIGINT/SIGTERM correctly | ✅ trap 'rm -f "$$IGN"' EXIT INT TERM covers all exit paths |
printf '%s\n' with space-free TRIVY_IGNORE |
✅ GO-2026-5932 contains no spaces; produces valid one-line trivy ignore entry |
| Makefile.service trivy flags aligned with Makefile.library | ✅ --db-repository, --ignorefile, --secret-config, --skip-dirs vendor, --quiet, --no-progress, --disable-telemetry, --exit-code 1 all present |
| Consistency between both templates | ✅ Identical trivy target pattern in both |
| GO-2026-5932 correctly describes unmaintained package | ✅ Advisory (golang.org/x/crypto/openpgp, no-fix) correctly excluded |
Version alignment: Not applicable — changes touch only CHANGELOG.md (Unreleased section) and template files. No manifest version bump needed for this template-only propagation fix.
Changelog format: Follows existing repo style.
{
"verdict": "approve",
"summary": "Clean bugfix that correctly propagates the GO-2026-5932 no-fix advisory exclusion (golang.org/x/crypto/openpgp, unmaintained) to both library and service Makefile templates. The trivy target rewrite introduces a shared TRIVY_IGNORE baseline merged with repo-local .trivyignore via a correctly-handled temp file and trap, and aligns Makefile.service's full flag set with Makefile.library. All plan concerns are resolved.",
"comments": [],
"concerns_addressed": [
"correctness: trap 'rm -f \"$$IGN\"' EXIT INT TERM correctly handles all exit paths including SIGINT/SIGTERM — templates/Makefile.library:118, templates/Makefile.service:125",
"correctness: printf '%s\\n' correctly produces valid trivy ignore entries from space-free TRIVY_IGNORE value (GO-2026-5932) — templates/Makefile.library:126, templates/Makefile.service:126",
"correctness: Makefile.service trivy target now includes all flags from Makefile.library including --exit-code 1, --db-repository, --skip-dirs vendor — templates/Makefile.service:129-137",
"correctness: Consistent trivy temp-file + trap pattern across both Makefile.library and Makefile.service — templates/Makefile.library:117-130, templates/Makefile.service:124-137",
"security: GO-2026-5932 correctly describes golang.org/x/crypto/openpgp as unmaintained/no-fix and excludes it from both VULNCHECK_IGNORE and TRIVY_IGNORE"
]
}
What
golang.org/x/crypto/openpgptriggers advisory GO-2026-5932 (unmaintained / unsafe-by-design). There is no fixed version — the advisory deprecates the package itself — so it must be excluded from the checker rather than bumped.Excludes it in the shared templates across both scanners, so all consuming bborbe Go repos inherit the fix:
GO-2026-5932toVULNCHECK_IGNOREinMakefile.library+Makefile.service.TRIVY_IGNOREbaseline, merged with any repo-local.trivyignorevia a temp ignorefile. This also upgradesMakefile.service's baretrivyone-liner (which had no ignorefile support at all) to honor an ignorefile.Why
The finding surfaced from trivy in a dark-factory service; the same advisory is also govulncheck-reportable. A single shared-template exclusion is durable and propagates to every repo, vs. patching one repo's
.trivyignore.Verification
.trivyignoreappended when present.make precommitgreen (30/30).Comment on both files points back to the no-fix rationale and says "Revisit if the dependency is dropped."