Skip to content

exclude no-fix advisory GO-2026-5932 in checker templates#70

Merged
bborbe merged 2 commits into
masterfrom
fix/ignore-go-2026-5932
Jul 9, 2026
Merged

exclude no-fix advisory GO-2026-5932 in checker templates#70
bborbe merged 2 commits into
masterfrom
fix/ignore-go-2026-5932

Conversation

@bborbe

@bborbe bborbe commented Jul 9, 2026

Copy link
Copy Markdown
Owner

What

golang.org/x/crypto/openpgp triggers advisory GO-2026-5932 (unmaintained / unsafe-by-design). There is no fixed version — the advisory deprecates the package itself — so it must be excluded from the checker rather than bumped.

Excludes it in the shared templates across both scanners, so all consuming bborbe Go repos inherit the fix:

  • govulncheck: add GO-2026-5932 to VULNCHECK_IGNORE in Makefile.library + Makefile.service.
  • trivy: introduce a shared TRIVY_IGNORE baseline, merged with any repo-local .trivyignore via a temp ignorefile. This also upgrades Makefile.service's bare trivy one-liner (which had no ignorefile support at all) to honor an ignorefile.

Why

The finding surfaced from trivy in a dark-factory service; the same advisory is also govulncheck-reportable. A single shared-template exclusion is durable and propagates to every repo, vs. patching one repo's .trivyignore.

Verification

  • Merged-ignorefile shell logic verified: shared baseline always applied, repo-local .trivyignore appended when present.
  • make precommit green (30/30).

Comment on both files points back to the no-fix rationale and says "Revisit if the dependency is dropped."

@ben-s-pull-request-reviewer ben-s-pull-request-reviewer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on my analysis of the three changed files, here is my review:


PR Review: exclude no-fix advisory GO-2026-5932 in checker templates

Step 5: Consolidated Report

Must Fix (Critical)

None.

Should Fix (Important)

1. templates/Makefile.service — trivy target missing --db-repository flag

Makefile.library passes --db-repository ghcr.io/aquasecurity/trivy-db to keep the DB download deterministic. Makefile.service's trivy invocation omits it, relying on trivy's default CDN. This is a regression from the upgrade — the shared template should be consistent.

templates/Makefile.service:128
# library has:
trivy fs \
  --db-repository ghcr.io/aquasecurity/trivy-db \
  --ignorefile "$$IGN" \

# service is missing --db-repository

2. templates/Makefile.service — trivy target missing --skip-dirs vendor

Makefile.library explicitly skips the vendor directory. Makefile.service does not, potentially scanning vendored dependencies.

templates/Makefile.service:128

3. templates/Makefile.service — trivy target missing --quiet and --disable-telemetry

Makefile.library suppresses trivy output noise and telemetry. Makefile.service omits both, producing noisier CI output.

templates/Makefile.service:128

Nice to Have (Optional)

1. templates/Makefile.service trivy conditional logic simplified

Makefile.library has a two-step conditional for --secret-config:

$(if $(wildcard .trivy-secret.yaml),--secret-config .trivy-secret.yaml,$(if $(wildcard $(ROOTDIR)/.trivy-secret.yaml),--secret-config $(ROOTDIR)/.trivy-secret.yaml,))

Makefile.service omits secret config entirely — intentional for library templates, but if the service template is ever used for repos with secret scanning, this gap should be noted.


Step 6: Next Steps

No test coverage gaps found — this is a template-only change. The shell logic (mktemp + trap + printf loop) is correctly implemented in both files. No /go-write-test commands suggested.

Step 7: Manual Review (Complete)

The shell logic in both trivy targets is sound:

  • printf '%s\n' $(TRIVY_IGNORE) correctly writes one advisory ID per line (no embedded-newline risk — advisory IDs are alphanumeric)
  • trap 'rm -f "$$IGN"' EXIT INT TERM properly cleans up the temp file on any exit path
  • The for f in .trivyignore ... loop silently skips missing files ([ -f "$$f" ] && cat) — correct behavior

The vulncheck target's mktemp failure is also handled implicitly (unquoted variable expansion would expand to empty string, govulncheck would receive invalid args and fail with a clear error).


{
  "verdict": "request-changes",
  "summary": "The PR correctly adds GO-2026-5932 to both VULNCHECK_IGNORE and the new TRIVY_IGNORE baseline, with proper shell hygiene in the trivy targets. However, the Makefile.service trivy upgrade omits --db-repository, --skip-dirs vendor, --quiet, and --disable-telemetry that Makefile.library includes — these are consistency regressions from the template upgrade.",
  "comments": [
    {
      "file": "templates/Makefile.service",
      "line": 128,
      "severity": "major",
      "message": "trivy command missing --db-repository ghcr.io/aquasecurity/trivy-db flag present in Makefile.library:128 — makes DB download non-deterministic and inconsistent with the library template."
    },
    {
      "file": "templates/Makefile.service",
      "line": 128,
      "severity": "major",
      "message": "trivy command missing --skip-dirs vendor flag present in Makefile.library:128 — vendored dependencies may be scanned unnecessarily."
    },
    {
      "file": "templates/Makefile.service",
      "line": 128,
      "severity": "major",
      "message": "trivy command missing --quiet and --disable-telemetry flags present in Makefile.library:128-129 — produces noisier CI output."
    }
  ],
  "concerns_addressed": [
    "correctness: trivy target mktemp+trap+printf logic is correct — verified shell hygiene in both Makefile.library:117-130 and Makefile.service:124-128",
    "correctness: Makefile.service trivy --ignorefile flag is NOT omitted when $$IGN is empty — trivy simply receives the baseline ignorefile with GO-2026-5932; concern noted in plan does not apply",
    "security: VULNCHECK_IGNORE and TRIVY_IGNORE contain GO-2026-5932 — confirmed these are CI-only source-dependency scan suppressions, not production binary protections"
  ]
}

@ben-s-pull-request-reviewer
ben-s-pull-request-reviewer Bot dismissed their stale review July 9, 2026 15:00

superseded by new automated review

@ben-s-pull-request-reviewer ben-s-pull-request-reviewer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on my analysis of the diff against master, here is the consolidated review:

Diff Summary: 3 files changed — CHANGELOG.md (adds Unreleased entry), templates/Makefile.library and templates/Makefile.service (both add GO-2026-5932 to VULNCHECK_IGNORE, introduce TRIVY_IGNORE baseline, and rewrite trivy target to use a temp ignorefile merged with repo-local .trivyignore).

Assessment of plan concerns:

Concern Resolution
Trap handles SIGINT/SIGTERM correctly trap 'rm -f "$$IGN"' EXIT INT TERM covers all exit paths
printf '%s\n' with space-free TRIVY_IGNORE GO-2026-5932 contains no spaces; produces valid one-line trivy ignore entry
Makefile.service trivy flags aligned with Makefile.library --db-repository, --ignorefile, --secret-config, --skip-dirs vendor, --quiet, --no-progress, --disable-telemetry, --exit-code 1 all present
Consistency between both templates ✅ Identical trivy target pattern in both
GO-2026-5932 correctly describes unmaintained package ✅ Advisory (golang.org/x/crypto/openpgp, no-fix) correctly excluded

Version alignment: Not applicable — changes touch only CHANGELOG.md (Unreleased section) and template files. No manifest version bump needed for this template-only propagation fix.

Changelog format: Follows existing repo style.

{
  "verdict": "approve",
  "summary": "Clean bugfix that correctly propagates the GO-2026-5932 no-fix advisory exclusion (golang.org/x/crypto/openpgp, unmaintained) to both library and service Makefile templates. The trivy target rewrite introduces a shared TRIVY_IGNORE baseline merged with repo-local .trivyignore via a correctly-handled temp file and trap, and aligns Makefile.service's full flag set with Makefile.library. All plan concerns are resolved.",
  "comments": [],
  "concerns_addressed": [
    "correctness: trap 'rm -f \"$$IGN\"' EXIT INT TERM correctly handles all exit paths including SIGINT/SIGTERM — templates/Makefile.library:118, templates/Makefile.service:125",
    "correctness: printf '%s\\n' correctly produces valid trivy ignore entries from space-free TRIVY_IGNORE value (GO-2026-5932) — templates/Makefile.library:126, templates/Makefile.service:126",
    "correctness: Makefile.service trivy target now includes all flags from Makefile.library including --exit-code 1, --db-repository, --skip-dirs vendor — templates/Makefile.service:129-137",
    "correctness: Consistent trivy temp-file + trap pattern across both Makefile.library and Makefile.service — templates/Makefile.library:117-130, templates/Makefile.service:124-137",
    "security: GO-2026-5932 correctly describes golang.org/x/crypto/openpgp as unmaintained/no-fix and excludes it from both VULNCHECK_IGNORE and TRIVY_IGNORE"
  ]
}

@bborbe
bborbe merged commit 3ad0111 into master Jul 9, 2026
1 check passed
@bborbe
bborbe deleted the fix/ignore-go-2026-5932 branch July 9, 2026 15:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant