govulncheck: run from a container (#494)

xcoulon · web-flow · commit 72303aac7526 · 2025-12-11T13:33:31.000+01:00
see changes for the govulncheck-action in codeready-toolchain/toolchain-cicd#159 also, update ignored vulnerabilities (remove obsolete and unneeded 🤷‍♂️) also, new vuln exclusions --------- Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
@@ -16,6 +16,5 @@ jobs:
     - name: Run govulncheck
       uses: codeready-toolchain/toolchain-cicd/govulncheck-action@master
       with:
-        go-version-file: go.mod
-        cache: false
-        config: .govulncheck.yaml
+        config: .govulncheck.yaml 
+        debug: true # optional (default = false)
diff --git a/.govulncheck.yaml b/.govulncheck.yaml
@@ -1,25 +1,26 @@
 ignored-vulnerabilities:
-  # Parsing DER payload can cause memory exhaustion in encoding/asn1
-  # Found in: encoding/asn1@go1.23.12
-  # Fixed in: encoding/asn1@go1.24.8
-  - id: GO-2025-4011
-    info: https://pkg.go.dev/vuln/GO-2025-4011
-    silence-until: 2025-12-03
-# Insufficient validation of bracketed IPv6 hostnames in net/url
+  # Insufficient validation of bracketed IPv6 hostnames in net/url
   # Found in: net/url@go1.23.12
   # Fixed in: net/url@go1.24.8
   - id: GO-2025-4010
     info: https://pkg.go.dev/vuln/GO-2025-4010
-    silence-until: 2025-12-03
-  # Quadratic complexity when parsing some invalid inputs in encoding/pem
-  # Found in: encoding/pem@go1.23.12
-  # Fixed in: encoding/pem@go1.24.8
-  - id: GO-2025-4009
-    info: https://pkg.go.dev/vuln/GO-2025-4009
-    silence-until: 2025-12-03
+    silence-until: 2026-01-03
   # Quadratic complexity when checking name constraints in crypto/x509
   # Found in: crypto/x509@go1.23.12
   # Fixed in: crypto/x509@go1.24.9
   - id: GO-2025-4007
     info: https://pkg.go.dev/vuln/GO-2025-4007
-    silence-until: 2025-12-03
+    silence-until: 2026-01-10
+  # Quadratic complexity when parsing some invalid inputs in encoding/pem
+  # Found in: encoding/pem@go1.23.12
+  # Fixed in: encoding/pem@go1.24.8
+  - id: GO-2025-4009
+    info: https://pkg.go.dev/vuln/GO-2025-4009
+    silence-until: 2026-01-10
+  # Parsing DER payload can cause memory exhaustion in encoding/asn1
+  # Found in: encoding/asn1@go1.23.12
+  # Fixed in: encoding/asn1@go1.24.8
+  - id: GO-2025-4011
+    info: https://pkg.go.dev/vuln/GO-2025-4011
+    silence-until: 2026-01-10
+  
