Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[eks-operator] VEX related improvements for the build process #1067

Closed
macedogm opened this issue Jan 9, 2025 · 4 comments
Closed

[eks-operator] VEX related improvements for the build process #1067

macedogm opened this issue Jan 9, 2025 · 4 comments
Assignees
@macedogm
Labels
kind/enhancement New feature or request
Milestone
v2.10.2

Comments

@macedogm
Copy link
Member

macedogm commented Jan 9, 2025

The VEX Hub initiative in rancher/vexhub is now a mature project in Rancher where we generate VEX reports for known false-positive CVEs in our projects (images and binaries).

In order for VEX to fully work and for security scanners (e.g., Trivy) to correctly match a VEX entry in our VEX Hub with a Go binary being scanned, the Go binary must have its full package path inside of it. Example:

> go version -m bin/eks-operator | head -n 3
bin/eks-operator: go1.23.4
	path	github.com/rancher/eks-operator
	mod	github.com/rancher/eks-operator	(devel)

When a Go binary is compiled by specifying directly the file as go build main.go as opposed to go build ., the binary won't contain the package path.


> go version -m bin/eks-operator | head -n 2

bin/eks-operator: go1.23.4
	path	command-line-arguments

In the above case, the security scanner won't be able to match the binary with its respective VEX entry.

Further automation that we developed internally also relies on identifying the commit ID from where the binary was built. Example:

> go version -m bin/eks-operator
(...)
	build	-ldflags="-X github.com/rancher/eks-operator/pkg/version.GitCommit=550fce8486ceda01335b28267d741ee628df0c59             -X github.com/rancher/eks-operator/pkg/version.Version=v0.0.0-550fce8"
(...)
	build	vcs.revision=550fce8486ceda01335b28267d741ee628df0c59
(...)

Some branches of eks-operator have the needed package path, but lack the commit ID. We'll propose some PRs to help improve the build process and add the needed information for Rancher's VEX Hub project. None of those PRs are expected to affect the code's behavior and features, as they are only metadata information.
@macedogm macedogm self-assigned this Jan 9, 2025
@macedogm macedogm added the kind/enhancement New feature or request label Jan 9, 2025
This was referenced Jan 9, 2025
Merged
Merged
Merged
Merged
@macedogm
Copy link
Member Author

macedogm commented Jan 9, 2025

PRs:

CC @mbologna and @kkaempf

@kkaempf
Copy link

kkaempf commented Jan 9, 2025

@macedogm all PRs have been merged.
Do you request QA on this ?

@kkaempf kkaempf added this to the v2.10.2 milestone Jan 9, 2025
@kkaempf
Copy link

kkaempf commented Jan 9, 2025

closing as fixed

@kkaempf kkaempf closed this as completed Jan 9, 2025
@kkaempf kkaempf moved this to Done in CAPI / Turtles Jan 9, 2025
@macedogm
Copy link
Member Author

macedogm commented Jan 9, 2025

@kkaempf:

Do you request QA on this ?

No, this shouldn't be needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@macedogm macedogm

Labels
kind/enhancement New feature or request
Projects
CAPI / Turtles
Archived in project
Milestone
v2.10.2
Development

No branches or pull requests
2 participants
@kkaempf @macedogm