build(dep): Ignore known dependency failure in nancy (#1378)

Currently nancy is always failed, and we seem to ignore it completely. This reduces the value of having security scanning significantly. Ideally, the underlying issue should be fixed, however it will require long time for external collaboration. This commit is to ignore two known dependency failures. Signed-off-by: Tam Mach <sayboras@yahoo.com>
golangci · Sep 21, 2020 · ad26b68 · ad26b68
1 parent 5f93c93
commit ad26b68
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/.github/workflows/pr-extra.yml b/.github/workflows/pr-extra.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
-      # We cannot use nancy-github-action because it is outdated, so it's better to use the latest
-      # docker image for the validation
-      - name: nancy
-        run: go list -json -m all | docker run -i sonatypecommunity/nancy:v0.3
+      - name: Run go list
+        run: go list -json -m all > go.list
+      - name: Nancy
+        uses: sonatype-nexus-community/nancy-github-action@master
diff --git a/.nancy-ignore b/.nancy-ignore
@@ -0,0 +1,11 @@
+# Skip for golang/golang.org/x/net@v0.0.0-20200904194848-62affa334b73
+CVE-2018-17848
+CVE-2018-17143
+CVE-2018-17847
+CVE-2018-17142
+CVE-2018-17846
+
+# Skip for indirect dependency github.com/coreos/etcd@3.3.13
+CVE-2020-15114
+CVE-2020-15115
+CVE-2020-15136