forked from crypto-org-chain/chain-main
-
Notifications
You must be signed in to change notification settings - Fork 0
26 lines (23 loc) · 1.02 KB
/
audit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
name: Go Nancy
on:
pull_request:
push:
branches:
- master
- release/**
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
submodules: true
- name: WriteGoList
run: go list -json -m all > go.list
- name: Nancy
uses: sonatype-nexus-community/nancy-github-action@main
# FIXME: https://github.com/crypto-com/chain-main/issues/25 remove exclusion when viper+tendermint are upgraded
# FIXME(CVE-2022-23327): github.com/coinbase/rosetta-sdk-go contains a vulnerable version of go-ethereum. Remove this when it is updated in upstream.
# (https://ossindex.sonatype.org/vulnerability/de9d3742-ac18-44af-bebb-5727e3957c94?component-type=golang&component-name=github.com/ethereum/go-ethereum&utm_source=nancy-client&utm_medium=integration&utm_content=0.0.0-dev)
with:
nancyCommand: sleuth --exclude-vulnerability CVE-2020-15115,CVE-2020-15136,CVE-2021-41173,CVE-2020-15114,CVE-2022-23327