add cves to exclude from govulncheck

DrDaveD · DrDaveD · commit c9a6cbbb328a · 2025-01-30T10:31:42.000-06:00
Signed-off-by: Dave Dykstra &lt;2129743+DrDaveD@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,8 +33,20 @@ jobs:
       - name: Install govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
 
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
+
       - name: Check for vulnerabilities
-        run: $HOME/go/bin/govulncheck ./...
+        run: |
+            $HOME/go/bin/govulncheck -format json ./...|jq -r .finding.osv|grep -v null|sort -u >/tmp/vuln-cves
+            CVES="$(cat .govulncheck-ignorecves .govulncheck-ignorecves /tmp/vuln-cves|sort|uniq -u)"
+            if [ -n "$CVES" ]; then
+                echo >&2
+                echo "***" govulncheck CVES that are not ignored: $CVES "***" >&2
+                echo >&2
+                set -x
+                $HOME/go/bin/govulncheck -show verbose ./...
+            fi
 
       - name: Build Source
         run: go build ./...
diff --git a/.govulncheck-ignorecves b/.govulncheck-ignorecves
@@ -0,0 +1,3 @@
+GO-2025-3373
+#comment one at first as a test
+#GO-2025-3420
