dependency-check.yml
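---
# GitHub Actions workflow: build the Go module list and scan it with Nancy
# (Sonatype OSS Index) on every push.
name: Dependency Vulnerability Check

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it (yamllint: truthy).
on: [push]

# Least privilege for the GITHUB_TOKEN: every step below only reads the
# repository and runs a scan, so the default write scopes are not needed.
# Widen this explicitly if a step ever has to write back to the repo.
permissions:
  contents: read

jobs:
  Go:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): checkout and setup-go are pinned to the mutable tag `v2`,
      # while the nancy action below is pinned to a commit SHA. Pinning all
      # third-party actions to a SHA gives the same supply-chain protection.
      - name: Check out code
        uses: actions/checkout@v2

      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          # Quoted so the version constraint is always read as a string.
          go-version: "^1.15"
        id: go

      # Nancy reads the module list from stdin or a file; `go list -m all`
      # lists every module in the build graph, including transitive ones.
      - name: Write Go Modules list
        run: go list -json -m all > go.list

      - name: Check vulnerabilities
        uses: sonatype-nexus-community/nancy-github-action@aae196481b961d446f4bff9012e4e3b63d7921a4
        with:
          # `-e` suppresses the listed OSS Index vulnerability IDs. Each one is
          # an accepted finding, not a fix; look a UUID up at
          # https://ossindex.sonatype.org/vuln/<uuid>, e.g.
          # https://ossindex.sonatype.org/vuln/bba60acb-c7b5-4621-af69-f4085a8301d0
          #
          # To get more detail locally run `go list -json -m all | nancy sleuth`
          #
          # dcf6da03-f9dd-4a4e-b792-0262de36a0b1 is because of gogo/protobuf@1.3.1
          # which is used by go-libp2p-core; need them to upgrade to 1.3.2 before
          # we can remove it. The other three exclusions are not documented here;
          # each should carry a reason so it can be revisited when the dependency
          # is upgraded.
          nancyCommand: sleuth -e bba60acb-c7b5-4621-af69-f4085a8301d0,d373dc3f-aa88-483b-b501-20fe5382cc80,5def94e5-b89c-4a94-b9c6-ae0e120784c2,dcf6da03-f9dd-4a4e-b792-0262de36a0b1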