From a994c256faab810f87a0f668f61a8d74cabfa5c7 Mon Sep 17 00:00:00 2001
From: oh0387
Date: Fri, 3 Feb 2023 15:41:31 +0530
Subject: [PATCH 1/3] Optionally run Trivy scan check against PR

- Trivy checks whether any dependency mentioned in the go.mod file needs any security patch upgrade.
- Github action runs Trivy scans on pull request changes or the newly merged commit in the master branch.
- Pull requests may not make changes to the go.mod file. So we can skip Trivy scans for such cases. For this, commit adds the paths filter [1] check for pull request event.

References:
- [1] https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
---
 .github/workflows/security.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index b56ddad9142..f256d8751af 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -5,6 +5,8 @@ on: branches: [master] pull_request: branches: [master] + paths: - go.mod jobs: build:

From 315b00255d0af462525c908820cfbc8976871298 Mon Sep 17 00:00:00 2001
From: bsardo <1168933+bsardo@users.noreply.github.com>
Date: Wed, 8 Feb 2023 09:16:19 -0500
Subject: [PATCH 2/3] Downgrade golang.org/x/net module to v0.4.0

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index f3e3cdab932..d4d6ca4161b 100644
--- a/go.mod
+++ b/go.mod
@@ -30,7 +30,7 @@ require (
 github.com/vrischmann/go-metrics-influxdb v0.1.1
 github.com/xeipuuv/gojsonschema v1.2.0
 github.com/yudai/gojsondiff v1.0.0
- golang.org/x/net v0.5.0
+ golang.org/x/net v0.4.0
 golang.org/x/text v0.6.0
 google.golang.org/grpc v1.46.2
 gopkg.in/evanphx/json-patch.v4 v4.12.0

From 0d692a69c2f36e9ead4a77cc00aeeb93d62ff1e5 Mon Sep 17 00:00:00 2001
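Review bot: The new `paths:` filter under `pull_request` lists only `go.mod`, so a pull request whose dependency change is visible only in `go.sum` (Trivy reads `go.sum` as well to resolve module versions) will not run the Trivy job at all; the filter should read `paths:` / `- go.mod` / `- go.sum`. Separately, if this workflow is configured as a required status check, a PR filtered out by `paths` leaves that check pending rather than passing, which GitHub treats as blocking the merge, so either keep it out of the required set or let the job run and exit early. The `push` trigger above keeps scanning merged commits on master, but advisories published against an unchanged dependency will only surface if a `schedule` trigger exists elsewhere in this file, which is outside the hunk; the `jobs:` block also continues past it.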
From: bsardo <1168933+bsardo@users.noreply.github.com>
Date: Wed, 8 Feb 2023 09:20:40 -0500
Subject: [PATCH 3/3] Use golang.org/x/net module v0.5.0 again

---
 endpoints/openrtb2/auction.go | 2 ++
 go.mod | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/endpoints/openrtb2/auction.go b/endpoints/openrtb2/auction.go
index f8c4aecdd82..9cdaab57068 100644
--- a/endpoints/openrtb2/auction.go
+++ b/endpoints/openrtb2/auction.go
@@ -1641,6 +1641,8 @@ func validateOrFillChannel(reqWrapper *openrtb_ext.RequestWrapper, isAmp bool) e if err != nil { return err } + + requestPrebid := requestExt.GetPrebid() if requestPrebid == nil || requestPrebid.Channel == nil {
diff --git a/go.mod b/go.mod
index d4d6ca4161b..f3e3cdab932 100644
--- a/go.mod
+++ b/go.mod
@@ -30,7 +30,7 @@ require (
 github.com/vrischmann/go-metrics-influxdb v0.1.1
 github.com/xeipuuv/gojsonschema v1.2.0
 github.com/yudai/gojsondiff v1.0.0
- golang.org/x/net v0.4.0
+ golang.org/x/net v0.5.0
 golang.org/x/text v0.6.0
 google.golang.org/grpc v1.46.2
 gopkg.in/evanphx/json-patch.v4 v4.12.0