From 9077172f8e3ef2c777b56b7818434b5f51c81abe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Federico=20Kunze=20K=C3=BCllmer?=
 <31522760+fedekunze@users.noreply.github.com>
Date: Fri, 2 Dec 2022 13:57:14 +0100
Subject: [PATCH] feat(ci): add Golang dependency vulnerability check (#1528)

* feat(ci): add Golang dependency vulnerability check

* update

* check run

* c++
---
 .github/workflows/dependencies.yml | 28 ++++++++++++++++++++++++++++
 .github/workflows/lint.yml         |  2 +-
 CHANGELOG.md                       |  3 ++-
 Makefile                           |  6 +++++-
 cmd/ethermintd/flags.go            |  4 +---
 5 files changed, 37 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/dependencies.yml

diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
new file mode 100644
index 00000000..c7f3aa8a
--- /dev/null
+++ b/.github/workflows/dependencies.yml
@@ -0,0 +1,28 @@
+name: "Dependency Review"
+on: pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+          check-latest: true
+      - name: "Checkout Repository"
+        uses: actions/checkout@v3
+      - uses: technote-space/get-diff-action@v6.1.1
+        with:
+          PATTERNS: |
+            **/**.go
+            go.mod
+            go.sum
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v3
+        if: env.GIT_DIFF
+      - name: "Go vulnerability check"
+        run: make vulncheck
+        if: env.GIT_DIFF
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9456bb5c..f9c1d988 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -32,7 +32,7 @@ jobs:
           args: --timeout 10m
           github-token: ${{ secrets.github_token }}
         # Check only if there are differences in the source code
-        if: "env.GIT_DIFF"
+        if: env.GIT_DIFF
   markdown-lint:
     name: Run markdown-lint
     runs-on: ubuntu-latest
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3b9f1840..f9d887ee 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -59,7 +59,8 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ### Features
 
-- (app) [#1501](https://github.com/evmos/ethermint/pull/1501) Set default File store listener for application from [ADR38](https://docs.cosmos.network/v0.47/architecture/adr-038-state-listening)
+* (ci) [#1528](https://github.com/evmos/ethermint/pull/1528) Add Golang dependency vulnerability checker.
+* (app) [#1501](https://github.com/evmos/ethermint/pull/1501) Set default File store listener for application from [ADR38](https://docs.cosmos.network/v0.47/architecture/adr-038-state-listening)
 
 ### Improvements
 
diff --git a/Makefile b/Makefile
index 2d698c74..e9cc5663 100644
--- a/Makefile
+++ b/Makefile
@@ -155,7 +155,7 @@ clean:
 
 all: build
 
-build-all: tools build lint test
+build-all: tools build lint test vulncheck
 
 .PHONY: distclean clean build-all
 
@@ -273,6 +273,10 @@ go.sum: go.mod
 	go mod verify
 	go mod tidy
 
+vulncheck: $(BUILDDIR)/
+	GOBIN=$(BUILDDIR) go install golang.org/x/vuln/cmd/govulncheck@latest
+	$(BUILDDIR)/govulncheck ./...
+
 ###############################################################################
 ###                              Documentation                              ###
 ###############################################################################
diff --git a/cmd/ethermintd/flags.go b/cmd/ethermintd/flags.go
index ed835f59..ea2b661f 100644
--- a/cmd/ethermintd/flags.go
+++ b/cmd/ethermintd/flags.go
@@ -8,9 +8,7 @@ import (
 	"github.com/evmos/ethermint/version"
 )
 
-const (
-	flagLong = "long"
-)
+const flagLong = "long"
 
 func init() {
 	infoCmd.Flags().Bool(flagLong, false, "Print full information")