feat(tools): add go-dependency-analyzer skill #20247
Conversation
User request: Create a Go dependency analyzer skill for StackRox codebase to support CVE triage, security analysis, and dependency impact assessment.

Key features:
- Branching workflow for direct vs transitive dependencies
- Wrapper pattern detection (e.g., zap via pkg/logging)
- Mandatory goda visualization for dependency trees
- Replace directive tracking for StackRox forks
- Team assignment recommendations based on component usage

Tested with pgx, docker, prometheus, zap, protoc-gen-validate, and kubevirt.io/containerized-data-importer-api dependencies.

Skill designed for team sharing via repository .claude/skills/ directory.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Skipping CI for Draft Pull Request.
User feedback: Component-to-team mapping should be based on .github/CODEOWNERS, remove redundant "Recommended Action" sections, and handle dependencies that can be both direct and indirect.

Changes:
- Use .github/CODEOWNERS for team assignment instead of hardcoded mapping
- Remove "Recommended Action" checkbox sections from all report templates
- Add nuance for dependencies that can be both direct and indirect
- Update transitive dependency team assignment to target teams using intermediate packages
- Updated all 7 examples to reflect new team assignment approach

Reasoning:
- CODEOWNERS is the source of truth for code ownership
- "Recommended Action" sections were redundant and not actionable
- Dependencies can appear as both direct and transitive simultaneously
- Transitive deps should be assigned to teams that introduced them via intermediate dependencies

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Simplify skill review findings:
- Fix typo: missing space after 'on' in Example 6
- Standardize phrasing: 'From CODEOWNERS' across all examples
- Simplify verbose explanations while keeping essential info
- Improve readability and consistency

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
🚀 Build Images Ready
Images are ready for commit c97e60f. To use with deploy scripts:
export MAIN_IMAGE_TAG=4.11.x-788-gc97e60fc00
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #20247 +/- ##
=======================================
Coverage 49.79% 49.79%
=======================================
Files 2770 2770
Lines 210223 210238 +15
=======================================
+ Hits 104673 104689 +16
+ Misses 97829 97826 -3
- Partials 7721 7723 +2
User request: "make this skill compact... to bare minimum to make it work correctly"

Achieved 33.4% reduction (760 → 506 lines) while preserving all critical functionality.

**Removed (254 lines total):**
- Advanced Techniques section (66 lines) - complete duplication of Steps 2-7
- Example 3: yaml.v3 (23 lines) - redundant with test-only pattern
- Example 4: Go deprecation (28 lines) - out of scope for dependency analysis
- Example 7: Transitive dependency (52 lines) - duplicates Step 2A workflow
- Example 3 "Key Findings" section (15 lines) - repeated table data
- CODEOWNERS examples (8 lines) - users can read actual file
- Verbose explanations in Steps 4-5 (62 lines) - consolidated to essentials

**Streamlined:**
- Step 4: Wrapper detection workflow (43 → 14 lines)
- Step 5: Function analysis (35 → 7 lines)
- Removed redundant prose, consolidated bash commands

**Preserved:**
- All critical branching logic (direct vs transitive)
- MANDATORY commands (go mod why, goda graph)
- Wrapper pattern detection workflow
- Both report templates (direct and transitive)
- CODEOWNERS team assignment
- All essential troubleshooting

Skill maintains full functionality, faster to read and understand.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@janisz: The following tests failed, say
Description
Skill for using go mod ... and goda to learn about dependencies and their usage. Useful when dealing with CVE reports in dependencies.
User-facing documentation
Testing and quality
Automated testing
How I validated my change
/go-dependency-analyzer analyze kubevirt.io/containerized-data-importer-api

● Dependency Analysis: kubevirt.io/containerized-data-importer-api (TRANSITIVE)

Dependency: kubevirt.io/containerized-data-importer-api v1.64.0
Status: TRANSITIVE ONLY - Not directly imported

Dependency Chain:
Our code (StackRox)
  ↓ imports kubevirt.io/api v1.8.2 (KubeVirt virtual machine API)
  ↓ depends on kubevirt.io/containerized-data-importer-api v1.64.0 (CDI API for persistent storage)

Why It Exists:
From go mod why:
- pkg/virtualmachine imports kubevirt.io/api/core/v1 (KubeVirt core API)
- KubeVirt API depends on containerized-data-importer-api/pkg/apis/core/v1beta1 for DataVolume specs
- CDI (Containerized Data Importer) is KubeVirt's persistent storage subsystem for VM disks

Our Usage of Intermediate Package:
- We import: kubevirt.io/api (KubeVirt virtual machine APIs)
- Used in: 5 production files (direct kubevirt.io/api imports)
- Plus: 7 production files via pkg/virtualmachine wrapper
- Components: Central (VM pipeline), Sensor (VM monitoring)
- Files (direct kubevirt.io/api usage):
  - pkg/virtualmachine/api.go - VM type definitions
  - sensor/kubernetes/listener/resources/virtualmachine/dispatcher/*.go - VM event dispatching (4 files)

What Intermediate Uses It For:
- KubeVirt API uses CDI API to define DataVolume types for VM persistent storage
- When VMs reference persistent disks, they use CDI DataVolume specs
- We monitor VM resources through KubeVirt API, which includes CDI DataVolume references
- CDI API defines schemas for volume provisioning, cloning, and importing

Recommended Action:
- ✅ No direct action needed - transitive dependency
- ✅ Monitor for security updates (managed by kubevirt.io/api)
- ✅ Low priority - updated automatically with KubeVirt API

Team Assignment: N/A - Managed via kubevirt.io/api updates
(If CVE: assign to @sensor-team who owns VM monitoring feature in sensor/kubernetes/listener/resources/virtualmachine)
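As an added example (not code from the PR's skill or from StackRox), a POSIX shell sketch of two checks the workflow above performs: classifying a module as direct or transitive from the `// indirect` marker in go.mod, and resolving the owning teams from CODEOWNERS for the files that import the intermediate package, which is how a transitive dependency gets its team assignment. The go.mod lines, the CODEOWNERS excerpt and the team handles are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the PR. Constructed stand-ins replace a real
# go.mod and .github/CODEOWNERS so the checks run offline.

# Constructed go.mod require lines. Go marks modules that no package in
# the main module imports with "// indirect"; "go mod why -m" then shows
# the import chain through the intermediate module.
GOMOD_SAMPLE='kubevirt.io/api v1.8.2
kubevirt.io/containerized-data-importer-api v1.64.0 // indirect
github.com/jackc/pgx/v5 v5.0.0'

# Classify one module path: DIRECT, TRANSITIVE, or ABSENT.
dep_kind() {
  printf '%s\n' "$GOMOD_SAMPLE" | awk -v mod="$1" '
    $1 == mod {
      kind = ($0 ~ /\/\/ indirect/) ? "TRANSITIVE" : "DIRECT"
      print kind; found = 1; exit
    }
    END { if (!found) print "ABSENT" }'
}

# Constructed CODEOWNERS excerpt; team handles are hypothetical.
CODEOWNERS_SAMPLE='# pattern -> owners; a later matching rule overrides an earlier one
/pkg/ @stackrox/core-team
/pkg/virtualmachine/ @stackrox/vm-team
/sensor/ @stackrox/sensor-team'

# Owner for a repo-relative path, using CODEOWNERS semantics for the
# directory-prefix patterns above (last matching rule wins).
owner_of() {
  printf '%s\n' "$CODEOWNERS_SAMPLE" | awk -v path="$1" '
    /^#/ || NF < 2 { next }
    {
      pat = $1; sub(/^\//, "", pat)
      if (substr(path, 1, length(pat)) == pat) owner = $2
    }
    END { if (owner == "") owner = "UNOWNED"; print owner }'
}

# For a transitive dependency the workflow assigns the teams that own the
# files importing the intermediate package: de-duplicated, comma-joined.
teams_for_files() {
  for f in "$@"; do owner_of "$f"; done | sort -u | paste -sd, -
}
```

Swap the constructed samples for `go list -m -f '{{.Path}} {{.Version}}{{if .Indirect}} // indirect{{end}}' all` and the real CODEOWNERS file to run it against a checkout.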