x/vuln: govulncheck doesn't support loading vendored modules #65124

Closed
lachlan-smith opened this issue Jan 17, 2024 · 9 comments
Labels
vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@lachlan-smith

Since the most recent update to govulncheck (v1.0.2) and the introduction of the LoadModules function (here), govulncheck can no longer run on projects that use private dependencies even when they are vendored locally unless the environment running govulncheck also has access to the private repositories.

We encountered this issue in our CI environment, which does not have access to the private repositories and instead relies on the locally vendored dependencies.

The issue seems to be caused by calling go list with the -mod=mod flag; if this flag were omitted, I believe it should instead try using the vendored modules first.
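The failure mode described above (a scan that reaches for private repositories even though the modules are vendored) is easier to catch early with a CI pre-flight. The script below is an added example, not code from this issue or from x/vuln: it verifies that every module in vendor/modules.txt is actually present in the vendor tree, then runs a pinned govulncheck release in vendor mode. The module paths in the fixture are constructed, and forcing vendor mode via GOFLAGS is an assumption about the fixed release, not something stated in this thread.

```shell
#!/bin/sh
# Added example, not code from the issue or from x/vuln: a CI pre-flight that
# checks the vendor tree is complete before govulncheck runs, so a missing private
# module fails with a clear message instead of a network fetch attempt.

# check_vendored_modules DIR: returns 0 when every "# <module> <version>" entry in
# DIR/vendor/modules.txt has a directory DIR/vendor/<module>, else 1.
check_vendored_modules() {
  dir="$1"
  manifest="$dir/vendor/modules.txt"
  [ -f "$manifest" ] || { echo "no vendor/modules.txt in $dir" >&2; return 1; }
  missing=0
  while IFS= read -r line; do
    # Module entries start with "# "; "## explicit" markers and package
    # lines (no leading '#') are skipped.
    case "$line" in
      "# "*) mod=${line#"# "}; mod=${mod%% *} ;;
      *) continue ;;
    esac
    if [ ! -d "$dir/vendor/$mod" ]; then
      echo "vendored module missing: $mod" >&2
      missing=1
    fi
  done < "$manifest"
  return "$missing"
}

# make_sample_tree DIR: constructed fixture with one vendored module present
# (example.com/acme/private) and one listed but absent (example.com/acme/missing).
make_sample_tree() {
  mkdir -p "$1/vendor/example.com/acme/private"
  printf '%s\n' \
    '# example.com/acme/private v0.3.1' \
    '## explicit; go 1.21' \
    'example.com/acme/private/token' \
    '# example.com/acme/missing v1.0.0' \
    '## explicit; go 1.21' \
    'example.com/acme/missing' > "$1/vendor/modules.txt"
}

# run_govulncheck_vendored DIR VERSION: install a pinned release (e.g. the
# v1.0.3 tag mentioned later in this thread) rather than @latest, gate on the
# vendor check, and (assumption) force vendor mode through GOFLAGS so the
# scan never tries to fetch a private module.
run_govulncheck_vendored() {
  check_vendored_modules "$1" || return 1
  go install "golang.org/x/vuln/cmd/govulncheck@$2" || return 1
  ( cd "$1" && GOFLAGS=-mod=vendor govulncheck ./... )
}
```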

@zpavlinovic
Contributor

@maceonthompson

@ffoebel

ffoebel commented Jan 17, 2024

Broke our CI as well, and since the GitHub action doesn't support selecting the govulncheck version, the only workaround is to build our own action.

@zpavlinovic
Contributor

We are working on this and should have a fix soon.

@gopherbot
Contributor

Change https://go.dev/cl/557495 mentions this issue: internal/scan, vulncheck: use packages.load for mod info

@maceonthompson

The fix for this has just been merged - would those not using the github action try to reproduce the issue after running go install golang.org/x/vuln/cmd/govulncheck@master?

@nathanmcgarvey-modopayments

The fix for this has just been merged - would those not using the github action try to reproduce the issue after running go install golang.org/x/vuln/cmd/govulncheck@master?

LGTM.... doing a containerized build using golang:1.21 and go install golang.org/x/vuln/cmd/govulncheck@master && govulncheck ./... with at least one private vendor module that does not work with @latest.

@nathanmcgarvey-modopayments

@maceonthompson or @zpavlinovic, is there a chance of tagging a 1.0.3 soon? Since most folks that have CI pipelines tagged at @latest will still be broken indefinitely, that'd be a big win for this and the related workspace issue.

@maceonthompson

@nathanmcgarvey-modopayments We're working on tagging 1.0.3 with the relevant fixes right now; it will be released by EOD today or sometime tomorrow.

@zpavlinovic
Contributor

v1.0.3 tag is available now.
