x/vuln: use govulncheck in bazel #61494

Open
@ukai

What version of Go are you using (go version)?

$ go version
go version go1.21-20230628-RC02 cl/544161750 +8b5fe5980c X:fieldtrack,boringcrypto linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/usr/local/google/home/ukai/.cache/go-build'
GOENV='/usr/local/google/home/ukai/.config/go/env'
GOEXE=''
GOEXPERIMENT='fieldtrack,boringcrypto'
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/usr/local/google/home/ukai/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/usr/local/google/home/ukai/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/lib/google-golang'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/google-golang/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21-20230628-RC02 cl/544161750 +8b5fe5980c X:fieldtrack,boringcrypto'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3493584143=/tmp/go-build -gno-record-gcc-switches'

What did you do?

Install govulncheck and run it in a Bazel workspace.

e.g.

$  git clone https://github.com/bazelbuild/reclient
Cloning into 'reclient'...
remote: Enumerating objects: 640, done.
remote: Counting objects: 100% (640/640), done.
remote: Compressing objects: 100% (410/410), done.
remote: Total 640 (delta 211), reused 628 (delta 199), pack-reused 0
Receiving objects: 100% (640/640), 757.42 KiB | 12.84 MiB/s, done.
Resolving deltas: 100% (211/211), done.
$ cd reclient 
$ govulncheck ./...

What did you expect to see?

Check Go vulnerabilities in the workspace.

What did you see instead?

$ govulncheck ./..
Using go1.21-20230628-RC02 cl/544161750 +8b5fe5980c X:fieldtrack,boringcrypto and [email protected] with vulnerability data from https://vuln.go.dev (last modified 2023-07-13 22:19:53 +0000 UTC).

govulncheck: no go.mod file

govulncheck only works with Go modules. Try navigating to your module directory.
Otherwise, run go mod init to make your project a module.

See https://go.dev/doc/modules/managing-dependencies for more information.

How can we use govulncheck for Bazel Go code?

Labels

NeedsInvestigation: Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
vulncheck or vulndb: Issues for the x/vuln or x/vulndb repo
