Closed quample closed 1 year ago
Hi @quample,
Answering your comments:
> We are planning to use the latest version of this plugin, but when running the package through our sec scan tool, we got vulnerability hits on the Golang version.

Is there a chance it read the version in the go.mod? There we have a minimum requirement, for developing our plugin, of using at least Go 1.13 (which is very old, hence it would make sense for your script to hint about the Go version).

> Could you specify which version of Golang was used for plugin version 0.12.1?

Sure. The latest version of our plugin was built using Golang 1.17. We have plans to upgrade our plugin to be able to handle the latest version of the plugin, so most likely we will upgrade the version of Golang we use for building our binaries.

> Also, as a feature request, I think it will be beneficial to include the version of Golang used in the changelog; an example would be the HashiCorp Vault changelog, which calls out the Golang version for each release.

I'll bring this up to my manager. Thank you for the feedback :)
Gotcha, I think the scanner might have just picked up the min Golang version from the go.mod file... just a guess though.
But thank you for the info, much appreciated! I'll close this issue :)
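
The guess in this thread turns on the difference between the `go` directive in go.mod (a minimum language version) and the toolchain version the linker embeds in a compiled binary. The following is an added example, not code from the thread or from the plugin, that reads both values; the go.mod text and its module path are constructed for illustration.

```go
package main

import (
	"bufio"
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// goDirective returns the version named by the "go" directive in go.mod text.
// It is the module's minimum language version, not the release build toolchain.
func goDirective(modText string) string {
	sc := bufio.NewScanner(strings.NewReader(modText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// toolchainVersion reads the Go version embedded in a compiled binary.
func toolchainVersion(binaryPath string) (string, error) {
	info, err := buildinfo.ReadFile(binaryPath)
	if err != nil {
		return "", err
	}
	return info.GoVersion, nil
}

// Constructed go.mod for illustration; the module path is a placeholder.
const sampleGoMod = `module example.com/some-plugin

go 1.13
`

func main() {
	path, _ := os.Executable() // default: inspect this program itself
	if len(os.Args) > 1 {
		path = os.Args[1] // or the plugin binary under review
	}
	v, err := toolchainVersion(path)
	fmt.Println("go.mod minimum:", goDirective(sampleGoMod), "built with:", v, err)
}
```

`go version <file>` prints the same embedded toolchain version from the command line, which is the value to compare against a scanner's finding.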
Hello team,
We are planning to use the latest version of this plugin, but when running the package through our sec scan tool, we got vulnerability hits on the Golang version. We are assuming it's a false positive but wanted to make sure & re-run the scan with a targeted Golang version. We asked the question to Venafi support, but they directed us to post a GH issue to get the answer.
Could you specify which version of Golang was used for plugin version 0.12.1?
Also, as a feature request, I think it will be beneficial to include the version of Golang used in the changelog; an example would be the HashiCorp Vault changelog, which calls out the Golang version for each release.
Appreciate the help :)