golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/vuln: package slices is not in GOROOT #68034

Closed bcl closed 1 month ago

bcl commented 1 month ago

When using vuln with go v1.20.14 it fails to install because slices is not in the standard library. The vuln docs, and go.mod, claim to be compatible with go 1.18 and later.

https://github.com/osbuild/weldr-client/actions/runs/9542027269/job/26296139660?pr=139

```
Setup go version spec 1.20.x
Found in cache @ /opt/hostedtoolcache/go/1.20.14/x64
Added go to the path
Successfully set up Go version 1.20.x
/opt/hostedtoolcache/go/1.20.14/x64/bin/go env GOMODCACHE
/opt/hostedtoolcache/go/1.20.14/x64/bin/go env GOCACHE
/home/runner/go/pkg/mod
/home/runner/.cache/go-build
Cache is not found
go version go1.20.14 linux/amd64

Run go install golang.org/x/vuln/cmd/govulncheck@latest
  go install golang.org/x/vuln/cmd/govulncheck@latest
  shell: /usr/bin/bash -e {0}
go: downloading golang.org/x/vuln v1.1.2
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/mod v0.18.0
go: downloading golang.org/x/tools v0.22.0
go: downloading golang.org/x/sync v0.7.0
Error: ../../../go/pkg/mod/golang.org/x/vuln@v1.1.2/internal/openvex/handler.go:12:2: package slices is not in GOROOT (/opt/hostedtoolcache/go/1.20.14/x64/src/slices)
Error: Process completed with exit code 1.
```

mauri870 commented 1 month ago

The Go Release Policy states that each major Go release is supported until there are two newer major releases.

Since Go 1.22 was released back in February, it has been a couple of months now that Go 1.20 has not received any kind of security update.

Plus you are installing the most recent commit of vuln (latest) which is unlikely to work anyway with Go 1.20.

My advice is that you should update to a supported release.

Edit: sorry for the ping @latest

mauri870 commented 1 month ago

The go.mod argument is valid, we should probably change it to go 1.21.

mauri870 commented 1 month ago

cc @golang/vulndb

mauri870 commented 1 month ago

Looking a bit more into it, the only place that imports slices was added 2 weeks ago in https://go-review.googlesource.com/c/vuln/+/575859.

I wonder if we should have used x/exp/slices instead.
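The mismatch discussed in this thread (a go.mod that declares `go 1.18` while a source file imports `slices`, which only exists in the standard library from Go 1.21) is easy to catch mechanically before a release. The following is an added example, not code from golang.org/x/vuln or the Go project: it parses only the import blocks of a module's files with go/parser and compares each standard-library import against the `go` directive. The table of "package introduced in release" is a hand-maintained subset assumed for this example; the sample go.mod and source file are constructed to mirror the failure above.

```go
// Added example (not x/vuln code): flag stdlib imports that are newer than the
// module's declared `go` directive. stdlibSince is a hand-maintained subset,
// an assumption of this example rather than data the toolchain exposes.
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// stdlibSince maps a standard-library import path to the Go 1.x minor release
// that introduced it. Packages not listed are treated as available everywhere.
var stdlibSince = map[string]int{
	"slices":       21,
	"maps":         21,
	"math/rand/v2": 22,
	"iter":         23,
}

var goDirectiveRE = regexp.MustCompile(`(?m)^go\s+1\.(\d+)`)

// goDirectiveMinor returns the minor version from a go.mod's `go` line
// ("go 1.18" -> 18, "go 1.21.0" -> 21).
func goDirectiveMinor(gomod string) (int, error) {
	m := goDirectiveRE.FindStringSubmatch(gomod)
	if m == nil {
		return 0, fmt.Errorf("go.mod has no go directive")
	}
	return strconv.Atoi(m[1])
}

// Violation is an import that needs a newer Go release than go.mod declares.
type Violation struct {
	File, Import string
	Needs        int // minor release that introduced the package
}

// checkSources parses only the import blocks of the given files (path ->
// contents) and reports every listed stdlib import newer than declaredMinor,
// sorted by file then import path so output is deterministic.
func checkSources(sources map[string]string, declaredMinor int) ([]Violation, error) {
	fset := token.NewFileSet()
	var out []Violation
	for path, src := range sources {
		f, err := parser.ParseFile(fset, path, src, parser.ImportsOnly)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		for _, imp := range f.Imports {
			p := strings.Trim(imp.Path.Value, `"`)
			if since, ok := stdlibSince[p]; ok && since > declaredMinor {
				out = append(out, Violation{File: path, Import: p, Needs: since})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].File != out[j].File {
			return out[i].File < out[j].File
		}
		return out[i].Import < out[j].Import
	})
	return out, nil
}

// requiredMinor is the lowest `go` directive the module could honestly carry:
// the declared value raised to the newest release any violation needs.
func requiredMinor(declaredMinor int, vs []Violation) int {
	need := declaredMinor
	for _, v := range vs {
		if v.Needs > need {
			need = v.Needs
		}
	}
	return need
}

// Constructed sample input mirroring the thread: go.mod claims 1.18 while the
// openvex handler imports slices.
const sampleGoMod = "module example.com/vulntool\n\ngo 1.18\n"

var sampleSources = map[string]string{
	"internal/openvex/handler.go": "package openvex\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"slices\"\n\t\"time\"\n)\n",
	"cmd/tool/main.go":            "package main\n\nimport \"fmt\"\n",
}

func main() {
	declared, err := goDirectiveMinor(sampleGoMod)
	if err != nil {
		panic(err)
	}
	vs, err := checkSources(sampleSources, declared)
	if err != nil {
		panic(err)
	}
	for _, v := range vs {
		fmt.Printf("%s imports %q, which needs go 1.%d (go.mod declares 1.%d)\n", v.File, v.Import, v.Needs, declared)
	}
	fmt.Printf("go.mod should declare at least: go 1.%d\n", requiredMinor(declared, vs))
}
```

Run against a real checkout by reading go.mod and walking `*.go` files into the `sources` map; because the parse stops after the import declarations (parser.ImportsOnly), it is cheap enough to run in CI alongside `go vet`. Note that the check only answers "which stdlib packages does this code name"; it does not catch new functions added to packages that already existed (for instance a new method in a 1.x release), so a build on the oldest toolchain you claim to support is still the authoritative test.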

ianthehat commented 1 month ago

We have been discussing as a team what our strategy should be for keeping the go.mod go lines up to date across all the x repositories; we should probably just manually update this one for now as that conversation progresses. It would be ironic to expend effort to make a vulnerability tool compile with a vulnerable version of Go: we definitely don't plan to support building with any version of Go except the most recent security patch of actively supported versions!

gopherbot commented 1 month ago

Change https://go.dev/cl/593235 mentions this issue: all: require go1.21

bcl commented 1 month ago

Understood. I'm stuck on an older version until RHEL 9 tooling updates so that's why it's using v1.20

gopherbot commented 1 month ago

Change https://go.dev/cl/595935 mentions this issue: cmd/govulncheck: remove line about go version requirements

xswordsx commented 2 weeks ago

> Understood. I'm stuck on an older version until RHEL 9 tooling updates so that's why it's using v1.20

Had the same issue. The two options are: install v1.1.1 of the tool, or clone the repo and patch it so it doesn't use slices.

[PATCH] Remove slices package ```diff diff --git a/go.mod b/go.mod index 1412cb1..dd7e820 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module golang.org/x/vuln -go 1.21 +go 1.18 require ( github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 diff --git a/internal/openvex/handler.go b/internal/openvex/handler.go index b5e43aa..8553743 100644 --- a/internal/openvex/handler.go +++ b/internal/openvex/handler.go @@ -9,7 +9,7 @@ import ( "encoding/json" "fmt" "io" - "slices" + "sort" "time" "golang.org/x/vuln/internal/govulncheck" @@ -153,16 +153,8 @@ func statements(h *handler) []Statement { statements = append(statements, s) } - slices.SortFunc(statements, func(a, b Statement) int { - if a.Vulnerability.ID > b.Vulnerability.ID { - return 1 - } - if a.Vulnerability.ID < b.Vulnerability.ID { - return -1 - } - // this should never happen in practice, since statements are being - // populated from a map with the vulnerability IDs as keys - return 0 + sort.Slice(statements, func(i, j int) bool { + return statements[i].Vulnerability.ID < statements[j].Vulnerability.ID }) return statements } ```
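Review bot: the go.mod hunk (`-go 1.21` / `+go 1.18`) claims more than this thread verifies; the only toolchain exercised in the log above is go1.20.14, so `go 1.20` is the minimum this patch actually demonstrates, and declaring 1.18 promises builds on 1.18 and 1.19 that nobody here has run. The hunk also leaves the `require` block untouched (x/tools v0.22.0, x/mod v0.18.0 and x/telemetry per the download log), and each of those modules carries its own `go` line, so confirm `go mod tidy` and `go build ./...` still pass with the lowered directive on the toolchain you will actually use before relying on it.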
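Review bot: the `statements` hunk drops the comment explaining why the equal-ID case "should never happen in practice" (statements are populated from a map keyed by vulnerability ID); keep that comment above the new `sort.Slice` call, because that uniqueness is exactly what makes the non-stable `sort.Slice` deterministic here. The ordering itself is preserved: the removed `slices.SortFunc` comparator returned 1 / -1 on `a.Vulnerability.ID > b.Vulnerability.ID` / `<`, and the new less func `return statements[i].Vulnerability.ID < statements[j].Vulnerability.ID` induces the same ascending string order. `sort.Slice` has been in the standard library since Go 1.8, so the `"slices"` to `"sort"` import swap in the preceding hunk is safe for every toolchain this patch targets.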
zpavlinovic commented 2 weeks ago

FWIW, newly released govulncheck v1.1.3 now requires go1.21 and newer.