Closed bcl closed 1 month ago
The Go Release Policy states that each major Go release is supported until there are two newer major releases.
Since Go 1.22 was released back in February, Go 1.20 has not received any kind of security update for a couple of months.
Plus you are installing the most recent commit of vuln (latest), which is unlikely to work anyway with Go 1.20.
My advice is that you should update to a supported release.
Edit: sorry for the ping @latest
The go.mod argument is valid, we should probably change it to go 1.21.
cc @golang/vulndb
Looking a bit more into it, the only place that imports slices was added 2 weeks ago in https://go-review.googlesource.com/c/vuln/+/575859.
I wonder if we should have used x/exp/slices instead.
We have been discussing as a team what our strategy should be for keeping the go.mod go lines up to date across all the x repositories; we should probably just manually update this one for now as that conversation progresses. It would be ironic to expend effort to make a vulnerability tool compile with a vulnerable version of Go; we definitely don't plan to support building with any version of Go except the most recent security patch of actively supported versions!
Change https://go.dev/cl/593235 mentions this issue: all: require go1.21
Understood. I'm stuck on an older version until RHEL 9 tooling updates so that's why it's using v1.20
Change https://go.dev/cl/595935 mentions this issue: cmd/govulncheck: remove line about go version requirements
Had the same issue. The two options are: install v1.1.1 of the tool or clone the repo and patch it so it doesn't use slices
FWIW, newly released govulncheck v1.1.3 now requires go1.21 and newer.
When using vuln with go v1.20.14 it fails to install because slices is not in the standard library. The vuln docs, and go.mod, claim to be compatible with go 1.18 and later.
https://github.com/osbuild/weldr-client/actions/runs/9542027269/job/26296139660?pr=139
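An added example, not code from the vuln repository or from anyone in this thread: a small Go check for the mismatch reported here, where the go line in go.mod promises an older release than the standard-library imports actually need. The function name `tooNew`, the package table (limited to packages added in Go 1.21) and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"strconv"
)

var (
	// Standard-library packages and the Go 1.N release that introduced them.
	addedIn = map[string]int{"slices": 21, "maps": 21, "cmp": 21, "log/slog": 21}
	// Matches the "go 1.N" directive at the start of a go.mod line.
	goLine = regexp.MustCompile(`(?m)^go\s+1\.(\d+)`)
)

// tooNew reports imports in src that need a newer Go than the go.mod text declares.
func tooNew(gomod, src string) ([]string, error) {
	m := goLine.FindStringSubmatch(gomod)
	if m == nil {
		return nil, fmt.Errorf("no go directive in go.mod")
	}
	minor, _ := strconv.Atoi(m[1]) // the regexp only captures digits
	// ImportsOnly stops parsing after the import block, so bodies are never read.
	f, err := parser.ParseFile(token.NewFileSet(), "src.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, imp := range f.Imports {
		path, _ := strconv.Unquote(imp.Path.Value)
		if need, ok := addedIn[path]; ok && need > minor {
			out = append(out, fmt.Sprintf("%s needs go1.%d, go.mod declares go1.%d", path, need, minor))
		}
	}
	return out, nil
}

func main() {
	// Constructed sample input, not taken from the vuln repository.
	gomod := "module example.test/tool\n\ngo 1.18\n"
	src := "package tool\n\nimport (\n\t\"slices\"\n\t\"sort\"\n)\n"
	fmt.Println(tooNew(gomod, src))
}
```

Run over every source file of a module in CI, a check like this fails the build before a release ships with a go line that older toolchains cannot honour.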