The tool `govulncheck` "reports known vulnerabilities that affect Go code". Add a feature to `obs-service-go_modules` to run `govulncheck`, checking the application source and vendored modules. Package `govulncheck` is already in openSUSE Factory (devel:languages:go/govulncheck).

Feature goals:

- Report `govulncheck` output as plaintext in the build log for this initial version.
- Run `govulncheck` by default, but do not break the Go application build based on a positive CVE report or other error at this time. A separate feature implemented later to parse JSON output can opt in to breaking the build based on the CVE matching certain platform data, e.g. `GOOS` and `GOARCH`. We need some operating experience with `govulncheck`, the reliability of the https://vuln.go.dev/ service, and the fields available in the output before it will be practical to enable a build-breaking mode.
- Allow running only the `govulncheck` step without forcing re-vendoring of Go applications which use a populated `vendor/` directory committed into the upstream repository. Re-vendoring is normally recommended to ensure consistency, but it should be possible to skip it if circumstances require doing so.
- Soft dependency on the `govulncheck` package, possibly becoming a hard dependency only after the package is accepted into all relevant repositories. If the tool is unavailable, report that and exit.

Assigning to myself.