Open alexmurray opened 8 months ago
The go version is quite old too I think.
$ /snap/bin/govulncheck ./...
Using go1.18.1 and govulncheck@v0.0.0-f69de671333b-20230713045519 with vulnerability data from https://vuln.go.dev (last modified 2024-02-29 17:17:45 +0000 UTC).
govulncheck: loading packages: err: exit status 1: stderr: go: errors parsing go.mod:
/home/sudhackar/repos/authd/go.mod:3: invalid go version '1.21.0': must match format 1.23
/home/sudhackar/repos/authd/go.mod:5: unknown directive: toolchain
There were quite a few changes after 1.18 that break backwards compatibility.
We should update the go version as well - 1.18 is about 2 years old now.
@alexmurray I updated the snap to 1.0.4, amd64 is already built and released, the rest are pending. I am keeping this open until everything is released.
@sudhackar I believe the go version is whatever comes with the base core snap, that is core22. So I am not sure we can do anything in the snap for now. Scratch that last comment, updating the tool's version brought the new go with it as well.
@sespiros thanks - since the go snap has separate tracks for each major version, you can choose a particular one by using the snap rather than the golang-go deb package - so removing golang-go from build/stage-packages and instead add go
(or even go/1.22/stable
to specify a particular track) under build/stage-snaps
instead.
So when putting go/latest/stable in both build-snaps and stage-snaps, govulncheck fails to run in any repos that I tried. I believe govulncheck is supposed to use the Go version that is in the path, but when it is snapped it uses the Go version that is listed under staged-snaps/packages, and this causes some issue when govulncheck is invoked.
The currently uploaded version still fails for the authd repo (hence the bug label).
I haven't managed to find a combination of Go version (either snap or package) that works for all cases (hence the help wanted label). Meanwhile, installing govulncheck using go install works without issues.
As a sidenote, govulncheck is checking for open vulnerabilities in the Go standard library as well so for example if I am on mantic with Go version 1.21 but govulncheck snap contains Go version 1.18 (as it currently does), vulnerabilities for Go 1.18 show up in the results which is a bit confusing.
Hmm, try setting confinement: classic and see if that helps (then it should just use the go version installed on the host).
@alexmurray it does help, with classic confinement everything works. I wanted to try and make it work with strict but maybe in that case it actually makes more sense to run it with classic.
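An illustrative snapcraft.yaml, added here and not the govulncheck snap's actual recipe, that combines the two points raised in this thread: the Go toolchain taken from the go snap's 1.22 track via build-snaps instead of the core22 golang-go deb, and classic confinement so the built tool runs against the host's Go and the module checkout. The snap name, summary, part layout and the v1.0.4 tag form are assumptions.

```yaml
# Hypothetical snapcraft.yaml for packaging govulncheck (not the project's own file).
name: govulncheck            # assumed snap name
base: core22
version: '1.0.4'             # upstream release mentioned in the thread
summary: Scan Go modules against the Go vulnerability database
description: |
  Classic confinement means the snapped govulncheck sees the host's
  PATH, so `go list` and the stdlib version it reports are the host's
  (e.g. 1.21 on mantic), not the 1.18 baked into a strict core22 snap.
  That avoids both the go.mod parse errors and the misleading
  Go-1.18 stdlib findings described in the thread.
confinement: classic

parts:
  govulncheck:
    plugin: go
    source: https://github.com/golang/vuln.git
    source-tag: v1.0.4       # assumed tag name for the 1.0.4 release
    # Build with a modern toolchain from the go snap's per-version track,
    # rather than golang-go from the core22 archive (1.18), so the build
    # itself understands "go 1.21.0" and "toolchain" go.mod directives.
    build-snaps:
      - go/1.22/stable
    # Nothing from the go snap is staged into the final snap: at runtime
    # the classic snap uses whatever `go` the host has on PATH.

apps:
  govulncheck:
    command: bin/govulncheck
```

After building, `/snap/bin/govulncheck ./...` run inside a module checkout should pick up the host `go` (check with `govulncheck -version`, which prints the Go version it uses) rather than the snap's own.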
Upstream has released 1.0.4 - https://github.com/golang/vuln/tags - can the snap please be updated for this?