How to run govulncheck with a specific Go version?

Time:09-17

I'm trying to scan my Go module for vulnerabilities using the govulncheck tool. Following the instructions on the "Managing Go installations" page, I have two Go versions installed: 1.17.9 and 1.18.6:

$ go version
go version go1.17.9 linux/amd64
$ go1.18.6 version
go version go1.18.6 linux/amd64

My module is built and run with 1.18.6. I installed govulncheck with Go 1.18.6 using this command:

$ go1.18.6 install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20220913170424-c9fe2ba7ccad
go: downloading golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
go: downloading golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3
go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e

But when I ran govulncheck ./... against my module, it reported issues against Go 1.17.9.

$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 5 known vulnerabilities.

Vulnerability #1: GO-2022-0524
  Calling Reader.Read on an archive containing a large number of
  concatenated 0-length compressed files can cause a panic due to
  stack exhaustion.

  Call stacks in your code:
      path/omitted/example.go:79:67: example.com/example-project/path/omitted/example.Method calls example.com/vulnerable-dependency/path/omitted/example.Foo.Bar, which eventually calls compress/gzip.Reader.Read

  Found in: compress/[email protected]
  Fixed in: compress/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0524

(etc)

The example issue is already fixed in the Go version I'm using (1.18.6), but since govulncheck is using 1.17.9 instead of 1.18.6, it's not seeing that the problem is mitigated.

How do I run this tool using my desired Go version?

CodePudding user response:

I'm going to write my comment as a (slightly more detailed) answer:

According to the docs, govulncheck will use the go command found on the PATH. So one solution would be to export a different PATH (having go point to 1.18.6 instead of 1.17.9) only when using govulncheck.

You could do this in your Makefile pretty easily like so:

vulncheck: export PATH:=$(PATH_TO_GO_1_18_6):$(PATH)
vulncheck:
     govulncheck ./...
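The same PATH-scoping idea as a standalone shell script, as an added example that is not part of the original answer. It assumes the SDK layout produced by the "Managing Go installations" method (`go install golang.org/dl/go1.18.6@latest && go1.18.6 download`), i.e. `$HOME/sdk/go1.18.6/bin/go`; any directory containing `bin/go` works. The function names (`with_go_sdk`, `govulncheck_with`, and so on) are this example's own. It checks which `go` is actually first on the adjusted PATH before scanning, so the 1.17.9-versus-1.18.6 mix-up from the question fails loudly instead of producing a report against the wrong toolchain:

```shell
#!/bin/sh
# Added example (not from the original post): run govulncheck under a
# specific Go SDK by putting that SDK's bin directory first on PATH for
# a single command only, and verifying which `go` wins before scanning.
#
# Assumed layout (from `go install golang.org/dl/goX.Y.Z@latest && goX.Y.Z download`):
#   $HOME/sdk/go1.18.6/bin/go

# go_bin_dir SDK_ROOT -> prints SDK_ROOT/bin; fails if bin/go is missing.
go_bin_dir() {
    if [ ! -x "$1/bin/go" ]; then
        echo "no executable go binary under $1/bin" >&2
        return 1
    fi
    printf '%s\n' "$1/bin"
}

# with_go_sdk SDK_ROOT CMD... -> runs CMD with SDK_ROOT/bin first on PATH.
# `env` is used so the lookup of CMD itself (not just its children)
# sees the modified PATH; the caller's shell PATH is untouched.
with_go_sdk() {
    _sdk="$1"; shift
    _bin=$(go_bin_dir "$_sdk") || return 1
    env PATH="$_bin:$PATH" "$@"
}

# resolved_go_version SDK_ROOT -> prints the tag (e.g. go1.18.6) that
# `go version` reports once SDK_ROOT/bin is first on PATH.
resolved_go_version() {
    with_go_sdk "$1" go version | awk '{print $3}'
}

# govulncheck_with SDK_ROOT EXPECTED_VERSION [govulncheck args...]
# Refuses to scan unless the `go` found on the adjusted PATH is the
# expected one; this is the mismatch the question ran into.
govulncheck_with() {
    _root="$1"; _want="$2"; shift 2
    _got=$(resolved_go_version "$_root") || return 1
    if [ "$_got" != "$_want" ]; then
        echo "expected $_want first on PATH but got $_got" >&2
        return 1
    fi
    with_go_sdk "$_root" govulncheck "$@"
}

# Usage:
#   govulncheck_with "$HOME/sdk/go1.18.6" go1.18.6 ./...
```

Because `env PATH=... govulncheck` only changes the environment of that one process, the rest of the shell (and any Makefile target that does not opt in) keeps using the default `go`, which is the same effect the Makefile target-specific `export PATH` achieves.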