Add golang.org/x/vuln/vulncheck as a linter #3094
Hey, thank you for opening your first Issue! 🙂 If you would like to contribute, we have a guide for contributors.
Hello, There are several problems:
https://golangci-lint.run/contributing/new-linters/#how-to-add-a-public-linter-to-golangci-lint So I will decline this proposal.
Hi, I think the issue should be re-opened because of https://go.dev/blog/vuln and the vulncheck library that's used by the command.
Looks like they have an API now, I haven't looked at it though.
It seems the mentioned PR is currently a draft, and since they have an API as Ryan mentioned above, we can re-open this one. @ldez Wdyt?
As vulncheck is based on SSA, I think the integration will not work but I will re-open.
Thanks! @luxifer Is your PR final? If so, can you please remove the draft tag?
I need to rewrite the commit as it's with the wrong address. But yes, I need some feedback on my proposal because it's the first time I'm using go/analysis.
Having this tool running as part of the linters will be extremely useful.
This is temporary while golangci/golangci-lint#3094 is being worked on here: golangci/golangci-lint#3199
* Add govulncheck linter
  This is temporary while golangci/golangci-lint#3094 is being worked on here: golangci/golangci-lint#3199
* Upgrade actions/setup-go
  Also ensure that it installs the latest available matching Go release.
I didn't really provide my opinion on this topic: I think that vulncheck is not a linter. Also, as the "rules" of vulncheck are outside the configuration file, golangci-lint will ignore any "rule" changes because it's not a part of the information used to handle the cache. As you can understand, for now, I disagree with the integration of vulncheck, but I'm not alone on this project, and I can change my mind over time, I will wait for feedback from other maintainers. I'm not making any decision at this time.
I understand your concerns about that. And the fact that the database is external makes it difficult to integrate properly with caching. Anyway, if it's not integrated, it's not a big deal for me and it helped me better understand the internal structure of this project.
Maybe we can close this issue as well?
Yes, I will close it, thank you @luxifer
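The caching concern raised in the thread, as a simplified model. This is an added example, not golangci-lint's or vulncheck's code; the cache layout, the functions `key`, `scan`, `cachedScan` and `demo`, the module path and the advisory ID are all constructed. It shows that a cache key built only from source and configuration keeps serving an empty result after the vulnerability database gains an entry, while a key that also covers the database version does not.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// key hashes every input that is supposed to invalidate a cached result.
func key(parts ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:])
}

// scan stands in for the vulnerability check: one finding per imported
// module that has an entry in the (external) database.
func scan(imports []string, db map[string]string) (out []string) {
	for _, m := range imports {
		if id, ok := db[m]; ok {
			out = append(out, id)
		}
	}
	return out
}

// cachedScan reuses a stored result whenever the key matches.
func cachedScan(cache map[string][]string, cfg, dbVersion string, imports []string, db map[string]string) []string {
	k := key(strings.Join(imports, ","), cfg, dbVersion)
	if r, ok := cache[k]; ok {
		return r
	}
	cache[k] = scan(imports, db)
	return cache[k]
}

// demo runs the scan before and after a database update and returns the
// second result. With trackDB false the key ignores the database.
func demo(trackDB bool) []string {
	cache, db := map[string][]string{}, map[string]string{}
	imports := []string{"example.com/mod"} // constructed module path
	v1, v2 := "", ""
	if trackDB {
		v1, v2 = "db-1", "db-2"
	}
	cachedScan(cache, "cfg", v1, imports, db)
	db["example.com/mod"] = "ADVISORY-PLACEHOLDER" // published after run 1
	return cachedScan(cache, "cfg", v2, imports, db)
}

func main() { fmt.Println(demo(false), demo(true)) }
```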
Your feature request related to a problem? Please describe.
govulncheck allows you to check if your code is calling any vulnerable code.
Describe the solution you'd like.
Add https://pkg.go.dev/golang.org/x/vuln/vulncheck as a linter.
Describe alternatives you've considered.
I can't find another vulnerability checker that can determine if the vulnerable code is being called or not.
Additional context.
No response