Get go stdlib version from go.mod #704
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #704 +/- ##
==========================================
+ Coverage 78.62% 78.70% +0.07%
==========================================
Files 85 84 -1
Lines 6055 6047 -8
==========================================
- Hits 4761 4759 -2
+ Misses 1088 1085 -3
+ Partials 206 203 -3 ☔ View full report in Codecov by Sentry. |
cuixq
reviewed
Dec 11, 2023
This was referenced Dec 27, 2023
another-rex
added a commit
that referenced
this pull request
Jan 10, 2024
While the change made in #704 is the ideal solution, it only works for people using go 1.21 or later. Adding a patch version to go.mod will cause go1.20 or earlier to fail to build. Since 1.20 is still fully supported and is still the default version for many workflows, this causes too many breakages for users to be acceptable. There's a few alternative fixes: - Assume latest patch version (This PR) - This means osv-scanner is no longer checking whether a project is updating to the latest patch version to resolve vulnerabilities, but will still catch users using an out of support go minor version that has no patch available. - Remove stdlib vulnerability check entirely / move stdlib vuln check behind a experimental flag - Add a way to hint to osv-scanner the go version (e.g. .go-version file, or a comment in the go.mod file specifically for osv-scanner to check). I am leaning towards assuming the latest patch as a fix in the mean time until go1.22 releases (at which point 1.20 will no longer be supported), and less people will be using 1.20, and perhaps reintroducing the patch version check. --- This implementation also means when a stdlib vulnerability is found, the version that is printed will be 1.xx.99, which is not quite accurate.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix #679