The implementation looks like it will generate quite a few false positives, compared to x/vuln/cmd/govulncheck, as well as being less useful.

It would be better to focus efforts there, it can graduate to a go subcommand at a later date

@seankhliao What is the difference between direct requests to https://vuln.go.dev and x/vuln/cmd/govulncheck, if I may ask?

call graph traversal vs everything in a module, suppport for multiple vulndb servers, reporting for the standard library

There is also the Open Source Insights service at https://deps.dev, which aims to be more comprehensive.

cc @golang/vulndb

Change https://go.dev/cl/423615 mentions this issue: cmd/go: implement go mod audit

@seankhliao What is the difference between direct requests to https://vuln.go.dev and x/vuln/cmd/govulncheck, if I may ask?

govulncheck can detect calls to vulnerable symbols (functions or methods). It constructs a call graph and tries to figure out what vulnerable functions and methods are transitively called from entry points (inits, main, exported functions/methods). It then communicates a description of a call stack witnessing the finding. Detection at this level of granularity is more precise, because a vulnerable symbol can be imported (or its module) but that does not mean it is actually used. govulncheck uses the vuln.go.dev db by default, but more dbs can be added.

govulncheck is built on top of vulncheck library, which also supports less expensive detection of vulnerable imports only. More information can also be found here.

If you want to add a sub-command like in https://go.dev/cl/423615, this will have to go through a proposal process.

Is there anything you'd like to have that govulncheck does not support?

I was not aware of the existence of govulncheck prior to making this proposal/pull request, but natively supporting module auditing within Go is still an important feature. If go mod audit is missing features in comparison to govulncheck, then those features should be added (i.e. call graph traversal, which I see as a much better implementation of this rather than checking go.sum).

The goal of govulncheck is to develop a tool which can be eventually be rolled into the standard Go toolchain, it is being developed as a separate tool, for now, so that we can gain UX knowledge before directly integrating it.

I think it's clear from the above that something like this will happen in the future, but the open PR and this proposal to support it isn't there yet.

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc should this be active or retracted?

This proposal has been declined as infeasible.
— rsc for the proposal review group