x/vuln/cmd/govulncheck: add quiet output or a cli flag #62315
Comments
There is a -json flag, which causes the tool to emit all its results and errors in a structured form that is easy to parse. But I agree that there ought to be an easier way (e.g. |
I would like to put emphasis on no output at all, just like how these tools behave:
So |
Out of curiosity, what problems is this causing?
For me personally it's causing unnecessary output when it's not needed/wanted, for example by spamming logs for automatic runners (wasting space and time needed to sift through the logs, or applying workarounds that cut away the all-clear message). That feedback link at the end? I saw it the first time and would now like to stop seeing it forever (it would be better to place that link in the docs instead). Sorry for the negative tone, but it's kind of annoying having a tool nagging at you every time.
In fairness to My disorganized thoughts:
The go build system doesn't tell you how many packages it looked at to do its job, and it can sometimes sit there for tens of seconds for a large build from cold. Why is vulncheck different? Is it much slower? I would still prefer that it remain silent by default, and that progress messages be an option. Most of our tools follow the UNIX philosophy and stay silent until there is either a problem or a result. We want our users to routinely assume that Go tools do what they're told, so that if you ask it to scan a given set of packages, it will either do it, or tell you why it was impossible (and exit nonzero). Optional progress messages can be enabled by a -v flag. If it's not too late, I suggest we take that approach.
I appreciate you guys for taking the time to discuss this, thanks! @timothy-king I think you have some good points, first that it's not a mature tool yet (I keep forgetting it's in About |
Now that I have had a bit more time to organize my thoughts, how about the following:
Package docs https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck already has a (slightly different) feedback url. I think it would be reasonable to include "https://go.dev/s/govulncheck-feedback" in the usage string for now. So the feedback url can be discovered from the package docs. But I think the tool is still not that mature, and I think it is okay to lean towards making feedback easy.
As mentioned, govulncheck is still in |
Thank you for your time.
Reopening; I think Tim's plan three notes above is a good one. |
A concrete problem caused by govulncheck's chatty output is that I can't easily run govulncheck from cron because it will email me even if it doesn't find any vulnerabilities. I will have to hack around it with some script that buffers the output and discards it if govulncheck's exit code is 0. I assume running govulncheck from cron will be a common use case so govulncheck should work well with cron by default.
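A minimal version of the wrapper the comment above describes, added here as an example and not code from the issue or from the govulncheck project: it buffers everything the scanner prints and replays it only when the exit status is nonzero, so a cron job that mails on any output stays silent on a clean run. The only thing it relies on is the exit code (0 when nothing was found, as the comment states), never the wording of the text output. The install path and crontab line in the comments are illustrative.

```shell
#!/bin/sh
# Added example (not from the issue or the govulncheck project): run a
# command, discard its output when it exits 0, otherwise replay the buffered
# stdout+stderr and propagate the exit status. Decides on the exit code only,
# never on the content of govulncheck's text output.
quiet_run() {
    _qr_tmp=$(mktemp) || return 1
    _qr_rc=0
    # Capture both streams; the "|| ..." keeps a nonzero status from aborting
    # a caller that runs under "set -e".
    "$@" >"$_qr_tmp" 2>&1 || _qr_rc=$?
    if [ "$_qr_rc" -ne 0 ]; then
        # Something to report (findings or a scanner error): show it all.
        cat "$_qr_tmp"
    fi
    rm -f "$_qr_tmp"
    return "$_qr_rc"
}

# Stand-alone use, e.g. saved as /usr/local/bin/govulncheck-quiet (assumed
# path) and called from crontab so cron only sends mail on a nonzero exit:
#   0 6 * * * cd /srv/myrepo && /usr/local/bin/govulncheck-quiet govulncheck ./...
if [ "$#" -gt 0 ]; then
    quiet_run "$@"
    exit "$?"
fi
```

Because cron mails whatever a job writes, the wrapper turns "no output unless there is something to say" into exactly the UNIX behaviour the thread asks for, without parsing anything; an error from the scanner (nonzero exit for any reason) still reaches the mailbox with its full message.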
I don't think that cron or any other integration should rely on the textual output. This is why We've discussed the |
v1.0.4 still outputs text when no vulnerabilities are found:
Integrations with govulncheck need not be complex. I would like to simply get an email once a day if any of my Go modules have vulnerabilities. If I were to use |
What version of Go are you using (go version)?
Does this issue reproduce at the latest version of golang.org/x/vuln?
Yes (govulncheck@v1.0.1 as of this time).
What did you do?
What did you expect to see?
No output upon "success", like the other go commands.
Proposal
I would like to have silent output by default (kind of like the other go commands) or at least a CLI flag to silence this verbose "success" message.