
x/vuln: govulncheck integration with go (mod) and GOPROXY #65720

Open
pboguslawski opened this issue Feb 15, 2024 · 3 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. vulncheck or vulndb Issues for the x/vuln or x/vulndb repo

Comments

@pboguslawski

Please consider merging the govulncheck cmd/api into go audit (go mod audit?) to avoid a separate cmd and allow audit requests to be passed via GOPROXY. This would allow one to use internal proxies like athens for handling dependency audits, not just module caching/fetching.

Such a solution is now possible in the JS world with npm audit + Verdaccio + the npm_config_registry env variable.

@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Feb 15, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Feb 15, 2024
@thanm thanm added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Feb 15, 2024
@thanm
Contributor

thanm commented Feb 15, 2024

@golang/vulndb

@ianthehat

The intention was to eventually add a go audit subcommand, but first we needed to experiment with govulncheck and make sure it pulled its weight, and then think about what other features an audit command might want to be able to have, to make sure we allow for them to be added in the future in its design.
This is unlikely to happen soon.
In the meantime, you can use the -db flag to govulncheck to point it at a vulndb proxy (or an offline copy).

@pboguslawski
Author

Thank you for pointing out the offline copy workaround.

In the future it would be nice to have an env var to specify the vulndb address if no -db flag is present. Maybe the same GOPROXY for go mod and go audit, if possible.
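As an added example (not code from this thread or from x/vuln), a small POSIX sh wrapper that gives govulncheck the behaviour the last two comments describe: it points govulncheck's real -db flag at a vulndb proxy or an offline file:// copy taken from an environment variable, unless the caller already passed -db. The variable name GOVULNDB is an assumption; govulncheck itself only reads -db.

```shell
# Hypothetical env var: URL of a vulndb mirror, e.g. https://proxy.internal/vulndb
# or an offline copy such as file:///srv/vulndb. Not read by govulncheck itself.
# GOVULNDB=...

# Print the -db argument govulncheck should receive, given the caller's
# arguments and the GOVULNDB environment variable. Prints nothing if the
# caller already chose a database or GOVULNDB is unset/empty.
govulncheck_db_flag() {
  for arg in "$@"; do
    case "$arg" in
      # Explicit -db (either "-db=URL" or "-db URL") always wins.
      -db|-db=*|--db|--db=*) return 0 ;;
    esac
  done
  if [ -n "${GOVULNDB:-}" ]; then
    printf '%s' "-db=${GOVULNDB}"
  fi
}

# Run govulncheck with the env-derived flag prepended. Requires govulncheck
# to be installed (go install golang.org/x/vuln/cmd/govulncheck@latest).
govulncheck_wrapper() {
  flag=$(govulncheck_db_flag "$@")
  if [ -n "$flag" ]; then
    govulncheck "$flag" "$@"
  else
    govulncheck "$@"
  fi
}
```

Typical use is `GOVULNDB=file:///srv/vulndb govulncheck_wrapper ./...` in an air-gapped build, while `govulncheck_wrapper -db https://vuln.go.dev ./...` still goes where the caller said.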
