
govulncheck-action's Issues

Option to opt-out from SARIF Report Upload

Hello,

I have included this to my CI pipelines and have encountered the following error:

ERR Upload of Sarif Report GitHub yielded error error="POST https://api.github.com/repos/<org>/<repo>/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. 

Would it be possible to add an option to add the SARIF report to step outputs and opt-out from uploading the report?

[BUG] Latest govulncheck breaks action

Setting a Baseline

Logs:

2:13PM INF GoEnvironment Details: GOPRIVATE=github.com/Templum/private-lib Go-Arch=amd64 Go-Os=linux Go-Version=go1.20
2:13PM INF Running govulncheck for package ./... in dir /github/workspace
2:14PM ERR parsing govulncheck output yielded error error="json: cannot unmarshal array into Go value of type types.Result"
2:14PM ERR Scanning yielded error error="scan failed to produce proper report"

Bug Description
It appears that within the last release from yesterday some changes to the JSON format were performed.

`go` version seems not to change with param `go-version`

By observing the action's logs, apparently there's a difference in golang version between GOLANG_VERSION=XXX and GoEnvironment Details: [...] Go-Version=goYYY

This is an issue as it's impossible at the moment to test the code with the same version used in the repo itself, as the action param go-version seems to be ignored.

Latest go v1.19.3 is always used, and this causes the tool not to detect some actual vulnerabilities.

[BUG] Latest govulncheck breaks action

Using the latest govulncheck (v0.0.0-20230325131008-9550759f8614) breaks the action (Templum/[email protected]) as the output JSON format changed for govulncheck (likely in this commit).

Config:

name: govulncheck
on:
  push:
    branches:
      - master
  schedule:
    # Trigger every day at 16:00 UTC
    - cron: '0 16 * * *'
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/[email protected]
        with:
          go-version: '1.20'
          vulncheck-version: latest
          package: ./...

Logs:

2023-03-27T12:14:33.7129890Z 12:14PM INF GoEnvironment Details: GOPRIVATE= Go-Arch=amd64 Go-Os=linux Go-Version=go1.20.2
2023-03-27T12:14:33.7130490Z 12:14PM INF Running govulncheck for package ./... in dir /github/workspace
2023-03-27T12:16:01.8559000Z 12:16PM ERR parsing govulncheck output yielded error error="invalid character '{' after top-level value"
2023-03-27T12:16:01.8562263Z 12:16PM ERR Scanning yielded error error="scan failed to produce proper report"
2023-03-27T12:16:10.1737233Z Error: Process completed with exit code 2.

You can find the full output here.

Details:

The output format of govulncheck seemingly changed between golang.org/x/vuln/cmd/govulncheck@fd6b8605e1743f75db7cd8db18cc54c169edef6e (known good) and the current version, likely due to the commit above. Before the output was

{
        "Vulns": null
}

while the output of the latest version looks like this

{
  "preamble": {
    "go_version": "go1.20.2",
    "tool_version": "[email protected]",
    "db": "https://vuln.go.dev",
    "db_last_modified": "2023-03-27T17:34:34Z",
    "query_kind": "Source",
    "callstack_mode": "Compact"
  }
}
{
  "progress": "Scanning your code and 1929 packages across 415 dependent modules for known vulnerabilities..."
}

[BUG] Can't find the proper package since 0.10.x with go-version 1.20.x

Setting a Baseline

Since we upgraded to Templum/[email protected] and go v1.20.5 we are no longer able to run the GH action because of the following error:

 ---> Running in 84a3b3070f60
can't load package: package golang.org/x/vuln/cmd/[email protected]: cannot find package "golang.org/x/vuln/cmd/[email protected]" in any of:
	/usr/src/go/src/pkg/golang.org/x/vuln/cmd/[email protected] (from $GOROOT)
	/go/src/golang.org/x/vuln/cmd/[email protected] (from $GOPATH)
The command '/bin/sh -c go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION' returned a non-zero code: 1
Error: Process completed with exit code 1.

Which version of the Action are you using: <v0.10.1>
What does your configuration look like:

name: Security CI
on: [push, pull_request]

jobs:
  govuln:
    name: Run govuln check and Publish
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Running govulncheck
        uses: Templum/[email protected]
        continue-on-error: true
        env:
          DEBUG: "true"
        with:
          go-version: 1.20
          package: ./...
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fail-on-vuln: true

      - name: Upload govulncheck report
        uses: actions/upload-artifact@v3
        with:
          name: raw-report
          path: raw-report.json

Logs:

Please share the output of the action, preferably turning the Action into Debug mode. This can be done by specifying an env called DEBUG and setting it to true.

##[debug]Evaluating condition for step: 'Running govulncheck'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Running govulncheck
##[debug]Loading inputs
##[debug]Evaluating: secrets.GITHUB_TOKEN
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'GITHUB_TOKEN'
##[debug]=> '***'
##[debug]Result: '***'
##[debug]Loading env
Run Templum/[email protected]
##[debug]Evaluating condition for step: 'run'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: run
##[debug]Loading inputs
##[debug]Evaluating: format('docker build --build-arg GOLANG_VERSION={0} --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION={1} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH', inputs.go-version, inputs.vulncheck-version)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> 'docker build --build-arg GOLANG_VERSION={0} --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION={1} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'go-version'
##[debug]..=> '1.2'
##[debug]..Evaluating Index:
##[debug]....Evaluating inputs:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'vulncheck-version'
##[debug]..=> 'v0.0.0-20230331150530-a42f9910daf3'
##[debug]=> 'docker build --build-arg GOLANG_VERSION=1.2 --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION=v0.0.0-20230331150530-a42f9910daf3 -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH'
##[debug]Result: 'docker build --build-arg GOLANG_VERSION=1.2 --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION=v0.0.0-20230331150530-a42f9910daf3 -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH'
##[debug]Loading env
Run docker build --build-arg GOLANG_VERSION=1.2 --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION=v0.0.0-20230331150530-a42f9910daf3 -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH
##[debug]/usr/bin/bash --noprofile --norc -e -o pipefail /home/runner/work/_temp/dac4ab51-3578-4dd7-aa39-b46fe084e3cd.sh
Sending build context to Docker daemon  266.2kB

Step 1/17 : ARG GOLANG_VERSION=1.19
Step 2/17 : FROM golang:1.20 as builder
1.20: Pulling from library/golang
d52e4f012db1: Pulling fs layer
7dd206bea61f: Pulling fs layer
2320f9be4a9c: Pulling fs layer
543c0c50a70d: Pulling fs layer
d4fb2f15aec7: Pulling fs layer
c7f954b24574: Pulling fs layer
543c0c50a70d: Waiting
d4fb2f15aec7: Waiting
c7f954b24574: Waiting
7dd206bea61f: Verifying Checksum
7dd206bea61f: Download complete
d52e4f012db1: Verifying Checksum
d52e4f012db1: Download complete
2320f9be4a9c: Verifying Checksum
2320f9be4a9c: Download complete
c7f954b24574: Verifying Checksum
c7f954b24574: Download complete
543c0c50a70d: Verifying Checksum
543c0c50a70d: Download complete
d4fb2f15aec7: Verifying Checksum
d4fb2f15aec7: Download complete
d52e4f012db1: Pull complete
7dd206bea61f: Pull complete
2320f9be4a9c: Pull complete
543c0c50a70d: Pull complete
d4fb2f15aec7: Pull complete
c7f954b24574: Pull complete
Digest: sha256:8e5a0067e6b387263a01d06b91ef1a983f90e9638564f6e25392fd2695f7ab6c
Status: Downloaded newer image for golang:1.20
 ---> e69c1df674bc
Step 3/17 : WORKDIR /go/src/github.com/Templum/govulncheck-action/
 ---> Running in d272fd559ee1
Removing intermediate container d272fd559ee1
 ---> ff6ea4e39396
Step 4/17 : ENV GO111MODULE=on
 ---> Running in 5766de844850
Removing intermediate container 5766de844850
 ---> 501060f75ec6
Step 5/17 : COPY go.mod go.sum  ./
 ---> cdec34b4e99f
Step 6/17 : RUN go mod download
 ---> Running in ee996f897dfc
Removing intermediate container ee996f897dfc
 ---> 0959d9bd1fb2
Step 7/17 : COPY . .
 ---> d5a02ae6808f
Step 8/17 : RUN CGO_ENABLED=0 go build -ldflags="-w -s" -v -o action .
 ---> Running in 883a3c7adcf6
internal/unsafeheader
internal/goarch
internal/cpu
internal/abi
internal/coverage/rtcov
internal/goexperiment
internal/goos
internal/bytealg
runtime/internal/atomic
runtime/internal/math
runtime/internal/sys
runtime/internal/syscall
internal/race
sync/atomic
runtime
unicode
unicode/utf8
internal/itoa
math/bits
math
encoding
unicode/utf16
crypto/internal/alias
crypto/subtle
crypto/internal/boring/sig
vendor/golang.org/x/crypto/cryptobyte/asn1
image/color
container/list
internal/nettrace
vendor/golang.org/x/crypto/internal/alias
internal/reflectlite
sync
internal/godebug
internal/testlog
math/rand
internal/singleflight
internal/intern
errors
sort
io
internal/oserror
syscall
bytes
path
internal/safefilepath
strings
strconv
time
internal/syscall/execenv
internal/syscall/unix
bufio
reflect
context
io/fs
internal/poll
os
path/filepath
internal/fmtsort
fmt
os/exec
github.com/Templum/govulncheck-action/pkg/action
encoding/binary
compress/flate
hash
hash/crc32
encoding/base64
encoding/json
compress/gzip
go/token
golang.org/x/mod/semver
regexp/syntax
crypto
crypto/cipher
regexp
crypto/internal/boring
crypto/hmac
crypto/sha1
crypto/sha256
golang.org/x/vuln/internal/semver
golang.org/x/vuln/osv
github.com/Templum/govulncheck-action/pkg/types
crypto/sha512
encoding/hex
net/url
math/big
github.com/google/go-querystring/query
crypto/internal/randutil
golang.org/x/crypto/openpgp/errors
golang.org/x/crypto/openpgp/armor
compress/bzip2
hash/adler32
compress/zlib
crypto/aes
crypto/des
crypto/internal/edwards25519/field
crypto/internal/bigmod
crypto/internal/boring/bbig
crypto/rand
crypto/dsa
crypto/rsa
crypto/internal/nistec/fiat
embed
encoding/asn1
vendor/golang.org/x/crypto/cryptobyte
crypto/md5
crypto/internal/nistec
golang.org/x/crypto/cast5
golang.org/x/crypto/openpgp/elgamal
golang.org/x/crypto/openpgp/s2k
image
crypto/ecdh
crypto/elliptic
image/internal/imageutil
image/jpeg
crypto/ecdsa
io/ioutil
mime
golang.org/x/crypto/openpgp/packet
crypto/internal/edwards25519
crypto/ed25519
crypto/rc4
crypto/x509/pkix
encoding/pem
vendor/golang.org/x/net/dns/dnsmessage
golang.org/x/crypto/openpgp
net/netip
vendor/golang.org/x/crypto/chacha20
vendor/golang.org/x/crypto/internal/poly1305
net
vendor/golang.org/x/sys/cpu
vendor/golang.org/x/crypto/chacha20poly1305
vendor/golang.org/x/crypto/hkdf
vendor/golang.org/x/text/transform
log
vendor/golang.org/x/text/unicode/bidi
vendor/golang.org/x/text/secure/bidirule
vendor/golang.org/x/text/unicode/norm
vendor/golang.org/x/net/idna
crypto/x509
net/textproto
vendor/golang.org/x/net/http/httpguts
vendor/golang.org/x/net/http/httpproxy
vendor/golang.org/x/net/http2/hpack
mime/quotedprintable
mime/multipart
crypto/tls
net/http/internal
net/http/internal/ascii
golang.org/x/sys/unix
net/http/httptrace
net/http
github.com/mattn/go-isatty
github.com/mattn/go-colorable
github.com/rs/zerolog/internal/json
github.com/rs/zerolog
github.com/owenrumney/go-sarif/v2/sarif
github.com/Templum/govulncheck-action/pkg/sarif
github.com/Templum/govulncheck-action/pkg/vulncheck
golang.org/x/oauth2/internal
github.com/google/go-github/v47/github
golang.org/x/oauth2
github.com/Templum/govulncheck-action/pkg/github
github.com/Templum/govulncheck-action
Removing intermediate container 883a3c7adcf6
 ---> 9c3d9f4ff910
Step 9/17 : FROM golang:$GOLANG_VERSION
1.2: Pulling from library/golang
Image docker.io/library/golang:1.2 uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
a3ed95caeb02: Pulling fs layer
5d3df020ecd3: Pulling fs layer
067b95d26410: Pulling fs layer
9f482ce8050c: Pulling fs layer
75f31ee85880: Pulling fs layer
8d69f242035f: Pulling fs layer
cd80c24f4996: Pulling fs layer
9f482ce8050c: Waiting
75f31ee85880: Waiting
8d69f242035f: Waiting
cd80c24f4996: Waiting
a3ed95caeb02: Verifying Checksum
a3ed95caeb02: Download complete
a3ed95caeb02: Pull complete
9f482ce8050c: Verifying Checksum
9f482ce8050c: Download complete
5d3df020ecd3: Verifying Checksum
5d3df020ecd3: Download complete
8d69f242035f: Verifying Checksum
8d69f242035f: Download complete
75f31ee85880: Verifying Checksum
75f31ee85880: Download complete
067b95d26410: Verifying Checksum
067b95d26410: Download complete
cd80c24f4996: Verifying Checksum
cd80c24f4996: Download complete
5d3df020ecd3: Pull complete
067b95d26410: Pull complete
9f482ce8050c: Pull complete
75f31ee85880: Pull complete
8d69f242035f: Pull complete
cd80c24f4996: Pull complete
Digest: sha256:d6b13df58f0156b21f25a23fa74de59489de5336d2c1290ac00611868203e52d
Status: Downloaded newer image for golang:1.2
 ---> 75d4257dd26f
Step 10/17 : ARG VULNCHECK_VERSION=v0.1.0
 ---> Running in fe090aabbcca
Removing intermediate container fe090aabbcca
 ---> 506b9acfdc7b
Step 11/17 : RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION
 ---> Running in 84a3b3070f60
can't load package: package golang.org/x/vuln/cmd/[email protected]: cannot find package "golang.org/x/vuln/cmd/[email protected]" in any of:
	/usr/src/go/src/pkg/golang.org/x/vuln/cmd/[email protected] (from $GOROOT)
	/go/src/golang.org/x/vuln/cmd/[email protected] (from $GOPATH)
The command '/bin/sh -c go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION' returned a non-zero code: 1
Error: Process completed with exit code 1.
##[debug]Finished: run
##[debug]Evaluating condition for step: 'run'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> false
##[debug]Result: false
##[debug]Finishing: Running govulncheck

check `govuln` logs on CI

When running this on my pipeline, I get the total number of vulnerabilities but not detailed logs, which makes it impossible for me to understand which vulnerability I should fix.

Run docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=*** -e STRICT=false -e PACKAGE=./... -e SKIP_UPLOAD=false -e GITHUB_REPOSITORY=*** -e GITHUB_REF=*** -e GITHUB_SHA=*** templum/govulncheck-action:local
docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=*** -e STRICT=false -e PACKAGE=./... -e SKIP_UPLOAD=false -e GITHUB_REPOSITORY=*** -e GITHUB_REF=*** -e GITHUB_SHA=*** templum/govulncheck-action:local
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
5:50PM INF GoEnvironment Details: Go-Arch=amd64 Go-Os=linux Go-Version=go1.19.3
5:50PM INF Running govulncheck for package ./... in dir /github/workspace
5:51PM INF Successfully scanned project
5:51PM INF Conversion yielded following stats Call Sites=0 Vulnerabilities=1
5:51PM INF Preparing Report for upload to Github Commit=*** Ref=***
5:51PM INF Report was uploaded to GitHub sarif_id=***
5:51PM INF Successfully uploaded Sarif Report to Github, it will be available after processing 

Is there a way to get the govuln output at pipeline runtime, such as (for example)

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerabilities.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to
  maliciously set environment variables on Windows. In
  syscall.StartProcess and os/exec.Cmd, invalid environment
  [...]

Govulncheck: No output of vulnerabilities after Scan

I wanted to add Govulncheck to our security scanning and have the vulnerabilities output to the scan results, but they are not showing up as expected. I am running this within Github and came across no errors when CodeQL was running.

When running the scan locally, I get 4 vulnerabilities, i.e.

Scanning for dependencies with known vulnerabilities...
Found 4 known vulnerabilities.

Vulnerability #1: GO-2022-0524
  Calling Reader.Read on an archive containing a large number of
  concatenated 0-length compressed files can cause a panic due to
  stack exhaustion.

  Call stacks in your code:
      pkg/keycloak/client.go:263:30: github.com/aaa-ncnu/mem-join-service/pkg/keycloak.Client.VerifyToken calls io/ioutil.ReadAll, which eventually calls compress/gzip.Reader.Read

  Found in: compress/[email protected]
  Fixed in: compress/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0524

But when the scan finishes, it doesn't report on these vulnerabilities.

I have added the following to the bottom of my codeql config

      - name: Golang Vulncheck
        uses: Templum/[email protected]

The task finishes successfully with the following:

Running govulncheck for package ./... in dir /github/workspace
Successfully parsed report
Converted Report to Sarif format
Preparing Report for commit b31c5397a6c5ba55f1c7159679c3cdc130090077 on ref refs/pull/78/merge 
Successfully uploaded Report to Github it received ID 15d3a094-32ca-11ed-8022-63891b3c3dea 
Successfully processed uploaded vulncheck report to Github

And the report is blank, I would expect that 4 vulnerabilities show up right?

Also I checked and verified this is the same output that github's api has as well:

{
  "processing_status": "complete",
  "errors": null,
  "analyses_url": "https://api.github.com/repos/x/y/code-scanning/analyses?sarif_id=15d3a094-32ca-11ed-8022-63891b3c3dea"
}

[BUG] Cannot find package "golang.org/x/vuln/cmd/govulncheck"

Setting a Baseline
Cannot run the action; it fails to load the package and run.

Which version of the Action are you using: 0.10.0 / latest
What does your configuration look like:

  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/[email protected]
        with:
          go-version: 1.20
          vulncheck-version: latest
          package: ./...
          fail-on-vuln: true

Logs:

Logs are here

GH Action logs

Step 1/17 : ARG GOLANG_VERSION=1.19
Step 2/17 : FROM golang:1.20 as builder
1.20: Pulling from library/golang
b0248cf3e63c: Pulling fs layer
127e97b4daf7: Pulling fs layer
0336c50c9f69: Pulling fs layer
1b89f3c7f7da: Pulling fs layer
079116d1299c: Pulling fs layer
28b9642b2654: Pulling fs layer
94ffa0dd0d53: Pulling fs layer
079116d1299c: Waiting
28b9642b2654: Waiting
94ffa0dd0d53: Waiting
1b89f3c7f7da: Waiting
127e97b4daf7: Verifying Checksum
127e97b4daf7: Download complete
0336c50c9f69: Verifying Checksum
0336c50c9f69: Download complete
b0248cf3e63c: Verifying Checksum
b0248cf3e63c: Download complete
1b89f3c7f7da: Verifying Checksum
1b89f3c7f7da: Download complete
94ffa0dd0d53: Verifying Checksum
94ffa0dd0d53: Download complete
079116d1299c: Verifying Checksum
079116d1299c: Download complete
28b9642b2654: Verifying Checksum
28b9642b2654: Download complete
b0248cf3e63c: Pull complete
127e97b4daf7: Pull complete
0336c50c9f69: Pull complete
net/netip
vendor/golang.org/x/crypto/chacha20
net
vendor/golang.org/x/crypto/internal/poly1305
vendor/golang.org/x/sys/cpu
vendor/golang.org/x/crypto/chacha20poly1305
vendor/golang.org/x/crypto/hkdf
vendor/golang.org/x/text/transform
log
vendor/golang.org/x/text/unicode/bidi
vendor/golang.org/x/text/secure/bidirule
vendor/golang.org/x/text/unicode/norm
vendor/golang.org/x/net/idna
crypto/x509
net/textproto
vendor/golang.org/x/net/http/httpguts
vendor/golang.org/x/net/http/httpproxy
vendor/golang.org/x/net/http2/hpack
mime/quotedprintable
mime/multipart
net/http/internal
net/http/internal/ascii
crypto/tls
golang.org/x/sys/unix
github.com/mattn/go-isatty
github.com/mattn/go-colorable
github.com/rs/zerolog/internal/json
github.com/rs/zerolog
net/http/httptrace
net/http
github.com/owenrumney/go-sarif/v2/sarif
github.com/Templum/govulncheck-action/pkg/sarif
github.com/Templum/govulncheck-action/pkg/vulncheck
golang.org/x/oauth2/internal
github.com/google/go-github/v47/github
golang.org/x/oauth2
github.com/Templum/govulncheck-action/pkg/github
github.com/Templum/govulncheck-action
Removing intermediate container 5089cdcc36c6
 ---> 0916bbc14c79
Step 9/17 : FROM golang:$GOLANG_VERSION
1.2: Pulling from library/golang
Image docker.io/library/golang:1.2 uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
a3ed95caeb02: Pulling fs layer
5d3df020ecd3: Pulling fs layer
067b95d26410: Pulling fs layer
9f482ce8050c: Pulling fs layer
75f31ee85880: Pulling fs layer
8d69f242035f: Pulling fs layer
cd80c24f4996: Pulling fs layer
9f482ce8050c: Waiting
75f31ee85880: Waiting
8d69f242035f: Waiting
cd80c24f4996: Waiting
a3ed95caeb02: Verifying Checksum
a3ed95caeb02: Download complete
a3ed95caeb02: Pull complete
9f482ce8050c: Verifying Checksum
9f482ce8050c: Download complete
5d3df020ecd3: Verifying Checksum
5d3df020ecd3: Download complete
067b95d26410: Verifying Checksum
067b95d26410: Download complete
8d69f242035f: Verifying Checksum
8d69f242035f: Download complete
cd80c24f4996: Verifying Checksum
cd80c24f4996: Download complete
75f31ee85880: Verifying Checksum
75f31ee85880: Download complete
5d3df020ecd3: Pull complete
067b95d26410: Pull complete
9f482ce8050c: Pull complete
75f31ee85880: Pull complete
8d69f242035f: Pull complete
cd80c24f4996: Pull complete
Digest: sha256:d6b13df58f0156b21f25a23fa74de59489de5336d2c1290ac00611868203e52d
Status: Downloaded newer image for golang:1.2
 ---> 75d4257dd26f
Step 10/17 : ARG VULNCHECK_VERSION=latest
 ---> Running in 1a64d4a4650b
Removing intermediate container 1a64d4a4650b
 ---> 12afe05462ee
Step 11/17 : RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION
 ---> Running in b04c9d08be31
can't load package: package golang.org/x/vuln/cmd/govulncheck@latest: cannot find package "golang.org/x/vuln/cmd/govulncheck@latest" in any of:
	/usr/src/go/src/pkg/golang.org/x/vuln/cmd/govulncheck@latest (from $GOROOT)
	/go/src/golang.org/x/vuln/cmd/govulncheck@latest (from $GOPATH)
The command '/bin/sh -c go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION' returned a non-zero code: 1
Error: Process completed with exit code 1.

Bug Description
Trying to run the vulncheck GH action, but it fails to load the necessary packages to start the run; please check the description above, or let me know if more details are needed.

I tried with different options too, but whatever I chose, the result is the same.

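Both 0.10.x reports above show the same thing in their debug output: the workflow writes `go-version: 1.20`, `inputs.go-version` evaluates to `'1.2'`, and the Docker build pulls `golang:1.2`, whose GOPATH-era toolchain does not understand `go install pkg@version` and fails with "cannot find package ... in any of $GOROOT / $GOPATH". An unquoted `1.20` is a YAML number, so the trailing zero is gone before the action ever sees it; the earlier issue on this page that quotes `'1.20'` got `Go-Version=go1.20.2`. The following is an added example, not code from the issues or from the action, that lints workflow text for exactly this input before it reaches CI. The sample workflow is constructed; the `uses:` reference in it is reconstructed from the `v0.10.1` the reporter names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleWorkflow is constructed for this example. Line 5 is the shape from the
// issue; the other go-version lines are controls that must not be flagged.
const SampleWorkflow = `steps:
  - uses: actions/checkout@v3
  - uses: Templum/govulncheck-action@v0.10.1
    with:
      go-version: 1.20
      package: ./...
  - uses: Templum/govulncheck-action@v0.10.1
    with:
      go-version: '1.20'
  - uses: Templum/govulncheck-action@v0.10.1
    with:
      go-version: 1.19
  - uses: Templum/govulncheck-action@v0.10.1
    with:
      go-version: 1.20.5
`

// Finding describes one go-version value that YAML parsing would alter.
type Finding struct {
	Line     int    // 1-based line in the workflow text
	Value    string // value as written
	ParsedAs string // what the bare number becomes once parsed and printed
	Fix      string // quoted replacement, which YAML reads as a string
}

// goVersionKey matches a `go-version:` entry and captures its scalar.
var goVersionKey = regexp.MustCompile(`^\s*go-version:\s*(\S.*?)\s*$`)

// bareFloat matches an unquoted MAJOR.MINOR scalar. Three-part values such as
// 1.20.5 are not numbers in YAML and arrive as strings, so they pass.
var bareFloat = regexp.MustCompile(`^(\d+)\.(\d+)$`)

// LintGoVersion flags every unquoted go-version whose minor part ends in 0:
// YAML reads 1.20 as the float 1.2, the action then builds FROM golang:1.2,
// and the toolchain in that image rejects the @version form of go install.
func LintGoVersion(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := goVersionKey.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		val := m[1]
		if strings.HasPrefix(val, "'") || strings.HasPrefix(val, `"`) {
			continue // quoted scalars are strings and survive intact
		}
		parts := bareFloat.FindStringSubmatch(val)
		if parts == nil || !strings.HasSuffix(parts[2], "0") {
			continue // not a bare float, or no trailing zero to lose
		}
		minor := strings.TrimRight(parts[2], "0")
		parsed := parts[1]
		if minor != "" {
			parsed += "." + minor
		}
		out = append(out, Finding{Line: i + 1, Value: val, ParsedAs: parsed, Fix: "'" + val + "'"})
	}
	return out
}

func main() {
	for _, f := range LintGoVersion(SampleWorkflow) {
		fmt.Printf("line %d: go-version: %s is parsed as %s; write go-version: %s\n",
			f.Line, f.Value, f.ParsedAs, f.Fix)
	}
}
```

Run it over a `.github/workflows/*.yml` file in a pre-commit hook or a CI lint step; the only finding for the sample is line 5, `1.20` read as `1.2`, with `'1.20'` as the fix. Values such as `1.19` or `1.20.5` are left alone because YAML does not change them.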

`scan failed to produce proper report` for repos without vulnerabilities

govulncheck ./... 
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

For this repo with no vulnerabilities the following error is printed out from the action:

ERR Scanning yielded error error="scan failed to produce proper report".

steps:
      - uses: actions/checkout@v3
      - uses: Templum/[email protected]

Would it be possible to check the action behavior for a clean repo?
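Two of the reports on this page are about the shape of govulncheck's JSON output: the format-change issue shows that the tool went from one top-level object (`{"Vulns": null}`) to a stream of concatenated objects keyed `preamble`, `progress`, and so on, which a single `json.Unmarshal` rejects with "invalid character '{' after top-level value"; the clean-repo issue shows "scan failed to produce proper report" when there is nothing to report. The following is an added example, not the action's own parser, of reading the output object by object so that both shapes are accepted, a `null` `Vulns` array counts as zero findings rather than a failure, and only non-JSON or empty output is reported as an unusable scan. The three inputs are constructed from the samples quoted above (`tool_version` is a placeholder); any message key beyond `Vulns`, `preamble` and `progress` is counted but not interpreted, because the page shows no others.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed samples: the legacy and streaming shapes quoted in the issue,
// plus the human-readable text a clean repo prints when -json is not in effect.
const LegacyOutput = `{
        "Vulns": null
}`

const StreamOutput = `{
  "preamble": {
    "go_version": "go1.20.2",
    "tool_version": "govulncheck@<placeholder-version>",
    "db": "https://vuln.go.dev"
  }
}
{
  "progress": "Scanning your code and 1929 packages across 415 dependent modules for known vulnerabilities..."
}`

const TextOutput = `Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.
`

// Preamble holds the fields of the "preamble" message used here.
type Preamble struct {
	GoVersion   string `json:"go_version"`
	ToolVersion string `json:"tool_version"`
	DB          string `json:"db"`
}

// Summary is the format-independent result handed on to SARIF conversion.
type Summary struct {
	Legacy    bool           // old single-object {"Vulns": ...} shape seen
	Messages  int            // top-level JSON objects decoded
	Vulns     int            // entries in the legacy "Vulns" array (null counts as 0)
	Preamble  *Preamble      // set once a "preamble" message is seen
	Progress  []string       // "progress" messages in order
	Unmodeled map[string]int // message keys this parser does not interpret, by count
}

// ErrNoReport reuses the action's own wording for output it cannot use.
var ErrNoReport = errors.New("scan failed to produce proper report")

// ParseGovulncheck decodes object by object with json.Decoder, so a stream of
// concatenated top-level objects is consumed where one json.Unmarshal stops.
func ParseGovulncheck(r io.Reader) (Summary, error) {
	sum := Summary{Unmodeled: map[string]int{}}
	dec := json.NewDecoder(r)
	for {
		var msg map[string]json.RawMessage
		err := dec.Decode(&msg)
		if err == io.EOF {
			break
		}
		if err != nil {
			// Plain text or a truncated stream: fail here, not during conversion.
			return sum, fmt.Errorf("%w: %v", ErrNoReport, err)
		}
		sum.Messages++
		for key, raw := range msg {
			switch key {
			case "Vulns":
				sum.Legacy = true
				if t := bytes.TrimSpace(raw); len(t) == 0 || bytes.Equal(t, []byte("null")) {
					continue // clean repo: null means zero findings, not a broken report
				}
				var vulns []json.RawMessage
				if err := json.Unmarshal(raw, &vulns); err != nil {
					return sum, fmt.Errorf("%w: bad Vulns: %v", ErrNoReport, err)
				}
				sum.Vulns += len(vulns)
			case "preamble":
				var p Preamble
				if err := json.Unmarshal(raw, &p); err != nil {
					return sum, fmt.Errorf("%w: bad preamble: %v", ErrNoReport, err)
				}
				sum.Preamble = &p
			case "progress":
				var s string
				if err := json.Unmarshal(raw, &s); err != nil {
					return sum, fmt.Errorf("%w: bad progress: %v", ErrNoReport, err)
				}
				sum.Progress = append(sum.Progress, s)
			default:
				sum.Unmodeled[key]++
			}
		}
	}
	if sum.Messages == 0 {
		return sum, ErrNoReport // empty output: nothing to convert
	}
	return sum, nil
}

func main() {
	for name, in := range map[string]string{"legacy": LegacyOutput, "stream": StreamOutput, "text": TextOutput} {
		sum, err := ParseGovulncheck(strings.NewReader(in))
		fmt.Printf("%-6s legacy=%v messages=%d vulns=%d err=%v\n", name, sum.Legacy, sum.Messages, sum.Vulns, err)
	}
}
```

The decoder loop is the whole point: `json.Decoder.Decode` reads one value and leaves the rest of the stream in place, so the caller sees two messages for the streaming sample and one for the legacy sample, and `errors.Is(err, ErrNoReport)` is true only for the text and empty cases.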

[FR] Support for Private Dependencies

Is your feature request related to a problem? Please describe.
Right now only the pulling of publicly available dependencies is supported. However, if the code uses libraries that are private and not publicly available, it fails.

Describe the solution you'd like
Enhance the action in such a way that users can provide GOPRIVATE if needed and are able to configure git so that it is possible to pull the required packages.

Additional context
Article on usage of Private Modules
