Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vuln: govulncheck v1.0.2 doesn't support workspaces anymore #65130

Closed
tinmrn opened this issue Jan 17, 2024 · 8 comments
Closed

x/vuln: govulncheck v1.0.2 doesn't support workspaces anymore #65130

tinmrn opened this issue Jan 17, 2024 · 8 comments
Assignees
@maceonthompson
Labels
vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Milestone
vuln/unplanned

Comments

@tinmrn
Copy link

tinmrn commented Jan 17, 2024

in a repo with a go.work file:

$ go install golang.org/x/vuln/cmd/govulncheck@v1.0.2 && govulncheck ./...
govulncheck: loading modules: /usr/local/go/bin/go list -m -json -mod=mod all: exit status 1
go: -mod may only be set to readonly when in workspace mode, but it is set to "mod"
        Remove the -mod flag to use the default readonly value,
        or set GOWORK=off to disable workspace mode.

might be since this change https://go.googlesource.com/vuln/+/61b4508dba3bfb2ddc378c5f84bedfa3a544b0b7%5E%21/internal/vulncheck/packages.go

v1.0.1 does not have this problem.

might be related to #65124
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Jan 17, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Jan 17, 2024
@RebeccaMahany RebeccaMahany mentioned this issue Jan 17, 2024
Merged
@zpavlinovic
Copy link
Contributor

Yes, this seems related. We are working on it.

@ldemailly ldemailly mentioned this issue Jan 18, 2024
Closed
@ldemailly
Copy link

I've put a repro in my duplicate #65155 if it helps - any workaround meanwhile? [well I guess I can pin my action to 1.0.1 instead of latest]

@gopherbot
Copy link

Change https://go.dev/cl/556775 mentions this issue: internal/vulncheck: remove -mod=mod flag from LoadModules

@maceonthompson
Copy link

We just merged a hotfix for folks with a go.work file - would you both be able to recreate the same steps with go install golang.org/x/vuln/cmd/govulncheck@master instead of @latest?

A proper/cleaner fix which will also address those using vendor directories will be merged and a new version with the fixes will be tagged and released by Monday.

ldemailly added a commit to fortio/fortiotel that referenced this issue Jan 18, 2024
@ldemailly
use @master to confirm the fix - per golang/go#65130 (comment)
5e706e4
@ldemailly ldemailly mentioned this issue Jan 18, 2024
Merged
@ldemailly
Copy link

@maceonthompson yes it worked, thanks a lot https://github.com/fortio/fortiotel/actions/runs/7576563961/job/20635661749

Run go install golang.org/x/vuln/cmd/govulncheck@master
  
go: downloading golang.org/x/vuln v1.0.3-0.20240118213[5](https://github.com/fortio/fortiotel/actions/runs/7576563961/job/20635661749#step:4:5)44-4b[5](https://github.com/fortio/fortiotel/actions/runs/7576563961/job/20635661749#step:4:6)4a8b0[6](https://github.com/fortio/fortiotel/actions/runs/7576563961/job/20635661749#step:4:7)dd0
go: downloading golang.org/x/mod v0.14.0
go: downloading golang.org/x/tools v0.1[7](https://github.com/fortio/fortiotel/actions/runs/7576563961/job/20635661749#step:4:8).0
go: downloading golang.org/x/sync v0.6.0
Scanning your code and 341 packages across 256 dependent modules for known vulnerabilities...

might be worth making that 1.0.3 though?

github-merge-queue bot pushed a commit to fortio/fortiotel that referenced this issue Jan 18, 2024
@ldemailly
use @master to confirm the fix - per golang/go#65130 (comment) (#189)
c543445
@tinmrn
Copy link
Author

tinmrn commented Jan 19, 2024

current master works, thank you very much

@zpavlinovic zpavlinovic removed their assignment Jan 19, 2024
Merged
@maceonthompson
Copy link

@ldemailly apologies for the delay - 1.0.3 is being tagged currently and we expect it to be released today/tomorrow.

@zpavlinovic
Copy link
Contributor

v1.0.3 tag is available now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maceonthompson maceonthompson

Labels
vulncheck or vulndb Issues for the x/vuln or x/vulndb repo
Projects
None yet
Milestone
vuln/unplanned
Development

No branches or pull requests
5 participants
@zpavlinovic @tinmrn @ldemailly @gopherbot @maceonthompson