govulncheck in `make test`

From: Einar_Bjarni_Halldórsson <einar_at_isnic.is>
Date: Tue, 25 Mar 2025 10:12:45 UTC

Hi,

I maintain two Go ports and I’ve recently started using govulncheck for other Go projects (there’s a
PR to commit govulncheck to ports).

govulncheck checks all dependencies of a go project against the vulnerability database at
https://vuln.go.dev/ and warns if your code is calling vulnerable code.

Would it be advisable to add test code to Go projects to always call govulncheck? It would add
a TEST_DEPENDS on govulncheck (which hasn’t been committed yet) and it calls the
vuln db at Google.

Thoughts?

.einar