Re: govulncheck in `make test`

Reply: Einar_Bjarni_Halldórsson : "Re: govulncheck in `make test`"
In reply to: Einar_Bjarni_Halldórsson : "govulncheck in `make test`"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Gleb Popov <arrowd_at_freebsd.org>
Date: Tue, 25 Mar 2025 10:15:56 UTC

On Tue, Mar 25, 2025 at 1:14 PM Einar Bjarni Halldórsson <einar@isnic.is> wrote:
>
> Hi,
>
> I maintain two go ports and I’ve recently started using govulncheck for other go projects (there’s a
> PR to commit govulncheck to ports).
>
> govulncheck checks all dependencies of a go project against the vulnerability database at
> https://vuln.go.dev/ and warns if your code is calling vulnerable code.
>
> Would it be advisable to add test code to go projects to always call govulncheck? It would add
> a TEST_DEPENDS on govulncheck (which hasn’t been committed yet) and it calls the
> vuln db at google.
>
> Thoughts?
>
> .einar

I'd rather make it an argument of USES=go, something like USES=go:vulncheck

This would allow Go ports to opt-in into the feature.