
[BUG] Latest govulncheck breaks action #33

Closed
srebhan opened this issue Mar 28, 2023 · 10 comments · Fixed by #34
Labels: bug (Something isn't working)

srebhan commented Mar 28, 2023

Using the latest govulncheck (v0.0.0-20230325131008-9550759f8614) breaks the action (Templum/[email protected]) as the output JSON format changed for govulncheck (likely in this commit).

Config:

name: govulncheck
on:
  push:
    branches:
      - master
  schedule:
    # Trigger every day at 16:00 UTC
    - cron: '0 16 * * *'
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Scan for Vulnerabilities in Code
        uses: Templum/[email protected]
        with:
          go-version: '1.20'
          vulncheck-version: latest
          package: ./...

Logs:

2023-03-27T12:14:33.7129890Z 12:14PM INF GoEnvironment Details: GOPRIVATE= Go-Arch=amd64 Go-Os=linux Go-Version=go1.20.2
2023-03-27T12:14:33.7130490Z 12:14PM INF Running govulncheck for package ./... in dir /github/workspace
2023-03-27T12:16:01.8559000Z 12:16PM ERR parsing govulncheck output yielded error error="invalid character '{' after top-level value"
2023-03-27T12:16:01.8562263Z 12:16PM ERR Scanning yielded error error="scan failed to produce proper report"
2023-03-27T12:16:10.1737233Z Error: Process completed with exit code 2.

You can find the full output here.

Details:

The output format of govulncheck seemingly changed between golang.org/x/vuln/cmd/govulncheck@fd6b8605e1743f75db7cd8db18cc54c169edef6e (known good) and the current version, likely due to the commit above. Before the output was

{
        "Vulns": null
}

while the output of the latest version looks like this

{
  "preamble": {
    "go_version": "go1.20.2",
    "tool_version": "[email protected]",
    "db": "https://vuln.go.dev",
    "db_last_modified": "2023-03-27T17:34:34Z",
    "query_kind": "Source",
    "callstack_mode": "Compact"
  }
}
{
  "progress": "Scanning your code and 1929 packages across 415 dependent modules for known vulnerabilities..."
}
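The "invalid character '{' after top-level value" error in the logs is what encoding/json reports when a single json.Unmarshal is handed the new output, which is no longer one object but a sequence of top-level objects. The Go below is an added illustration, not the action's own code: it reproduces that failure and shows the json.Decoder loop that consumes the stream one value at a time; the field names are taken from the sample output above, and the Sample input is constructed.

```go
package main

import (
	"encoding/json"
	"io"
)

// Preamble mirrors the "preamble" object in the issue's sample output.
type Preamble struct {
	GoVersion string `json:"go_version"`
	DB        string `json:"db"`
}

// message is one top-level value of the stream; kinds not modelled here are ignored by the decoder instead of failing the scan.
type message struct {
	Preamble *Preamble `json:"preamble"`
	Progress *string   `json:"progress"`
}

// LegacyParse is the single json.Unmarshal approach that fails on the new
// output with "invalid character '{' after top-level value", as in the logs.
func LegacyParse(out []byte) error {
	var v map[string]interface{}
	return json.Unmarshal(out, &v)
}

// ParseStream decodes one top-level JSON value at a time until EOF and returns the preamble plus every progress line seen.
func ParseStream(r io.Reader) (*Preamble, []string, error) {
	dec := json.NewDecoder(r)
	var pre *Preamble
	var progress []string
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			return pre, progress, nil
		} else if err != nil {
			return nil, nil, err
		}
		if m.Preamble != nil {
			pre = m.Preamble
		}
		if m.Progress != nil {
			progress = append(progress, *m.Progress)
		}
	}
}

// Sample is a constructed stdout capture in the shape quoted in the issue.
const Sample = "{\"preamble\":{\"go_version\":\"go1.20.2\",\"db\":\"https://vuln.go.dev\"}}\n{\"progress\":\"Scanning your code and 1929 packages across 415 dependent modules for known vulnerabilities...\"}\n"
```

A scanner that must not block the pipeline on future format additions should, as here, decode into a struct that simply ignores message kinds it does not know yet.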
Templum commented Mar 28, 2023

@srebhan as govulncheck is still experimental, such behaviours can be expected; that's why in the last release of this action I tried to address this issue by updating the default value of this action to the last known working version.

Hence I suggest you avoid leveraging vulncheck-version: latest for the moment, not specifying it will leverage the default value.

Templum commented Mar 28, 2023

I will look into the latest changes and see how I can adjust the action so it works with the latest version. Thanks for looking into the upstream commits, that's very helpful. Until then I hope the various hints I left on the readme and the release should inform people about that risk. But given vulncheck-version is an optional parameter, I would not expect someone explicitly setting it.

[Screenshot 2023-03-28 at 14:17:31]

[Screenshot 2023-03-28 at 14:17:22]

Templum commented Mar 28, 2023

I will revisit the wording and make sure to make it clearer which version is working (removing latest) and further explaining that vulncheck-version should only be used if you want a specific version.

srebhan commented Mar 28, 2023

@Templum I noticed that we should use a defined version and did so. However, I wanted to let you know about the breakage with my findings... :-)

Templum commented Mar 28, 2023

@srebhan sorry, seems like I understood that wrong :) Thanks for raising my awareness.

Templum commented Apr 1, 2023

@srebhan would you be willing to give #34 a shot and see if there is any unforeseen issue? My smoke test & integration test are passing.

Templum commented Apr 11, 2023

Will be included in the next release

srebhan commented Apr 14, 2023

Will try first week of May due to busy time and holidays. :-)

Templum commented Apr 25, 2023

@srebhan I released the change with v0.10.1, please let me know if you encounter any issues.

srebhan commented May 9, 2023

@Templum I can confirm this works for us.
