Govulncheck may scan the wrong go version's standard library


Benjamin Wang

Jan 30, 2026, 6:49:28 AM (yesterday) Jan 30
to golang-nuts
I bumped the go version from 1.24.11 to 1.24.12 (see https://github.com/etcd-io/etcd/pull/21218), and one of the workflow checks runs the commands below,

$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck -show verbose ./...

But it scanned go1.25.5's standard library (see message below). (I guess it's because the workflow environment has go version 1.25.5 by default; but I'm not sure about this, since the environment is out of my control.) Accordingly it successfully identified the known CVEs. I expect it to scan go1.24.12's standard library and detect no CVE.

"Govulncheck scanned the following 55 modules and the go1.25.5 standard library:"

Interestingly, I also bumped go from 1.24.11 to 1.24.12 for other etcd branches (see example https://github.com/etcd-io/etcd/pull/21217),
and govulncheck scanned the expected go version (1.24.12)'s standard lib.

"Govulncheck scanned the following 13 modules and the go1.24.12 standard library:"


Any help is appreciated.


Benjamin

Benjamin Wang

Jan 30, 2026, 11:54:08 AM (yesterday) Jan 30
to golang-nuts
Resolved by setting the correct `GOTOOLCHAIN` value. Sorry for the noise.

Benjamin
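The fix described above (pinning the toolchain with `GOTOOLCHAIN`) can be made self-checking in CI. The script below is an added example, not code from the thread or from the etcd project: it reads the `go` directive from `go.mod`, runs govulncheck with `GOTOOLCHAIN` pinned to that exact version, and then verifies that the "standard library" summary line govulncheck prints names the same version, failing the job otherwise. The function names, the `govulncheck.log` file name and the sample summary lines are assumptions made for this example; it assumes govulncheck uses whatever toolchain `GOTOOLCHAIN` selects, which is what the resolution in the thread indicates.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): run govulncheck against the stdlib
# version that go.mod declares, and fail if a different version was scanned.
set -eu

# Print the version from the "go" directive of a go.mod file, e.g. "1.24.12".
gomod_go_version() {
  awk '$1 == "go" { print $2; exit }' "$1"
}

# Read govulncheck output on stdin and print the stdlib version it reports,
# taken from its summary line:
#   "Govulncheck scanned the following N modules and the go1.24.12 standard library:"
scanned_stdlib_version() {
  sed -n 's/.*and the \(go[0-9][0-9.]*\) standard library.*/\1/p' | head -n 1
}

# Return 0 when the govulncheck output in $2 reports stdlib version "go$1".
check_stdlib_matches() {
  expected="go$1"
  actual="$(printf '%s\n' "$2" | scanned_stdlib_version)"
  [ "$actual" = "$expected" ]
}

# Run govulncheck pinned to go.mod's version and verify the scanned stdlib.
# GOTOOLCHAIN=go<version> makes the go command use exactly that toolchain
# (downloading it if it is not installed locally).
run_govulncheck_pinned() {
  version="$(gomod_go_version go.mod)"
  log_file="govulncheck.log"   # hypothetical file name for this example
  GOTOOLCHAIN="go${version}" govulncheck -show verbose ./... 2>&1 | tee "$log_file"
  if check_stdlib_matches "$version" "$(cat "$log_file")"; then
    echo "OK: govulncheck scanned the go${version} standard library"
  else
    echo "ERROR: govulncheck did not scan the go${version} standard library:" >&2
    grep 'standard library' "$log_file" >&2 || true
    return 1
  fi
}

# Only run the real scan when invoked as: sh govulncheck-pinned.sh run
if [ "${1:-}" = "run" ]; then
  run_govulncheck_pinned
fi
```

In a workflow this replaces the bare `govulncheck -show verbose ./...` step; if the runner's default Go (1.25.5 in the thread) were to win over the pinned version, the mismatch check turns a misleading "vulnerabilities found" result into an explicit configuration error.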
