govulncheck release?


Benny Siegert

Apr 2, 2023, 5:24:00 AM
to golang-dev
Hi!

I am wondering if it would be possible to tag a govulncheck (or
/x/vuln) release at some point. I would love to create a govulncheck
package but pkgsrc only has release versions, by policy.

Or is it considered too experimental at this point?

--
Benny

Julie Qiu

Apr 3, 2023, 12:53:37 PM
to Benny Siegert, golang-dev
Hi Benny,

Govulncheck is still considered experimental at the moment. We plan to tag a release later this year.

Julie


Victor Lowther

Apr 6, 2023, 3:56:01 PM
to golang-dev
Well, https://go-review.googlesource.com/c/vuln/+/481295?tab=comments should be reverted before that happens. Our tooling uses -v internally as part of CI to track down exactly where in our codebase we are affected by a vulnerability, and we would rather not read through a blob of JSON to get the stack traces.

Julie Qiu

Apr 6, 2023, 4:46:43 PM
to Victor Lowther, golang-dev
Thanks for letting us know. We reverted the CL for now, and will post to the Go issue tracker for discussing any future updates.

Julie

Todd Kulesza

Apr 13, 2023, 12:28:55 PM
to golang-dev
Hi Victor, thanks for reporting this. While we were discussing the intended output for govulncheck, we realized neither the default output nor verbose output show all the locations where a vulnerable symbol is being invoked. I've filed https://github.com/golang/go/issues/59485 against this, and also wanted to ask for a clarification from you: is the value from -v that you see the full call stack leading up to the invocation of the vulnerable symbol, or were you expecting that -v shows all the invocations of the vulnerable symbol (or both)?

Cheers,
Todd
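The distinction Todd asks about (one call stack leading from the program entry point to the vulnerable symbol, versus every reachable place that invokes it) can be made concrete over a call graph. The following Go program is an added illustration, not code from the govulncheck or x/vuln project, and the call graph, the function names and the `vulnpkg.Decode` symbol in it are constructed for the example. It computes both views over the same graph: a single shortest trace, and the full set of reachable direct callers, which deliberately excludes a dead-code caller that no entry point reaches.

```go
package main

import (
	"fmt"
	"sort"
)

// CallGraph maps a caller to the functions it invokes directly.
// This is a constructed toy model for the example, not govulncheck's data model.
type CallGraph map[string][]string

// sample is a constructed call graph. "main.unusedHelper" calls the
// vulnerable symbol but is never reached from main.main, so a reachability
// based tool should not report it.
var sample = CallGraph{
	"main.main":          {"main.handleRequest", "main.cleanup"},
	"main.handleRequest": {"main.parseInput", "vulnpkg.Decode"},
	"main.parseInput":    {"vulnpkg.Decode"},
	"main.cleanup":       {"main.log"},
	"main.unusedHelper":  {"vulnpkg.Decode"},
	"main.log":           {},
	"vulnpkg.Decode":     {},
}

// ShortestTrace returns one call stack from entry to target, found by
// breadth-first search (the "one path to the vulnerable symbol" view).
// It returns nil when target is unreachable from entry.
func ShortestTrace(g CallGraph, entry, target string) []string {
	prev := map[string]string{entry: ""}
	queue := []string{entry}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			// Walk the predecessor chain back to entry to rebuild the path.
			var path []string
			for n := cur; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// ReachableCallers returns every function that directly invokes target and
// is itself reachable from entry (the "all invocation sites" view), sorted.
func ReachableCallers(g CallGraph, entry, target string) []string {
	reached := map[string]bool{}
	stack := []string{entry}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if reached[cur] {
			continue
		}
		reached[cur] = true
		stack = append(stack, g[cur]...)
	}
	var callers []string
	for fn := range reached {
		for _, callee := range g[fn] {
			if callee == target {
				callers = append(callers, fn)
				break
			}
		}
	}
	sort.Strings(callers)
	return callers
}

func main() {
	const entry, vuln = "main.main", "vulnpkg.Decode"
	fmt.Println("one trace:  ", ShortestTrace(sample, entry, vuln))
	fmt.Println("all callers:", ReachableCallers(sample, entry, vuln))
}
```

Running it prints one trace, `[main.main main.handleRequest vulnpkg.Decode]`, and two reachable callers, `[main.handleRequest main.parseInput]`; the trace alone would never mention `main.parseInput`, which is exactly the gap the linked issue describes, while the caller list alone does not show how execution gets there. A CI check that wants to pinpoint affected code needs the second view, and a developer debugging a single finding usually wants the first.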