govulncheck broken

[mcandre]

Description:

govulncheck stopped working, but only in GitHub Actions.

Action version:

5

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Tools version:

1.26.1 and 1.26.2

Repro steps:

govulncheck -scan package ./...

Expected behavior:

govulncheck generates a scan report of any CVE's found in a project containing a toplevel go.mod file.

Actual behavior:

govulncheck aborts, unable to scan Go projects.

This change happened in recent weeks. Suspect the action provisioning code may have broken govulncheck.

Able to scan on a local Mac just fine. But CI/CD is suddenly hosed, across a dozen Go repos.

[priya-kinthali]

Hello @mcandre👋,
Thank you for reporting this issue. We will investigate it and get back to you as soon as we have some feedback.

[priya-kinthali]

Hello @mcandre👋,
To help us investigate the govulncheck failure, could you please provide a link to a public repository with a workflow that reproduces the issue or a minimal GitHub Actions workflow file that demonstrates the problem. Thanks in advance!

[mcandre]

All of my Go projects on GitHub.

https://github.com/mcandre/buttery

[v-jitenderpalsingh]

Hello @mcandre,
After investigating the failing workflows, it appears that the govulncheck command is being invoked without a package pattern and according to govulncheck documentation the govulncheck command should have a package pattern.

To resolve this, please update your workflow files by changing govulncheck to govulncheck ./...

This change should be applied to all workflows that invoke govulncheck. We hope this helps, please let us know if the issue persists after making the update!