mirror of
https://github.com/imjasonh/govulncheck-action
synced 2026-07-08 00:35:45 +00:00
Add vulnerable example and enhance action features
This commit adds a comprehensive example demonstrating the govulncheck action's capabilities, along with several enhancements to improve the user experience. ## Changes ### Example Setup - Added example/main.go that uses golang.org/x/net v0.0.0-20220906165146-f3363e06e74c (vulnerable version) - Example intentionally calls html.Parse to trigger vulnerability detection - Demonstrates how the action creates annotations on vulnerable code ### Enhanced Annotations - Fixed file path handling when running in subdirectories (e.g., './example') - Added rich context to annotations including: - Vulnerability summaries and CVE numbers - Direct links to Go vulnerability database (pkg.go.dev/vuln) - Fixed version information - Clear indication of which function is vulnerable (e.g., "html.Parse" not "main") - Sorted vulnerabilities by OSV ID for consistent display ### Suggested Fixes - When vulnerable code is actually called, creates notice annotations on go.mod - Shows current vs suggested dependency versions - Lists which specific vulnerabilities have active call sites - Provides actionable upgrade recommendations ### Workflow Summary - Added comprehensive workflow summary using GitHub Actions summary API - Displays vulnerabilities in formatted tables by module - Shows vulnerable code locations organized by file - Includes links to Go vulnerability database entries - Provides clear recommendations for fixing vulnerabilities ### Bug Fixes - Fixed JSON parsing to handle both JSON lines and multi-line JSON formats - Fixed annotation file paths to be relative to repository root - Improved vulnerability function name extraction from trace data - Enhanced OSV detail parsing and storage ## Testing The example workflow demonstrates all features by intentionally using a vulnerable dependency. When run, it will: 1. Detect vulnerabilities in golang.org/x/net 2. Create warning annotations on go.mod and main.go 3. Suggest specific version updates 4. Generate a detailed workflow summary This provides a complete demonstration of the action's vulnerability detection and reporting capabilities.
This commit is contained in:
parent
f6e59d4d11
commit
3a117d24f8
9 changed files with 776 additions and 67 deletions
17
.github/workflows/example.yml
vendored
17
.github/workflows/example.yml
vendored
|
|
@ -25,23 +25,6 @@ jobs:
|
|||
with:
|
||||
working-directory: './example'
|
||||
|
||||
- name: Report vulnerability scan results
|
||||
if: always()
|
||||
run: |
|
||||
echo "## Vulnerability Scan Results"
|
||||
echo "- Vulnerabilities found: ${{ steps.govulncheck.outputs.vulnerabilities-found }}"
|
||||
echo "- Vulnerability count: ${{ steps.govulncheck.outputs.vulnerability-count }}"
|
||||
|
||||
if [ "${{ steps.govulncheck.outputs.vulnerabilities-found }}" == "true" ]; then
|
||||
echo ""
|
||||
echo "⚠️ Security vulnerabilities were detected in the example code."
|
||||
echo "This is expected! The example intentionally uses a vulnerable version of golang.org/x/net"
|
||||
echo "to demonstrate how the action creates annotations."
|
||||
else
|
||||
echo ""
|
||||
echo "✅ No vulnerabilities found (this would be unexpected for the example)."
|
||||
fi
|
||||
|
||||
# Note: We don't fail the workflow here since the example is intentionally vulnerable
|
||||
- name: Demonstrate conditional failure
|
||||
run: |
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue