## Problem
The govulncheck action was incorrectly reporting "no vulnerabilities found" even when
vulnerabilities were present. This was happening because govulncheck outputs pretty-printed
JSON (multi-line format) rather than JSON lines format.
## Root Cause
The parser had a logic bug where it would set `parsedAsJsonLines = true` whenever it
encountered ANY valid JSON line, including trivial ones like `{`. This prevented the
multi-line JSON parser from ever running, causing all findings to be missed.
## Solution
Changed the parser to only skip multi-line parsing if it actually found meaningful data
(OSV details or findings) in JSON lines format. Now it correctly falls back to multi-line
JSON parsing when needed.
## Additional Changes
Updated the example workflow to fail if no vulnerabilities are detected, since we know
the example code contains vulnerabilities. This serves as a regression test to ensure
the parser continues to work correctly.
## Testing
- Verified the parser now correctly identifies 8 vulnerabilities in the example code
- The action now properly reports vulnerabilities instead of false negatives
- CI checks are now working correctly
- Example workflow now fails if the parser bug resurfaces
This is a critical bug fix that prevents false "no vulnerabilities" reports.
Signed-off-by: Jason Hall <jason@chainguard.dev>
This commit adds a comprehensive example demonstrating the govulncheck action's capabilities, along with several enhancements to improve the user experience.
## Changes
### Example Setup
- Added example/main.go that uses golang.org/x/net v0.0.0-20220906165146-f3363e06e74c (vulnerable version)
- Example intentionally calls html.Parse to trigger vulnerability detection
- Demonstrates how the action creates annotations on vulnerable code
### Enhanced Annotations
- Fixed file path handling when running in subdirectories (e.g., './example')
- Added rich context to annotations including:
- Vulnerability summaries and CVE numbers
- Direct links to Go vulnerability database (pkg.go.dev/vuln)
- Fixed version information
- Clear indication of which function is vulnerable (e.g., "html.Parse" not "main")
- Sorted vulnerabilities by OSV ID for consistent display
### Suggested Fixes
- When vulnerable code is actually called, creates notice annotations on go.mod
- Shows current vs suggested dependency versions
- Lists which specific vulnerabilities have active call sites
- Provides actionable upgrade recommendations
### Workflow Summary
- Added comprehensive workflow summary using GitHub Actions summary API
- Displays vulnerabilities in formatted tables by module
- Shows vulnerable code locations organized by file
- Includes links to Go vulnerability database entries
- Provides clear recommendations for fixing vulnerabilities
### Bug Fixes
- Fixed JSON parsing to handle both JSON lines and multi-line JSON formats
- Fixed annotation file paths to be relative to repository root
- Improved vulnerability function name extraction from trace data
- Enhanced OSV detail parsing and storage
## Testing
The example workflow demonstrates all features by intentionally using a vulnerable dependency. When run, it will:
1. Detect vulnerabilities in golang.org/x/net
2. Create warning annotations on go.mod and main.go
3. Suggest specific version updates
4. Generate a detailed workflow summary
This provides a complete demonstration of the action's vulnerability detection and reporting capabilities.
- Updated example to use golang.org/x/net v0.30.0 (latest version)
- Modified example code to demonstrate vulnerability detection
- Improved govulncheck installation check to skip if already installed
- Enhanced local testing capabilities with run-local.js script
- Fixed parser to handle both JSON lines and multi-line JSON formats
- Added comprehensive logging for debugging annotation creation
This commit fixes the parser to handle both JSON lines and multi-line JSON
formats from govulncheck, and adds tools for local testing:
- Updated parser to detect and handle both JSON lines and pretty-printed JSON
- Added logic to skip govulncheck installation if already present
- Created run-local.js for testing the action locally without GitHub Actions
- Added test:local npm script for easy local testing
- Changed example to use a version of golang.org/x/net with known vulnerabilities
The parser now correctly identifies 14 vulnerabilities in the example,
including ones that trace to the html.Parse call in main.go.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This action runs govulncheck on Go projects and creates GitHub annotations
for vulnerabilities found in dependencies and code paths.
Features:
- Automated vulnerability scanning with govulncheck
- Smart annotations on go.mod for vulnerable dependencies
- Annotations on source code lines that call vulnerable functions
- Configurable working directory
- Output variables for vulnerability detection
The implementation includes:
- Modular architecture with separate concerns (execution, parsing, annotation)
- Comprehensive test suite with 100% function coverage
- Example vulnerable Go module for demonstration
- GitHub workflow example
- Full documentation
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>