1
0
Fork 0
mirror of https://github.com/imjasonh/govulncheck-action synced 2026-07-15 12:46:35 +00:00
Commit graph

8 commits

Author SHA1 Message Date
c4a3cd53b0 build: migrate to ESM and esbuild
Updates the project to use ESM modules and replaces ncc with esbuild. This fixes build failures caused by newer @actions/core versions which use strict ESM exports that ncc cannot resolve.

Also updates tests to use ESM and dependency injection.

Signed-off-by: Jason Hall <imjasonh@gmail.com>
2026-02-21 02:54:49 -05:00
Jason Hall
24718a7114
Detect and fail on missing go.sum dependencies
Previously, if go.sum was out of date or missing, govulncheck would fail
to analyze the code but the action would report "no vulnerabilities found"
which is misleading and dangerous.

This change:
- Detects specific error patterns in govulncheck stderr that indicate
  missing dependencies (missing go.sum entry, could not import, invalid package name)
- Throws a clear error message telling users to run 'go mod tidy'
- Prevents false "no vulnerabilities" reports when govulncheck can't analyze the code

Added tests to verify the behavior for both missing go.sum and import errors.

Fixes the issue where vulnerabilities could be missed due to dependency problems.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-07 02:08:43 -04:00
Jason Hall
3a117d24f8
Add vulnerable example and enhance action features
This commit adds a comprehensive example demonstrating the govulncheck action's capabilities, along with several enhancements to improve the user experience.

## Changes

### Example Setup
- Added example/main.go that uses golang.org/x/net v0.0.0-20220906165146-f3363e06e74c (vulnerable version)
- Example intentionally calls html.Parse to trigger vulnerability detection
- Demonstrates how the action creates annotations on vulnerable code

### Enhanced Annotations
- Fixed file path handling when running in subdirectories (e.g., './example')
- Added rich context to annotations including:
  - Vulnerability summaries and CVE numbers
  - Direct links to Go vulnerability database (pkg.go.dev/vuln)
  - Fixed version information
  - Clear indication of which function is vulnerable (e.g., "html.Parse" not "main")
- Sorted vulnerabilities by OSV ID for consistent display

### Suggested Fixes
- When vulnerable code is actually called, creates notice annotations on go.mod
- Shows current vs suggested dependency versions
- Lists which specific vulnerabilities have active call sites
- Provides actionable upgrade recommendations

### Workflow Summary
- Added comprehensive workflow summary using GitHub Actions summary API
- Displays vulnerabilities in formatted tables by module
- Shows vulnerable code locations organized by file
- Includes links to Go vulnerability database entries
- Provides clear recommendations for fixing vulnerabilities

### Bug Fixes
- Fixed JSON parsing to handle both JSON lines and multi-line JSON formats
- Fixed annotation file paths to be relative to repository root
- Improved vulnerability function name extraction from trace data
- Enhanced OSV detail parsing and storage

## Testing
The example workflow demonstrates all features by intentionally using a vulnerable dependency. When run, it will:
1. Detect vulnerabilities in golang.org/x/net
2. Create warning annotations on go.mod and main.go
3. Suggest specific version updates
4. Generate a detailed workflow summary

This provides a complete demonstration of the action's vulnerability detection and reporting capabilities.
2025-06-07 00:58:11 -04:00
Jason Hall
f6e59d4d11
Update example to use latest golang.org/x/net and improve local testing
- Updated example to use golang.org/x/net v0.30.0 (latest version)
- Modified example code to demonstrate vulnerability detection
- Improved govulncheck installation check to skip if already installed
- Enhanced local testing capabilities with run-local.js script
- Fixed parser to handle both JSON lines and multi-line JSON formats
- Added comprehensive logging for debugging annotation creation
2025-06-07 00:19:52 -04:00
Jason Hall
bee00060a0
Add detailed logging and fix GitHub Actions annotation format
This commit adds comprehensive logging to help debug why annotations weren't
appearing in the GitHub Actions UI:

- Added logging for raw govulncheck output
- Added logging in the parser to show what vulnerabilities are found
- Added logging in the annotator to show when annotations are created
- Fixed the annotation format to use the correct property names (file, startLine, endLine)
- Updated tests to match the new annotation format

The annotations should now properly appear in pull requests and workflow runs.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-06 23:58:11 -04:00
Jason Hall
b664b3889e
Fix example go.mod syntax and add debug logging 2025-06-06 23:53:13 -04:00
Jason Hall
9658881ffa
Fix working-directory handling to always run govulncheck on ./...
The action was incorrectly passing the working-directory value as an argument
to govulncheck. This fix ensures that:

- The action changes into the specified working-directory
- govulncheck always runs on './...' from within that directory
- Annotations use relative paths from the working directory

This matches the expected behavior where working-directory controls where
govulncheck runs, but govulncheck itself always scans the entire module
tree from that location.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-06 23:50:57 -04:00
Jason Hall
39e329ab61
Initial implementation of govulncheck GitHub Action
This action runs govulncheck on Go projects and creates GitHub annotations
for vulnerabilities found in dependencies and code paths.

Features:
- Automated vulnerability scanning with govulncheck
- Smart annotations on go.mod for vulnerable dependencies
- Annotations on source code lines that call vulnerable functions
- Configurable working directory
- Output variables for vulnerability detection

The implementation includes:
- Modular architecture with separate concerns (execution, parsing, annotation)
- Comprehensive test suite with 100% function coverage
- Example vulnerable Go module for demonstration
- GitHub workflow example
- Full documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-06 23:41:03 -04:00