
fix: self-install govulncheck and gosec via go run#53

Merged
ravinald merged 1 commit into main from fix/govulncheck-makefile on May 14, 2026

Conversation

@ravinald
Owner

Summary

The security target was calling govulncheck and gosec from $PATH, which broke on admin1.prod.core.scale.internal:

  • govulncheck ./... (as user) → snap-installed v0.0.0-...20240415, built against Go 1.22. Its typechecker is older than our go.mod's go 1.25.10, so it bails with:

    internal error: package "golang.org/x/sys/unix" without types was imported from "github.com/mattn/go-isatty"

  • gosec ./... (under sudo -i) → sudo swaps GOPATH to /root/go. gosec's go/packages loader has no module cache to read from, so:

    No packages found

Fix

Switch both invocations to go run pkg@version:

GOVULNCHECK_VERSION = v1.3.0
GOVULNCHECK         = $(GOCMD) run golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION)
GOSEC_VERSION       = v2.26.1
GOSEC               = $(GOCMD) run github.com/securego/gosec/v2/cmd/gosec@$(GOSEC_VERSION)

Properties:

  • Toolchain follows go.mod. With GOTOOLCHAIN=auto (default), go run downloads the toolchain pinned in go.mod if the local Go is older. The tool's typechecker always matches the module it's scanning.
  • No PATH lottery. Whatever gosec / govulncheck happens to be on PATH (snap, brew, system) is ignored.
  • No sudo footgun. go run resolves modules through the invoking user's normal GOPATH.
  • Explicit semver pins — no implicit floating tags.

Test plan

  • make vuln on darwin/arm64 (Go 1.26.2): downloads govulncheck@v1.3.0, runs, reports findings normally (no internal error).
  • make security runs gosec then govulncheck, both self-installed.
  • make install on admin1 (Go 1.22.2, snap tools): toolchain auto-downloads go1.25.10; gosec + govulncheck build with that and complete cleanly.
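An added preflight check, not part of this PR or of the wifimgr Makefile, that catches the first failure mode above before a scan runs: it compares the go.mod `go` directive against the Go version a PATH-installed scanner was built with, which `go version -m "$(command -v govulncheck)"` reports. The function names and the sample go.mod content in the comments are constructed for the example.

```shell
#!/bin/sh
# Preflight check for the "typechecker older than go.mod" failure described
# in the PR. A scanner built with an older Go than the module's go directive
# cannot resolve types for the module, so refuse to use it and fall back to
# `go run pkg@version` instead. Example code; not from the project.

# Print the `go` directive version from go.mod text read on stdin.
# Constructed input "module example.com/wifimgr\n\ngo 1.25.10" -> "1.25.10"
go_directive() {
    awk '$1 == "go" { print $2; exit }'
}

# Return 0 when dotted version $1 is strictly older than $2 (1.22 < 1.25.10).
# Missing components sort as 0, so 1.25 < 1.25.10 as Go itself orders them.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# Decide whether a tool built with Go $2 (as printed by `go version -m`,
# e.g. "go1.22.2") can typecheck a module whose go.mod declares go $1.
# Prints "too-old" (status 1) or "ok" (status 0).
tool_usable() {
    module_go=$1
    tool_go=${2#go}          # strip the "go" prefix: go1.22.2 -> 1.22.2
    if version_lt "$tool_go" "$module_go"; then
        echo "too-old"
        return 1
    fi
    echo "ok"
}

# Usage in a Makefile-driven preflight (not part of the project's Makefile):
#   tool_usable "$(go_directive < go.mod)" "$(go version -m "$(command -v govulncheck)" | awk 'NR==1{print $2}')" \
#       || echo "PATH govulncheck too old for this module; use go run instead"
```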

Both tools were relying on whatever was on $PATH:

  govulncheck ./...   # snap-installed v0.0.0 on admin1 (Go 1.22 typechecker)
  gosec ./...         # snap-installed v2.26.1, but sudo flips GOPATH

The snap govulncheck on admin1 fails with "package golang.org/x/sys/unix
without types was imported from github.com/mattn/go-isatty" — its
typechecker is older than our go.mod's go directive (1.25.10), so it
cannot resolve types for the module it is asked to scan.

The snap gosec under sudo -i fails with "No packages found" — sudo
swaps GOPATH to /root/go, leaving go/packages with an empty module
cache to load from.

Switch both targets to "go run pkg@version", which:
  - downloads the toolchain pinned in our go.mod via GOTOOLCHAIN=auto,
    so the typechecker always matches what wifimgr declares;
  - resolves modules through the invoking user's normal GOPATH, so the
    sudo-cache-swap footgun goes away;
  - uses pinned explicit semver tags.

GOVULNCHECK_VERSION = v1.3.0
GOSEC_VERSION       = v2.26.1
@ravinald ravinald force-pushed the fix/govulncheck-makefile branch from 95c1de7 to 2939df3 May 14, 2026 22:26
@ravinald ravinald merged commit 2f86618 into main May 14, 2026
7 checks passed
@ravinald ravinald deleted the fix/govulncheck-makefile branch May 14, 2026 22:32