govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean
shutdown that was preempted by a fatal error. This condition can
be exploited by a malicious client to cause a denial of service.
Found in: golang.org/x/net/http2@v0.0.0-20220805013720-a33c5aa5df48
Fixed in: golang.org/x/net/http2@v0.0.0-20220906165146-f3363e06e74c
More info: https://pkg.go.dev/vuln/GO-2022-0969
You can have your package report current vuln status on pkg.go.dev which would be nice.
I'm not sure - have not tried it myself on any of my repos. The article I linked shows, as an example, the standard go text package reporting its own version history with vuln tags. text package versions - golang.org/x/text - Go Packages
I just had a quick look at that one myself, but looks to me like it only runs the tool and reports the github action status success/failed - i.e. some missing pieces..? There was also a different action, https://github.com/marketplace/actions/golang-vulncheck, which is quite different, but not sure if that is more complete.
vulncheck project is also soliciting feedback. I filled in their form and linked to our discussion here. I would hope/expect that eventually it would play nicely with CI tooling like Github Actions etc. as well as the pkg.go.dev site and maybe let us put a badge on our repos.
In the meantime, we could run the check on the rclone code as part of the CI? To "red flag" the build should any vulnerabilities be found, e.g. in a PR. It should be as simple as adding the following steps (or use any of the ready-made actions), maybe to the existing lint job:
      - name: Get govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...
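As an added example (not from the thread or the rclone project), here is a small POSIX sh wrapper that a CI step could call instead of the bare `govulncheck ./...`: it parses the tool's text report (the same shape as the one pasted at the top of this thread, embedded below as a constructed sample), lists the ids and "Fixed in" versions, and fails the job when anything was found. It assumes `govulncheck` is on PATH and that the report format stays as shown above.

```shell
#!/bin/sh
# Constructed sample of govulncheck's text output, used to exercise the parser offline.
SAMPLE_REPORT='govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.
Vulnerability #1: GO-2022-0969
HTTP/2 server connections can hang forever waiting for a clean
shutdown that was preempted by a fatal error. This condition can
be exploited by a malicious client to cause a denial of service.
Found in: golang.org/x/net/http2@v0.0.0-20220805013720-a33c5aa5df48
Fixed in: golang.org/x/net/http2@v0.0.0-20220906165146-f3363e06e74c
More info: https://pkg.go.dev/vuln/GO-2022-0969'

# vuln_count REPORT: print N from the "Found N known vulnerabilit..." line (0 when absent).
vuln_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Found \([0-9][0-9]*\) known vulnerabilit.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# vuln_ids REPORT: one GO-YYYY-NNNN id per line, handy for the build log or a PR comment.
vuln_ids() {
    printf '%s\n' "$1" | sed -n 's/^Vulnerability #[0-9]*: \(GO-[0-9]*-[0-9]*\).*/\1/p'
}

# red_flag REPORT: return 1 (fail the job) when any vulnerability was found,
# printing the module version that fixes each finding.
red_flag() {
    count=$(vuln_count "$1")
    if [ "$count" -eq 0 ]; then
        echo "govulncheck: no known vulnerabilities"
        return 0
    fi
    echo "govulncheck: $count known vulnerability(ies) found, failing the build"
    printf '%s\n' "$1" | sed -n 's/^Fixed in: //p' | while read -r fix; do
        echo "  upgrade to $fix"
    done
    return 1
}

# ci_govulncheck: the actual CI step (hypothetical name). Parses the text rather than
# relying on the experimental tool's exit status; an empty report is treated as an error.
ci_govulncheck() {
    report=$(govulncheck ./... 2>&1) || echo "govulncheck exited with status $?" >&2
    [ -n "$report" ] || { echo "govulncheck produced no output" >&2; return 2; }
    printf '%s\n' "$report"
    red_flag "$report"
}
```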