feat: upgrade to go v1.20

.github/workflows/checks.yml

@@ -66,7 +66,7 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.47
+          version: v1.54
   go-fmt:
     runs-on: ubuntu-latest
     steps:

.go-version

@@ -1 +1 @@
-1.17.13
+1.20

.golangci.yaml

@@ -21,6 +21,7 @@ linters:
     - wsl              # disagree with, for now
     - ireturn          # disagree with, sort of
     - nonamedreturns   # they have their uses
+    - depguard         # does not make any sense
   presets:
     - bugs
     - comment

Makefile

@@ -21,7 +21,7 @@ test-with-coverage:
 lint:	lint-with-golangci-lint lint-with-go-fmt
 
 lint-with-golangci-lint:
-	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.47.3 run ./... --max-same-issues 0
+	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2 run ./... --max-same-issues 0
 
 lint-with-go-fmt:
 	gofmt -s -d */**.go

go.mod

@@ -1,18 +1,18 @@
 module github.com/g-rath/osv-detector
 
-go 1.17
+go 1.20
 
 require (
 	github.com/BurntSushi/toml v1.0.0
 	github.com/fatih/color v1.13.0
 	github.com/google/go-cmp v0.5.9
-	golang.org/x/mod v0.5.1
+	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
+	golang.org/x/mod v0.12.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
 	github.com/mattn/go-colorable v0.1.9 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
-	golang.org/x/sys v0.1.0 // indirect
-	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 // indirect
+	golang.org/x/sys v0.11.0 // indirect
 )

go.sum

@@ -9,25 +9,15 @@ github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ=
+golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

internal/reporter/reporter.go

@@ -65,7 +65,7 @@ func (r *Reporter) PrintResult(result Result) {
 // stdout as JSON.
 func (r *Reporter) PrintJSONResults() {
 	out, err := json.Marshal(struct {
-		Results interface{} `json:"results"`
+		Results any `json:"results"`
 	}{Results: r.results})
 
 	if err != nil {

main.go

@@ -9,6 +9,7 @@ import (
 	"github.com/g-rath/osv-detector/internal/reporter"
 	"github.com/g-rath/osv-detector/pkg/database"
 	"github.com/g-rath/osv-detector/pkg/lockfile"
+	"golang.org/x/exp/slices"
 	"io"
 	"os"
 	"path/filepath"
@@ -41,16 +42,6 @@ func makeEcosystemDBConfig(ecosystem internal.Ecosystem) database.Config {
 
 type OSVDatabases []database.DB
 
-func contains(items []string, value string) bool {
-	for _, item := range items {
-		if value == item {
-			return true
-		}
-	}
-
-	return false
-}
-
 func (dbs OSVDatabases) transposePkgResults(
 	pkg internal.PackageDetails,
 	ignores []string,
@@ -69,7 +60,7 @@ func (dbs OSVDatabases) transposePkgResults(
 				continue
 			}
 
-			if contains(ignores, vulnerability.ID) {
+			if slices.Contains(ignores, vulnerability.ID) {
 				ignored = append(ignored, vulnerability)
 			} else {
 				vulnerabilities = append(vulnerabilities, vulnerability)
@@ -416,12 +407,12 @@ func (files lockfileAndConfigOrErrs) adjustExtraDatabases(
 
 func parseLockfilePathWithParseAs(lockfilePathWithParseAs string) (string, string) {
 	if !strings.Contains(lockfilePathWithParseAs, ":") {
-		lockfilePathWithParseAs = ":" + lockfilePathWithParseAs
+		return "", lockfilePathWithParseAs
 	}
 
-	splits := strings.SplitN(lockfilePathWithParseAs, ":", 2)
+	parseAs, path, _ := strings.Cut(lockfilePathWithParseAs, ":")
 
-	return splits[0], splits[1]
+	return parseAs, path
 }
 
 func readAllLockfiles(

pkg/database/api-check.go

@@ -59,7 +59,7 @@ func (db APIDB) checkBatch(pkgs []internal.PackageDetails) ([][]ObjectWithID, er
 	}{queries})
 
 	if err != nil {
-		return [][]ObjectWithID{}, fmt.Errorf("%v: %w", ErrAPICouldNotMarshalPayload, err)
+		return [][]ObjectWithID{}, fmt.Errorf("%w: %w", ErrAPICouldNotMarshalPayload, err)
 	}
 
 	req, err := http.NewRequestWithContext(
@@ -70,12 +70,12 @@ func (db APIDB) checkBatch(pkgs []internal.PackageDetails) ([][]ObjectWithID, er
 	)
 
 	if err != nil {
-		return [][]ObjectWithID{}, fmt.Errorf("%v: %w", ErrAPIRequestInvalid, err)
+		return [][]ObjectWithID{}, fmt.Errorf("%w: %w", ErrAPIRequestInvalid, err)
 	}
 
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
-		return [][]ObjectWithID{}, fmt.Errorf("%v: %w", ErrAPIRequestFailed, err)
+		return [][]ObjectWithID{}, fmt.Errorf("%w: %w", ErrAPIRequestFailed, err)
 	}
 
 	defer resp.Body.Close()
@@ -96,7 +96,7 @@ func (db APIDB) checkBatch(pkgs []internal.PackageDetails) ([][]ObjectWithID, er
 
 	if err != nil {
 		return [][]ObjectWithID{}, fmt.Errorf(
-			"%v (%s %s): %w",
+			"%w (%s %s): %w",
 			ErrAPIUnreadableResponse,
 			resp.Request.Method,
 			resp.Request.URL,
@@ -114,7 +114,7 @@ func (db APIDB) checkBatch(pkgs []internal.PackageDetails) ([][]ObjectWithID, er
 
 	if err != nil {
 		return [][]ObjectWithID{}, fmt.Errorf(
-			"%v (%s %s): %w",
+			"%w (%s %s): %w",
 			ErrAPIResponseNotJSON,
 			resp.Request.Method,
 			resp.Request.URL,

pkg/database/api-fetch.go

@@ -29,12 +29,12 @@ func (db APIDB) Fetch(id string) (OSV, error) {
 	)
 
 	if err != nil {
-		return osv, fmt.Errorf("%v: %w", ErrAPIRequestInvalid, err)
+		return osv, fmt.Errorf("%w: %w", ErrAPIRequestInvalid, err)
 	}
 
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
-		return osv, fmt.Errorf("%v: %w", ErrAPIRequestFailed, err)
+		return osv, fmt.Errorf("%w: %w", ErrAPIRequestFailed, err)
 	}
 
 	defer resp.Body.Close()
@@ -55,7 +55,7 @@ func (db APIDB) Fetch(id string) (OSV, error) {
 
 	if err != nil {
 		return osv, fmt.Errorf(
-			"%v (%s %s): %w",
+			"%w (%s %s): %w",
 			ErrAPIUnreadableResponse,
 			resp.Request.Method,
 			resp.Request.URL,
@@ -67,7 +67,7 @@ func (db APIDB) Fetch(id string) (OSV, error) {
 
 	if err != nil {
 		return osv, fmt.Errorf(
-			"%v (%s %s): %w",
+			"%w (%s %s): %w",
 			ErrAPIResponseNotJSON,
 			resp.Request.Method,
 			resp.Request.URL,

pkg/database/osv.go

@@ -7,6 +7,7 @@ import (
 	"github.com/g-rath/osv-detector/internal/cachedregexp"
 	"github.com/g-rath/osv-detector/pkg/lockfile"
 	"github.com/g-rath/osv-detector/pkg/semantic"
+	"golang.org/x/exp/slices"
 	"os"
 	"sort"
 	"strings"
@@ -157,16 +158,6 @@ func (vs Versions) MarshalJSON() ([]byte, error) {
 	return out, nil
 }
 
-func (vs Versions) includes(v string) bool {
-	for _, v2 := range vs {
-		if v == v2 {
-			return true
-		}
-	}
-
-	return false
-}
-
 type Affected struct {
 	Package  Package  `json:"package"`
 	Versions Versions `json:"versions"`
@@ -185,19 +176,9 @@ type OSV struct {
 	Affected  []Affected `json:"affected"`
 }
 
-func (osv *OSV) isAliasOfID(id string) bool {
-	for _, alias := range osv.Aliases {
-		if alias == id {
-			return true
-		}
-	}
-
-	return false
-}
-
 func (osv *OSV) isAliasOf(vulnerability OSV) bool {
 	for _, alias := range vulnerability.Aliases {
-		if osv.ID == alias || osv.isAliasOfID(alias) {
+		if osv.ID == alias || slices.Contains(osv.Aliases, alias) {
 			return true
 		}
 	}
@@ -287,7 +268,7 @@ func (osv *OSV) IsAffected(pkg internal.PackageDetails) bool {
 				continue
 			}
 
-			if affected.Versions.includes(pkg.Version) {
+			if slices.Contains(affected.Versions, pkg.Version) {
 				return true
 			}
 

pkg/database/zip.go

@@ -31,10 +31,10 @@ func (db *ZipDB) Identifier() string { return db.identifier }
 
 // Cache stores the OSV database archive for re-use
 type Cache struct {
-	URL  string
-	ETag string
-	Date string
-	Body []byte
+	URL  string `json:"url"`
+	ETag string `json:"etag"`
+	Date string `json:"date"`
+	Body []byte `json:"body"`
 }
 
 var ErrOfflineDatabaseNotFound = errors.New("no offline version of the OSV database is available")

pkg/lockfile/parse-gradle-lock.go

@@ -18,7 +18,7 @@ func parseGradleLine(line string) (PackageDetails, error) {
 	}
 
 	group, artifact, version := parts[0], parts[1], parts[2]
-	version = strings.SplitN(version, "=", 2)[0]
+	version, _, _ = strings.Cut(version, "=")
 
 	return PackageDetails{
 		Name:      fmt.Sprintf("%s:%s", group, artifact),

pkg/lockfile/parse-pnpm-lock.go

@@ -32,7 +32,7 @@ type pnpmLockfileV6 struct {
 	Packages map[string]PnpmLockPackage `yaml:"packages,omitempty"`
 }
 
-func (l *PnpmLockfile) UnmarshalYAML(unmarshal func(interface{}) error) error {
+func (l *PnpmLockfile) UnmarshalYAML(unmarshal func(any) error) error {
 	var lockfileV6 pnpmLockfileV6
 
 	if err := unmarshal(&lockfileV6); err != nil {
@@ -98,7 +98,7 @@ func extractPnpmPackageNameAndVersion(dependencyPath string) (string, string) {
 
 	// peer dependencies in v5 lockfiles are attached to the end of the version
 	// with an "_", so we always want the first element if an "_" is present
-	version = strings.Split(version, "_")[0]
+	version, _, _ = strings.Cut(version, "_")
 
 	return name, version
 }

pkg/lockfile/parse-pubspec-lock.go

@@ -15,7 +15,7 @@ type PubspecLockDescription struct {
 
 var _ yaml.Unmarshaler = &PubspecLockDescription{}
 
-func (pld *PubspecLockDescription) UnmarshalYAML(unmarshal func(interface{}) error) error {
+func (pld *PubspecLockDescription) UnmarshalYAML(unmarshal func(any) error) error {
 	var m struct {
 		Name string `yaml:"name"`
 		URL  string `yaml:"url"`

pkg/lockfile/parse-yarn-lock.go

@@ -53,7 +53,7 @@ func extractYarnPackageName(str string) string {
 		str = strings.TrimPrefix(str, "@")
 	}
 
-	name := strings.SplitN(str, "@", 2)[0]
+	name, _, _ := strings.Cut(str, "@")
 
 	if isScoped {
 		name = "@" + name