x/vuln: Vulnerability with Go 1.22 but I'm using 1.21.8

[o-lee]

Currently after running a govulncheck on my project, it shows I'm affected by 2 vulnerabilities (GO-2024-2598 and GO-2024-2599) that affects go1.22. The issue is I'm using 1.21.8 which is not affected. Is there any way for govulncheck not to flag these as vulnerabilities?

[seankhliao]

please fill out the bug report template.
and prefer to use text not images.

[o-lee]

please fill out the bug report template. and prefer to use text not images.

Do you mind pointing me to the bug template? When I click on Open for x/vulndb bugs or feature requests from here, it opens a new issue without a template.

[seankhliao]

https://github.com/golang/go/issues/new?assignees=&labels=vulncheck+or+vulndb&projects=&template=04-vuln.yml&title=x%2Fvuln%3A+issue+title

[zpavlinovic]

Is there a new issue for this? Reproduction steps would be really helpful here.

[timothy-king]

As an alternative to a reproducer steps, you can also provide the information about the packages we likely need to understand this. For similar go1.21 to go1.22 issues, what I needed was the contents of go env, go version -m vulncheck and the internal go list commands used by go/packages. FYI you can print the go list commands by running vulncheck with GOPACKAGESDEBUG=true and then running those commands it prints out manually from the same directory and piping this into a file.

This will reveal a lot about the package structure of your code. So if this is sensitive, you may want to share those as files outside of this issue.

[gopherbot]

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)