add vulncheck as a linter #3199
Hey, thank you for opening your first Pull Request!
I'm feeling silly to ask, but could you please fix the typo in the subject of the PR so that it would be easier to search?
@luxifer Thank you for having made this an integrated linter 💯 🚀
LGTM besides the two mentioned issues :)
I made some changes on the MR if you want to check 😉
It would be nice to have:
P.S: I'm not an official maintainer, those are just a nice-to-have list. Otherwise, LGTM!
Don't do that, please.
I will see how I can fake the vuln database to have test cases
you don't need to fake, you just have to create a file with a vulnerability
In order for a pull request adding a linter to be reviewed, the linter and the PR must follow some requirements.
Pull Request Description
Linter
The Linter Tests Inside Golangci-lint
I will take the time to review that checklist and make the proper changes
@luxifer Do you have time to push this vulncheck linter forward? This is very handy
This is temporary while golangci/golangci-lint#3094 is being worked on here: golangci/golangci-lint#3199
Hi! I wish you all a happy new year! If anyone can take a look at my PR and why I can't run my testcases. I'm a bit stuck here.
Any progress here, @luxifer? Is it ready to release on the next golangci-lint cycle?
I will rebase my PR but I still have issues running test cases for my new linter. I'll try to work on it this weekend.
After a bit of investigation, I made the test run.
Although found by the official `govulncheck` command, no vulnerability is detected using the linter. I'm clueless as to why.
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 62c852d1..ed3df51b 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -51,7 +51,7 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
}
}).WithIssuesReporter(func(*linter.Context) []goanalysis.Issue {
return resIssues
- })
+ }).WithLoadMode(goanalysis.LoadModeSyntax)
}
func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config.VulncheckSettings) ([]goanalysis.Issue, error) {
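Review bot: the added `.WithLoadMode(goanalysis.LoadModeSyntax)` on the linter returned by `NewVulncheck` has no comment saying why a syntax-only load is enough for `vulncheckRun`, and it declares a different load requirement from the `WithLoadForGoAnalysis()` call added in manager.go. If `vulncheckRun` reads type information from `pass`, a syntax-only mode is a candidate cause of the "no vulnerability is detected" result described above. Please state which data `vulncheckRun` needs, pick the load mode that matches it, and keep the two declarations consistent.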
diff --git a/pkg/lint/lintersdb/manager.go b/pkg/lint/lintersdb/manager.go
index 0042628a..94e92e36 100644
--- a/pkg/lint/lintersdb/manager.go
+++ b/pkg/lint/lintersdb/manager.go
@@ -883,6 +883,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
linter.NewConfig(golinters.NewVulncheck(vulncheckCfg)).
WithSince("v1.50.2").
WithPresets(linter.PresetModule).
+ WithLoadForGoAnalysis().
WithURL("https://vuln.go.dev/"),
}
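Review bot: `WithLoadForGoAnalysis()` in the vulncheck entry of `GetAllSupportedLinterConfigs` arrives with no test or testdata change in this diff, so nothing shows that it makes the linter report a call that `govulncheck` flags. Suggest adding a testdata file with an expected finding alongside this line. It is also worth confirming that `WithSince("v1.50.2")` still names the release this linter would first ship in.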
Do you need any help on this? @luxifer I can give a hand on this if you add me as collaborator to your fork.
you don't need to be a collaborator, you can just open PR on the fork.
Any progress here? I gave it another shot — still clueless as to why it's not working properly. See #3199 (review)
I see that in the
With the current implem I'm facing the following issue running the tests:
How should we move forward on this? Almost one year has passed...
Based on the reaction on #3094 (comment) I will close this PR.
@ldez I understand some of the reasoning behind your decision and respect it. Although govulncheck detects vulnerabilities, as an end-user, I view this as an alternate form of "linting", or "pre-compilation checks". For this reason, I view it as appropriate to add to golangci-lint, as an optional linter that the end-user would have to enable. Although the vulnerability database is outside, it would be nice to have govulncheck available for use inside golangci-lint. I took the work that @luxifer started, and made another PR: #4074
Related to #3094