From db8be72a60914fd9bc72b127b3cd85be4b125f6f Mon Sep 17 00:00:00 2001
From: Florent Viel <luxifer666@gmail.com>
Date: Wed, 7 Sep 2022 15:21:15 +0200
Subject: [PATCH 01/12] init vuncheck linter

---
 go.mod                         |  4 +-
 go.sum                         |  7 ++-
 pkg/config/linters_settings.go |  5 ++
 pkg/golinters/vulncheck.go     | 84 ++++++++++++++++++++++++++++++++++
 pkg/lint/lintersdb/manager.go  |  7 +++
 5 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100644 pkg/golinters/vulncheck.go

diff --git a/go.mod b/go.mod
index a9a44d009b96..6d00c2f3c0d2 100644
--- a/go.mod
+++ b/go.mod
@@ -113,7 +113,9 @@ require (
 	github.com/ykadowak/zerologlint v0.1.1
 	gitlab.com/bosi/decorder v0.2.3
 	go.tmz.dev/musttag v0.6.0
+	golang.org/x/net v0.9.0
 	golang.org/x/tools v0.8.0
+	golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39
 	gopkg.in/yaml.v3 v3.0.1
 	honnef.co/go/tools v0.4.3
 	mvdan.cc/gofumpt v0.5.0
@@ -187,7 +189,7 @@ require (
 	golang.org/x/mod v0.10.0 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index fbf7a3e3d398..06cd382886a4 100644
--- a/go.sum
+++ b/go.sum
@@ -105,6 +105,7 @@ github.com/chavacava/garif v0.0.0-20230227094218-b8c73b2037b8/go.mod h1:gakxgyXa
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -691,6 +692,7 @@ golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
+golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -798,8 +800,9 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -874,6 +877,8 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y=
 golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
+golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39 h1:501+NfNjDh4IT4HOzdeezTOFD7njtY49aXJN1oY3E1s=
+golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
index 9386b4631e19..2ef051192e04 100644
--- a/pkg/config/linters_settings.go
+++ b/pkg/config/linters_settings.go
@@ -224,6 +224,7 @@ type LintersSettings struct {
 	Whitespace       WhitespaceSettings
 	Wrapcheck        WrapcheckSettings
 	WSL              WSLSettings
+	Vulncheck        VulncheckSettings
 
 	Custom map[string]CustomLinterSettings
 }
@@ -744,6 +745,10 @@ type VarnamelenSettings struct {
 	IgnoreDecls        []string `mapstructure:"ignore-decls"`
 }
 
+type VulncheckSettings struct {
+	VulnDatabase []string `mapstructure:"vuln-database"`
+}
+
 type WhitespaceSettings struct {
 	MultiIf   bool `mapstructure:"multi-if"`
 	MultiFunc bool `mapstructure:"multi-func"`
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
new file mode 100644
index 000000000000..346fb73e577c
--- /dev/null
+++ b/pkg/golinters/vulncheck.go
@@ -0,0 +1,84 @@
+package golinters
+
+import (
+	"sync"
+
+	"golang.org/x/net/context"
+	"golang.org/x/tools/go/analysis"
+	"golang.org/x/vuln/client"
+	"golang.org/x/vuln/vulncheck"
+
+	"github.com/golangci/golangci-lint/pkg/config"
+	"github.com/golangci/golangci-lint/pkg/golinters/goanalysis"
+	"github.com/golangci/golangci-lint/pkg/lint/linter"
+	"github.com/golangci/golangci-lint/pkg/result"
+)
+
+const (
+	vulncheckName = "vulncheck"
+	vulncheckDoc  = "Package vulncheck detects uses of known vulnerabilities in Go programs."
+)
+
+func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
+	var mu sync.Mutex
+	var resIssues []goanalysis.Issue
+
+	var analyzer = &analysis.Analyzer{
+		Name: vulncheckName,
+		Doc:  vulncheckDoc,
+		Run:  goanalysis.DummyRun,
+	}
+
+	return goanalysis.NewLinter(
+		"vulncheck",
+		"Package vulncheck detects uses of known vulnerabilities in Go programs.",
+		[]*analysis.Analyzer{analyzer},
+		nil,
+	).WithContextSetter(func(lintCtx *linter.Context) {
+		analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
+			issues, err := vulncheckRun(lintCtx, pass, settings)
+
+			if err != nil {
+				return nil, err
+			}
+
+			mu.Lock()
+			resIssues = append(resIssues, issues...)
+			mu.Unlock()
+
+			return nil, nil
+		}
+	}).WithIssuesReporter(func(*linter.Context) []goanalysis.Issue {
+		return resIssues
+	})
+}
+
+func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config.VulncheckSettings) ([]goanalysis.Issue, error) {
+	dbs := []string{"https://vuln.go.dev"}
+	if len(settings.VulnDatabase) > 0 {
+		dbs = settings.VulnDatabase
+	}
+	dbClient, err := client.NewClient(dbs, client.Options{})
+	if err != nil {
+		return nil, err
+	}
+
+	vcfg := &vulncheck.Config{Client: dbClient, SourceGoVersion: lintCtx.Cfg.Run.Go}
+	vpkgs := vulncheck.Convert(lintCtx.Packages)
+	ctx := context.Background()
+
+	r, err := vulncheck.Source(ctx, vpkgs, vcfg)
+	if err != nil {
+		return nil, err
+	}
+
+	issues := make([]goanalysis.Issue, len(r.Vulns))
+
+	for _, vuln := range r.Vulns {
+		issues = append(issues, goanalysis.NewIssue(&result.Issue{
+			Text: vuln.OSV.ID,
+		}, pass))
+	}
+
+	return issues, nil
+}
diff --git a/pkg/lint/lintersdb/manager.go b/pkg/lint/lintersdb/manager.go
index ffe10721cf43..428a35f22d9e 100644
--- a/pkg/lint/lintersdb/manager.go
+++ b/pkg/lint/lintersdb/manager.go
@@ -178,6 +178,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 		whitespaceCfg       *config.WhitespaceSettings
 		wrapcheckCfg        *config.WrapcheckSettings
 		wslCfg              *config.WSLSettings
+		vulncheckCfg        *config.VulncheckSettings
 	)
 
 	if m.cfg != nil {
@@ -258,6 +259,7 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 		whitespaceCfg = &m.cfg.LintersSettings.Whitespace
 		wrapcheckCfg = &m.cfg.LintersSettings.Wrapcheck
 		wslCfg = &m.cfg.LintersSettings.WSL
+		vulncheckCfg = &m.cfg.LintersSettings.Vulncheck
 
 		if govetCfg != nil {
 			govetCfg.Go = m.cfg.Run.Go
@@ -897,6 +899,11 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 			WithPresets(linter.PresetBugs).
 			WithLoadForGoAnalysis().
 			WithURL("https://github.com/ykadowak/zerologlint"),
+
+		linter.NewConfig(golinters.NewVulncheck(vulncheckCfg)).
+			WithSince("v1.53.0").
+			WithPresets(linter.PresetModule).
+			WithURL("https://vuln.go.dev/"),
 	}
 
 	enabledByDefault := map[string]bool{

From dc80ef0ddb2f091bf4c8ec145bf0d10b9228facf Mon Sep 17 00:00:00 2001
From: Florent Viel <luxifer666@gmail.com>
Date: Thu, 15 Sep 2022 16:13:13 +0200
Subject: [PATCH 02/12] set slice capacity instead of length

---
 pkg/golinters/vulncheck.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 346fb73e577c..48eda3851829 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -23,7 +23,7 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
 	var mu sync.Mutex
 	var resIssues []goanalysis.Issue
 
-	var analyzer = &analysis.Analyzer{
+	analyzer := &analysis.Analyzer{
 		Name: vulncheckName,
 		Doc:  vulncheckDoc,
 		Run:  goanalysis.DummyRun,
@@ -37,7 +37,6 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
 	).WithContextSetter(func(lintCtx *linter.Context) {
 		analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
 			issues, err := vulncheckRun(lintCtx, pass, settings)
-
 			if err != nil {
 				return nil, err
 			}
@@ -72,7 +71,7 @@ func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config
 		return nil, err
 	}
 
-	issues := make([]goanalysis.Issue, len(r.Vulns))
+	issues := make([]goanalysis.Issue, 0, len(r.Vulns))
 
 	for _, vuln := range r.Vulns {
 		issues = append(issues, goanalysis.NewIssue(&result.Issue{

From 7f14758821b5e516e0ec0d70b9b1afecba44092d Mon Sep 17 00:00:00 2001
From: Florent Viel <luxifer666@gmail.com>
Date: Thu, 15 Sep 2022 16:51:32 +0200
Subject: [PATCH 03/12] improvu vuln output

---
 pkg/golinters/vulncheck.go | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 48eda3851829..65d58f9c929f 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -1,6 +1,8 @@
 package golinters
 
 import (
+	"fmt"
+	"strings"
 	"sync"
 
 	"golang.org/x/net/context"
@@ -71,13 +73,34 @@ func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config
 		return nil, err
 	}
 
+	imports := vulncheck.ImportChains(r)
 	issues := make([]goanalysis.Issue, 0, len(r.Vulns))
 
-	for _, vuln := range r.Vulns {
+	for idx, vuln := range r.Vulns {
 		issues = append(issues, goanalysis.NewIssue(&result.Issue{
-			Text: vuln.OSV.ID,
+			Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImorts(imports[vuln])),
 		}, pass))
 	}
 
 	return issues, nil
 }
+
+func writeImorts(imports []vulncheck.ImportChain) string {
+	var s strings.Builder
+	for _, i := range imports {
+		indent := 0
+		for _, pkg := range i {
+			s.WriteString(fmt.Sprintf("%s|_ %s", strings.Repeat(" ", indent), pkg.Name))
+		}
+	}
+
+	return s.String()
+}
+
+func writeVulnerability(idx int, id, details, imports string) string {
+	return fmt.Sprintf(`Vulnerability #%d: %s
+%s
+%s
+  More info: https://pkg.go.dev/vuln/%s
+`, idx, id, details, imports, id)
+}

From 69500baa683319e5a4b8d4f5f630f6a8680258b2 Mon Sep 17 00:00:00 2001
From: Florent Viel <luxifer666@gmail.com>
Date: Sat, 10 Dec 2022 12:13:08 +0100
Subject: [PATCH 04/12] fix typo

---
 pkg/golinters/vulncheck.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 65d58f9c929f..62c852d197a2 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -78,14 +78,14 @@ func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config
 
 	for idx, vuln := range r.Vulns {
 		issues = append(issues, goanalysis.NewIssue(&result.Issue{
-			Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImorts(imports[vuln])),
+			Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImports(imports[vuln])),
 		}, pass))
 	}
 
 	return issues, nil
 }
 
-func writeImorts(imports []vulncheck.ImportChain) string {
+func writeImports(imports []vulncheck.ImportChain) string {
 	var s strings.Builder
 	for _, i := range imports {
 		indent := 0

From 6d86e2dd8cd340bfa0a0f8f7f64cdf3b50b8e4b6 Mon Sep 17 00:00:00 2001
From: Florent Viel <luxifer666@gmail.com>
Date: Sat, 10 Dec 2022 12:13:49 +0100
Subject: [PATCH 05/12] add vulncheck to reference

---
 .golangci.reference.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.golangci.reference.yml b/.golangci.reference.yml
index 37324b856153..1d5b5dee4448 100644
--- a/.golangci.reference.yml
+++ b/.golangci.reference.yml
@@ -1944,6 +1944,9 @@ linters-settings:
       - T any
       - m map[string]int
 
+  vulncheck:
+    vuln-database: [https://vuln.go.dev]
+
   whitespace:
     # Enforces newlines (or comments) after every multi-line if statement.
     # Default: false
@@ -2159,6 +2162,7 @@ linters:
     - usestdlibvars
     - varcheck
     - varnamelen
+    - vulncheck
     - wastedassign
     - whitespace
     - wrapcheck
@@ -2272,6 +2276,7 @@ linters:
     - usestdlibvars
     - varcheck
     - varnamelen
+    - vulncheck
     - wastedassign
     - whitespace
     - wrapcheck

From 3654c76eff472a9023bd25f2501cb72b03b1eeb6 Mon Sep 17 00:00:00 2001
From: Florent Viel <luxifer666@gmail.com>
Date: Sat, 10 Dec 2022 12:14:07 +0100
Subject: [PATCH 06/12] add vulncheck failing testcase

---
 test/linters_test.go                 | 1 +
 test/testdata/vulncheck/go.mod       | 7 +++++++
 test/testdata/vulncheck/vulncheck.go | 7 +++++++
 3 files changed, 15 insertions(+)
 create mode 100644 test/testdata/vulncheck/go.mod
 create mode 100644 test/testdata/vulncheck/vulncheck.go

diff --git a/test/linters_test.go b/test/linters_test.go
index dd130db3e7db..d519b2ac0f4f 100644
--- a/test/linters_test.go
+++ b/test/linters_test.go
@@ -32,6 +32,7 @@ func TestSourcesFromTestdataSubDir(t *testing.T) {
 		"loggercheck",
 		"ginkgolinter",
 		"zerologlint",
+		"vulncheck",
 	}
 
 	for _, dir := range subDirs {
diff --git a/test/testdata/vulncheck/go.mod b/test/testdata/vulncheck/go.mod
new file mode 100644
index 000000000000..3b96339713df
--- /dev/null
+++ b/test/testdata/vulncheck/go.mod
@@ -0,0 +1,7 @@
+module vulncheck
+
+go 1.19
+
+require (
+	golang.org/x/text/languag v0.37.0
+)
diff --git a/test/testdata/vulncheck/vulncheck.go b/test/testdata/vulncheck/vulncheck.go
new file mode 100644
index 000000000000..32f1391f5859
--- /dev/null
+++ b/test/testdata/vulncheck/vulncheck.go
@@ -0,0 +1,7 @@
+package vulncheck
+
+import "golang.org/x/text/language"
+
+func testvuln() {
+	_ = language.MustParseRegion("US")
+}

From 0c74e27a4207dbed6ef502fe92bd1cd1b060b0b8 Mon Sep 17 00:00:00 2001
From: Florent Viel <luxifer666@gmail.com>
Date: Sat, 10 Dec 2022 12:16:06 +0100
Subject: [PATCH 07/12] fix failing test vulncheck

---
 test/testdata/vulncheck/go.mod | 4 +---
 test/testdata/vulncheck/go.sum | 2 ++
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 test/testdata/vulncheck/go.sum

diff --git a/test/testdata/vulncheck/go.mod b/test/testdata/vulncheck/go.mod
index 3b96339713df..53b79c11c515 100644
--- a/test/testdata/vulncheck/go.mod
+++ b/test/testdata/vulncheck/go.mod
@@ -2,6 +2,4 @@ module vulncheck
 
 go 1.19
 
-require (
-	golang.org/x/text/languag v0.37.0
-)
+require golang.org/x/text v0.3.7
diff --git a/test/testdata/vulncheck/go.sum b/test/testdata/vulncheck/go.sum
new file mode 100644
index 000000000000..1f78e039072f
--- /dev/null
+++ b/test/testdata/vulncheck/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=

From 127d2be23236103850152434a7396564396845ff Mon Sep 17 00:00:00 2001
From: Florent Viel <luxifer666@gmail.com>
Date: Sun, 11 Dec 2022 10:37:07 +0100
Subject: [PATCH 08/12] add test args for vulncheck test case

---
 test/testdata/vulncheck/vulncheck.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/test/testdata/vulncheck/vulncheck.go b/test/testdata/vulncheck/vulncheck.go
index 32f1391f5859..0b0aecc7a93f 100644
--- a/test/testdata/vulncheck/vulncheck.go
+++ b/test/testdata/vulncheck/vulncheck.go
@@ -1,7 +1,13 @@
+//golangcitest:args -Evulncheck
 package vulncheck
 
-import "golang.org/x/text/language"
+import (
+	"fmt"
 
-func testvuln() {
-	_ = language.MustParseRegion("US")
+	"golang.org/x/text/language"
+)
+
+func ParseRegion() {
+	us := language.MustParseRegion("US")
+	fmt.Println(us)
 }

From 48bcbcb6970bfee9502e65758d99ce2a42068bdc Mon Sep 17 00:00:00 2001
From: Craig Rodrigues <rodrigc@crodrigues.org>
Date: Sat, 1 Jul 2023 15:02:41 -0700
Subject: [PATCH 09/12] Replace interface{} with any

---
 pkg/golinters/vulncheck.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 62c852d197a2..13b34068fc0f 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -37,7 +37,7 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
 		[]*analysis.Analyzer{analyzer},
 		nil,
 	).WithContextSetter(func(lintCtx *linter.Context) {
-		analyzer.Run = func(pass *analysis.Pass) (interface{}, error) {
+		analyzer.Run = func(pass *analysis.Pass) (any, error) {
 			issues, err := vulncheckRun(lintCtx, pass, settings)
 			if err != nil {
 				return nil, err

From 3386b9c46551ce3a92b93d7500fa8eeddd974bbf Mon Sep 17 00:00:00 2001
From: Craig Rodrigues <rodrigc@crodrigues.org>
Date: Sat, 1 Jul 2023 15:47:48 -0700
Subject: [PATCH 10/12] Update go/vuln dependency

---
 go.mod | 4 ++--
 go.sum | 9 ++++-----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index aeb8dfa5a2ad..ca6c68835a95 100644
--- a/go.mod
+++ b/go.mod
@@ -119,12 +119,12 @@ require (
 	golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea
 	golang.org/x/net v0.11.0
 	golang.org/x/tools v0.10.0
-	golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39
+	golang.org/x/vuln v0.2.0
 	gopkg.in/yaml.v3 v3.0.1
 	honnef.co/go/tools v0.4.3
 	mvdan.cc/gofumpt v0.5.0
 	mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed
-	mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d
+	mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8
 )
 
 require (
diff --git a/go.sum b/go.sum
index acff1d758b37..5f0a858f95dd 100644
--- a/go.sum
+++ b/go.sum
@@ -107,7 +107,6 @@ github.com/chavacava/garif v0.0.0-20230227094218-b8c73b2037b8/go.mod h1:gakxgyXa
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -880,8 +879,8 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
 golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
-golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39 h1:501+NfNjDh4IT4HOzdeezTOFD7njtY49aXJN1oY3E1s=
-golang.org/x/vuln v0.0.0-20220902211423-27dd78d2ca39/go.mod h1:7tDfEDtOLlzHQRi4Yzfg5seVBSvouUIjyPzBx4q5CxQ=
+golang.org/x/vuln v0.2.0 h1:Dlz47lW0pvPHU7tnb10S8vbMn9GnV2B6eyT7Tem5XBI=
+golang.org/x/vuln v0.2.0/go.mod h1:V0eyhHwaAaHrt42J9bgrN6rd12f6GU4T0Lu0ex2wDg4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1011,8 +1010,8 @@ mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed h1:WX1yoOaKQfddO/mLzdV4wp
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b h1:DxJ5nJdkhDlLok9K6qO+5290kphDJbHOQO1DFFFTeBo=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
-mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d h1:3rvTIIM22r9pvXk+q3swxUQAQOxksVMGK7sml4nG57w=
-mvdan.cc/unparam v0.0.0-20221223090309-7455f1af531d/go.mod h1:IeHQjmn6TOD+e4Z3RFiZMMsLVL+A96Nvptar8Fj71is=
+mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8 h1:VuJo4Mt0EVPychre4fNlDWDuE5AjXtPJpRUWqZDQhaI=
+mvdan.cc/unparam v0.0.0-20230312165513-e84e2d14e3b8/go.mod h1:Oh/d7dEtzsNHGOq1Cdv8aMm3KdKhVvPbRQcM8WFpBR8=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

From 2d64977573d2fdcd1aee39d83d192a72aadb32e1 Mon Sep 17 00:00:00 2001
From: Craig Rodrigues <rodrigc@crodrigues.org>
Date: Sat, 1 Jul 2023 17:05:07 -0700
Subject: [PATCH 11/12] Fix pkg/lint/lintersdb/manager.go

---
 pkg/lint/lintersdb/manager.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/pkg/lint/lintersdb/manager.go b/pkg/lint/lintersdb/manager.go
index b16991690b87..921e4390dbb2 100644
--- a/pkg/lint/lintersdb/manager.go
+++ b/pkg/lint/lintersdb/manager.go
@@ -138,10 +138,10 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 		usestdlibvars       *config.UseStdlibVarsSettings
 		varcheckCfg         *config.VarCheckSettings
 		varnamelenCfg       *config.VarnamelenSettings
+		vulncheckCfg        *config.VulncheckSettings
 		whitespaceCfg       *config.WhitespaceSettings
 		wrapcheckCfg        *config.WrapcheckSettings
 		wslCfg              *config.WSLSettings
-		vulncheckCfg        *config.VulncheckSettings
 	)
 
 	if m.cfg != nil {
@@ -219,10 +219,10 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 		usestdlibvars = &m.cfg.LintersSettings.UseStdlibVars
 		varcheckCfg = &m.cfg.LintersSettings.Varcheck
 		varnamelenCfg = &m.cfg.LintersSettings.Varnamelen
+		vulncheckCfg = &m.cfg.LintersSettings.Vulncheck
 		whitespaceCfg = &m.cfg.LintersSettings.Whitespace
 		wrapcheckCfg = &m.cfg.LintersSettings.Wrapcheck
 		wslCfg = &m.cfg.LintersSettings.WSL
-		vulncheckCfg = &m.cfg.LintersSettings.Vulncheck
 
 		if govetCfg != nil {
 			govetCfg.Go = m.cfg.Run.Go
@@ -853,6 +853,11 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 			WithLoadForGoAnalysis().
 			WithURL("https://github.com/blizzy78/varnamelen"),
 
+		linter.NewConfig(golinters.NewVulncheck(vulncheckCfg)).
+			WithSince("v1.53.0").
+			WithPresets(linter.PresetModule).
+			WithURL("https://vuln.go.dev/"),
+
 		linter.NewConfig(golinters.NewWastedAssign()).
 			WithSince("v1.38.0").
 			WithPresets(linter.PresetStyle).
@@ -882,11 +887,6 @@ func (m Manager) GetAllSupportedLinterConfigs() []*linter.Config {
 			WithLoadForGoAnalysis().
 			WithURL("https://github.com/ykadowak/zerologlint"),
 
-		linter.NewConfig(golinters.NewVulncheck(vulncheckCfg)).
-			WithSince("v1.53.0").
-			WithPresets(linter.PresetModule).
-			WithURL("https://vuln.go.dev/"),
-
 		// nolintlint must be last because it looks at the results of all the previous linters for unused nolint directives
 		linter.NewConfig(golinters.NewNoLintLint(noLintLintCfg)).
 			WithSince("v1.26.0").

From cd2e05e597b98a0e932fa7f4f245e885cb77f668 Mon Sep 17 00:00:00 2001
From: Craig Rodrigues <rodrigc@crodrigues.org>
Date: Fri, 8 Sep 2023 07:24:18 -0700
Subject: [PATCH 12/12] Update

---
 pkg/config/linters_settings.go       |  2 +-
 pkg/golinters/vulncheck.go           | 79 ++++++++++------------------
 test/linters_test.go                 |  1 +
 test/testdata/vulncheck/vulncheck.go |  2 +-
 4 files changed, 32 insertions(+), 52 deletions(-)

diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
index 1a970108f186..cb2c33a4e0ab 100644
--- a/pkg/config/linters_settings.go
+++ b/pkg/config/linters_settings.go
@@ -224,10 +224,10 @@ type LintersSettings struct {
 	UseStdlibVars    UseStdlibVarsSettings
 	Varcheck         VarCheckSettings
 	Varnamelen       VarnamelenSettings
+	Vulncheck        VulncheckSettings
 	Whitespace       WhitespaceSettings
 	Wrapcheck        WrapcheckSettings
 	WSL              WSLSettings
-	Vulncheck        VulncheckSettings
 
 	Custom map[string]CustomLinterSettings
 }
diff --git a/pkg/golinters/vulncheck.go b/pkg/golinters/vulncheck.go
index 13b34068fc0f..278ded0103ba 100644
--- a/pkg/golinters/vulncheck.go
+++ b/pkg/golinters/vulncheck.go
@@ -1,14 +1,13 @@
 package golinters
 
 import (
-	"fmt"
-	"strings"
+	"bytes"
+	"path/filepath"
 	"sync"
 
 	"golang.org/x/net/context"
 	"golang.org/x/tools/go/analysis"
-	"golang.org/x/vuln/client"
-	"golang.org/x/vuln/vulncheck"
+	"golang.org/x/vuln/scan"
 
 	"github.com/golangci/golangci-lint/pkg/config"
 	"github.com/golangci/golangci-lint/pkg/golinters/goanalysis"
@@ -18,7 +17,7 @@ import (
 
 const (
 	vulncheckName = "vulncheck"
-	vulncheckDoc  = "Package vulncheck detects uses of known vulnerabilities in Go programs."
+	vulncheckDoc  = "vulncheck detects uses of known vulnerabilities in Go programs."
 )
 
 func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
@@ -32,8 +31,8 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
 	}
 
 	return goanalysis.NewLinter(
-		"vulncheck",
-		"Package vulncheck detects uses of known vulnerabilities in Go programs.",
+		vulncheckName,
+		vulncheckDoc,
 		[]*analysis.Analyzer{analyzer},
 		nil,
 	).WithContextSetter(func(lintCtx *linter.Context) {
@@ -54,53 +53,33 @@ func NewVulncheck(settings *config.VulncheckSettings) *goanalysis.Linter {
 	})
 }
 
-func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, settings *config.VulncheckSettings) ([]goanalysis.Issue, error) {
-	dbs := []string{"https://vuln.go.dev"}
-	if len(settings.VulnDatabase) > 0 {
-		dbs = settings.VulnDatabase
-	}
-	dbClient, err := client.NewClient(dbs, client.Options{})
-	if err != nil {
-		return nil, err
-	}
+func vulncheckRun(lintCtx *linter.Context, pass *analysis.Pass, _ *config.VulncheckSettings) ([]goanalysis.Issue, error) {
+	files := getFileNames(pass)
 
-	vcfg := &vulncheck.Config{Client: dbClient, SourceGoVersion: lintCtx.Cfg.Run.Go}
-	vpkgs := vulncheck.Convert(lintCtx.Packages)
 	ctx := context.Background()
-
-	r, err := vulncheck.Source(ctx, vpkgs, vcfg)
-	if err != nil {
-		return nil, err
-	}
-
-	imports := vulncheck.ImportChains(r)
-	issues := make([]goanalysis.Issue, 0, len(r.Vulns))
-
-	for idx, vuln := range r.Vulns {
+	lintCtx.Log.Errorf("%v\n", files)
+
+	issues := []goanalysis.Issue{}
+	for _, file := range files {
+		lintCtx.Log.Errorf("%s %s %s %s\n", "-json", "-C", filepath.Dir(file), ".")
+		cmd := scan.Command(ctx, "-json", "-C", filepath.Dir(file), ".")
+		buf := &bytes.Buffer{}
+		cmd.Stderr = buf
+		cmd.Stdout = buf
+		err := cmd.Start()
+		if err != nil {
+			return issues, err
+		}
+		err = cmd.Wait()
+		if err != nil {
+			return issues, err
+		}
 		issues = append(issues, goanalysis.NewIssue(&result.Issue{
-			Text: writeVulnerability(idx, vuln.OSV.ID, vuln.OSV.Details, writeImports(imports[vuln])),
-		}, pass))
+			Text:       buf.String(),
+			FromLinter: vulncheckName},
+			pass))
 	}
 
+	lintCtx.Log.Errorf("%v\n", issues)
 	return issues, nil
 }
-
-func writeImports(imports []vulncheck.ImportChain) string {
-	var s strings.Builder
-	for _, i := range imports {
-		indent := 0
-		for _, pkg := range i {
-			s.WriteString(fmt.Sprintf("%s|_ %s", strings.Repeat(" ", indent), pkg.Name))
-		}
-	}
-
-	return s.String()
-}
-
-func writeVulnerability(idx int, id, details, imports string) string {
-	return fmt.Sprintf(`Vulnerability #%d: %s
-%s
-%s
-  More info: https://pkg.go.dev/vuln/%s
-`, idx, id, details, imports, id)
-}
diff --git a/test/linters_test.go b/test/linters_test.go
index d519b2ac0f4f..1f2de5df1bfc 100644
--- a/test/linters_test.go
+++ b/test/linters_test.go
@@ -69,6 +69,7 @@ func testSourcesFromDir(t *testing.T, dir string) {
 			rel, err := filepath.Rel(dir, source)
 			require.NoError(t, err)
 
+			log.Warnf("TESTING: [%v] [%v] [%v] [%v]", subTest, log, binPath, rel)
 			testOneSource(subTest, log, binPath, rel)
 		})
 	}
diff --git a/test/testdata/vulncheck/vulncheck.go b/test/testdata/vulncheck/vulncheck.go
index 0b0aecc7a93f..573515250e0c 100644
--- a/test/testdata/vulncheck/vulncheck.go
+++ b/test/testdata/vulncheck/vulncheck.go
@@ -1,4 +1,4 @@
-//golangcitest:args -Evulncheck
+//golangcitest:args --disable-all -Evulncheck .
 package vulncheck
 
 import (