Github Actions: Cannot get go standard library version with --lockfile=go.mod #620

Closed
toddtee opened this issue Oct 30, 2023 · 3 comments
question Further information is requested
toddtee commented Oct 30, 2023

Hi all,

I am trying to use google/osv-scanner/actions/scanner@main to scan my project's go.mod file for any vulnerable dependencies within a github action workflow. To do this, I am specifying the go.mod as the --lockfile for osv-scanner.

```yaml
      - name: "Run scanner on new code"
        uses: google/osv-scanner/actions/scanner@main
        with:
          scan-args: |-
            --format=json
            --output=results.json
            --lockfile=go.mod
        continue-on-error: false
```

The step exits in Github actions with Exit code: 127:

```text
cannot get go standard library version, go might not be installed: exec: "go": executable file not found in $PATH
```

The entirety of the step output is as follows:

```text
Run google/osv-scanner/actions/scanner@main
  with:
    scan-args: --format=json
  --output=results.json
  --lockfile=go.mod
/usr/bin/docker run --name d556ed201026cc19174d3ba8f4dc76845af5f3_5489b5 --label d556ed --workdir /github/workspace --rm -e "INPUT_SCAN-ARGS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/chat-bot/chat-bot":"/github/workspace" d556ed:201026cc19174d3ba8f4dc76845af5f3  "--format=json
--output=old-results.json
--lockfile=go.mod"
cannot get go standard library version, go might not be installed: exec: "go": executable file not found in $PATH
Scanned /github/workspace/go.mod file and found 3 packages
Exit code: 127
```

Looking through the codebase for osv-scanner, I can see that when go.mod is provided as the `--lockfile`, the code will try to enrich the scanner by running `go env GOVERSION`, which I believe is where the issue lies:

```go
func getGoVersion() (string, error) {
```

I ran this command in a previous step and it does return a version in the format it is looking for:

```text
Run go env GOVERSION
  go env GOVERSION
  shell: /usr/bin/bash -e {0}
go1.19.5
```

Please let me know if I am missing anything!

Thanks in advance!

@cuixq cuixq added the question Further information is requested label Oct 30, 2023
another-rex (Collaborator) commented:

Thanks for the interest in the Github Action!

Couple of different things happening here:

  • The step exits in Github actions with Exit code: 127:

    The 127 exit code is from osv-scanner, however the github action should still be returning successfully with a 0 (The action should have a green tick next to it). Your workflow should still continue like normal.

  • The 127 exit code is indeed from the go binary not being found, though this should not actually be an error but just informational, since it's very unlikely for the same go binary version used to build the binary to be running in the osv-scanner CI. I will update this in the next release of osv-scanner.

  • The binary is not found because it is not added in the osv-scanner action Dockerfile (action.Dockerfile), since it doesn't make sense to report vulnerabilities with the osv-scanner's version of Go for your project. (osv-scanner does not catch Go/stdlib vulnerabilities #453)

  • We also recommend using google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@main (docs here). The osv-scanner action google/osv-scanner/actions/scanner@main is mostly an implementation detail in osv-scanner-reusable.yml at the moment. We know the reusable workflow is not as flexible as a standalone action, and in the future we want to improve it so it can be more easily used by itself.

If you can't use google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@main for some reason, can you describe the workflow you are trying to achieve?
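The point in the reply above is that a missing `go` binary in the scanner's container should degrade the scan (no stdlib version, no stdlib advisories) rather than abort it with a non-zero exit. The following is an added example of how such an enrichment step can be written defensively; it is not osv-scanner's own `getGoVersion` and the function names, the `stdlibEnrichment` type and the accepted version regex are assumptions for illustration. It resolves the binary with `exec.LookPath` first, so "not installed" is a distinguishable, non-fatal condition, and it only parses the `go1.x.y` format that `go env GOVERSION` prints.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// goVersionRe matches the output of `go env GOVERSION`, e.g. "go1.19.5" or
// "go1.21rc1", and captures the part after the "go" prefix. (Assumed format.)
var goVersionRe = regexp.MustCompile(`^go(\d+\.\d+(?:\.\d+)?(?:(?:rc|beta)\d+)?)$`)

// ErrGoNotInstalled is returned when no go binary is on PATH. Callers treat it
// as informational: the scan of go.mod can continue without stdlib enrichment.
var ErrGoNotInstalled = errors.New("go toolchain not found in PATH")

// parseGoVersion validates and strips the "go" prefix from GOVERSION output.
func parseGoVersion(raw string) (string, error) {
	m := goVersionRe.FindStringSubmatch(strings.TrimSpace(raw))
	if m == nil {
		return "", fmt.Errorf("unexpected GOVERSION output %q", strings.TrimSpace(raw))
	}
	return m[1], nil
}

// lookupGoVersion runs `<goBinary> env GOVERSION`. A binary that cannot be
// found yields ErrGoNotInstalled instead of the generic exec error, so the
// caller can tell "not installed" apart from "installed but broken".
func lookupGoVersion(goBinary string) (string, error) {
	path, err := exec.LookPath(goBinary)
	if err != nil {
		return "", ErrGoNotInstalled
	}
	out, err := exec.Command(path, "env", "GOVERSION").Output()
	if err != nil {
		return "", fmt.Errorf("running %s env GOVERSION: %w", goBinary, err)
	}
	return parseGoVersion(string(out))
}

// stdlibEnrichment is what the scan reports about the Go standard library:
// either a version to match against advisories, or a note explaining why
// no stdlib check was done. (Hypothetical type for this example.)
type stdlibEnrichment struct {
	Version string
	Note    string
}

// enrichStdlib never fails the scan: absence of go is downgraded to a note.
func enrichStdlib(goBinary string) stdlibEnrichment {
	v, err := lookupGoVersion(goBinary)
	switch {
	case err == nil:
		return stdlibEnrichment{Version: v}
	case errors.Is(err, ErrGoNotInstalled):
		return stdlibEnrichment{Note: "go not installed; skipping stdlib vulnerability check (informational)"}
	default:
		return stdlibEnrichment{Note: "could not determine go version: " + err.Error()}
	}
}

func main() {
	e := enrichStdlib("go")
	if e.Version != "" {
		fmt.Println("go stdlib version:", e.Version)
		return
	}
	fmt.Println("note:", e.Note)
}
```

Run it inside the action's container (where `go` is absent) and it prints the informational note and exits 0; run it on a runner with a toolchain and it prints the parsed version. The design choice is that the scanner's exit status should reflect findings in the lockfile, not the presence of an optional helper binary, which is exactly the behaviour change the maintainer describes.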

another-rex added a commit that referenced this issue Oct 31, 2023
as it's very likely to be found in a lot of circumstances (e.g. running
in CI).

See #620 for more context.
toddtee commented Oct 31, 2023

Thanks @another-rex, super informative. No, that makes complete sense. I am just trying to implement an osv-scan as part of pull request checks on a project of mine. I would like the pull request to be blocked from merge if there are any vulnerabilities found (or if that proves to be too harsh, at least report the vulnerabilities in the project's code analysis or in a comment on the PR or something).

I will have a go at utilising google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@main and see how it goes. Thanks a lot for the help, I am happy to close this one out for the time being as this will get me on my way.

Thanks again for the help.

@toddtee toddtee closed this as completed Oct 31, 2023
another-rex (Collaborator) commented:


Also have a look at google/osv-scanner/.github/workflows/osv-scanner-reusable-pr.yml@main (docs here: https://google.github.io/osv-scanner/github-action/#scans-on-prs), which is designed specifically for checking PRs for new vulnerabilities (it compares the target branch and the PR branch to only alert on new vulns).
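The PR workflow mentioned above works by scanning both the target branch and the PR branch and reporting only what is new, which is what a merge gate for "did this PR introduce a vulnerability" needs. As an added example, not the reusable workflow's own implementation, here is that comparison in Go over two JSON reports. The struct mirrors a subset of osv-scanner's `--format=json` layout (`results` → `packages` → `package`/`vulnerabilities`) as I recall it; treat the field set as an assumption. The two embedded reports and their `GO-EXAMPLE-*` identifiers are constructed sample data, not real scan output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// report is a reduced view of an osv-scanner JSON report (assumed subset of
// the real schema; only the fields needed for the comparison are kept).
type report struct {
	Results []struct {
		Packages []struct {
			Package struct {
				Name    string `json:"name"`
				Version string `json:"version"`
			} `json:"package"`
			Vulnerabilities []struct {
				ID string `json:"id"`
			} `json:"vulnerabilities"`
		} `json:"packages"`
	} `json:"results"`
}

// finding identifies one advisory against one package version. Keying on the
// version too means a bump that still carries the same advisory is "not new",
// while a downgrade that reintroduces an old one is.
type finding struct{ Package, Version, ID string }

func (f finding) String() string { return fmt.Sprintf("%s %s@%s", f.ID, f.Package, f.Version) }

// findings flattens a report into a set of (package, version, advisory id).
func findings(raw []byte) (map[finding]struct{}, error) {
	var r report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("parsing scan report: %w", err)
	}
	set := make(map[finding]struct{})
	for _, res := range r.Results {
		for _, p := range res.Packages {
			for _, v := range p.Vulnerabilities {
				set[finding{p.Package.Name, p.Package.Version, v.ID}] = struct{}{}
			}
		}
	}
	return set, nil
}

// newFindings returns the findings present in the PR-branch scan but absent
// from the target-branch scan, in a stable order for reporting.
func newFindings(baseJSON, prJSON []byte) ([]finding, error) {
	base, err := findings(baseJSON)
	if err != nil {
		return nil, err
	}
	pr, err := findings(prJSON)
	if err != nil {
		return nil, err
	}
	var out []finding
	for f := range pr {
		if _, known := base[f]; !known {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out, nil
}

// Constructed sample reports: the target branch already carries one advisory;
// the PR adds a dependency that carries another. Not real scanner output.
const baseScan = `{"results":[{"packages":[
  {"package":{"name":"example.com/libfoo","version":"1.2.3"},"vulnerabilities":[{"id":"GO-EXAMPLE-0001"}]}
]}]}`

const prScan = `{"results":[{"packages":[
  {"package":{"name":"example.com/libfoo","version":"1.2.3"},"vulnerabilities":[{"id":"GO-EXAMPLE-0001"}]},
  {"package":{"name":"example.com/newdep","version":"1.0.0"},"vulnerabilities":[{"id":"GO-EXAMPLE-0002"}]}
]}]}`

func main() {
	added, err := newFindings([]byte(baseScan), []byte(prScan))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if len(added) == 0 {
		fmt.Println("no new vulnerabilities introduced by this PR")
		return
	}
	for _, f := range added {
		fmt.Println("NEW:", f)
	}
	os.Exit(1) // non-zero only for newly introduced findings, so the PR check can gate the merge
}
```

Using a pre-existing finding as a suppression rather than failing on every known advisory is what keeps the check actionable: the author of a PR is only blocked by what their change introduced, while the full backlog remains visible in the target-branch scan.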
