From: "Einar Bjarni Halldórsson" <ei...@isnic.is>
Date: Tuesday, 25 March 2025 11:12
To: ports@freebsd.org
Subject: govulncheck in `make test`
Hi,

I maintain two Go ports and I've recently started using govulncheck for other Go projects (there's a PR to commit govulncheck to ports). govulncheck checks all dependencies of a Go project against the vulnerability database at https://vuln.go.dev/ and warns if your code is calling vulnerable code.

Would it be advisable to add test code to Go projects to always call govulncheck? It would add a TEST_DEPENDS on govulncheck (which hasn't been committed yet) and it calls the vuln db at Google.

Thoughts?

.einar
I don't think the test code of a port is run very often. E.g. the official package builders don't run it.

What I think would be useful is a service that periodically runs govulncheck on all Go ports, updates a dashboard with the outcome and sends a mail to the port maintainer. A bit like https://portsfallout.com/.

Regards,
Ronald.
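An added example, written for this page and not taken from either message, from govulncheck or from the ports tree: a small Go triage tool of the kind both proposals would need behind them, whether it is wired into a port's do-test target (Einar's question) or driven by a periodic scanner that mails maintainers (Ronald's suggestion). It reads the stream that `govulncheck -json ./...` writes and separates findings where the port's code actually reaches a vulnerable function from findings where a vulnerable module is merely required, which is the distinction govulncheck's call-graph analysis exists for. The object and field names (`finding`, `osv`, `fixed_version`, `trace`, `module`, `version`, `package`, `function`) are assumed from govulncheck's JSON output rather than copied from its source, and the embedded sample stream with its GO-0000-* ids and example.com module paths is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Subset of the objects in a `govulncheck -json` stream. Each object carries one
// of "config", "progress", "osv" or "finding"; only findings are decoded here.
// Field names are assumed from govulncheck's output, not taken from its source.
type message struct {
	Finding *finding `json:"finding"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// frame is one trace entry: the first names the vulnerable module, package or
// function, the last one lies in the scanned code.
type frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Level is how precisely govulncheck tied the vulnerability to the port's code.
type Level int

const (
	LevelModule  Level = iota + 1 // the vulnerable module version is merely required
	LevelPackage                  // a vulnerable package is imported
	LevelSymbol                   // a vulnerable function is reachable from the code
)

func (l Level) String() string { return []string{"none", "module", "package", "symbol"}[l] }

// Report is the most precise finding seen for one OSV id.
type Report struct {
	Level                         Level
	Module, Version, FixedVersion string
}

// levelOf reads the level off the first trace entry.
func levelOf(top frame) Level {
	switch {
	case top.Function != "":
		return LevelSymbol
	case top.Package != "":
		return LevelPackage
	}
	return LevelModule
}

// Triage folds the stream into one Report per OSV id. govulncheck emits the
// module-, package- and symbol-level findings for one id as separate objects,
// so the most precise level seen wins; objects without a finding are skipped.
func Triage(r io.Reader) (map[string]Report, error) {
	dec := json.NewDecoder(r)
	reports := map[string]Report{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		f, top := m.Finding, m.Finding.Trace[0]
		if lvl := levelOf(top); reports[f.OSV].Level < lvl {
			reports[f.OSV] = Report{Level: lvl, Module: top.Module, Version: top.Version, FixedVersion: f.FixedVersion}
		}
	}
	return reports, nil
}

// Reachable returns, sorted, the ids whose vulnerable function the port really
// calls: the ones worth a mail to the maintainer. Module-only findings are
// dashboard material, not alerts.
func Reachable(reports map[string]Report) []string {
	var ids []string
	for id, rep := range reports {
		if rep.Level == LevelSymbol {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// sampleStream is a constructed stand-in for `govulncheck -json ./...` output;
// the GO-0000-* ids and example.com module paths are invented for this example.
const sampleStream = `
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/dep", "version": "v1.2.0"}]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/dep", "version": "v1.2.0", "package": "example.com/dep/parse"}]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": [{"module": "example.com/dep", "version": "v1.2.0", "package": "example.com/dep/parse", "function": "Decode"}, {"module": "example.com/port", "package": "example.com/port/cmd", "function": "main"}]}}
{"finding": {"osv": "GO-0000-0002", "fixed_version": "v0.9.1", "trace": [{"module": "example.com/other", "version": "v0.9.0"}]}}
`

// Usage: `govulncheck -json ./... | go run triage.go`, or `go run triage.go -sample`
// for the constructed stream. Exit status 1 means a vulnerable function is
// reachable, the condition a do-test target or a periodic scanner would act on.
func main() {
	var in io.Reader = os.Stdin
	if len(os.Args) > 1 && os.Args[1] == "-sample" {
		in = strings.NewReader(sampleStream)
	}
	reports, err := Triage(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for id, r := range reports {
		fmt.Printf("%s\t%s\t%s@%s\tfixed in %s\n", id, r.Level, r.Module, r.Version, r.FixedVersion)
	}
	if hit := Reachable(reports); len(hit) > 0 {
		fmt.Println("reachable vulnerable code:", strings.Join(hit, ", "))
		os.Exit(1)
	}
}
```

On the constructed stream the tool reports GO-0000-0001 at symbol level (the port's `main` reaches `parse.Decode`) and GO-0000-0002 at module level only, and exits 1 because of the first. A scanner of the kind Ronald describes would run this per port under the port's own module directory and mail only the `Reachable` list; the module-only entries still belong on the dashboard, since a later import or an updated vulnerability entry can promote them. Note that govulncheck still contacts https://vuln.go.dev/ (or whatever its `-db` flag points at) for the database itself, so the network concern Einar raises does not go away, it only moves out of the package build.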