mirror of https://github.com/golang/go.git
Vulnerabilities associated with a module should be suppressed after the module is updated.

Previously, we checked whether the module version in the go.mod 'require' matches the FoundVersion reported by the vulncheck. However, we realized that we cannot always assume the module version in 'require' is the actually used module version (due to how minimal version selection works, and how exclude/replace affect it). Instead, check whether the module version is newer than or equal to the suggested fixed version; if this go.mod 'require' is newer, assume that the user has updated the module already and suppress diagnostics about the module.

This is not perfect, but a heuristic to reduce confusion from the stale vulncheck report right after applying the quick fixes and upgrading modules.

Change-Id: I40f4c3e70b19af3f6edd98f30de3ccb7a6bd7498
Reviewed-on: https://go-review.googlesource.com/c/tools/+/450277
Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
Reviewed-by: Suzy Mueller <suzmue@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Robert Findley <rfindley@google.com>
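The heuristic the commit message describes, as an added illustration that is not the gopls code itself: parse the `require` entries of a go.mod file, compare the required version of a module against the vulnerability's fixed version, and suppress the finding only when the required version is at or above the fix. The `Vuln` struct, the `sampleGoMod` text and the `EXAMPLE-000n` findings are all constructed for this example; the version comparison is a small hand-written semver ordering (standard library only) rather than the `golang.org/x/mod/semver` package. Note the edge the commit message itself points out: the `require` version is only a proxy for the selected build-list version, so this remains a heuristic, and a pre-release such as `v0.9.2-beta.1` correctly ranks below the `v0.9.2` fix and is not suppressed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod text (not from any real project).
const sampleGoMod = `module example.com/app

go 1.19

require (
	example.com/netlib v1.4.0
	example.com/parser v0.9.2-beta.1 // indirect
	example.com/crypto v2.0.0+incompatible
)
`

// Vuln is a minimal, hypothetical stand-in for one vulncheck finding.
type Vuln struct {
	ID           string
	ModulePath   string
	FoundVersion string // version vulncheck observed in the build list
	FixedVersion string // first version containing the fix; "" if none known
}

// parseRequires extracts module path -> version from the require block(s)
// and single-line require directives of go.mod text.
func parseRequires(src string) map[string]string {
	out := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock || strings.HasPrefix(line, "require "):
			f := strings.Fields(strings.TrimPrefix(line, "require"))
			if len(f) >= 2 {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// splitVersion turns "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric core
// and pre-release tag; build metadata is ignored, as semver requires.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	var core [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p) // malformed parts compare as 0
		core[i] = n
	}
	return core, pre
}

// comparePrerelease orders dot-separated pre-release identifiers:
// numeric parts compare numerically and rank below alphanumeric ones,
// and a longer list wins when all shared parts are equal.
func comparePrerelease(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		na, ea := strconv.Atoi(as[i])
		nb, eb := strconv.Atoi(bs[i])
		switch {
		case ea == nil && eb == nil:
			if na != nb {
				if na < nb {
					return -1
				}
				return 1
			}
		case ea == nil:
			return -1
		case eb == nil:
			return 1
		default:
			if c := strings.Compare(as[i], bs[i]); c != 0 {
				return c
			}
		}
	}
	switch {
	case len(as) < len(bs):
		return -1
	case len(as) > len(bs):
		return 1
	}
	return 0
}

// compareVersions returns -1, 0 or 1 ordering a against b; a version without a
// pre-release tag ranks above the same core version with one.
func compareVersions(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return comparePrerelease(pa, pb)
}

// shouldSuppress applies the heuristic from the commit message: if go.mod
// already requires a version at or above the fixed version, treat the finding
// as stale. It never suppresses a finding with no known fix or for a module
// that go.mod does not require directly.
func shouldSuppress(requires map[string]string, v Vuln) bool {
	req, ok := requires[v.ModulePath]
	if !ok || v.FixedVersion == "" {
		return false
	}
	return compareVersions(req, v.FixedVersion) >= 0
}

func main() {
	requires := parseRequires(sampleGoMod)
	findings := []Vuln{ // constructed findings, not real advisories
		{"EXAMPLE-0001", "example.com/netlib", "v1.3.0", "v1.4.0"},
		{"EXAMPLE-0002", "example.com/parser", "v0.9.1", "v0.9.2"},
		{"EXAMPLE-0003", "example.com/crypto", "v2.0.0+incompatible", ""},
	}
	for _, f := range findings {
		fmt.Printf("%s %s required=%s fixed=%q suppress=%v\n",
			f.ID, f.ModulePath, requires[f.ModulePath], f.FixedVersion, shouldSuppress(requires, f))
	}
}
```

Running it suppresses only `EXAMPLE-0001`, where go.mod already requires the fixed `v1.4.0`; the pre-release `parser` requirement and the finding with no fixed version stay visible. Because a `replace` or `exclude` directive, or minimal version selection across the module graph, can make the selected version differ from the `require` line, a diagnostics consumer should treat a suppressed finding as "probably stale" and re-run vulncheck to confirm.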
| Path |
|---|
| .. |
| coverage |
| govulncheck |
| hooks |
| lsp |
| regtest |
| robustio |
| span |
| vulncheck |
| migrate.sh |