- Packaging improvements:
  * Add ExcludeArch: s390 to build with SLE-12. Go is supported on
    s390x but not available on s390.
  * Fix License: BSD-3-Clause, drop incorrect AND Apache-2.0 (forwarded request 1208472 from jfkw)

• Files Changed
• Browse Source

- Update to version 1.1.3:
  * internal/openvex: update handler test
  * LICENSE: update per Google Legal
  * internal/vulncheck: add warning message for ancient binaries
  * all: remove build restrictions requiring go1.18
  * cmd/govulncheck: clarify unsafe/reflection limitations
  * cmd/govulncheck: update docs for old Go binaries
  * internal/openvex: omit vulns with no findings
  * cmd/govulncheck/integration: adjust k8s expectations
  * all: remove skipIfShort
  * all: remove unnecessary test lines for staticcheck
  * internal/vulncheck: avoid recomputing if module is known
  * go.mod: update golang.org/x dependencies
  * internal/buildinfo: add support for ancient Go binaries
  * internal/goversion: comment out a printing line
  * internal/goversion: add package as copy of rsc.io/goversion/version
  * cmd/govulncheck: remove line about go version requirements
  * internal/vulncheck: improve documentation
  * internal/vulncheck: use module info when looking for symbols
  * internal/vulncheck: handle symbols ending with .
  * cmd/govulncheck/integration: make expectation check more robust
  * all: require go1.21
- Packaging improvements:
  * Build PIE with pattern that may become recommended procedure:
    %%ifnarch ppc64 GOFLAGS="-buildmode=pie" %%endif go build
    A go toolchain buildmode default config would be preferable
    but none exist at this time.
  * Update to BuildRequires: golang(API) >= 1.21 matching go.mod
  * Use name macro where applicable to normalize common lines
    across Go app packages. Also makes renaming binary easier when (forwarded request 1188075 from jfkw)

• Files Changed
• Browse Source

- Update to version 1.1.2:
  * internal/osv: add review status
  * vulncheck: update documentation for vex
  * cmd/govulncheck/integration/stackrox-scanner: update expectations
  * cmd/govulncheck/integration/k8s: update expectations
  * internal/govulncheck: add more comments for emitted OSVs
  * go.mod: update golang.org/x dependencies
  * internal/scan: increase telemetry counter for show flag
  * internal/scan: add format and scan level telemetry
  * internal/cmd/govulncheck: remove unnecessary binary dependency
  * cmd/govulncheck/integration: update go in integration tests
  * internal/openvex: add hash for doc ID
  * internal/openvex: add statements to handler
  * internal/openvex: add handler
  * all: remove test that runs govulncheck on govulncheck
  * internal/sarif: fix a typo
  * internal/scan: limit number of binary traces shown
  * cmd/govulncheck: record scan mode telemetry (forwarded request 1179095 from jfkw)

• Files Changed
• Browse Source

- Update to version 1.1.1:
  * all: remove unit tests for staticcheck, unparam, and spellcheck
  * internal/sarif,cmd/govulncheck: publicize sarif
  * internal/vulncheck: load source code for scan symbol mode only
  * all: update golang.org/x/tools
  * internal/vulncheck: emit progress message instead of warning
  * internal/scan: improve textual output for binary traces
  * internal/buildinfo: avoid panic on nil symbol for elf
  * internal/sarif: improve GOMODCACHE relative paths
  * internal/sarif: add version to module info for locations
  * internal/sarif: remove originalURIBaseIds
  * go.mod: update golang.org/x dependencies
  * internal/gosym: preallocate inlined call slice
  * internal/vulncheck: improve progress message for binaries
  * internal/vulncheck: emit fetch db and vuln checking progress messages
  * internal/scan: print progress messages only in verbose mode
  * internal/scan: refactor flag usage in text handler
  * Revert "internal/scan: disallow multiple patterns in source mode"
  * internal/sarif: add missing required Message field
  * internal/scan: disallow multiple patterns in source mode
  * internal/vulncheck: use new improved DeleteSyntheticNodes (forwarded request 1176498 from jfkw)

• Files Changed
• Browse Source

- Update to version 1.1.0:
  * internal/openvex: add vex types
  * internal/sarif: compute relative paths for findings
  * internal/sarif: remove unused field
  * go.mod: update golang.org/x dependencies
  * internal/sarif,internal/scan,internal/traces: clean up tests
  * internal/sarif: add region part of the physical location
  * internal/sarif: add code flows
  * cmd/govulncheck: clean up test
  * cmd/govulncheck: make test case config data
  * cmd/govulncheck: add comment capability to fixups
  * cmd/govulncheck: remove unnecessary fixups
  * cmd/govulncheck: make fixup part of a test case
  * cmd/govulncheck: extract stdlib into special test case
  * cmd/govulncheck: restore parallelism for tests
  * cmd/govulncheck: add nogomod test case
  * cmd/govulncheck: restructure testdata tests
  * cmd/govulncheck: add sarif test for binaries
  * internal/sarif: add stacks
  * internal/sarif: add result message
  * internal/vulncheck: get correctly package for instantiated functions
  * internal/sarif: add result stubs to run object
  * internal/govulncheck: add scan mode to config
  * internal/vulncheck: delete only synthetic nodes not related to generics
  * internal/scan: add more info to validation errors
  * internal/sarif: add rules
  * internal/scan: fix name of the error variable
  * internal/sarif: add handler
  * internal/scan: add sarif flag
  * internal/scan: add types for format, show, mode, and scan flags (forwarded request 1168420 from jfkw)

• Files Changed
• Browse Source

- Update to version 1.0.4:
  * cmd/govulncheck: mask line numbers and columns
  * internal/scan: remove redundant new lines
  * internal/vulncheck: add position for sinks in findings' trace
  * internal/scan: put -show <option> into single quotes
  * internal/buildinfo: do module-level analysis with no PCLN table
  * internal/scan: add a newline after summary
  * internal/test: add more info on GoBuild failures
  * internal/scan: remove extra dot in a comment
  * cmd/govulncheck: fix vendor test
  * internal/vulncheck: refactor a loop with an append
  * cmd/govulncheck: fix stripped bin test
  * cmd/govulncheck: update vendor tests
  * cmd/govulncheck: add more tests and reorganize them
  * internal/vulncheck: add package and module mode for binaries
  * internal/scan: replace Source with Symbol in text output
  * internal/scan: fix error statuses for scan={package|module}
  * internal/scan: add -show verbose flag
  * internal/scan: overhaul text output
  * internal/scan: simplify redundant error checking
  * internal/scan: add scan level to testdata
  * cmd/govulncheck/integration: update expectations for stackrox
  * internal/vulncheck: support osv entries with no pkg info
  * internal/vulncheck: remove redundant symbol check
  * internal/vulncheck: simplify vulnerability detection

- Update to version 1.0.3:
  * internal/scan: add binary extract mode
  * internal/scan, vulncheck: use packages.load for mod info
  * internal/govulncheck: briefly explain streaming JSON

• Files Changed
• Browse Source

- Update to version 1.0.2: (forwarded request 1139543 from jfkw)

• Files Changed
• Browse Source

- Update to version 1.0.1:
  * all: go get golang.org/x/tools@74c255b
  * internal/scan: change the way convert mode works
  * internal/scan: add -version flag
  * internal/vulncheck/internal/gosym: fix typo
  * internal/gosym: update binary mode version parsing
  * internal/scan: refactor to remove redundant code
  * vulncheck/internal/gosym: add support for go versions > 1.20
  * internal/vulncheck/internal/buildinfo: skip failing tests
  * cmd/govulncheck: skip TestCommand in short mode
- _service add setversion to automatically update spec Version (forwarded request 1113318 from jfkw)

• Files Changed
• Browse Source

- Correction of license based on legaldb scan
  Add Apache 2.0 for google/go-cmdtest and
  vendor/github.com/google/renameio (forwarded request 1110619 from lkocman)

• Files Changed
• Browse Source

New package govulncheck version 1.0.0 is a CLI tool to report known CVE vulnerabilities in Go source code and binaries.

• Browse Source