Description
OSV-Scanner currently appears to use the go version in go.mod to emit Go-version-related warnings and/or make decisions.
However, the go directive is a minimum language version for the module, not the actual Go toolchain used to build or run the project. Many projects intentionally keep the go directive lower than their real toolchain version for compatibility.
This becomes more confusing starting with Go 1.26: go mod init will default the go directive to a version behind the toolchain (e.g. using Go 1.26.x creates go 1.25.0, and 1.26 pre-releases may create an even lower version). As a result, warnings based only on go.mod can be incorrect by design.
Why this is a problem:
- The `go` directive is not the toolchain version.
- The `toolchain` directive is optional and may be missing.
- Many repos intentionally keep `go` lower than the actual toolchain they use in CI/build.
Expected behavior:
- Do not emit warnings or make vulnerability-related decisions based only on the `go` directive in `go.mod`.
- If the actual toolchain version is required, use an explicit source (for example: user input, CI/build configuration, or another reliable runtime/build signal). Otherwise, avoid toolchain-version assumptions.
Actual behavior:
- Warnings are emitted using the `go` version in `go.mod`, which can be intentionally old and may not match the real toolchain.
Example:
```
module example.com/foo

go 1.24
```
The project may actually build with Go 1.26, but warnings are based on 1.24.
Impact:
This can cause false warnings and confusion for users.
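The resolution order the issue asks for, as an added example that is not OSV-Scanner's own code: parse the `go` and `toolchain` directives from a `go.mod`, then pick a toolchain version from an explicit input first, from the `toolchain` directive second, and otherwise make no assumption and emit no warning. The `go` directive is read but never used for the decision. The minimal scanner, the `ResolveToolchain`/`ToolchainWarning` names and the sample `go.mod` contents are assumptions made for this example (a real implementation would use `golang.org/x/mod/modfile`, and the warning text is a placeholder, not the scanner's actual message).

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// ModDirectives holds the two version lines a go.mod can carry. The go
// directive is the minimum language version of the module; the optional
// toolchain directive names the toolchain the module asks for. Neither is
// guaranteed to be the toolchain that actually built or runs the project.
type ModDirectives struct {
	Go        string // e.g. "1.24" or "1.25.0"; "" if absent
	Toolchain string // e.g. "1.26.1" (the "go" prefix stripped); "" if absent or "default"
}

// ParseGoMod extracts the go and toolchain directives with a minimal line
// scanner. Assumption (illustrative only): single-line directives and line
// comments; real code would use golang.org/x/mod/modfile.
func ParseGoMod(src string) ModDirectives {
	var d ModDirectives
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		switch fields[0] {
		case "go":
			d.Go = fields[1]
		case "toolchain":
			// "toolchain default" expresses no toolchain preference, so treat it as absent.
			if fields[1] != "default" {
				d.Toolchain = strings.TrimPrefix(fields[1], "go")
			}
		}
	}
	return d
}

// ToolchainSource records where a resolved toolchain version came from, so a
// caller can decide how much to trust it.
type ToolchainSource string

const (
	SourceExplicit  ToolchainSource = "explicit"  // user input or CI/build configuration
	SourceDirective ToolchainSource = "toolchain" // toolchain directive in go.mod
	SourceUnknown   ToolchainSource = "unknown"   // no reliable signal; make no assumption
)

// ResolveToolchain picks the toolchain version to reason about, in precedence
// order: an explicit value (flag, env, CI config), then the toolchain
// directive, then nothing. The go directive is deliberately never consulted.
func ResolveToolchain(explicit string, d ModDirectives) (string, ToolchainSource) {
	if explicit != "" {
		return strings.TrimPrefix(explicit, "go"), SourceExplicit
	}
	if d.Toolchain != "" {
		return d.Toolchain, SourceDirective
	}
	return "", SourceUnknown
}

// ToolchainWarning returns a placeholder toolchain-related warning only when
// the version came from a reliable source; otherwise it returns "" (no
// warning), which is the behaviour the issue asks for.
func ToolchainWarning(explicit string, d ModDirectives) string {
	v, src := ResolveToolchain(explicit, d)
	if src == SourceUnknown {
		return ""
	}
	return fmt.Sprintf("toolchain %s (from %s)", v, src)
}

// Constructed sample go.mod files for this example (not from any real project).
const (
	sampleGoMod          = "module example.com/foo\n\ngo 1.24\n"
	sampleGoModToolchain = "module example.com/foo\n\ngo 1.24\ntoolchain go1.26.1 // pinned by the maintainers\n"
)

func main() {
	for _, src := range []string{sampleGoMod, sampleGoModToolchain} {
		d := ParseGoMod(src)
		fmt.Printf("go=%q toolchain=%q\n", d.Go, d.Toolchain)
		fmt.Printf("  no explicit input: %q\n", ToolchainWarning("", d))
		fmt.Printf("  CI says go1.26.0:  %q\n", ToolchainWarning("go1.26.0", d))
	}
}
```

With the first sample (`go 1.24`, no `toolchain` line) and no explicit input, `ResolveToolchain` reports `unknown` and no warning is produced, even though the `go` directive is 1.24; supplying `go1.26.0` from CI, or adding a `toolchain` directive, yields a version with its provenance attached.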