Skip to content

GODRIVER-2540 Run govulncheck in CI builds. #2136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 25, 2025
Merged

GODRIVER-2540 Run govulncheck in CI builds. #2136

merged 1 commit into from
Jul 25, 2025

Conversation

matthewdale
Copy link
Collaborator

GODRIVER-2540

Summary

Run govulncheck using Go 1.24.5 in CI builds.

Background & Motivation

govulncheck is a dependency vulnerability checker that can check if a Go project actually imports the vulnerable package from an impacted module. If a dependency has a CVE filed against it, but only a subset of packages in the module are vulnerable and the scanned Go project doesn't import the vulnerable package, govulncheck will report no vulnerability.

@matthewdale matthewdale requested a review from a team as a code owner July 24, 2025 04:48
@matthewdale matthewdale requested a review from qingyang-hu July 24, 2025 04:48
@matthewdale matthewdale force-pushed the godriver2540-govulncheck branch from 6b552c7 to 72bb4c4 Compare July 24, 2025 04:54
@mongodb-drivers-pr-bot mongodb-drivers-pr-bot bot added the review-priority-low Low Priority PR for Review: within 3 business days label Jul 24, 2025
@mongodb-drivers-pr-bot
Copy link
Contributor

API Change Report

No changes found!

@matthewdale matthewdale merged commit d6f7f63 into mongodb:master Jul 25, 2025
29 of 33 checks passed
prestonvasquez pushed a commit to prestonvasquez/mongo-go-driver that referenced this pull request Jul 31, 2025
@matthewdale @prestonvasquez
GODRIVER-2540 Run govulncheck in CI builds. (mongodb#2136)
1b11849
alcaeus added a commit that referenced this pull request Aug 5, 2025
@alcaeus
Resolve conflicts in master
49d4409 
* master: (65 commits)
  Replace all uses of 'interface{}' with 'any' in the bson package. (#2138)
  GODRIVER-3473 Short-cicruit cursor.next() on invalid timeouts (#2135)
  GODRIVER-3622 Automatically retry some test tasks. (#2147)
  Replace all uses of 'interface{}' with 'any' in the repo docs. (#2142)
  GODRIVER-3102: Perf comparison (#2134)
  GODRIVER-3587 Use raw bytes in valueReader (#2120)
  Replace all uses of 'interface{}' with 'any' in the internal/ packages. (#2140)
  Replace all uses of 'interface{}' with 'any' in the x/ packages. (#2137)
  GODRIVER-2016 Unskip all Transactions unified spec tests. (#2132)
  GODRIVER-2540 Run govulncheck in CI builds. (#2136)
  GODRIVER-3549 Update Client BulkWrite prose tests. (#2131)
  Add guidelines for contributing features to the Go Driver (#2125)
  Bump alcaeus/automatic-merge-up-action from 1.0.0 to 1.0.1 in the actions group (#2126)
  Add wrappedMsgOnly to mongo.MarshalError and mongo.MongocryptError.
  Bump testdata/specifications from `db69351` to `6689929`
  fix wiremessage oob in case of intmin (#2076)
  GODRIVER-3399: PoolClearedError should have TransientTransactionError label appended to it (#2114)
  PR feedback.
  Prevent integration tests from running when testing with -short
  Skip AWS Test if no URI (#2102)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qingyang-hu qingyang-hu qingyang-hu approved these changes

Assignees

No one assigned

Labels

review-priority-low Low Priority PR for Review: within 3 business days

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matthewdale @qingyang-hu