govulncheck$ go version
go version go1.17.9 linux/amd64
$ go1.18.6 version
go version go1.18.6 linux/amd64
我的模块是用 1.18.6 构建和运行的。我govulncheck使用以下命令使用 go 1.18.6 安装:
$ go1.18.6 install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20220913170424-c9fe2ba7ccad
go: downloading golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
go: downloading golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3
go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
但是当我运行govulncheck ./...我的模块时,它报告了针对 Go 1.17.9 的问题。
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 5 known vulnerabilities.
Vulnerability #1: GO-2022-0524
Calling Reader.Read on an archive containing a large number of
concatenated 0-length compressed files can cause a panic due to
stack exhaustion.
Call stacks in your code:
path/omitted/example.go:79:67: example.com/example-project/path/omitted/example.Method calls example.com/vulnerable-dependency/path/omitted/example.Foo.Bar, which eventually calls compress/gzip.Reader.Read
Found in: compress/gzip@go1.17.9
Fixed in: compress/gzip@go1.18.4
More info: https://pkg.go.dev/vuln/GO-2022-0524
(etc)
该示例问题已在我使用的 Go 版本 (1.18.6) 中修复,但由于govulncheck使用的是 1.17.9 而不是 1.18.6,因此没有看到问题得到缓解。
如何使用我想要的 Go 版本运行此工具?