x/vuln: feature request: govulncheck needs a (-f json) format option to output valid JSON for CI/CD tools to make decisions on the fly

[GeorgeDavis-TriumphTech]

What version of Go are you using (go version)?

$ go version
go version go1.20.4 linux/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

Yes, I installed it using go install golang.org/x/vuln/cmd/govulncheck@latest. govulncheck does not have a govulncheck -v command to confirm.

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.4"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/go/src/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build817421039=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ govulncheck -json ./... > govuln-output.json
{
  "config": {
    "version": "govulncheck@v0.0.0",
    "data_source": "https://vuln.go.dev",
    "last_modified": "2023-05-11T18:59:56Z",
    "go_version": "go1.20.4"
  }
}
{
  "progress": {
    "message": "Scanning your code and 266 packages across 30 dependent modules for known vulnerabilities..."
  }
}

What did you expect to see?

A full output of the govulncheck -json ./... command with the vulnerabilities listed in proper JSON format.

What did you see instead?

Bunch of JSON objects serialized to stdout with interrupts such that the > could not write complete output to file. I tried other options to write the complete file using 2>&1 | tee, still no luck.

[GeorgeDavis-TriumphTech]

I need the -json output so that my DevOps tools can read the output using jq and give a short summary within the CI/CD pipeline.

[heschi]

cc @golang/vulndb

[seankhliao]

I don't think there's a bug here? this is the proper way of streaming json events, each event is its own json object, separated by newlines

[seankhliao]

This is consistent with go list -json and go test -json

[GeorgeDavis-TriumphTech]

@seankhliao I see the consistency with go list and go test.

What is the best way to write the output of govulncheck -json to a file?

[GeorgeDavis-TriumphTech]

cc @golang/vulndb, @heschi Could you please help me find a response for the last request? Thank you.

[heschi]

Unlike many projects, the Go project does not use GitHub Issues for general discussion or asking questions. Please see https://github.com/golang/go/wiki/Questions for places to ask questions.

[GeorgeDavis-TriumphTech]

@heschi govulncheck does not work for DevOps and CI/CD use cases if I cannot parse streaming data into a JSON file and run jq on it to summarize the findings. To me and several folks like me who are doing the same thing, it is an issue.

govulncheck -json might not be the JSON output format that I thought it was but the feature required here is to be able to write valid JSON into a file.

If not an issue, please consider this a feature request. I will modify the issue to reflect feature request.

[GeorgeDavis-TriumphTech]

Much like #59552.

@julieqiu Could you please share your comments on this feature request?

[ianthehat]

govulncheck does produce json that jq can cope with as a stream of json objects, and it writes that json to stdout in a completely normal fashion.
I do not think there is any way that govulncheck could be preventing you from writing it's stdout to a file.
I am not sure what the problem you are having is, the problem as explained in your original post seems to work just fine for me, so without more information I do not believe that it is an issue with govulncheck itself.

$ govulncheck -json ./... > govuln-output.json
$ jq .config.scanner_name govuln-output.json
"govulncheck"
null

While we and the community is normally happy to help with these kinds of problems the issue tracker is not where we have those kinds of conversations.
If you find that there really is a bug in govulncheck that needs fixing, then please re-open this issue with more complete reproduction details.
Thanks.

[GeorgeDavis-TriumphTech]

When we run govulncheck --help, it does say -json output JSON, it could be made clear that it is not valid JSON but streaming json events.

george@Georges-MBP goapi % govulncheck --help       
Govulncheck is a tool for finding known vulnerabilities.

Usage:
...
  -json
    	output JSON
...
...

For details, see https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck.

[GeorgeDavis-TriumphTech]

@ianthehat I will try govulncheck -json ./... > govuln-output.json again. Thank you.

[seankhliao]

The output is valid json.
If you need a single json document, search for something like "jq stream to array"

[GeorgeDavis-TriumphTech]

@ianthehat @seankhliao Thank you for your comments. This is how I am running the command @ianthehat provided, on Docker interactive (golang:latest). Notice the JSON output is cut halfway.

I just noticed it works fine when running directly on macOS (zsh/go version 1.19.4).

george@Georges-MBP goapi % docker run -it -v .:/go/src golang:latest /bin/sh
# cd /go/src
# go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.1.0
go: downloading golang.org/x/mod v0.10.0
go: downloading golang.org/x/tools v0.8.1-0.20230421161920-b9619ee54b47
go: downloading golang.org/x/sync v0.1.0
go: downloading golang.org/x/sys v0.7.0
# govulncheck -json ./... > govuln-output.json
# cat govuln-output.json
{
  "config": {
    "version": "govulncheck@v0.0.0",
    "data_source": "https://vuln.go.dev",
    "last_modified": "2023-05-18T20:38:56Z",
    "go_version": "go1.20.4"
  }
}
{
  "progress": {
    "message": "Scanning your code and 265 packages across 30 dependent modules for known vulnerabilities..."
  }
}
# go version
go version go1.20.4 linux/arm64
# uname -a
Linux 155009661e9a 5.15.49-linuxkit #1 SMP PREEMPT Tue Sep 13 07:51:32 UTC 2022 aarch64 GNU/Linux
# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
# 

[GeorgeDavis-TriumphTech]

Trying to get to the bottom of the issue, I tried govulncheck -json ./... > govuln-output.json in multiple Go versions, on macOS.

go1.19.[4-7] - Works by displaying full JSON. Starting go1.19.[8-9] - Only prints config and progress JSON events and stops writing to file. I also tried go1.20.4 (latest) - Only prints config and progress JSON events and stops writing to file

[ianthehat]

Again, the issue tracker is not where we have these conversations. I will reply this one last time, please move this conversation somewhere else if you wish to continue it.

If it only prints config and progress, it is because it found no vulnerabilities that affect your code. The report will vary with the go version, because that changes the version of the stdlib, which changes the vulnerabilies that affect it. Nothing is cut off, everything seems to be working exactly as expected.