vulndb/govulncheck: surface unreachable vulns

Surface vulnerabilities in imported packages which are not reachable in
the call graph. Additionally we pre-filter vulnerabilities which do not
apply to the versions used, skipping unnecessary analysis.

Change-Id: If845a376406cd079a5f96935f419e6af5eabd76c
Reviewed-on: https://go-review.googlesource.com/c/exp/+/335171
Trust: Roland Shoemaker <roland@golang.org>
Trust: Zvonimir Pavlinovic <zpavlinovic@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
2 files changed
tree: 6b93b7725598b13c277e7beb80662033cce56009
  1. apidiff/
  2. cmd/
  3. ebnf/
  4. ebnflint/
  5. errors/
  6. event/
  7. fsnotify/
  8. inotify/
  9. internal/
  10. io/
  11. jsonrpc2/
  12. mmap/
  13. rand/
  14. shiny/
  15. shootout/
  16. sumdb/
  17. utf8string/
  18. vulndb/
  19. winfsnotify/
  20. .gitattributes
  21. .gitignore
  22. AUTHORS
  23. codereview.cfg
  24. CONTRIBUTING.md
  25. CONTRIBUTORS
  26. go.mod
  27. go.sum
  28. LICENSE
  29. PATENTS
  30. README.md
README.md

exp

PkgGoDev

This subrepository holds experimental and deprecated (in the old directory) packages.

The idea for this subrepository originated as the pkg/exp directory of the main repository, but its presence there made it unavailable to users of the binary downloads of the Go installation. The subrepository has therefore been created to make it possible to go get these packages.

Warning: Packages here are experimental and unreliable. Some may one day be promoted to the main repository or other subrepository, or they may be modified arbitrarily or even disappear altogether.

In short, code in this subrepository is not subject to the Go 1 compatibility promise. (No subrepo is, but the promise is even more likely to be violated by go.exp than the others.)

Caveat emptor.