internal/worker: add modules mode to govulncheck pipeline

This is accomplished by using the newest version of govulncheck. The
tool now produces streaming JSON where it emits findings at every level
of precision (module, package, symbol) as it does work.

We thus collect all findings produced by govulncheck and convert them to
Vuln structure right before we save it rows. This simplifies matters. The
ecosystem metrics handler for govulncheck JSON is now trivial. The code
operates on govulncheck.Findings and lets vulnsForMode do the conversion
to Vuln in a single (last) step. Vuln also does not need Called field.

Change-Id: I73651a91b2707d9afd1e667ea4cedb371e763c73
Reviewed-by: Maceo Thompson <>
LUCI-TryBot-Result: Go LUCI <>
Reviewed-by: Jonathan Amsterdam <>
TryBot-Result: Gopher Robot <>
Run-TryBot: Zvonimir Pavlinovic <>
9 files changed
tree: f1f629e2c8a00a10edb44d02590b03d08fbd4c65
  1. cmd/
  2. deploy/
  3. devtools/
  4. internal/
  5. terraform/
  6. .dockerignore
  7. .gitignore
  8. all_test.go
  9. checks.bash
  10. config.json.commented
  12. go.mod
  13. go.sum
  15. Makefile
  18. tools.go


This repository contains code that serves

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the time repository is located at Prefix your issue with “x/pkgsite-metrics:” in the subject line, so it is easy to find.