vgo: add spurious dependency on v1.0.0

This dependency is vulnerable to GO-2020-0006.
The point of this commit is to serve as a test case for
automated vulnerability scanning of the Go repos.

Using the vgo repo because it contains nothing
important and is not imported by any of our other repos,
which means any report should be limited to x/vgo
and not affect other users.

Even if people did depend on x/vgo, govulncheck would
correctly identify that no code here calls the vulnerable
symbols in Only less precise
scanners would suggest that there is a problem.

Change-Id: I97dca1c146b84764e867128710cf262ea6b68276
Reviewed-by: Roland Shoemaker <>
Auto-Submit: Russ Cox <>
3 files changed
tree: 1ee504d3b4b1d7d3eff3123effef5af2ec32bddf
  1. vendor/
  2. codereview.cfg
  4. go.mod
  5. go.sum
  7. main.go
  8. patch.txt
  11. update.bash
  12. vulnerable.go

Versioned Go Command (vgo)

This repository holds a standalone implementation of a version-aware go command, allowing users with a Go 1.10 toolchain to use the new Go 1.11 module support.

The code in this repo is auto-generated from and should behave exactly like the Go 1.11 go command, with two changes:

  • It behaves as if the GO111MODULE variable defaults to on.
  • When using a Go 1.10 toolchain, go vet during go test is disabled.


Use go get -u

You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches


Please file bugs in the main Go issue tracker,, and put the prefix x/vgo: in the issue title, or cmd/go: if you have confirmed that the same bug is present in the Go 1.11 module support.

Thank you.