vgo: add spurious dependency on github.com/miekg/dns v1.0.0

This dependency is vulnerable to GO-2020-0006.
The point of this commit is to serve as a test case for
automated vulnerability scanning of the Go repos.

Using the vgo repo because it contains nothing
important and is not imported by any of our other repos,
which means any report should be limited to x/vgo
and not affect other users.

Even if people did depend on x/vgo, govulncheck would
correctly identify that no code here calls the vulnerable
symbols in github.com/miekg/dns. Only less precise
scanners would suggest that there is a problem.

Change-Id: I97dca1c146b84764e867128710cf262ea6b68276
Reviewed-on: https://go-review.googlesource.com/c/vgo/+/446055
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
diff --git a/go.mod b/go.mod
index 8b211da..6876fe7 100644
--- a/go.mod
+++ b/go.mod
@@ -1 +1,24 @@
+go 1.18
+
 module golang.org/x/vgo
+
+// This dependency is vulnerable to GO-2020-0006.
+// The point of this commit is to serve as a test case for
+// automated vulnerability scanning of the Go repos.
+//
+// Using the tour repo because it contains nothing
+// important and is not imported by any of our other repos,
+// which means any report should be limited to x/tour
+// and not affect other users.
+//
+// Even if people did depend on x/tour, govulncheck would
+// correctly identify that no code here calls the vulnerable
+// symbols in github.com/miekg/dns. Only less precise
+// scanners would suggest that there is a problem.
+require github.com/miekg/dns v1.0.0
+
+require (
+	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/net v0.1.0 // indirect
+	golang.org/x/sys v0.1.0 // indirect
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..7af1a4f
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,8 @@
+github.com/miekg/dns v1.0.0 h1:DZ3fdvcFXfWew8XOY+33+MqAcCnqDrGsnt3kK8yf4Hg=
+github.com/miekg/dns v1.0.0/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
+golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/vulnerable.go b/vulnerable.go
new file mode 100644
index 0000000..fc22fbc
--- /dev/null
+++ b/vulnerable.go
@@ -0,0 +1,11 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This file exists to keep the github.com/miekg/dns entry in go.mod.
+
+//go:build never
+
+package never
+
+import _ "github.com/miekg/dns"