cmd/govulncheck: add hermetic tests for default mode

Add a test that runs the govulncheck binary on a module and vuln DB
that are completely controlled by this module.

- Create a tiny local vuln DB with a couple of vulns.

- In our tests, run govulncheck with the GOVULNDB env var set to
  that DB.

- Define two trivial modules that differ only in the version of
  a dependent module: one version matches a vulnerability in our DB,
  and one does not.

- Create a test that runs govulncheck on each module, and verify
  that the vulnerability is found and the output is what we expect.

Change-Id: Idc053ab3a451375f7a211b4bb24d0ec282d2aaa0
Run-TryBot: Jonathan Amsterdam <>
Reviewed-by: Zvonimir Pavlinovic <>
TryBot-Result: Gopher Robot <>
10 files changed
tree: 0863aac0579c3e988a5a92872f022b3335bff43d
  1. client/
  2. cmd/
  3. devtools/
  4. doc/
  5. internal/
  6. osv/
  7. vulncheck/
  8. .gitignore
  9. all_test.go
  11. checks.bash
  14. go.mod
  15. go.sum
  19. tools_test.go

Go Vulnerability Management

Go Reference

This repository contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

The code in this repository is under active development and not to be considered stable.


Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at are distributed under the terms of the CC-BY 4.0 license.