vulncheck: return the module list

As a convenience, have vulncheck return the list of modules it found
in the binary or source.

When vulcheck is run on source, this information duplicates information
in the requires graph, although in a simpler form.

When it is run on a binary, the requires graph is nil, so this
information is new.

The list of modules and their versions can be found in other ways in
both cases, but it would require duplicating work that vulncheck
already does.

This list will be used by the govulncheck command to display the
versions currently in use.

Change-Id: I35fe10a456ca7d5265340314a2aba402e648af10
Run-TryBot: Jonathan Amsterdam <>
TryBot-Result: Gopher Robot <>
Reviewed-by: Zvonimir Pavlinovic <>
6 files changed
tree: f56886e24f9a52359fbc3013a3439b4f2a0c132d
  1. client/
  2. cmd/
  3. devtools/
  4. doc/
  5. internal/
  6. osv/
  7. vulncheck/
  8. .gitignore
  9. all_test.go
  11. checks.bash
  14. go.mod
  15. go.sum
  19. tools_test.go

Go Vulnerability Management

Go Reference

This repository contains the following:

  • Package client: a client for interacting with the Go vulnerability database
  • Package vulncheck: an API for detecting vulnerabilities in Go packages
  • Command govulncheck: a CLI for detecting vulnerabilities in Go packages

The code in this repository is under active development and not to be considered stable.


Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Database entries available at are distributed under the terms of the CC-BY 4.0 license.