Fail closed on malformed govulncheck output

.core/TODO.md

@@ -1 +0,0 @@
-- @bug pkg/lint/vulncheck.go:113 — govulncheck JSON parsing silently skips malformed lines, so bad tool output can still look like a clean pass.

pkg/lint/vulncheck.go

@@ -111,7 +111,7 @@ func ParseVulnCheckJSON(stdout, stderr string) (*VulnResult, error) {
 
 		var msg govulncheckMessage
 		if err := json.Unmarshal([]byte(line), &msg); err != nil {
-			continue
+			return nil, coreerr.E("ParseVulnCheckJSON", "invalid govulncheck JSON output", err)
 		}
 
 		if msg.Config != nil {

pkg/lint/vulncheck_test.go

@@ -43,11 +43,8 @@ also not json
 {"finding":{"osv":"GO-2024-5678","trace":[{"package":"example.com/dep","function":"Fn"}]}}
 `
 	result, err := ParseVulnCheckJSON(stdout, "")
-	require.NoError(t, err)
-	assert.Equal(t, "example.com/app", result.Module)
-	require.Len(t, result.Findings, 1)
-	assert.Equal(t, "GO-2024-5678", result.Findings[0].ID)
-	assert.Equal(t, "Test vuln", result.Findings[0].Description)
+	require.Error(t, err)
+	assert.Nil(t, result)
 }
 
 func TestParseVulnCheckJSON_Empty(t *testing.T) {