From fb307db6908050f89a8793af023116d3d11a6eca Mon Sep 17 00:00:00 2001
From: Snider
Date: Thu, 16 Apr 2026 06:49:40 +0100
Subject: [PATCH] Fail closed on malformed govulncheck output

---
 .core/TODO.md | 1 -
 pkg/lint/vulncheck.go | 2 +-
 pkg/lint/vulncheck_test.go | 7 ++-----
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/.core/TODO.md b/.core/TODO.md
index 1fea8a9..e69de29 100644
--- a/.core/TODO.md
+++ b/.core/TODO.md
@@ -1 +0,0 @@
-- @bug pkg/lint/vulncheck.go:113 — govulncheck JSON parsing silently skips malformed lines, so bad tool output can still look like a clean pass.
diff --git a/pkg/lint/vulncheck.go b/pkg/lint/vulncheck.go
index 907f3d9..eed3a02 100644
--- a/pkg/lint/vulncheck.go
+++ b/pkg/lint/vulncheck.go
@@ -111,7 +111,7 @@ func ParseVulnCheckJSON(stdout, stderr string) (*VulnResult, error) {
 var msg govulncheckMessage
 if err := json.Unmarshal([]byte(line), &msg); err != nil {
- continue
+ return nil, coreerr.E("ParseVulnCheckJSON", "invalid govulncheck JSON output", err)
 }
 if msg.Config != nil {
diff --git a/pkg/lint/vulncheck_test.go b/pkg/lint/vulncheck_test.go
index a706d67..d530ab7 100644
--- a/pkg/lint/vulncheck_test.go
+++ b/pkg/lint/vulncheck_test.go
@@ -43,11 +43,8 @@ also not json
 {"finding":{"osv":"GO-2024-5678","trace":[{"package":"example.com/dep","function":"Fn"}]}}
 `
 result, err := ParseVulnCheckJSON(stdout, "")
- require.NoError(t, err)
- assert.Equal(t, "example.com/app", result.Module)
- require.Len(t, result.Findings, 1)
- assert.Equal(t, "GO-2024-5678", result.Findings[0].ID)
- assert.Equal(t, "Test vuln", result.Findings[0].Description)
+ require.Error(t, err)
+ assert.Nil(t, result)
 }
 func TestParseVulnCheckJSON_Empty(t *testing.T) {
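Review bot: The error returned on the new line in pkg/lint/vulncheck.go does not identify which line of stdout was rejected, so a fail-closed run over a long `-json` stream gives the operator nothing to search for; the loop position or a truncated copy of `line` belongs in the message, e.g. `return nil, coreerr.E("ParseVulnCheckJSON", fmt.Sprintf("invalid govulncheck JSON output (line %d)", i), err)` if the enclosing loop exposes an index. The enclosing `for` and the splitting that produces `line` start above the hunk, so it is not visible whether blank lines (a trailing newline in stdout, for instance) are skipped before `json.Unmarshal`; if they are not, they are now reported as malformed and every otherwise-clean scan would fail. The fail-closed contract also deserves a sentence on the function's doc comment, which is outside the hunk: `// Any line of stdout that is not a JSON govulncheck message is an error; malformed tool output never yields a clean result.`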
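Review bot: The rewritten assertions in pkg/lint/vulncheck_test.go only check that some error is returned and the result is nil, so nothing ties the failure to the malformed-line cause; `assert.ErrorContains(t, err, "invalid govulncheck JSON output")` would distinguish it from any other error the function can return. The removed lines were also the only visible assertions on `result.Module` and `result.Findings[0]`; unless another test feeds a fully valid stream, parsing of the module name and finding fields is no longer covered, and a companion test with the `also not json` line removed should restore it. The test function's name and opening lines are above the hunk, so it may also need renaming to say that it now asserts rejection rather than skipping.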