SIGSEGV when using go source analysis #883
Comments
Hmm... it looks like it might be related to: golang/go#65590. For now the workaround would be to disable go call analysis on these projects while we try to fix this:
CC @zpavlinovic
I was able to reproduce the issue with the govulncheck command. It seems the crash happens in Though, I can reproduce the issue on my
FWIW, we were experiencing the same problem for the Boundary is using 1.22, but our analysis (using the SSA package) was built with 1.21 and was panicking the same way as reported for So it seems the SSA package (latest version and older versions from what I could tell) is not able to analyze code using 1.22 if 1.21 was used to build the analyzer.
This issue is due to a slight breakage of Go forward-compatibility promises: semantics for loops starting at go1.22 is not compatible with go1.21 and earlier. The only true fix is to rebuild govulncheck with the newer Go versions. govulncheck also reports a more useful error message instead of a crash. More info can be found here.
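A pre-flight check for the mismatch described in this thread, as an added example that is not part of the original comments and is not code from OSV-Scanner or govulncheck: it compares the `go` directive of the module being scanned with the Go version the analyzer binary was built with, and reports an error instead of starting call analysis. The function names and the sample `go.mod` are hypothetical and constructed; the check assumes the `go` directive alone decides the language version.

```go
package main

import (
	"fmt"
	"runtime"
	"strings"
)

// goDirective returns the version on the `go` line of a go.mod file.
func goDirective(goMod string) (string, error) {
	for _, line := range strings.Split(goMod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "go" {
			return f[1], nil
		}
	}
	return "", fmt.Errorf("no go directive found")
}

// langVersion maps "go1.21.7", "1.22" or "go1.22rc1" to major*1000+minor, or -1.
func langVersion(v string) int {
	var major, minor int
	if n, _ := fmt.Sscanf(strings.TrimPrefix(v, "go"), "%d.%d", &major, &minor); n != 2 {
		return -1
	}
	return major*1000 + minor
}

// checkAnalyzable fails when the module targets a newer Go than the analyzer's build.
func checkAnalyzable(toolchain, goMod string) error {
	want, err := goDirective(goMod)
	if err != nil {
		return err
	}
	built, target := langVersion(toolchain), langVersion(want)
	if built < 0 || target < 0 {
		return fmt.Errorf("cannot compare toolchain %q with go directive %q", toolchain, want)
	}
	if target > built {
		return fmt.Errorf("module targets go %s, analyzer built with %s", want, toolchain)
	}
	return nil
}

func main() {
	mod := "module example.com/demo\n\ngo 1.22.0\n" // constructed sample go.mod
	// runtime.Version() is the toolchain this analyzer binary was built with.
	fmt.Println("pre-flight:", checkAnalyzable(runtime.Version(), mod))
}
```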
@another-rex What do we need to do on the OSV-Scanner side to resolve this? I suppose we need to upgrade to Go 1.22 and re-release?
When scanning the current HEAD of: https://github.com/kubernetes/dashboard
(1d4897cd8d1c4af8747906c87f11acbb598814b9)
Environment:
osv-scanner version: 1.7.0
OS: NixOS and Debian
go version: go1.21.7 linux/amd64
Output: