README
¶
vulnfix consumes govulncheck -json output and applies dependency fixes to a Go module.
It is designed for a simple workflow:
- run
govulncheck -json - pipe the output to
vulnfix - let
vulnfixupdate vulnerable modules and tidy the module graph
Install
go install github.com/hamba/vulnfix@latest
Usage
govulncheck -json ./... | vulnfix
Run in a different module directory:
govulncheck -json ./... | vulnfix -C /path/to/module
You can also apply fixes from a saved report:
vulnfix < govulncheck-report.json
Optionally write a Markdown CVE report:
govulncheck -json ./... | vulnfix -o report.md
How It Works
vulnfix parses the govulncheck -json output and collects the minimum fixed
version for each vulnerable module. It then runs go get <module>@<version> for
each affected dependency and follows up with go mod tidy to keep the module
graph clean.
Special pseudo-modules are handled automatically:
| Module | Action |
|---|---|
stdlib |
Updates the go directive via go get go@<version> |
toolchain |
Updates the toolchain directive via go get toolchain@<version> |
| everything else | Regular go get <module>@<version> |
Documentation
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package govulncheck reads the JSON output produced by govulncheck -json and extracts the minimum fixed version for each vulnerable module.
|
Package govulncheck reads the JSON output produced by govulncheck -json and extracts the minimum fixed version for each vulnerable module. |
|
Package modfix upgrades vulnerable Go module dependencies to their minimum fixed versions using the go toolchain.
|
Package modfix upgrades vulnerable Go module dependencies to their minimum fixed versions using the go toolchain. |
|
Package report renders a Markdown vulnerability report from a map of module fixes.
|
Package report renders a Markdown vulnerability report from a map of module fixes. |
Click to show internal directories.
Click to hide internal directories.