我正试图使用govulncheck tool扫描我的围棋模块中的漏洞.按照"Managing Go installations" page上的说明,我安装了两个GO版本:1.17.9和1.18.6:
$ go version
go version go1.17.9 linux/amd64
$ go1.18.6 version
go version go1.18.6 linux/amd64
我的模块是使用1.18.6构建和运行的.我使用GO 1.18.6使用以下命令安装了govulncheck:
$ go1.18.6 install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20220913170424-c9fe2ba7ccad
go: downloading golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4
go: downloading golang.org/x/tools v0.1.13-0.20220803210227-8b9a1fbdf5c3
go: downloading golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
但当我对我的模块运行govulncheck ./...时,它报告了GO 1.17.9的问题.
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 5 known vulnerabilities.
Vulnerability #1: GO-2022-0524
Calling Reader.Read on an archive containing a large number of
concatenated 0-length compressed files can cause a panic due to
stack exhaustion.
Call stacks in your code:
path/omitted/example.go:79:67: example.com/example-project/path/omitted/example.Method calls example.com/vulnerable-dependency/path/omitted/example.Foo.Bar, which eventually calls compress/gzip.Reader.Read
Found in: compress/gzip@go1.17.9
Fixed in: compress/gzip@go1.18.4
More info: https://pkg.go.dev/vuln/GO-2022-0524
(etc)
这个示例问题已经在我使用的Go版本(1.18.6)中修复了,但是由于govulncheck使用的是1.17.9而不是1.18.6,它没有看到问题得到缓解.
如何使用我想要的Go版本运行此工具?