feat: fix the vulncheck-filter to parse the text format instead

Chris Stockton · Chris Stockton · commit 33c3c81ae704 · 2026-05-11T15:30:23.000-07:00
The existing parser wasn't decoding any values. Once I fixed the
decoding it started printing 64 results. After looking into it I
realized that govulncheck cmd does some additional aggregation. It
turns out that it's non-trivial, rather than try to duplicate that
I just parsed the text output instead.
diff --git a/Makefile b/Makefile
@@ -136,7 +136,7 @@ sec: | $(TOOL_BIN_DIR)/gosec # Check for security vulnerabilities
 		$(CHECK_FILES)
 
 vulncheck: $(TOOL_BIN_DIR)/govulncheck # Check for known vulnerabilities
-	$(TOOL_BIN_DIR)/govulncheck -format json $(CHECK_FILES) | go run ./hack/vulncheck-filter
+	$(TOOL_BIN_DIR)/govulncheck $(CHECK_FILES) | go run ./hack/vulncheck-filter
 
 unused: | $(TOOL_BIN_DIR)/staticcheck # Look for unused code
 	@echo "Unused code:"
diff --git a/hack/vulncheck-filter/main.go b/hack/vulncheck-filter/main.go
@@ -1,61 +1,84 @@
 package main
 
 import (
-	"encoding/json"
+	"bufio"
+	"errors"
 	"fmt"
-	"io"
 	"os"
+	"slices"
+	"strings"
 )
 
 // Vulnerabilities with no upstream fix — remove entries once fixed.
 var ignore = map[string]string{
 	"GO-2026-4518": "pgproto3/v2 DoS, no fix available (EOL). Transitive via pgconn v1 + pop/v6.",
 }
 
-type message struct {
-	Finding *struct {
-		OSV *struct {
-			ID string `json:"id"`
-		} `json:"osv"`
-	} `json:"finding"`
+func main() {
+	if err := run(); err != nil {
+		fmt.Fprintf(os.Stderr, "vulncheck-filter: %v\n", err)
+		os.Exit(1)
+	}
 }
 
-func main() {
-	dec := json.NewDecoder(os.Stdin)
+func run() error {
+	const (
+		stInit = iota
+		stVulnOpen
+	)
 
-	var unignored []string
-	seen := make(map[string]bool)
-	for {
-		var m message
-		if err := dec.Decode(&m); err != nil {
-			if err == io.EOF {
-				break
+	type vuln struct {
+		ID   string `json:"id"`
+		Text string
+	}
+
+	var (
+		cur   vuln
+		vulns []*vuln
+	)
+	st := stInit
+	sc := bufio.NewScanner(os.Stdin)
+	for sc.Scan() {
+		v := sc.Text()
+		switch st {
+		case stInit:
+			if strings.HasPrefix(v, "Vulnerability ") {
+				st = stVulnOpen
+				_, id, ok := strings.Cut(v, ": ")
+				if !ok {
+					return errors.New("no longer able to parse format")
+				}
+				cur = vuln{
+					ID: id,
+				}
+			}
+		case stVulnOpen:
+			cur.Text += v + "\n"
+			if v == "" {
+				st = stInit
+				cpy := cur
+				vulns = append(vulns, &cpy)
 			}
-			// govulncheck JSON stream may contain objects we don't care about; skip decode errors
-			continue
-		}
-		if m.Finding == nil {
-			continue
-		}
-		if m.Finding.OSV == nil {
-			continue
-		}
-		id := m.Finding.OSV.ID
-		if seen[id] {
-			continue
 		}
-		seen[id] = true
-
-		if reason, ok := ignore[id]; ok {
-			fmt.Fprintf(os.Stderr, "ignoring %s: %s\n", id, reason)
-		} else {
-			fmt.Fprintf(os.Stderr, "ERROR: %s (not in ignore list)\n", id)
-			unignored = append(unignored, id)
+	}
+	if err := sc.Err(); err != nil {
+		return err
+	}
+	vulns = slices.DeleteFunc(vulns, func(v *vuln) bool {
+		reason, ok := ignore[v.ID]
+		if ok {
+			fmt.Fprintf(os.Stderr, "ignoring %s: %s\n", v.ID, reason)
 		}
+		return ok
+	})
+	if len(vulns) == 0 {
+		return nil
 	}
 
-	if len(unignored) > 0 {
-		fmt.Fprintf(os.Stderr, "\n%d unignored vulnerability(ies) found\n", len(unignored))
-		os.Exit(1)
+	fmt.Fprintf(os.Stderr, "\n")
+	for idx, vuln := range vulns {
+		msg := "Vulnerability #%d: %v\n%v"
+		fmt.Fprintf(os.Stderr, msg, idx+1, vuln.ID, vuln.Text)
 	}
+	return fmt.Errorf("%d unignored vulnerability(ies) found", len(vulns))
 }
