On Tue, Mar 25, 2025 at 1:14 PM Einar Bjarni Halldórsson <[email protected]> wrote:
>
> Hi,
>
> I maintain two go ports and I’ve recently started using govulncheck for other
> go projects (there’s a PR to commit govulncheck to ports).
>
> govulncheck checks all dependencies of a go project against the vulnerability
> database at https://vuln.go.dev/ and warns if your code is calling vulnerable code.
>
> Would it be advisable to add test code to go projects to always call
> govulncheck? It would add a TEST_DEPENDS on govulncheck (which hasn’t been
> committed yet) and it calls the vuln db at google.
>
> Thoughts?
>
> .einar

I'd rather make it an argument of USES=go, something like USES=go:vulncheck

This would allow Go ports to opt in to the feature.
