Zvonimir

Results 18 comments of Zvonimir

What does the Go standard tooling tell you? Does it produce a warning? I am asking as I have a problem reproducing this.

Thanks for the very detailed reproduction instructions! The fix should now be in. At the very least, I was able to follow reproduction steps without them resulting in an error/panic:...

Should we just effectively copy text from [here](https://pkg.go.dev/cmd/go#hdr-Compile_and_install_packages_and_dependencies)

```
govulncheck is installed in the directory named by the GOBIN environment variable, which defaults to $GOPATH/bin or $HOME/go/bin if the GOPATH...
```

The Go Vulnerability Database has designated this GO-2023-1737 (https://pkg.go.dev/vuln/GO-2023-1737) and CVE-2023-29401. To add a fixed version or otherwise update this report, you can reopen and comment on https://github.com/golang/vulndb/issues/1737.

Is there a plan for this fix to be merged in?

An open question about SARIF support for GitHub code scanning is how to present witness call stacks. AFAIK, the dependency code cannot be annotated and parts of the call stack...

It is supposed to be a separate command that govulncheck-action will call. It won't be part of the govulncheck command. The question is how to create SARIF output so it makes...

Should be addressed by https://go-review.git.corp.google.com/c/vuln/+/562215

It seems this is a bug in the ssa dependency. Could you provide steps to reproduce this?

Seems it happens on darwin exclusively AFAICT. @H0llyW00dzZ's issue happens on windows with govulncheck v1.0.1, but not with v1.0.4