From 8770fe3d3740a9380a290ee81bb0c1cac6c61414 Mon Sep 17 00:00:00 2001 From: Alano Terblanche <18033717+Benehiko@users.noreply.github.com> Date: Fri, 19 Jun 2026 15:25:47 +0200 Subject: [PATCH 1/2] ci: pin govulncheck to v1.3.0 to avoid generics panic govulncheck v1.4.0 (pulled by @latest) panics with "ForEachElement called on type containing *types.TypeParam" when scanning the repo's generic code, which fails the "known vulnerabilities" check. v1.3.0 is the last release before the regression and scans the modules cleanly (the remaining advisories are all package/module-level with 0 call-reachable symbols, so the gate passes). Pin via a GOVULNCHECK_VERSION build arg, mirroring the GOMODGUARD_VERSION pattern, so it is easy to bump once a fix ships upstream. See https://github.com/golang/go/issues/80059 Co-Authored-By: Claude Opus 4.8 (1M context) --- Dockerfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 639b44a5..acff8512 100644 --- a/Dockerfile +++ b/Dockerfile @@ -111,10 +111,14 @@ RUN --mount=type=bind,target=.,ro \ EOT FROM golang AS govulncheck +# Pinned: govulncheck v1.4.0 panics ("ForEachElement called on type containing +# *types.TypeParam") when scanning generic code; v1.3.0 is the last good release. +# See https://github.com/golang/go/issues/80059. Bump once a fix ships. +ARG GOVULNCHECK_VERSION=v1.3.0 RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=tmpfs,target=/go/src/ \ - go install "golang.org/x/vuln/cmd/govulncheck@latest" \ + go install "golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION}" \ && govulncheck -version FROM golang AS do-govulncheck From 5a66a2b668776db480199936fa23f8c041a5088d Mon Sep 17 00:00:00 2001 
From: Alano Terblanche <18033717+Benehiko@users.noreply.github.com> Date: Fri, 19 Jun 2026 15:38:39 +0200 Subject: [PATCH 2/2] ci: pin govulncheck by commit SHA and document the v1.4.0 panic root cause Switch the govulncheck pin from the v1.3.0 tag to its immutable commit SHA (golang/vuln 0782b76014f15f24e22a438f30f308df42899ba1; Go resolves it back to v1.3.0). Root cause of the v1.4.0 failure: v1.4.0 bumped golang.org/x/tools v0.44.0 -> v0.46.0. v0.46.0 added generic-method support to go/ssa, but its RuntimeTypes guard is incomplete. A closure defined inside a method of a generic type inherits the parent's typeparams but NOT its recvtypeparams, so go/ssa/emit.go's hasTypeParams() guard returns false and a still-parameterized MakeInterface operand (e.g. *box[N]) is recorded in makeInterfaceTypes. cha.CallGraph -> ssautil.AllFunctions -> Program.RuntimeTypes -> typesinternal.ForEachElement then panics on the bare *types.TypeParam. v1.3.0 uses x/tools v0.44.0 (pre-generic-methods) and never reaches that path. No fix has shipped yet: golang/vuln master == the broken v1.4.0 tag, and x/tools master element.go is unchanged from v0.46.0. Tracking: golang/go#80055 (x/tools root cause, Go1.27 milestone, fix CL go.dev/cl/792260) and golang/go#80059 (govulncheck report). Bump once the fix lands and golang/vuln picks it up. Verified locally: do-govulncheck (linux/arm64) resolves the SHA to govulncheck@v1.3.0, scans all modules with no panic, exit 0. Co-Authored-By: Claude Opus 4.8 (1M context) --- Dockerfile | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index acff8512..f0c88b95 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -111,10 +111,16 @@ RUN --mount=type=bind,target=.,ro \ EOT FROM golang AS govulncheck -# Pinned: govulncheck v1.4.0 panics ("ForEachElement called on type containing -# *types.TypeParam") when scanning generic code; v1.3.0 is the last good release. -# See https://github.com/golang/go/issues/80059. Bump once a fix ships. -ARG GOVULNCHECK_VERSION=v1.3.0 +# Pinned to the golang/vuln v1.3.0 commit (SHA, not the mutable tag). govulncheck +# v1.4.0 bumped golang.org/x/tools to v0.46.0, whose new generic-method SSA +# support has an incomplete RuntimeTypes guard: a parameterized type boxed in a +# closure inside a generic method reaches typesinternal.ForEachElement still +# uninstantiated and panics ("ForEachElement called on type containing +# *types.TypeParam"). v1.3.0 uses x/tools v0.44.0 (pre-regression) and scans +# cleanly. Root cause: golang/go#80055 (fix CL go.dev/cl/792260, not yet +# released); govulncheck-facing report: golang/go#80059. Go resolves @ to a +# pseudo-version. Bump once x/tools ships the fix and golang/vuln picks it up. +ARG GOVULNCHECK_VERSION=0782b76014f15f24e22a438f30f308df42899ba1 RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=tmpfs,target=/go/src/ \
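Review bot: In the PATCH 1/2 hunk (Dockerfile @@ -111,10 +111,14), the `&& govulncheck -version` step only prints the resolved scanner; nothing fails the stage if `@${GOVULNCHECK_VERSION}` ever resolves to something other than the intended release, so consider asserting on it, e.g. `&& govulncheck -version | grep -F "govulncheck@${GOVULNCHECK_VERSION}"`. Also, since `v1.3.0` here is a tag (mutable) and the very next commit in the series replaces it with the commit SHA, the two commits could be squashed so the history records a single pin change rather than a pin that is immediately superseded.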
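Review bot: In the PATCH 2/2 hunk (Dockerfile @@ -111,10 +111,16), the new comment sentence "Go resolves @ to a pseudo-version" contradicts the commit message, which says Go resolves the SHA "back to v1.3.0" and reports the local run resolving to govulncheck@v1.3.0, and the "@" is dangling (the ref it refers to is missing). Since the pinned SHA is the v1.3.0 tag's own commit, the sentence should read along the lines of "Go resolves @${GOVULNCHECK_VERSION} back to v1.3.0." A second, style point: the ten-line root-cause narrative (x/tools v0.46.0, RuntimeTypes guard, typesinternal.ForEachElement) duplicates the commit message where it already lives in full; the Dockerfile comment would read better kept to the pin reason, the two tracking issues (golang/go#80055, golang/go#80059) and the bump condition, so a later bump does not have to rewrite a paragraph of SSA internals.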
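The code shape the second commit message blames for the v1.4.0 panic is a closure defined inside a method of a generic type that boxes the still-parameterized receiver (`*box[N]`) into an interface. The program below is an added illustration of that shape, not code from this repository, from golang/vuln or from x/tools: the type `box`, its method `Describe` and the helper `DescribeValue` are invented names, and it is an assumption that this minimal form by itself is enough to reproduce the govulncheck v1.4.0 panic (the page describes the pattern, not a minimal reproducer). The program runs normally under any Go toolchain; its value is as a small module a practitioner can point `govulncheck ./...` at to check whether a candidate scanner release still trips before lifting the pin.

```go
package main

import "fmt"

// box is a generic container; its methods carry the receiver type parameter N,
// which is what the commit message calls "recvtypeparams".
type box[N any] struct {
	val N
}

// Describe returns a closure defined inside a method of the generic type.
// Inside the closure the receiver is converted to an interface: at the SSA
// level this is a MakeInterface whose operand is *box[N], still parameterized,
// which is the shape the commit message attributes the panic to.
func (b *box[N]) Describe() func() string {
	return func() string {
		var boxed any = b // MakeInterface on *box[N], inside a closure
		// Round-trip through the interface to show the dynamic type is *box[N].
		if back, ok := boxed.(*box[N]); ok {
			return fmt.Sprintf("box holds %v (round-trip ok: %v)", back.val, back == b)
		}
		return "unexpected dynamic type"
	}
}

// DescribeValue instantiates box for a concrete N and runs the closure.
func DescribeValue[N any](v N) string {
	return (&box[N]{val: v}).Describe()()
}

func main() {
	fmt.Println(DescribeValue(42))      // box holds 42 (round-trip ok: true)
	fmt.Println(DescribeValue("hello")) // box holds hello (round-trip ok: true)
}
```

Because the closure captures `b` rather than taking it as a parameter, the interface conversion happens in a function literal nested in the generic method, matching the "closure inside a generic method" wording of the commit message rather than a plain generic function, where the guard is described as working.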