request #47191 OSV Scanner should be built with the same Go version than the one used to build apps

Infos

Artifact ID#47191

Submitted byThomas Gerbet (tgerbet)

Last Modified On2026-03-13 09:36

Submitted on2026-03-12 18:06

Rank48919

Details

Summary *

OSV Scanner should be built with the same Go version than the one used to build apps

Original Submission

If we use an OSV Scanner built on with an older version it can fail to do analysis with govulncheck and throw an error code.

Example trace:

Failed to run code analysis (govulncheck) on '<path>/src/additional-packages/tuleap-smokescreen/go.mod' because govulncheck: Loading packages failed, possibly due to a mismatch between the Go version
used to build govulncheck and the Go version on PATH. Consider rebuilding
govulncheck with the current Go version.


There are errors with the provided package patterns:

/nix/store/kgwkx0l54snkkgzbmg8cw89i1g8v1dqw-go-1.26.0/share/go/src/vendor/golang.org/x/crypto/chacha20poly1305/fips140only_go1.26.go:7:9: file requires newer Go version go1.26 (application built with go1.25)
-: This application uses version go1.25 of the source-processing packages but runs version go1.26 of 'go list'. It may fail to process source files that rely on newer language features. If so, rebuild the application using a newer version of Go.
<path>/src/additional-packages/tuleap-smokescreen/main.go:1:1: package requires newer Go version go1.26 (application built with go1.25)
-: This application uses version go1.25 of the source-processing packages but runs version go1.26 of 'go list'. It may fail to process source files that rely on newer language features. If so, rebuild the application using a newer version of Go.

CategoryDev tools

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?