      request #47191 OSV Scanner should be built with the same Go version as the one used to build apps
    Infos
    #47191
    Thomas Gerbet (tgerbet)
    2026-03-13 09:36
    2026-03-12 18:06
    48919
    Details
    OSV Scanner should be built with the same Go version as the one used to build apps

    If we use an OSV Scanner built with an older version, it can fail to do the analysis with govulncheck and throw an error code.

    Example trace:

    Failed to run code analysis (govulncheck) on '<path>/src/additional-packages/tuleap-smokescreen/go.mod' because govulncheck: Loading packages failed, possibly due to a mismatch between the Go version
    used to build govulncheck and the Go version on PATH. Consider rebuilding
    govulncheck with the current Go version.
    
    
    There are errors with the provided package patterns:
    
    /nix/store/kgwkx0l54snkkgzbmg8cw89i1g8v1dqw-go-1.26.0/share/go/src/vendor/golang.org/x/crypto/chacha20poly1305/fips140only_go1.26.go:7:9: file requires newer Go version go1.26 (application built with go1.25)
    -: This application uses version go1.25 of the source-processing packages but runs version go1.26 of 'go list'. It may fail to process source files that rely on newer language features. If so, rebuild the application using a newer version of Go.
    <path>/src/additional-packages/tuleap-smokescreen/main.go:1:1: package requires newer Go version go1.26 (application built with go1.25)
    -: This application uses version go1.25 of the source-processing packages but runs version go1.26 of 'go list'. It may fail to process source files that rely on newer language features. If so, rebuild the application using a newer version of Go.
    
    Dev tools
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2026-03-13
    References
    Referenced by request #47191
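
A pre-flight check for the mismatch shown in the trace, as an added example that is not part of the request or of Tuleap's build tooling: it reads the Go version embedded in the scanner binary and fails when that version is older than the `go` on PATH. Assumptions: the path to the scanner binary is passed as the only argument, and versions are compared at the `go1.N` level, as in the trace (go1.25 against go1.26).

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"os/exec"
	"strings"
)

// languageVersion extracts major and minor from a toolchain string such as
// "go1.26.0", "go1.25" or "go1.26rc1"; anything after the minor is ignored.
func languageVersion(v string) (major, minor int, err error) {
	v = strings.TrimSpace(v)
	if n, _ := fmt.Sscanf(v, "go%d.%d", &major, &minor); n != 2 {
		return 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	return major, minor, nil
}

// scannerTooOld reports whether a tool built with builtWith is older than the
// toolchain onPath (go1.N comparison), which is the situation in the trace.
func scannerTooOld(builtWith, onPath string) (bool, error) {
	bMaj, bMin, errB := languageVersion(builtWith)
	pMaj, pMin, errP := languageVersion(onPath)
	if errB != nil || errP != nil {
		return false, fmt.Errorf("cannot compare %q with %q", builtWith, onPath)
	}
	return bMaj < pMaj || (bMaj == pMaj && bMin < pMin), nil
}

func main() {
	// Assumption: invoked as `<this-check> /path/to/scanner-binary`.
	if len(os.Args) != 2 {
		log.Fatal("usage: pass the path to the scanner binary")
	}
	info, err := buildinfo.ReadFile(os.Args[1]) // Go version baked into the binary
	if err != nil {
		log.Fatal(err)
	}
	out, err := exec.Command("go", "env", "GOVERSION").Output() // toolchain on PATH
	if err != nil {
		log.Fatal(err)
	}
	if old, err := scannerTooOld(info.GoVersion, string(out)); err != nil || old {
		log.Fatalf("rebuild the scanner: built with %s, PATH has %s (error: %v)",
			info.GoVersion, strings.TrimSpace(string(out)), err)
	}
}
```

Running this before the scan turns a govulncheck package-loading failure into an explicit "rebuild the scanner" message.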
