Govulncheck

JSON vulnerability report generated by the govulncheck tool, using a command like govulncheck -json . >> report.json

Govulncheck Scanner V2

A second scan type, Govulncheck Scanner V2, is available for the streaming JSON format (govulncheck -format json ./...). It addresses several limitations of the original parser:

  • It iterates the finding records instead of the osv advisory definitions, so advisories that are present in the vulnerability database stream but do not apply to the scanned code are no longer imported (this previously inflated the finding count).

  • The Go vulnerability database does not publish CVSS scores, so severity is derived from govulncheck’s reachability level, kept separate per tier:

    • symbol (the vulnerable symbol is called) → High
    • package (the vulnerable package is imported) → Low
    • module (the vulnerable module is required) → Info

    Use the Minimum Severity import option (e.g. High) to keep only the reachable findings, matching the default govulncheck ./... output.

  • One finding is produced per (advisory, module) pair so multi-module advisories map to the correct vulnerable components.

The original Govulncheck Scanner parser is unchanged and remains available.
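The three V2 behaviours above (iterating finding records rather than OSV entries, deriving severity from the reachability tier, and collapsing to one finding per (advisory, module) pair) can be seen together in the following added example. It is illustrative code written for this page, not DefectDojo's own parser: the function names (iter_json_objects, finding_level, parse_v2) are hypothetical, the input is a constructed govulncheck -format json stream, and it assumes, as govulncheck documents, that trace[0] of a finding record is the most specific frame (a function for symbol-level findings, a package for package-level ones, only a module otherwise).

```python
import json
from typing import Iterator

# Severity per reachability tier, as given in the V2 parser description.
SEVERITY_BY_LEVEL = {"symbol": "High", "package": "Low", "module": "Info"}
# Ordering used to apply the Minimum Severity import option.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample of a govulncheck -format json stream. GO-2022-0001 is in
# the advisory stream but has no finding records, so it must not be imported.
# GO-2024-0003 spans two modules and must yield two findings.
SAMPLE_STREAM = """
{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}
{"osv": {"id": "GO-2022-0001", "summary": "Advisory present in the DB stream but not applicable"}}
{"osv": {"id": "GO-2023-0002", "summary": "Panic on malformed input in example.com/lib/parser"}}
{"osv": {"id": "GO-2024-0003", "summary": "Advisory spanning two modules"}}
{"finding": {"osv": "GO-2023-0002", "fixed_version": "v1.2.0",
  "trace": [{"module": "example.com/lib", "version": "v1.1.0"}]}}
{"finding": {"osv": "GO-2023-0002", "fixed_version": "v1.2.0",
  "trace": [{"module": "example.com/lib", "version": "v1.1.0", "package": "example.com/lib/parser"}]}}
{"finding": {"osv": "GO-2023-0002", "fixed_version": "v1.2.0",
  "trace": [
    {"module": "example.com/lib", "version": "v1.1.0", "package": "example.com/lib/parser", "function": "Parse"},
    {"module": "example.com/app", "package": "example.com/app", "function": "main"}]}}
{"finding": {"osv": "GO-2024-0003", "fixed_version": "v0.9.0",
  "trace": [{"module": "example.com/alpha", "version": "v0.8.0", "package": "example.com/alpha/x"}]}}
{"finding": {"osv": "GO-2024-0003", "fixed_version": "v2.0.0",
  "trace": [{"module": "example.com/beta", "version": "v1.5.0"}]}}
"""


def iter_json_objects(stream: str) -> Iterator[dict]:
    """Yield every top-level object (config, progress, osv, finding) in the stream.

    govulncheck pretty-prints each object across several lines, so the stream
    is consumed with raw_decode instead of being split on newlines.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(stream)
    while True:
        while pos < end and stream[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


def finding_level(finding: dict) -> str:
    """Classify a finding by its most specific trace frame, trace[0]."""
    frames = finding.get("trace") or []
    top = frames[0] if frames else {}
    if top.get("function"):
        return "symbol"
    if top.get("package"):
        return "package"
    return "module"


def parse_v2(stream: str, minimum_severity: str = "Info") -> list[dict]:
    """Produce one finding per (advisory, module), keeping the highest tier seen."""
    advisories: dict[str, dict] = {}
    findings: dict[tuple[str, str], dict] = {}
    for obj in iter_json_objects(stream):
        if "osv" in obj:
            # Advisory definitions only supply titles; they never create findings.
            advisories[obj["osv"]["id"]] = obj["osv"]
        elif "finding" in obj:
            rec = obj["finding"]
            frames = rec.get("trace") or []
            module = frames[0].get("module", "unknown") if frames else "unknown"
            level = finding_level(rec)
            severity = SEVERITY_BY_LEVEL[level]
            key = (rec["osv"], module)
            current = findings.get(key)
            # govulncheck emits module-, package- and symbol-level records for the
            # same advisory; the most reachable tier wins for the merged finding.
            if current is None or SEVERITY_RANK[severity] > SEVERITY_RANK[current["severity"]]:
                findings[key] = {
                    "osv": rec["osv"],
                    "module": module,
                    "level": level,
                    "severity": severity,
                    "fixed_version": rec.get("fixed_version", ""),
                }
    threshold = SEVERITY_RANK[minimum_severity]
    results = []
    for f in findings.values():
        if SEVERITY_RANK[f["severity"]] >= threshold:
            f["title"] = advisories.get(f["osv"], {}).get("summary", f["osv"])
            results.append(f)
    return sorted(results, key=lambda f: (f["osv"], f["module"]))


if __name__ == "__main__":
    for f in parse_v2(SAMPLE_STREAM):
        print(f["severity"], f["osv"], f["module"], f["level"], f["fixed_version"], f["title"])
```

Running it on the constructed stream yields three findings (GO-2023-0002 on example.com/lib at High, GO-2024-0003 on example.com/alpha at Low and on example.com/beta at Info) and none for GO-2022-0001; calling parse_v2(SAMPLE_STREAM, "High") keeps only the symbol-reachable one, which is the set the default govulncheck ./... run reports.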

Sample Scan Data

Sample Govulncheck scans can be found here.

Default Deduplication Hashcode Fields

By default, DefectDojo identifies duplicate Findings using these hashcode fields:

  • title
  • cwe
  • line
  • file path
  • description