Skip to content

gosec v2.12.0 gives "error obtaining VCS status: exit status 128" #827

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jooseppi-luna opened this issue Jun 27, 2022 · 3 comments
Closed

gosec v2.12.0 gives "error obtaining VCS status: exit status 128" #827

jooseppi-luna opened this issue Jun 27, 2022 · 3 comments

Comments

@jooseppi-luna
Copy link

Summary

We have a bunch of repositories where the gosec action for GitHub Actions started failing with the following error when gosec v2.12.0 came out:

Results:
Golang errors in file: []:
  > [line 0 : column 0] - error obtaining VCS status: exit status 128
	Use -buildvcs=false to disable VCS stamping.

This is in a GitHub-hosted Ubuntu 20.04 runner. I have been unable to reproduce this behavior locally in both Ubuntu 20.04 and RHEL 8.5 setups (using the same go version as Github, 1.17.11). Here are things I have tried to troubleshoot this behavior:
- Confirmed that all the failures line up with the release of gosec v2.12.0
- Attempt to grab gosec v2.11.0 to confirm that this is a 2.12.0 issue, but I was unable to get it to pull anything but the latest image. I did set the branch to securego/[email protected] instead of securego/gosec@master, but even though it is checking out the v2.11.0 branch of gosec, docker is still pulling the latest image (which is 2.12.0).
- Run gosec locally in RHEL 8.5 and Ubuntu 20.04, unable to reproduce issue -- gosec passes just fine.
- Attempt to pass in -buildvcs=false argument both in makefile and to gosec with the -tags argument, no luck either way. Tried the following with gosec: -exclude=G304 -tags buildvcs=false ./... and -exclude=G304 -tags -buildvcs=false ./...

Here is a link to a failing action: https://github.com/dell/csi-powerflex/actions/runs/2557813877

Steps to reproduce the behavior

Trigger these actions: https://github.com/dell/csi-powerflex/actions/runs/2557813877

gosec version

v2.12.0

Go version (output of 'go version')

v1.17.11

Operating system / Environment

GitHub Actions runner/Ubuntu 20.04

Expected behavior

gosec action passes

Actual behavior

gosec action fails with the following:

Results:
Golang errors in file: []:
  > [line 0 : column 0] - error obtaining VCS status: exit status 128
	Use -buildvcs=false to disable VCS stamping.
@ccojocar
Copy link
Member

ccojocar commented Jul 6, 2022

I think this was introduced by the Go compiler/parser which is used by gosec. Please have a look at golang/go#51253. We can't do much about it on gosec side therefore I am going to close this issue. Thanks for reporting.

@ccojocar ccojocar closed this as completed Jul 6, 2022
@magodo
Copy link

magodo commented Sep 25, 2023

@ccojocar I've observed the same issue after the 2.17.0. Is there any workaround for this?

@magodo
Copy link

magodo commented Sep 5, 2024

Update: I made this work by using the env GOFLAGS:

  gosec:
    name: gosec
    runs-on: ubuntu-latest
    env:
      GOFLAGS: '-buildvcs=false'
    steps:
      - name: Checkout Source
        uses: actions/checkout@v3

      - name: Run Gosec Security Scanner
        uses: securego/[email protected]
        with:
          args: './...'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ccojocar @magodo @jooseppi-luna