Diffstat (limited to 'security/govulncheck')
19 files changed, 264 insertions, 0 deletions
diff --git a/security/govulncheck/Makefile b/security/govulncheck/Makefile
new file mode 100644
index 000000000000..421e87f037bf
--- /dev/null
+++ b/security/govulncheck/Makefile
@@ -0,0 +1,37 @@
+PORTNAME= govulncheck
+DISTVERSIONPREFIX= v
+DISTVERSION= 1.1.4
+CATEGORIES= security
+
+MAINTAINER= einar@isnic.is
+COMMENT= Database client and tools for the Go vulnerability database
+WWW= https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
+
+LICENSE= BSD3CLAUSE
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+USES= go:modules,run
+
+GO_MODULE= golang.org/x/vuln
+GO_TARGET= ./cmd/govulncheck
+
+PLIST_FILES= bin/govulncheck
+
+post-patch:
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/scan/util.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/all_test.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/scan/run.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/test/packages.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/test/testenv.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/testenv/testenv.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/vulncheck/packages.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/telemetry/internal/configstore/download.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/telemetry/internal/telemetry/dir.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/go/packages/packagestest/export.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/internal/gcimporter/exportdata.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/internal/gocommand/invoke.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/internal/goroot/importcfg.go
+ @${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/vendor/golang.org/x/tools/internal/testenv/testenv.go
+
+.include <bsd.port.mk>
diff --git a/security/govulncheck/distinfo b/security/govulncheck/distinfo
new file mode 100644
index 000000000000..ab0dd596680a
--- /dev/null
+++ b/security/govulncheck/distinfo
@@ -0,0 +1,5 @@
+TIMESTAMP = 1742556049
+SHA256 (go/security_govulncheck/govulncheck-v1.1.4/v1.1.4.mod) = 40e5fa329adbfd7dad2476465ba340d2531b4d33640b82c81c34ac90f36cbd2a
+SIZE (go/security_govulncheck/govulncheck-v1.1.4/v1.1.4.mod) = 387
+SHA256 (go/security_govulncheck/govulncheck-v1.1.4/v1.1.4.zip) = 115ff76fba8f73b27106eb2e59e3f30696f4f7faaeed55471b5b65c3994b503d
+SIZE (go/security_govulncheck/govulncheck-v1.1.4/v1.1.4.zip) = 853384
diff --git a/security/govulncheck/files/patch-all__test.go b/security/govulncheck/files/patch-all__test.go
new file mode 100644
index 000000000000..e6186df4baba
--- /dev/null
+++ b/security/govulncheck/files/patch-all__test.go
@@ -0,0 +1,11 @@
+--- all_test.go.orig 2025-05-08 09:17:55 UTC
++++ all_test.go
+@@ -84,7 +84,7 @@ func rungo(t *testing.T, args ...string) {
+ t.Helper()
+ testenv.NeedsGoBuild(t)
+
+- cmd := exec.Command("go", args...)
++ cmd := exec.Command("%%GO_CMD%%", args...)
+ if output, err := cmd.CombinedOutput(); err != nil {
+ if ee := (*exec.ExitError)(nil); errors.As(err, &ee) && len(ee.Stderr) > 0 {
+ t.Fatalf("%v: %v\n%s", cmd, err, ee.Stderr)
diff --git a/security/govulncheck/files/patch-internal_buildinfo_additions__scan__test.go b/security/govulncheck/files/patch-internal_buildinfo_additions__scan__test.go
new file mode 100644
index 000000000000..8de5b3027e68
--- /dev/null
+++ b/security/govulncheck/files/patch-internal_buildinfo_additions__scan__test.go
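Review bot: The post-patch list in security/govulncheck/Makefile does not cover `internal/buildinfo/additions_scan_test.go`, although `files/patch-internal_buildinfo_additions__scan__test.go` in this commit inserts `%%GO_CMD%%` there, so that file keeps the literal placeholder after patching. It is a test file, so the installed binary is not affected, but the test would try to execute a program named `%%GO_CMD%%`. Add `@${REINPLACE_CMD} -e 's|%%GO_CMD%%|${GO_CMD}|g' ${WRKSRC}/internal/buildinfo/additions_scan_test.go`, or pass all patched files to a single `${REINPLACE_CMD}` call so the list is easier to keep in step with `files/`.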
@@ -0,0 +1,11 @@
+--- internal/buildinfo/additions_scan_test.go.orig 2025-05-08 09:20:20 UTC
++++ internal/buildinfo/additions_scan_test.go
+@@ -145,7 +145,7 @@ func Vuln() {
+ })
+ defer e.Cleanup()
+
+- cmd := exec.Command("go", "build", "-o", "entry")
++ cmd := exec.Command("%%GO_CMD%%", "build", "-o", "entry")
+ cmd.Dir = e.Config.Dir
+ cmd.Env = e.Config.Env
+ out, err := cmd.CombinedOutput()
diff --git a/security/govulncheck/files/patch-internal_scan_run.go b/security/govulncheck/files/patch-internal_scan_run.go
new file mode 100644
index 000000000000..4af9d3301b41
--- /dev/null
+++ b/security/govulncheck/files/patch-internal_scan_run.go
@@ -0,0 +1,11 @@
+--- internal/scan/run.go.orig 2025-05-08 09:21:10 UTC
++++ internal/scan/run.go
+@@ -87,7 +87,7 @@ func prepareConfig(ctx context.Context, cfg *config, c
+ }
+ }
+ if cfg.GoVersion == "" {
+- if out, err := exec.Command("go", "env", "GOVERSION").Output(); err == nil {
++ if out, err := exec.Command("%%GO_CMD%%", "env", "GOVERSION").Output(); err == nil {
+ cfg.GoVersion = strings.TrimSpace(string(out))
+ }
+ }
diff --git a/security/govulncheck/files/patch-internal_scan_util.go b/security/govulncheck/files/patch-internal_scan_util.go
new file mode 100644
index 000000000000..607c11164eed
--- /dev/null
+++ b/security/govulncheck/files/patch-internal_scan_util.go
@@ -0,0 +1,11 @@
+--- internal/scan/util.go.orig 1979-11-30 00:00:00 UTC
++++ internal/scan/util.go
+@@ -50,7 +50,7 @@ func gomodExists(dir string) bool {
+ }
+
+ func gomodExists(dir string) bool {
+- cmd := exec.Command("go", "env", "GOMOD")
++ cmd := exec.Command("%%GO_CMD%%", "env", "GOMOD")
+ cmd.Dir = dir
+ out, err := cmd.Output()
+ output := strings.TrimSpace(string(out))
diff --git a/security/govulncheck/files/patch-internal_test_packages.go b/security/govulncheck/files/patch-internal_test_packages.go
new file mode 100644
index 000000000000..3cc85bdd22a6
--- /dev/null
+++ b/security/govulncheck/files/patch-internal_test_packages.go
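Review bot: In patch-internal_scan_run.go, `exec.Command("%%GO_CMD%%", "env", "GOVERSION")` makes the default `cfg.GoVersion` come from the toolchain substituted at build time rather than from whichever `go` is first on PATH, which is what pkg-descr in this commit still describes. Standard-library findings depend on that version, so a project built with a different Go would be reported against the packaged toolchain whenever `cfg.GoVersion` is empty. If GO_CMD expands to an absolute path (its value is not shown here), the change also stops an unexpected `go` earlier on PATH from being executed, so it looks reasonable, but it should be stated: add `// FreeBSD port: version comes from the packaged Go toolchain, not from "go" on PATH` above the call and a matching sentence to pkg-descr. prepareConfig starts and ends outside the hunk.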
@@ -0,0 +1,11 @@
+--- internal/test/packages.go.orig 2025-05-08 09:19:24 UTC
++++ internal/test/packages.go
+@@ -13,7 +13,7 @@ func VerifyImports(t *testing.T, allowed ...string) {
+ )
+
+ func VerifyImports(t *testing.T, allowed ...string) {
+- if _, err := exec.LookPath("go"); err != nil {
++ if _, err := exec.LookPath("%%GO_CMD%%"); err != nil {
+ t.Skipf("skipping: %v", err)
+ }
+ cfg := &packages.Config{Mode: packages.NeedImports | packages.NeedDeps}
diff --git a/security/govulncheck/files/patch-internal_test_testenv.go b/security/govulncheck/files/patch-internal_test_testenv.go
new file mode 100644
index 000000000000..f28ee2f16524
--- /dev/null
+++ b/security/govulncheck/files/patch-internal_test_testenv.go
@@ -0,0 +1,11 @@
+--- internal/test/testenv.go.orig 2025-05-08 09:18:33 UTC
++++ internal/test/testenv.go
+@@ -14,7 +14,7 @@ func NeedsGoEnv(t testing.TB) {
+ func NeedsGoEnv(t testing.TB) {
+ t.Helper()
+
+- if _, err := exec.LookPath("go"); err != nil {
++ if _, err := exec.LookPath("%%GO_CMD%%"); err != nil {
+ t.Skip("skipping test: can't run go env")
+ }
+ }
diff --git a/security/govulncheck/files/patch-internal_testenv_testenv.go b/security/govulncheck/files/patch-internal_testenv_testenv.go
new file mode 100644
index 000000000000..634a4a23fe50
--- /dev/null
+++ b/security/govulncheck/files/patch-internal_testenv_testenv.go
@@ -0,0 +1,11 @@
+--- internal/testenv/testenv.go.orig 2025-05-08 09:21:55 UTC
++++ internal/testenv/testenv.go
+@@ -100,7 +100,7 @@ func NeedsGoBuild(t testing.TB) {
+ if err := os.WriteFile(mainGo, []byte("package main\nfunc main() {}\n"), 0644); err != nil {
+ t.Fatal(err)
+ }
+- cmd := exec.Command("go", "build", "-o", os.DevNull, mainGo)
++ cmd := exec.Command("%%GO_CMD%%", "build", "-o", os.DevNull, mainGo)
+ cmd.Dir = dir
+ if err := cmd.Run(); err != nil {
+ goBuildErr = fmt.Errorf("%v: %v", cmd, err)
diff --git a/security/govulncheck/files/patch-internal_vulncheck_packages.go b/security/govulncheck/files/patch-internal_vulncheck_packages.go
new file mode 100644
index 000000000000..d9e7038ebc9c
--- /dev/null
+++ b/security/govulncheck/files/patch-internal_vulncheck_packages.go
@@ -0,0 +1,11 @@
+--- internal/vulncheck/packages.go.orig 2025-05-08 09:26:39 UTC
++++ internal/vulncheck/packages.go
+@@ -34,7 +34,7 @@ func NewPackageGraph(goVersion string) *PackageGraph {
+ }
+
+ goRoot := ""
+- if out, err := exec.Command("go", "env", "GOROOT").Output(); err == nil {
++ if out, err := exec.Command("%%GO_CMD%%", "env", "GOROOT").Output(); err == nil {
+ goRoot = strings.TrimSpace(string(out))
+ }
+ stdlibModule := &packages.Module{
diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_configstore_download.go b/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_configstore_download.go
new file mode 100644
index 000000000000..19f5c34ba0cc
--- /dev/null
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_configstore_download.go
@@ -0,0 +1,11 @@
+--- vendor/golang.org/x/telemetry/internal/configstore/download.go.orig 2025-05-08 09:35:28 UTC
++++ vendor/golang.org/x/telemetry/internal/configstore/download.go
+@@ -36,7 +36,7 @@ func Download(version string, envOverlay []string) (*t
+ }
+ modVer := ModulePath + "@" + version
+ var stdout, stderr bytes.Buffer
+- cmd := exec.Command("go", "mod", "download", "-json", modVer)
++ cmd := exec.Command("%%GO_CMD%%", "mod", "download", "-json", modVer)
+ cmd.Env = append(os.Environ(), envOverlay...)
+ cmd.Stdout = &stdout
+ cmd.Stderr = &stderr
diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_telemetry_dir.go b/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_telemetry_dir.go
new file mode 100644
index 000000000000..b8ea9e633a94
--- /dev/null
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_telemetry_internal_telemetry_dir.go
@@ -0,0 +1,11 @@
+--- vendor/golang.org/x/telemetry/internal/telemetry/dir.go.orig 2025-05-08 09:35:02 UTC
++++ vendor/golang.org/x/telemetry/internal/telemetry/dir.go
+@@ -52,7 +52,7 @@ func init() {
+ if err != nil {
+ return
+ }
+- Default = NewDir(filepath.Join(cfgDir, "go", "telemetry"))
++ Default = NewDir(filepath.Join(cfgDir, "%%GO_CMD%%", "telemetry"))
+ }
+
+ func (d Dir) Dir() string {
diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_gcexportdata_gcexportdata.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_gcexportdata_gcexportdata.go
new file mode 100644
index 000000000000..4dcb9c703a59
--- /dev/null
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_gcexportdata_gcexportdata.go
@@ -0,0 +1,11 @@
+--- vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go.orig 2025-05-08 09:27:42 UTC
++++ vendor/golang.org/x/tools/go/gcexportdata/gcexportdata.go
+@@ -87,7 +87,7 @@ func Find(importPath, srcDir string) (filename, path s
+ // Deprecated: Use the higher-level API in golang.org/x/tools/go/packages,
+ // which is more efficient.
+ func Find(importPath, srcDir string) (filename, path string) {
+- cmd := exec.Command("go", "list", "-json", "-export", "--", importPath)
++ cmd := exec.Command("%%GO_CMD%%", "list", "-json", "-export", "--", importPath)
+ cmd.Dir = srcDir
+ out, err := cmd.Output()
+ if err != nil {
diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_packages_packagestest_export.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_packages_packagestest_export.go
new file mode 100644
index 000000000000..86b3c18a17ed
--- /dev/null
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_go_packages_packagestest_export.go
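Review bot: In patch-vendor_golang.org_x_telemetry_internal_telemetry_dir.go the string replaced in `filepath.Join(cfgDir, "go", "telemetry")` is a directory name, not the go command, so substituting `%%GO_CMD%%` moves govulncheck's telemetry directory away from `go/telemetry` under the user config dir. If GO_CMD expands to a path or a versioned binary name (its value is not shown here), the telemetry settings kept by the Go toolchain in that directory would no longer be the ones this code reads, and an opt-out recorded there would probably not be seen. Drop this patch and its post-patch line in the Makefile so the line stays `Default = NewDir(filepath.Join(cfgDir, "go", "telemetry"))`. The enclosing init function begins outside the hunk.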
@@ -0,0 +1,11 @@
+--- vendor/golang.org/x/tools/go/packages/packagestest/export.go.orig 2025-05-08 09:28:42 UTC
++++ vendor/golang.org/x/tools/go/packages/packagestest/export.go
+@@ -37,7 +37,7 @@ the 'go list' command on the specified modules:
+ })
+ defer e.Cleanup()
+
+- cmd := exec.Command("go", "list", "gopher.example/...")
++ cmd := exec.Command("%%GO_CMD%%", "list", "gopher.example/...")
+ cmd.Dir = e.Config.Dir
+ cmd.Env = e.Config.Env
+ out, err := cmd.Output()
diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gcimporter_exportdata.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gcimporter_exportdata.go
new file mode 100644
index 000000000000..64a057ceea2d
--- /dev/null
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gcimporter_exportdata.go
@@ -0,0 +1,11 @@
+--- vendor/golang.org/x/tools/internal/gcimporter/exportdata.go.orig 2025-05-08 09:32:45 UTC
++++ vendor/golang.org/x/tools/internal/gcimporter/exportdata.go
+@@ -392,7 +392,7 @@ func lookupGorootExport(pkgDir string) (string, error)
+ )
+ f, _ = exportMap.LoadOrStore(pkgDir, func() (string, error) {
+ listOnce.Do(func() {
+- cmd := exec.Command(filepath.Join(build.Default.GOROOT, "bin", "go"), "list", "-export", "-f", "{{.Export}}", pkgDir)
++ cmd := exec.Command(filepath.Join(build.Default.GOROOT, "bin", "%%GO_CMD%%"), "list", "-export", "-f", "{{.Export}}", pkgDir)
+ cmd.Dir = build.Default.GOROOT
+ cmd.Env = append(os.Environ(), "PWD="+cmd.Dir, "GOROOT="+build.Default.GOROOT)
+ var output []byte
diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gocommand_invoke.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gocommand_invoke.go
new file mode 100644
index 000000000000..447c512d1811
--- /dev/null
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_gocommand_invoke.go
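Review bot: In patch-vendor_golang.org_x_tools_internal_gcimporter_exportdata.go the element replaced in `filepath.Join(build.Default.GOROOT, "bin", "%%GO_CMD%%")` is the file name of the binary inside GOROOT/bin, so after substitution the joined path is only valid if GO_CMD is exactly `go`. With a full path or a versioned name (GO_CMD's value is not visible in this commit) the `list -export` call in lookupGorootExport would fail to start. The original expression already names a toolchain binary by GOROOT and does not search PATH, so this site can stay `filepath.Join(build.Default.GOROOT, "bin", "go")`; if the packaged toolchain is required, pass `"%%GO_CMD%%"` as the command on its own instead. The function body continues outside the hunk.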
@@ -0,0 +1,11 @@
+--- vendor/golang.org/x/tools/internal/gocommand/invoke.go.orig 2025-05-08 09:34:03 UTC
++++ vendor/golang.org/x/tools/internal/gocommand/invoke.go
+@@ -245,7 +245,7 @@ func (i *Invocation) run(ctx context.Context, stdout,
+ appendOverlayFlag()
+ goArgs = append(goArgs, i.Args...)
+ }
+- cmd := exec.Command("go", goArgs...)
++ cmd := exec.Command("%%GO_CMD%%", goArgs...)
+ cmd.Stdout = stdout
+ cmd.Stderr = stderr
+
diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_goroot_importcfg.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_goroot_importcfg.go
new file mode 100644
index 000000000000..92a3260e8b51
--- /dev/null
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_goroot_importcfg.go
@@ -0,0 +1,11 @@
+--- vendor/golang.org/x/tools/internal/goroot/importcfg.go.orig 2025-05-08 09:33:18 UTC
++++ vendor/golang.org/x/tools/internal/goroot/importcfg.go
+@@ -47,7 +47,7 @@ func PkgfileMap() (map[string]string, error) {
+ func PkgfileMap() (map[string]string, error) {
+ once.Do(func() {
+ m := make(map[string]string)
+- output, err := exec.Command("go", "list", "-export", "-e", "-f", "{{.ImportPath}} {{.Export}}", "std", "cmd").Output()
++ output, err := exec.Command("%%GO_CMD%%", "list", "-export", "-e", "-f", "{{.ImportPath}} {{.Export}}", "std", "cmd").Output()
+ if err != nil {
+ stdlibPkgfileErr = err
+ }
diff --git a/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_testenv_testenv.go b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_testenv_testenv.go
new file mode 100644
index 000000000000..3c8c09262b38
--- /dev/null
+++ b/security/govulncheck/files/patch-vendor_golang.org_x_tools_internal_testenv_testenv.go
@@ -0,0 +1,38 @@
+--- vendor/golang.org/x/tools/internal/testenv/testenv.go.orig 2025-05-08 09:30:00 UTC
++++ vendor/golang.org/x/tools/internal/testenv/testenv.go
+@@ -115,7 +115,7 @@ func HasTool(tool string) error {
+ checkGoBuild.err = err
+ return
+ }
+- cmd := exec.Command("go", "build", "-o", os.DevNull, mainGo)
++ cmd := exec.Command("%%GO_CMD%%", "build", "-o", os.DevNull, mainGo)
+ cmd.Dir = dir
+ if out, err := cmd.CombinedOutput(); err != nil {
+ if len(out) > 0 {
+@@ -145,7 +145,7 @@ func cgoEnabled(bypassEnvironment bool) (bool, error)
+ }
+
+ func cgoEnabled(bypassEnvironment bool) (bool, error) {
+- cmd := exec.Command("go", "env", "CGO_ENABLED")
++ cmd := exec.Command("%%GO_CMD%%", "env", "CGO_ENABLED")
+ if bypassEnvironment {
+ cmd.Env = append(append([]string(nil), os.Environ()...), "CGO_ENABLED=")
+ }
+@@ -444,7 +444,7 @@ func findGOROOT() (string, error) {
+ return
+ }
+
+- cmd := exec.Command("go", "env", "GOROOT")
++ cmd := exec.Command("%%GO_CMD%%", "env", "GOROOT")
+ out, err := cmd.Output()
+ if err != nil {
+ gorootErr = fmt.Errorf("%v: %v", cmd, err)
+@@ -480,7 +480,7 @@ func NeedsLocalXTools(t testing.TB) {
+
+ NeedsTool(t, "go")
+
+- cmd := Command(t, "go", "list", "-f", "{{with .Replace}}{{.Dir}}{{end}}", "-m", "golang.org/x/tools")
++ cmd := Command(t, "%%GO_CMD%%", "list", "-f", "{{with .Replace}}{{.Dir}}{{end}}", "-m", "golang.org/x/tools")
+ out, err := cmd.Output()
+ if err != nil {
+ if ee, ok := err.(*exec.ExitError); ok && len(ee.Stderr) > 0 {
diff --git a/security/govulncheck/pkg-descr b/security/govulncheck/pkg-descr
new file mode 100644
index 000000000000..5759881efc1c
--- /dev/null
+++ b/security/govulncheck/pkg-descr
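Review bot: In the last inner hunk of patch-vendor_golang.org_x_tools_internal_testenv_testenv.go (NeedsLocalXTools) the guard `NeedsTool(t, "go")` is left unchanged while the command below it now runs `%%GO_CMD%%`, so the precondition and the executed binary can differ. The test would presumably be skipped when no plain `go` is on PATH even though the substituted toolchain is present. Either leave this call site unpatched or make the guard use the same value, `NeedsTool(t, "%%GO_CMD%%")`, after checking that HasTool accepts a path there (only part of its body is visible). This is test-support code, so the installed binary is unaffected.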
@@ -0,0 +1,19 @@
+Govulncheck reports known vulnerabilities that affect Go code.
+It uses static analysis of source code or a binary's symbol table
+to narrow down reports to only those that could affect the
+application.
+
+By default, govulncheck makes requests to the Go vulnerability
+database at https://vuln.go.dev. Requests to the vulnerability
+database contain only module paths with vulnerabilities already
+known to the database, not code or other properties of your
+program. See https://vuln.go.dev/privacy.html for more.
+Use the -db flag to specify a different database, which must
+implement the specification at https://go.dev/security/vuln/database.
+
+Govulncheck looks for vulnerabilities in Go programs using a specific
+build configuration. For analyzing source code, that configuration is
+the Go version specified by the "go" command found on the PATH. For
+binaries, the build configuration is the one used to build the binary.
+Note that different build configurations may have different known
+vulnerabilities.
|