Defending from including OSV/CVE in go dependencies

tldr: If you want to avoid including OSV/CVE in your go.mod/go.sum you can utilize this tool do that. Here is an example of how this is being used in scorecard

I contribute to a project that is primarily focused on supply chain security which is part of Open Source Security Foundation, which is also part of Linux Foundation.

We happened to realize that between version 1.2.0 and 2.0.0 we have included a library that happens to have OSV( This was accidental, and we wanted to check how to avoid this in the future.

The goal was to make this process part of every PR to check to be aware of any new OSV that we could be introducing. We also wanted an option to ignore any pre-existing OSV until we fix them.

So this led to Stunning-tribble takes input as stream and looks for OSV from The stream is based on the format go list -m -f '{{if not (or .Main)}}{{.Path}}@{{.Version}}_{{.Replace}}{{end}}' all. This will provide all the dependencies, including the replace directives.

The tool is specifically built with the idea of not having any external dependency to avoid it having any OSV.

To ignore existing OSV pass them as CSV stunning-tribble GO-2020-0018,GO-2020-0016

Supply chain security is one of the new ways in which lots of attacks are happening