Skip to content

chore: add ScanGoModVersion = false to osv-scanner.toml once MegaLinter ships osv-scanner ≥ 2.4.0 #545

Description

@kehoecj

Context

OSV Scanner v2.4.0 (released 2026-06-18) added a ScanGoModVersion config option that defaults to disabled. This prevents the scanner from treating the go directive in go.mod as a vulnerability signal for Go stdlib CVEs — which is the correct behavior since the directive specifies minimum language version, not the actual toolchain used to compile.

MegaLinter v9.6.0 (latest as of 2026-07-16) still ships osv-scanner 2.3.8 via Alpine packages, which always scans the go.mod version with no way to disable it. This forces us to:

  1. Keep go.mod pinned to whatever version MegaLinter's container has
  2. Maintain ignore entries for stdlib CVEs that don't apply to our compiled binary

Action

Once MegaLinter ships a version with osv-scanner ≥ 2.4.0:

  1. Add to osv-scanner.toml:
    ScanGoModVersion = false
  2. Remove all [[IgnoredVulns]] entries for Go stdlib CVEs (GO-2026-4970, GO-2026-5856, and any others accumulated)
  3. Bump go.mod to the latest Go patch version without worrying about scanner compatibility

How to check

MegaLinter pins osv-scanner via Alpine packages:

ARG REPOSITORY_OSV_SCANNER_VERSION=2.3.8-r1

Watch for MegaLinter releases where this bumps to ≥ 2.4.0, or check:

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions