[GitHub Action] scan fails on go projects that import C code #1220

@shahar-h

When using the osv-scanner GitHub Action to scan a Go project that imports C code, the scan fails.
For example, scanning the root go.mod file in https://github.com/envoyproxy/gateway fails with:

Failed to run code analysis (govulncheck) on '/app/go.mod' because govulncheck: loading packages: 
There are errors with the provided package patterns:

-: # github.com/containers/storage/pkg/unshare
unshare.c:21:10: fatal error: linux/limits.h: No such file or directory
   21 | #include <linux/limits.h>
      |          ^~~~~~~~~~~~~~~~
compilation terminated.
/root/go/pkg/mod/github.com/containers/storage@v1.55.0/pkg/unshare/getenv_linux_cgo.go:14:8: could not import C (no metadata for C)
/root/go/pkg/mod/github.com/containers/storage@v1.55.0/drivers/btrfs/btrfs.go:19:8: could not import C (no metadata for C)
-: # github.com/containers/storage/drivers/quota
/root/go/pkg/mod/github.com/containers/storage@v1.55.0/drivers/quota/projectquota_supported.go:18:10: fatal error: linux/fs.h: No such file or directory
   18 | #include <linux/fs.h>
      |          ^~~~~~~~~~~~
compilation terminated.
/root/go/pkg/mod/github.com/containers/storage@v1.55.0/drivers/quota/projectquota_supported.go:42:8: could not import C (no metadata for C)
-: # github.com/containers/storage/pkg/loopback
/root/go/pkg/mod/github.com/containers/storage@v1.55.0/pkg/loopback/loop_wrapper.go:7:10: fatal error: linux/loop.h: No such file or directory
    7 | #include <linux/loop.h> // FIXME: present only for defines, maybe we can remove it?
      |          ^~~~~~~~~~~~~~
compilation terminated.
/root/go/pkg/mod/github.com/containers/storage@v1.55.0/pkg/loopback/loop_wrapper.go:18:8: could not import C (no metadata for C)
/root/go/pkg/mod/github.com/containers/storage@v1.55.0/drivers/copy/copy_linux.go:13:8: could not import C (no metadata for C)

To resolve this issue, CGO needs to be disabled in the GitHub Action Dockerfile by adding ENV CGO_ENABLED=0.
See more info here under the 'Govulncheck quirks' section.
