feat: Update govulncheck integration and enable CGO there (#1478)

#1443 

This will solve the above issue, but let's not close it until the
release is out.

The disabling CGO env flag can be removed as it seems like govulncheck
will successfully analyse CGO projects, just not actually do analysis on
the C parts.

The comment about: 
> This still leaves govulncheck enabled for non C related calls.

It is only partially true, as if the C parts are required to compile the
application, if CGO is disabled, it cannot compile successfully.

We'll need to cherrypick this change into `main` after this is merged.

cmd/osv-scanner/__snapshots__/main_test.snap

@@ -816,29 +816,48 @@ Scanned <rootdir>/fixtures/locks-requirements/requirements-dev.txt file and foun
 Scanned <rootdir>/fixtures/locks-requirements/requirements.prod.txt file and found 1 package
 Scanned <rootdir>/fixtures/locks-requirements/requirements.txt file and found 3 packages
 Scanned <rootdir>/fixtures/locks-requirements/the_requirements_for_test.txt file and found 1 package
-+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+
-| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE                                            |
-+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+
-| https://osv.dev/PYSEC-2022-190      | 9.8  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/GHSA-2gwj-7jmv-h26r |      |           |         |         |                                                   |
-| https://osv.dev/PYSEC-2022-1        | 8.7  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/GHSA-53qw-q765-4fww |      |           |         |         |                                                   |
-| https://osv.dev/PYSEC-2022-20       | 8.7  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/GHSA-6cw3-g6wv-c2xv |      |           |         |         |                                                   |
-| https://osv.dev/PYSEC-2022-2        | 8.7  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/GHSA-8c5j-9r9f-c6w8 |      |           |         |         |                                                   |
-| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/PYSEC-2022-19       | 6.1  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/GHSA-95rw-fx8r-36v6 |      |           |         |         |                                                   |
-| https://osv.dev/PYSEC-2022-3        | 6.9  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/GHSA-jrh2-hc4r-7jwx |      |           |         |         |                                                   |
-| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/PYSEC-2021-439      | 7.3  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/GHSA-v6rh-hp5x-86rv |      |           |         |         |                                                   |
-| https://osv.dev/PYSEC-2022-191      | 9.8  | PyPI      | django  | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
-| https://osv.dev/GHSA-w24h-v9qh-8gxj |      |           |         |         |                                                   |
-| https://osv.dev/PYSEC-2020-73       |      | PyPI      | pandas  | 0.23.4  | fixtures/locks-requirements/requirements.txt      |
-+-------------------------------------+------+-----------+---------+---------+---------------------------------------------------+
++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+
+| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE    | VERSION | SOURCE                                            |
++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+
+| https://osv.dev/PYSEC-2018-66       | 8.7  | PyPI      | flask      | 0.0.0   | fixtures/locks-requirements/my-requirements.txt   |
+| https://osv.dev/GHSA-562c-5r94-xh97 |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2019-179      | 8.7  | PyPI      | flask      | 0.0.0   | fixtures/locks-requirements/my-requirements.txt   |
+| https://osv.dev/GHSA-5wv5-4vpf-pj6m |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2023-62       | 8.7  | PyPI      | flask      | 0.0.0   | fixtures/locks-requirements/my-requirements.txt   |
+| https://osv.dev/GHSA-m2qf-hxjv-5gpq |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2024-48       | 5.3  | PyPI      | black      | 0.0.0   | fixtures/locks-requirements/requirements-dev.txt  |
+| https://osv.dev/GHSA-fj7x-q9j7-g6q6 |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2022-190      | 9.8  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/GHSA-2gwj-7jmv-h26r |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2022-1        | 8.7  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/GHSA-53qw-q765-4fww |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2022-20       | 8.7  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/GHSA-6cw3-g6wv-c2xv |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2022-2        | 8.7  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/GHSA-8c5j-9r9f-c6w8 |      |           |            |         |                                                   |
+| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/PYSEC-2022-19       | 6.1  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/GHSA-95rw-fx8r-36v6 |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2022-3        | 6.9  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/GHSA-jrh2-hc4r-7jwx |      |           |            |         |                                                   |
+| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/PYSEC-2021-439      | 7.3  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/GHSA-v6rh-hp5x-86rv |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2022-191      | 9.8  | PyPI      | django     | 2.2.24  | fixtures/locks-requirements/requirements.prod.txt |
+| https://osv.dev/GHSA-w24h-v9qh-8gxj |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2018-66       | 8.7  | PyPI      | flask      | 0.0.0   | fixtures/locks-requirements/requirements.txt      |
+| https://osv.dev/GHSA-562c-5r94-xh97 |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2019-179      | 8.7  | PyPI      | flask      | 0.0.0   | fixtures/locks-requirements/requirements.txt      |
+| https://osv.dev/GHSA-5wv5-4vpf-pj6m |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2023-62       | 8.7  | PyPI      | flask      | 0.0.0   | fixtures/locks-requirements/requirements.txt      |
+| https://osv.dev/GHSA-m2qf-hxjv-5gpq |      |           |            |         |                                                   |
+| https://osv.dev/GHSA-84pr-m4jr-85g5 | 5.3  | PyPI      | flask-cors | 0.0.0   | fixtures/locks-requirements/requirements.txt      |
+| https://osv.dev/PYSEC-2024-71       | 8.7  | PyPI      | flask-cors | 0.0.0   | fixtures/locks-requirements/requirements.txt      |
+| https://osv.dev/GHSA-hxwh-jpp2-84pm |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2020-43       | 8.7  | PyPI      | flask-cors | 0.0.0   | fixtures/locks-requirements/requirements.txt      |
+| https://osv.dev/GHSA-xc3p-ff3m-f46v |      |           |            |         |                                                   |
+| https://osv.dev/PYSEC-2020-73       |      | PyPI      | pandas     | 0.23.4  | fixtures/locks-requirements/requirements.txt      |
++-------------------------------------+------+-----------+------------+---------+---------------------------------------------------+
 
 ---
 

go.mod

@@ -35,7 +35,7 @@ require (
 	golang.org/x/net v0.33.0
 	golang.org/x/sync v0.10.0
 	golang.org/x/term v0.27.0
-	golang.org/x/vuln v1.0.4
+	golang.org/x/vuln v1.1.3
 	google.golang.org/grpc v1.69.0
 	google.golang.org/protobuf v1.35.2
 	gopkg.in/ini.v1 v1.67.0
@@ -101,6 +101,7 @@ require (
 	github.com/yuin/goldmark-emoji v1.0.3 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/tools v0.27.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect

go.sum

@@ -310,6 +310,8 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
+golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -334,8 +336,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
 golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
-golang.org/x/vuln v1.0.4 h1:SP0mPeg2PmGCu03V+61EcQiOjmpri2XijexKdzv8Z1I=
-golang.org/x/vuln v1.0.4/go.mod h1:NbJdUQhX8jY++FtuhrXs2Eyx0yePo9pF7nPlIjo9aaQ=
+golang.org/x/vuln v1.1.3 h1:NPGnvPOTgnjBc9HTaUx+nj+EaUYxl5SJOWqaDYGaFYw=
+golang.org/x/vuln v1.1.3/go.mod h1:7Le6Fadm5FOqE9C926BCD0g12NWyhg7cxV4BwcPFuNY=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 h1:fVoAXEKA4+yufmbdVYv+SE73+cPZbbbe8paLsHfkK+U=

internal/sourceanalysis/__snapshots__/integration_test.snap

@@ -82,8 +82,7 @@
       "trace": [
         {
           "module": "stdlib",
-          "version": "v1.19.0",
-          "package": "net/http/internal"
+          "version": "v1.19.0"
         }
       ]
     },

internal/sourceanalysis/go.go

@@ -162,9 +162,7 @@ func runGovulncheck(moddir string, vulns []models.Vulnerability, goVersion strin
 	cmd := scan.Command(context.Background(), "-db", dbdirURL.String(), "-C", moddir, "-json", "./...")
 	var b bytes.Buffer
 	cmd.Stdout = &b
-	// Disable CGO because govulncheck does not support CGO code, and will always fail.
-	// This still leaves govulncheck enabled for non C related calls.
-	cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion, "CGO_ENABLED=0")
+	cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion)
 	if err := cmd.Start(); err != nil {
 		return nil, err
 	}