x/vuln: govulncheck doesn't support loading vendored modules

[lachlan-smith]

Since the most recent update to govulncheck (v1.0.2) and the introduction of the LoadModules function (here), govulncheck can no longer run on projects that use private dependencies even when they are vendored locally unless the environment running govulncheck also has access to the private repositories.

We encountered this issue in our CI environment which does not have access to the private repositories and instead rely on the locally vendored dependencies.

The issue seems to be caused by calling go list with the -mod=mod flag, if this flag was omitted I believe it should instead first try using the vendored modules first.

[zpavlinovic]

@maceonthompson

[ffoebel]

Broke our CI as well and since the Github action doesn't support selecting the govulncheck version, the only workaround is to build an own action.

[zpavlinovic]

We are working on this and should have a fix soon.

[gopherbot]

Change https://go.dev/cl/557495 mentions this issue: internal/scan, vulncheck: use packages.load for mod info

[maceonthompson]

The fix for this has just been merged - would those not using the github action try to reproduce the issue after running go install golang.org/x/vuln/cmd/govulncheck@master?