docs: govulncheck discriminating-stderr pattern#58
Merged
Conversation
Document the panic-safe vulncheck pattern landed in templates/Makefile.{service,library}
+ go-skeleton's Makefile.precommit:
- WHY discriminating stderr (false-negative trap of '2>/dev/null')
- pattern walkthrough (mktemp, trap, exit-code + content discrimination,
robust grep alternation)
- how to add a new known-benign panic signature
- how to add a transient stdlib OSV ignore + when to remove
Closes the doc gap left after the 12-PR Makefile-modernization batch:
the canonical template carries the code, this guide carries the rationale.
![ben-s-pull-request-reviewer[bot]](https://avatars.githubusercontent.com/u/1193284?s=60&v=4){kind=small}
There was a problem hiding this comment.
Based on my review of the diff, here is my consolidated report:
PR Review: docs: govulncheck discriminating-stderr pattern
Scope: 1 file changed (docs/go-tools-versioning-guide.md), +62 lines
Must Fix (Critical)
1. Missing README.md update
- File:
docs/go-tools-versioning-guide.md(new section) - Issue: Per CLAUDE.md § Adding a new guide, step 2: "Add to
README.mdin appropriate table." The guide is a new top-level section ingo-tools-versioning-guide.mdbut is not listed in any README table under the Guides section. - Fix: Add
go-tools-versioning-guide.mdto the appropriate category table in README.md (likely under "Go — Infrastructure" or "Go — Code Quality").
Should Fix (Important)
2. Missing llms.txt update
- File:
docs/go-tools-versioning-guide.md(new section) - Issue: Per CLAUDE.md § Adding a new guide, step 3: "Update
llms.txt." The new section is not indexed inllms.txt, meaning AI tools consuming this plugin will not surface this guidance. - Fix: Regenerate
llms.txtor add the newgovulncheck: Discriminating Stderr Patternsection entry.
3. Template consistency — GO-2026-5037/5038/5039 comment vs doc
- File:
docs/go-tools-versioning-guide.md:265andtemplates/Makefile.service/templates/Makefile.library - Issue: The doc's recipe (line 265–268) describes adding an OSV ignore "when Go ships a stdlib vuln ... whose fix lands in the next patch release." The actual templates already have
GO-2026-5037 GO-2026-5038 GO-2026-5039with a more specific comment: "fixed in 1.26.4 — remove from this list once all CI runners and base images are on 1.26.4+." The doc recipe doesn't mention the existing Go 1.26.3 vulns or the explicit removal trigger. - Fix: Update the "Adding a transient stdlib OSV ignore" subsection to reference the actual template comment style and the specific already-tracked IDs.
Nice to Have (Optional)
- The doc says the pattern "lives in
coding/templates/Makefile.serviceandMakefile.library" — correct, but these paths use the bborbe absolute path convention (~/Documents/workspaces/coding/...). Per CLAUDE.md "Self-Contained" rules, these should use a path relative to the plugin install dir or a generic reference. - The doc at line 251 says "The package + function name in the stack trace is stable across x/tools releases" — this is an assertion that could drift if upstream refactors. The "Adding a new known-benign panic" section (line 256–261) partially mitigates this with instructions for when it happens.
Manual Review Notes
- Step 4 skipped: ast-grep not available in this environment (toolchain gap).
- Step 3b skipped:
make precommitnot run (selector mode); CI covers lint+test. - The govulncheck pattern itself is correct: temp-file stderr capture + content discrimination is sound, and the
trapcleanup is properly placed beforemktemp. Thetypesinternal.ForEachElementgrep is the right stable anchor (package-qualified, not free-text).
{
"verdict": "request-changes",
"summary": "The govulncheck discriminating-stderr documentation is technically sound and accurately reflects the template implementation. However, two procedural violations of CLAUDE.md's 'Adding a new guide' process must be resolved before merge: the new section is missing from README.md and llms.txt. Additionally, a minor consistency gap exists between the doc's generic OSV-ignore recipe and the more specific template comments already tracking GO-2026-5037/5038/5039.",
"comments": [
{
"file": "docs/go-tools-versioning-guide.md",
"line": 1,
"severity": "critical",
"message": "Must Fix: README.md not updated. Per CLAUDE.md § Adding a new guide step 2, the new 'govulncheck: Discriminating Stderr Pattern' section must be added to the appropriate Guides table in README.md."
},
{
"file": "docs/go-tools-versioning-guide.md",
"line": 1,
"severity": "critical",
"message": "Must Fix: llms.txt not updated. Per CLAUDE.md § Adding a new guide step 3, the new section must be added to llms.txt so it is indexed for AI consumers of the plugin."
},
{
"file": "docs/go-tools-versioning-guide.md",
"line": 265,
"severity": "major",
"message": "Should Fix: Template consistency gap — the 'Adding a transient stdlib OSV ignore' recipe describes a generic pattern, but templates/Makefile.service and Makefile.library already track GO-2026-5037/5038/5039 with a more specific comment (fixed in Go 1.26.4). The doc should reference the existing IDs and removal trigger to stay consistent with the canonical templates."
}
],
"concerns_addressed": [
"correctness: Pattern relies on matching specific panic stack frames (typesinternal.ForEachElement) — acknowledged in doc at line 251, with guidance on stable matcher selection. Not a blocking issue.",
"correctness: No automated enforcement for stale OSV ignores — doc at line 267-268 describes manual removal on Go bump, consistent with template comment style. Not a blocking issue."
]
}Bot review on coding#58 flagged 3 items, all addressed:
1. (Must Fix) README.md Go-Infrastructure table now lists go-tools-versioning-guide.md
2. (Should Fix) llms.txt 'Go — Infrastructure & Tools' section now indexes the guide,
with a one-line description that mentions the discriminating-stderr vulncheck
3. (Should Fix) 'Adding a transient stdlib OSV ignore' recipe now shows the actual
GO-2026-5037/5038/5039 entries with the explicit removal trigger ('every CI runner
and base image on 1.26.4+'), matching the comment style already in the templates
The first two fix a pre-existing registration gap: the EXISTING guide was never
listed in README/llms.txt. This PR closes that gap while adding the new section.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Document the panic-safe vulncheck pattern that landed in
templates/Makefile.{service,library}+ go-skeleton'sMakefile.precommitafter the 2026-06-20 12-PR Makefile-modernization batch.2>/dev/null(real motivation)mktemp+trap+ exit-code + content discrimination + robust grep alternation on stack-frame name OR messageDoc-only. Closes the gap where the canonical template carried the code but
go-tools-versioning-guide.mdcarried only thetools.envrationale.