author | Robin Jarry <robin@jarry.cc> | 2022-10-07 10:52:26 +0200 |
---|---|---|
committer | Tim Culverhouse <tim@timculverhouse.com> | 2022-10-07 17:51:54 -0500 |
commit | e804fac59f410f395fc57c22a7853a1669efcfa4 (patch) | |
tree | fc164b12c32943e5d80dd45eec86258c0d4212f9 | |
parent | 049c72393a26806f2e7408075a48849467262c00 (diff) | |
download | aerc-e804fac59f410f395fc57c22a7853a1669efcfa4.tar.gz |
mk: exclude govulncheck from lint
The vulnerability database is evolving with time. It can cause the lint
step to fail suddenly without any source code changes on our side.
Moreover, sometimes, there is nothing we can do to fix the issue nor to
silence that specific error.
    Found 1 known vulnerability.

    Vulnerability #1: GO-2022-1039
      Programs which compile regular expressions from untrusted
      sources may be vulnerable to memory exhaustion or denial of
      service. The parsed regexp representation is linear in the size
      of the input, but in some cases the constant factor can be as
      high as 40,000, making relatively small regexps consume much
      larger amounts of memory. After fix, each regexp being parsed is
      limited to a 256 MB memory footprint. Regular expressions whose
      representation would use more space than that are rejected.
      Normal use of regular expressions is unaffected.

      Call stacks in your code:
        config/config.go:1000:46:
          git.sr.ht/~rjarry/aerc/config.AercConfig.LoadBinds calls
          regexp.Compile, which eventually calls regexp/syntax.Parse

      Found in: regexp/syntax@go1.18.6
      Fixed in: regexp/syntax@go1.19.2
      More info: https://pkg.go.dev/vuln/GO-2022-1039
Move govulncheck into its own make target to be executed manually.
Signed-off-by: Robin Jarry <robin@jarry.cc>
Acked-by: Tim Culverhouse <tim@timculverhouse.com>
-rw-r--r-- | Makefile | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -65,6 +65,9 @@ lint: && echo The above files need to be formatted, please run make fmt && exit 1 \ || echo all files formatted. $(GO) run github.com/golangci/golangci-lint/cmd/golangci-lint run + +.PHONY: vulncheck +vulncheck: $(GO) run golang.org/x/vuln/cmd/govulncheck@latest ./... .PHONY: tests |
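Review bot: the new `vulncheck` target runs `golang.org/x/vuln/cmd/govulncheck@latest`, so the tool version floats and a manual run is no more reproducible than the lint step it replaces; consider pinning a tagged version of golang.org/x/vuln (or tracking it as a tool dependency in go.mod) so two developers running `make vulncheck` on the same tree get the same result. Because the target is no longer reached from `lint`, nothing in the default workflow will surface new findings; a scheduled, non-blocking CI run of `make vulncheck` would keep that signal without the sudden lint breakage the commit message describes. Worth noting for the message as well: the quoted finding (GO-2022-1039, "Fixed in: regexp/syntax@go1.19.2") is a standard-library issue resolved by building with Go 1.19.2 or later rather than by any change to aerc's code.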