Move S3, Azure Blob, and Slack reporters to contrib/ as separate modules #2486
Summary
Move the three reporters with heavy external dependencies (reporter/s3.go, reporter/azureblob.go, reporter/slack.go) into contrib/ as standalone Go modules with their own go.mod. Each becomes a CLI tool that reads vuls report -format-json output from stdin or file and sends it to the destination.
Motivation
These three reporters pull in significant external dependencies that bloat go.mod and generate frequent Dependabot PRs, even though most users don't use all of them:
| Reporter | External Dependencies | Impact on go.mod |
|---|---|---|
| s3.go | aws-sdk-go-v2 (5 direct + 10+ indirect modules) | AWS SDK v2 is the largest direct dependency set |
| azureblob.go | Azure/azure-sdk-for-go (azblob, azcore, azidentity) | Azure SDK brings multiple internal modules |
| slack.go | nlopes/slack, parnurzeal/gorequest, cenkalti/backoff | gorequest pulls in outdated transitive deps (lann/builder, moul/http2curl, pkg/errors) |
Moving these to contrib/ with separate go.mod files removes all of these from the main module's dependency tree.
Design
Architecture
```
vuls scan / vuls report -format-json
        │
        │ JSON (stdout or file)
        ▼
contrib/reporter-s3/        ← reads JSON, uploads to S3
contrib/reporter-azureblob/ ← reads JSON, uploads to Azure Blob
contrib/reporter-slack/     ← reads JSON, posts to Slack
```
Same pattern as existing contrib/future-vuls and contrib/trivy — standalone tools with their own go.mod that consume scan result JSON.
New directory structure
```
contrib/
├── reporter-s3/
│   ├── cmd/main.go
│   └── go.mod          # depends on aws-sdk-go-v2
├── reporter-azureblob/
│   ├── cmd/main.go
│   └── go.mod          # depends on Azure SDK
├── reporter-slack/
│   ├── cmd/main.go
│   └── go.mod          # depends on nlopes/slack, gorequest
```
What to remove from main module
- reporter/s3.go: S3Writer, getS3(), putObject(), Validate()
- reporter/azureblob.go: AzureBlobWriter
- reporter/slack.go: SlackWriter
- config.AWSConf, config.AzureConf, config.SlackConf (if not used elsewhere)
- Corresponding -to-s3, -to-azure-blob, -to-slack flags from subcmds/report.go
What stays in main module
These reporters only use stdlib and should remain in the main module:
| Reporter | Dependency |
|---|---|
| stdout.go | stdlib only |
| localfile.go | stdlib only |
| email.go | stdlib only (custom SMTP) |
| chatwork.go | stdlib only |
| googlechat.go | stdlib only |
| telegram.go | stdlib only |
| http.go | stdlib only |
| syslog.go | stdlib only |
| sbom/ | CycloneDX + SPDX (core functionality) |
Shared code
reporter/util.go contains formatting functions (formatOneLineSummary, formatList, formatFullPlainText) used by multiple reporters. These should remain in the main module, and the contrib tools can either:
- Vendor the formatting functions, or
- Only support JSON output (let vuls report handle formatting; contrib tools just transport)
Option 2 is simpler — each contrib tool is a pure transport layer that reads JSON and uploads it.
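As an added sketch of what an Option 2 transport-only tool looks like (illustration written for this discussion, not code from vuls or from this proposal): it reads the report from stdin or a file given on the command line, checks that it is JSON, derives an object key and hands the bytes unchanged to an Uploader. It assumes the report carries a top-level serverName field (vuls's JSON field name, assumed here) and substitutes an in-memory Uploader for the S3, Azure Blob or Slack SDK client so that it runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"os"
	"path"
)

// Uploader is the transport each contrib reporter supplies (S3, Azure Blob or Slack SDK);
// memUploader stands in for the real client so this example runs offline.
type Uploader interface{ Put(key string, body []byte) error }
type memUploader struct{ objects map[string][]byte }
func (m *memUploader) Put(key string, body []byte) error {
	m.objects[key] = append([]byte(nil), body...)
	return nil
}
// Report checks the input is JSON, keys it by "serverName" (assumed vuls field name) and hands the raw bytes to up.
func Report(r io.Reader, prefix string, up Uploader) (string, error) {
	raw, err := io.ReadAll(io.LimitReader(r, 64<<20)) // cap at 64 MiB; a cut-off report fails the JSON check
	if err != nil {
		return "", err
	}
	var head struct{ ServerName string `json:"serverName"` }
	if err := json.Unmarshal(raw, &head); err != nil || head.ServerName == "" {
		return "", errors.New("input is not a vuls JSON report (bad JSON or no serverName)")
	}
	// path.Base stops a crafted serverName from steering the key outside prefix.
	key := path.Join(prefix, path.Base(head.ServerName)+".json")
	return key, up.Put(key, raw)
}

func main() {
	in := io.Reader(os.Stdin) // `vuls report -format-json | reporter-s3`
	if len(os.Args) > 1 { // or `reporter-s3 results/web01.json`
		f, err := os.Open(os.Args[1])
		if err != nil {
			log.Fatal(err)
		}
		defer f.Close()
		in = f
	}
	key, err := Report(in, "vuls", &memUploader{objects: map[string][]byte{}})
	if err != nil {
		log.Fatal(err)
	}
	log.Println("uploaded", key)
}
```

A real reporter-s3 would implement Uploader with the SDK's PutObject call and read bucket and credentials from its own config, keeping the body untouched so vuls report stays the single place where formatting happens.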
Breaking change
Users currently using -to-s3, -to-azure-blob, or -to-slack flags will need to switch to the standalone contrib tools. This should be documented in release notes with migration instructions.
Related
- Remove GitHub Advisory detection (detector/github.go) #2484 (Remove GitHub Advisory detection)
- Remove WPScan API vulnerability detection (detector/wordpress.go) #2485 (Remove WPScan API detection)