Your code relies on external dependencies. Do you know how secure they are? The Go Vulnerability Database reveals known issues to you.
The Go team rolled out a new component of the Go ecosystem. The Go Vulnerability Database collects known issues of public Go projects, to help make your Go projects more secure. To give you a quick start, here are four Questions You Were Afraid To Ask (probably not) and their answers condensed from the Go Blog article and the Go Vulnerability Management documentation.
Vulnerabilities in software products can be addressed effectively if they are getting collected in a central place, from which developers can pull that information to check if their projects use vulnerable code. This is exactly what the Go Vulnerability Database is for.
The database gets its information from various sources, such as:
There are a number of options to find out about vulnerabilities in importable packages.
The Go Vulnerability Database provides a Web page where you can search for known issues by GO ID: Go Vulnerability Database - Go Packages
Go's package discovery site lists vulnerability information on a package's version list. If a version contains one or more vulnerabilities, they are shown as GO ID's next to the version number in the timeline. Clicking on an ID shows a summary of the vulnerability.
So whenever you search for a package to use for your project, ensure to check the version history of that package.
This image shows the version history of
golang.org/x/text as an example.
To quickly check if one of your projects imports vulnerable packages, run
govulncheck locally at the project's root folder.
govulncheck is go-installable:
go install golang.org/x/vuln/cmd/[email protected]
Run the command from the root folder of your module, using the standard path syntax:
Let's hope it does not find any vulnerabilities this time!
The Go extension for Visual Studio Code has experimental support for
govulncheck. To run the check, open the command palette and select "Go: Run Vulnerability Check" (it should be sufficient to type "go vuln" to get that command at the top of the list).
Go package maintainers can open an issue for
golang/vulndb at GitHub. This link directly opens a new vulnerability issue.
The Go Vulnerability Database was announced in this blog article: Vulnerability Management for Go - The Go Programming Language
The CLI command is documented here: govulncheck command - golang.org/x/vuln/cmd/govulncheck - Go Packages
The database has a Web page that provides a search by GO ID: Go Vulnerability Database - Go Packages
Happy (and secure) coding! ʕ◔ϖ◔ʔPhoto by Laith Abushaar on Unsplash