Is your Go project vulnerable?

Your code relies on external dependencies. Do you know how secure they are? The Go Vulnerability Database reveals known issues to you.

The Go team rolled out a new component of the Go ecosystem. The Go Vulnerability Database collects known issues of public Go projects, to help make your Go projects more secure. To give you a quick start, here are four Questions You Were Afraid To Ask (probably not) and their answers condensed from the Go Blog article and the Go Vulnerability Management documentation.

What is the Go Vulnerability Database and what can it do for me?

Vulnerabilities in software products can be addressed effectively if they are getting collected in a central place, from which developers can pull that information to check if their projects use vulnerable code. This is exactly what the Go Vulnerability Database is for.

Where do vulnerability reports come from?

The database gets its information from various sources, such as:

How can I access the vulnerability data?

There are a number of options to find out about vulnerabilities in importable packages.

Query the database directly by ID

The Go Vulnerability Database provides a Web page where you can search for known issues by GO ID: Go Vulnerability Database - Go Packages

Inspect package version information at pkg.go.dev

Go's package discovery site lists vulnerability information on a package's version list. If a version contains one or more vulnerabilities, they are shown as GO ID's next to the version number in the timeline. Clicking on an ID shows a summary of the vulnerability.

So whenever you search for a package to use for your project, ensure to check the version history of that package.

This image shows the version history of golang.org/x/text as an example.

Run govulncheck on your local project

To quickly check if one of your projects imports vulnerable packages, run govulncheck locally at the project's root folder.

govulncheck is go-installable:

go install golang.org/x/vuln/cmd/[email protected]

Run the command from the root folder of your module, using the standard path syntax:

govulncheck ./...

Let's hope it does not find any vulnerabilities this time!

Use the Visual Studio Code Go extension

The Go extension for Visual Studio Code has experimental support for govulncheck. To run the check, open the command palette and select "Go: Run Vulnerability Check" (it should be sufficient to type "go vuln" to get that command at the top of the list).

How can I contribute to the database?

Go package maintainers can open an issue for golang/vulndb at GitHub. This link directly opens a new vulnerability issue.

NOTE that you should not report undisclosed bugs in the Go project here. Instead, send an email to [email protected] . Ensure to follow Go's security policy.

Where can I read more?

The Go Vulnerability Database was announced in this blog article: Vulnerability Management for Go - The Go Programming Language

The CLI command is documented here: govulncheck command - golang.org/x/vuln/cmd/govulncheck - Go Packages

The database has a Web page that provides a search by GO ID: Go Vulnerability Database - Go Packages

Finally, the Go Security section of the Go documentation contains a subsection on Go Vulnerability Management and another subsection on the Go Vulnerability Database

Happy (and secure) coding! ʕ◔ϖ◔ʔ

Photo by Laith Abushaar on Unsplash

Categories: Ecosystem, Security