golang漏洞扫描工具,看看自己项目有没有坑

企业开发 2023-10-04 20:34:41 阅读次数: 0

最近发现 Go 官方自己推出了新的工具,作用是漏洞管理,告诉你已报告的漏洞,并告知你应该如何升级到什么版本。

版本要求是:Go >= 1.18

go install golang.org/x/vuln/cmd/govulncheck@latest

进入项目目录

govulncheck ./...

输出如下

Scanning your code and 470 packages across 91 dependent modules for known vulnerabilities...

Vulnerability #1: GO-2023-2043
    Improper handling of special tags within script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2043
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.Execute
      #2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate

Vulnerability #2: GO-2023-2041
    Improper handling of HTML-like comments in script contexts in html/template
  More info: https://pkg.go.dev/vuln/GO-2023-2041
  Standard library
    Found in: html/[email protected]
    Fixed in: html/[email protected]
    Example traces found:
      #1: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.Execute
      #2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls template.Template.ExecuteTemplate

Vulnerability #3: GO-2023-1987
    Large RSA keys can cause high CPU usage in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2023-1987
  Standard library
    Found in: crypto/[email protected]
    Fixed in: crypto/[email protected]
    Example traces found:
      #1: pkg/gredis/redis.go:22:24: gredis.Setup calls redis.Dial, which calls tls.Conn.Handshake
      #2: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
      #3: pkg/util/util.go:140:19: util.CreateUuidStringNew calls rand.Read, which eventually calls tls.Conn.Read
      #4: pkg/endless/endless_unix.go:201:24: endless.endlessServer.Serve calls http.Server.Serve, which eventually calls tls.Conn.Write
      #5: pkg/curl/curl.go:62:23: curl.HttpClientRequest calls http.Client.Do, which eventually calls tls.Dialer.DialContext
....
....

GO-2023-2043 为漏洞编号,后面的为漏洞说明和修复建议。

具体说明参考文章:https://mp.weixin.qq.com/s/xO_w3FvNN8OeiuEYFarwGQ

猜你喜欢

转载自blog.csdn.net/raoxiaoya/article/details/133310423
今日推荐
《美国对全球网络空间安全与发展的威胁和破坏》报告发布
火速冲上 GitHub 热榜 —— 开源编程语言、框架哪有这么可爱?
北京人形机器人创新中心发布全球首个纯电驱拟人奔跑的全尺寸人形机器人“天工”
LFOSSA 源来如此公开课 | 掌握云原生未来:CNCF 认证全面攻略与备考秘籍
周排行
让自己的头脑极度开放
CentOS 6.5(x64) 和Redhat6.5操作系误删libc
高可用注册中心
【日记】12.28/【题解】AtCoder AGC041
XML(5)_XML 约束_DTD
Java集合Map(四)
树梅派安装桌面环境教程
pipenv 的 使用和安装
小程序白屏问题和内存研究
C语言简单选择排序
每日归档
更多
2024-05-02(0)
2024-05-01(4)
2024-04-30(1)
2024-04-29(40)
2024-04-28(0)
2024-04-27(56)
2024-04-26(39)
2024-04-25(22)
2024-04-24(36)
2024-04-23(26)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022