Golang program vulnerability detection tool govulncheck (2): Detailed explanation of vulnerability database

The previous article described in detail how to use govulncheck, the vulnerability scanning tool for Go programs. Everything govulncheck does rests on the Go vulnerability database, so this article explains that database in detail.

What is the Go vulnerability database?

In today's digital world, software security is crucial. As Go becomes more widely used, the security of Go projects matters more and more. The Go vulnerability database was created to help developers find and fix security vulnerabilities affecting Go code promptly.

The Go vulnerability database, served at https://vuln.go.dev and browsable at https://pkg.go.dev/vuln, stores information about security vulnerabilities in Go code and is officially maintained by the Go team. Its data comes from existing sources such as CVE and GHSA records and from reports submitted directly by Go package maintainers; every report is reviewed by the Go security team before it is added to the database.

The database can be consumed from several kinds of data source, and the Go vulnerability tooling provides an interface for a vulnerability data source together with default implementations. Entries are stored and transmitted in the OSV (Open Source Vulnerability) format, and a client can look up known vulnerabilities by module path or by vulnerability ID.

Go Vulnerability Database API

The Go vulnerability database exposes a set of endpoints over HTTP. All of them are accessed with GET and all return JSON.

  1. Database metadata endpoint: /index/db.json[.gz]

Examples are as follows:

$ curl https://vuln.go.dev/index/db.json
{"modified":"2023-08-23T14:38:50Z"}
  2. Per-module metadata endpoint: /index/modules.json[.gz]

Examples are as follows:

$ curl https://vuln.go.dev/index/modules.json
[ {
  // The module path.
  "path": string,
  // The vulnerabilities that affect this module.
  "vulns":
    [ {
      // The vulnerability ID.
      "id": string,
      // The latest time the vulnerability should be considered
      // to have been modified, as an RFC3339-formatted UTC
      // timestamp ending in "Z".
      "modified": string,
      // (Optional) The module version (in SemVer 2.0.0 format)
      // that contains the latest fix for the vulnerability.
      // If unknown or unavailable, this should be omitted.
      "fixed": string,
    } ]
} ]
  3. Per-vulnerability metadata endpoint: /index/vulns.json[.gz]

Examples are as follows:

$ curl https://vuln.go.dev/index/vulns.json
[ {
     // The vulnerability ID.
     "id": string,
     // The latest time the vulnerability should be considered
     // to have been modified, as an RFC3339-formatted UTC
     // timestamp ending in "Z".
     "modified": string,
     // A list of IDs of the same vulnerability in other databases.
     "aliases": [ string ]
 } ]
  4. Single vulnerability entry endpoint: /ID/$id.json[.gz]

Examples are as follows:

$ curl https://vuln.go.dev/ID/GO-2023-2003.json
{
    "schema_version": "1.3.1",
    "id": "GO-2023-2003",
    "modified": "2023-08-10T22:06:06Z",
    "published": "2023-08-10T22:06:06Z",
    "aliases": [
        "GHSA-8c37-7qx3-4c4p"
    ],
    "summary": "Blst fails to perform group signature validation",
    "details": "When complemented with a check for infinity, blst skips performing a signature group-check. Formally speaking, infinity is the identity element of the elliptic curve group and as such it is a member of the group, so the group-check should be performed. The fix performs the check even in the presence of infinity.",
    "affected": [
        {
            "package": {
                "name": "github.com/supranational/blst",
                "ecosystem": "Go"
            },
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0.3.0"
                        },
                        {
                            "fixed": "0.3.11"
                        }
                    ]
                }
            ],
            "ecosystem_specific": {
                "imports": [
                    {
                        "path": "github.com/supranational/blst/bindings/go",
                        "symbols": [
                            "P1Affine.SigValidate",
                            "P2Affine.SigValidate"
                        ]
                    }
                ]
            }
        }
    ],
    "references": [
        {
            "type": "FIX",
            "url": "https://github.com/supranational/blst/commit/fb91221c91c82f65bfc7f243256308977a06d48b"
        },
        {
            "type": "WEB",
            "url": "https://github.com/supranational/blst/releases/tag/v0.3.11"
        }
    ],
    "credits": [
        {
            "name": "Yunjong Jeong (@blukat29)"
        }
    ],
    "database_specific": {
        "url": "https://pkg.go.dev/vuln/GO-2023-2003"
    }
}
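As an added example (not code from the original post, from govulncheck or from the Go team), the following Go program decodes a trimmed inline copy of the GO-2023-2003 document above and answers the question a scanner has to answer from such an entry: is a given module at a given version inside the affected SEMVER range, and if so, which import paths and symbols carry the vulnerable code? The compareVersion helper is an assumption made to keep the example dependency-free; real tooling uses golang.org/x/mod/semver. The rest follows the structure of the entry as shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Entry and Affected hold the OSV fields this example needs; the JSON tags follow
// the /ID/$id.json document shown above.
type Entry struct {
	ID       string     `json:"id"`
	Affected []Affected `json:"affected"`
}

type Affected struct {
	Package struct {
		Name string `json:"name"`
	} `json:"package"`
	Ranges []struct {
		Type   string `json:"type"`
		Events []struct {
			Introduced string `json:"introduced,omitempty"`
			Fixed      string `json:"fixed,omitempty"`
		} `json:"events"`
	} `json:"ranges"`
	EcosystemSpecific struct {
		Imports []struct {
			Path    string   `json:"path"`
			Symbols []string `json:"symbols"`
		} `json:"imports"`
	} `json:"ecosystem_specific"`
}

// sampleEntry is a trimmed inline copy of the GO-2023-2003 document above.
const sampleEntry = `{"id": "GO-2023-2003", "affected": [{
  "package": {"name": "github.com/supranational/blst", "ecosystem": "Go"},
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0.3.0"}, {"fixed": "0.3.11"}]}],
  "ecosystem_specific": {"imports": [{"path": "github.com/supranational/blst/bindings/go",
    "symbols": ["P1Affine.SigValidate", "P2Affine.SigValidate"]}]}}]}`

// ParseEntry decodes one vulnerability document.
func ParseEntry(data []byte) (Entry, error) {
	var e Entry
	err := json.Unmarshal(data, &e)
	return e, err
}

// compareVersion is a deliberately simplified "major.minor.patch" comparison (leading "v"
// tolerated, anything after the patch number ignored); an assumption standing in for golang.org/x/mod/semver.
func compareVersion(a, b string) int {
	var x, y [3]int
	fmt.Sscanf(strings.TrimPrefix(a, "v"), "%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(strings.TrimPrefix(b, "v"), "%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			if x[i] < y[i] {
				return -1
			}
			return 1
		}
	}
	return 0
}

// AffectedSymbols reports whether module at version lies inside any SEMVER range of the
// entry and, if so, which import paths and symbols are affected. OSV events are ordered:
// "introduced" turns the vulnerable state on for versions >= it, a later "fixed" turns it off.
func AffectedSymbols(e Entry, module, version string) (bool, map[string][]string) {
	for _, a := range e.Affected {
		if a.Package.Name != module {
			continue
		}
		vulnerable := false
		for _, r := range a.Ranges {
			state := false
			for _, ev := range r.Events {
				if ev.Introduced != "" && compareVersion(version, ev.Introduced) >= 0 {
					state = true
				} else if ev.Fixed != "" && compareVersion(version, ev.Fixed) >= 0 {
					state = false
				}
			}
			vulnerable = vulnerable || (r.Type == "SEMVER" && state)
		}
		if vulnerable {
			syms := map[string][]string{}
			for _, imp := range a.EcosystemSpecific.Imports {
				syms[imp.Path] = append(syms[imp.Path], imp.Symbols...)
			}
			return true, syms
		}
	}
	return false, nil
}

func main() {
	e, _ := ParseEntry([]byte(sampleEntry))
	fmt.Println(AffectedSymbols(e, "github.com/supranational/blst", "v0.3.10"))
}
```

The walk over events is what gives the half-open range [introduced, fixed): v0.3.10 is reported as affected with the two SigValidate symbols, while v0.3.11 (the fix) and v0.2.9 (before introduction) are not. An "introduced" value of "0" in the database means every version from the start, and the same comparison handles it.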

How govulncheck uses the vulnerability database

By default govulncheck reads vulnerability data from https://vuln.go.dev. The -db flag selects a different database and accepts http://, https:// and file:// URLs; whatever database is given must implement the endpoints described above. govulncheck requests the ".json.gz" form of each endpoint from http(s) sources and the ".json" form from file sources.
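To make that endpoint list concrete, here is an added Go example (not part of the original post and not govulncheck's own code) that writes a minimal database in the layout a file:// source needs: index/db.json, index/modules.json, index/vulns.json and ID/<id>.json, with the index shapes taken from the section above. The input records are constructed: GO-2023-2003 is the entry from this page, while GO-0000-0001 with module example.com/placeholder/mod is a placeholder (not a real ID or module) included only to show grouping by module and the omitted "fixed" field. For an http(s)-hosted mirror the same bodies would additionally have to be served gzip-compressed under the .json.gz names, since that is what govulncheck requests from such sources.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// Record carries what the index files need plus the full OSV document for ID/<id>.json.
type Record struct {
	ID, Modified, Module, Fixed string // Fixed is "" when unknown
	Aliases                     []string
	Entry                       json.RawMessage // written verbatim to ID/<id>.json
}

// ModuleVuln, ModuleIndex and VulnIndex mirror the /index/modules.json and /index/vulns.json shapes above.
type ModuleVuln struct {
	ID       string `json:"id"`
	Modified string `json:"modified"`
	Fixed    string `json:"fixed,omitempty"` // omitted when unknown, as the schema says
}
type ModuleIndex struct {
	Path  string       `json:"path"`
	Vulns []ModuleVuln `json:"vulns"`
}
type VulnIndex struct {
	ID       string   `json:"id"`
	Modified string   `json:"modified"`
	Aliases  []string `json:"aliases"`
}

// BuildIndex groups records by module path (first-seen order) into the bodies of modules.json and vulns.json.
func BuildIndex(recs []Record) ([]ModuleIndex, []VulnIndex) {
	var mods []ModuleIndex
	vulns := []VulnIndex{}
	pos := map[string]int{}
	for _, r := range recs {
		i, ok := pos[r.Module]
		if !ok {
			i, pos[r.Module] = len(mods), len(mods)
			mods = append(mods, ModuleIndex{Path: r.Module})
		}
		mods[i].Vulns = append(mods[i].Vulns, ModuleVuln{ID: r.ID, Modified: r.Modified, Fixed: r.Fixed})
		aliases := r.Aliases
		if aliases == nil {
			aliases = []string{} // emit [] rather than null
		}
		vulns = append(vulns, VulnIndex{ID: r.ID, Modified: r.Modified, Aliases: aliases})
	}
	return mods, vulns
}

// writeJSON marshals v to path, creating parent directories as needed.
func writeJSON(path string, v any) error {
	body, err := json.Marshal(v)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
		return err
	}
	return os.WriteFile(path, body, 0o644)
}

// WriteDB materialises all four endpoints under dir in the plain .json form a file:// source uses.
func WriteDB(dir string, recs []Record, modified time.Time) error {
	mods, vulns := BuildIndex(recs)
	stamp := map[string]string{"modified": modified.UTC().Format(time.RFC3339)}
	files := map[string]any{"index/db.json": stamp, "index/modules.json": mods, "index/vulns.json": vulns}
	for _, r := range recs {
		files["ID/"+r.ID+".json"] = r.Entry
	}
	for name, v := range files {
		if err := writeJSON(filepath.Join(dir, name), v); err != nil {
			return err
		}
	}
	return nil
}

// SampleRecords is constructed input: GO-2023-2003 from this page plus a placeholder ID and module (not real).
func SampleRecords() []Record {
	return []Record{
		{ID: "GO-2023-2003", Modified: "2023-08-10T22:06:06Z", Aliases: []string{"GHSA-8c37-7qx3-4c4p"},
			Module: "github.com/supranational/blst", Fixed: "0.3.11",
			Entry: json.RawMessage(`{"id":"GO-2023-2003","summary":"Blst fails to perform group signature validation"}`)},
		{ID: "GO-0000-0001", Modified: "2023-08-23T00:00:00Z", Module: "example.com/placeholder/mod",
			Entry: json.RawMessage(`{"id":"GO-0000-0001","summary":"placeholder entry"}`)},
	}
}

func main() {
	dir, _ := os.MkdirTemp("", "govulndb")
	if err := WriteDB(dir, SampleRecords(), time.Now()); err != nil {
		panic(err)
	}
	fmt.Println("govulncheck -db file://" + dir + " ./...")
}
```

Pointing govulncheck at the output with -db file://<dir> makes it read this tree instead of https://vuln.go.dev, which is how a scan can be pinned to a reviewed snapshot of the database or run on a machine without outbound access; main prints the command line to use. Note the two schema details the code has to get right: an unknown fixed version is omitted rather than written as an empty string, and a vulnerability with no aliases still carries an empty array.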


Origin blog.csdn.net/luduoyuan/article/details/132653076