Preface
I wonder if you go
have ever encountered vulnerabilities in some third-party packages or official packages in your development projects. These vulnerabilities may affect the function, performance or security of the code.
Now to address this problem, go
the team has provided govulncheck
tools to help developers quickly discover and fix these vulnerabilities.
What is govulncheck
govulncheck
It is go
an officially provided binary tool for checking go
whether there are known security vulnerabilities in code or binary files.
principle
go
The security team and community members jointly maintain a vulnerability database govulndb , which collects related vulnerability information since 2018
its launch in 2018 .go module
go
govulncheck
First, the version information of the modules and packages used in the code will be found, then the latest data of the vulnerability library will be called through the interface, and finally the data will be compared, and the affected packages or modules will be listed and output.
The picture above is go
the system architecture diagram provided by the official blog
- Vulnerability collection.
go
The security team will collect vulnerability data from a variety of channels, such as the public vulnerability databaseNational Vulnerability Database
(NVD
) andGitHub Advisory Database
community feedback https://go.dev/s/vulndb-report-new (we can also use this to report the vulnerabilities discovered by ourselves) reported) andgo
security vulnerabilities fixed by the team themselves, etc. - Update
go
vulnerability database. After collecting security vulnerabilities,go
the security team will make an assessment, and if they need to be dealt with, they will be directly entered into the vulnerability database. - Tool integration. After new vulnerabilities are dealt with, the vulnerability description on pkg.go.dev will be updated accordingly and new
govulncheck
tools will be released.
Basic usage
Installation and use are relatively simple.
Download the latest version of the tool via the command line
go install golang.org/x/vulndb/cmd/govulncheck@latest
Then execute it in the directory that needs to be checked
govulncheck ./...
The output after execution is as follows, and vulnerability information and suggestions on how to fix it will be given.
some limitations
- When scanning a binary file for security vulnerabilities, it is required that the binary file must be
go 1.18
compiled with or a higher version. Security vulnerability scanning of binary files compiled with lower versions is not supported. - It is not possible to display
go
the call graph ( ) of the security vulnerabilities scanned in the binary filecall graph
becausego
the binary file does not contain detailed call chain information. False positives can also occur for code within binaries. - Only vulnerabilities under the
govulncheck
currently executinggo
compilation environment and configuration ( ) will be reported .GOOS/GOARCH
Example: The vulnerability only existslinux
under , but the development environment iswindows
cross-platform development for , which may result in the vulnerability not being detected in the development environment. - Assuming that
go 1.18
the vulnerability is only in the standard library, if the versiongovulncheck
of the compilation environment where the current execution is , the vulnerability will not be reported.go
1.19
Details can be found on: official blog .
Summarize
govulncheck
It is go
an official vulnerability checking tool. go
The team collects vulnerabilities from multiple places and stores them in its own vulnerability library, and then uses govulncheck
tools to scan codes or binary files for vulnerabilities.
A great tool, it is recommended to introduce vulnerability checking into the daily development process ( CI/CD
, code review, etc.), which can help us go
build high-quality, high-security programs through.