Security: Vulnerability scanner for Google Go is launched

Google has released the Govulncheck tool and its associated API in version 1.0. The tool, which examines projects written in the Go programming language for vulnerabilities, is therefore now considered stable.


The command line tool, first presented in autumn 2022, examines the dependencies of a project for known vulnerabilities. Its basis is the Go Vulnerability Database, which records vulnerabilities in public Go modules. The information about these vulnerabilities comes from public sources such as Common Vulnerabilities and Exposures (CVE) and GitHub Security Advisories (GHSA), from reports by the maintainers of Go packages, and from security fixes in the Go project itself.



The vuln.go.dev database contains records of vulnerabilities. The command line tool, the extension for Visual Studio Code and the Go Package page use the information to warn about vulnerabilities.

To avoid false positives, the Go security team curates the database. The JavaScript package manager npm has also offered a command for checking for vulnerabilities, npm audit, since version 6.0, but at least in its early days it had a reputation for delivering far too many false positives.

Govulncheck is a command line tool that can scan both source code and compiled binaries for dependencies with vulnerabilities. If one of the dependencies has a vulnerability, the tool checks whether the project actually uses the affected function; this is meant to prevent false positives.

Alongside Govulncheck, the associated API for integration into external tools such as security scanners has also reached stable version 1.0. It provides the same functionality as the command line tool.


The extension for Visual Studio Code, which Google also announced in autumn 2022, now has a good 10 million installations. A tutorial is intended to help with getting started.



The extension shows details of known vulnerabilities in project dependencies in the Visual Studio Code editor.

For direct access to the database there is also an API that is called via HTTP GET requests. In addition, the Go team provides a GitHub Action for Govulncheck, marked as experimental, to help teams integrate vulnerability scanning into their CI/CD (continuous integration, continuous delivery) pipelines.
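As an added example, not code from the Go project or from this article, the following Python evaluates one record of the kind the database serves over HTTP: it checks a module version against the ordered "introduced"/"fixed" SEMVER events of an OSV-style entry and reports whether that version is affected. The record, the module path example.com/lib and the versions are constructed assumptions, so the check runs offline.

```python
"""Check one Go vulnerability database record against a module version."""
import json

# Constructed OSV-style record in the shape vuln.go.dev serves, trimmed to the
# fields this check reads (the module path and all versions are made up).
SAMPLE_RECORD = json.dumps({
    "id": "GO-0000-EXAMPLE",
    "affected": [{
        "package": {"name": "example.com/lib", "ecosystem": "Go"},
        "ranges": [{"type": "SEMVER", "events": [
            {"introduced": "0"}, {"fixed": "1.2.0"},
            {"introduced": "1.3.0"}, {"fixed": "1.3.4"},
        ]}],
    }],
})


def semver_key(version: str) -> tuple:
    """Map 'v1.2.3-pre' to (1, 2, 3); OSV's bare '0' boundary becomes (0, 0, 0)."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(record_json: str, module: str, version: str) -> bool:
    """Walk each SEMVER range's ordered events: an 'introduced' at or below the
    queried version opens an affected interval, a 'fixed' at or below it closes it."""
    record = json.loads(record_json)
    want = semver_key(version)
    for affected in record.get("affected", []):
        if affected.get("package", {}).get("name") != module:
            continue
        for rng in affected.get("ranges", []):
            if rng.get("type") != "SEMVER":
                continue
            hit = False
            for event in rng.get("events", []):
                if "introduced" in event and semver_key(event["introduced"]) <= want:
                    hit = True
                if "fixed" in event and semver_key(event["fixed"]) <= want:
                    hit = False
            if hit:
                return True
    return False


if __name__ == "__main__":
    for v in ("v1.1.9", "v1.2.0", "v1.3.2", "v1.3.4"):
        print(v, "affected:", is_affected(SAMPLE_RECORD, "example.com/lib", v))
```

Note that a "fixed" boundary is itself not affected, and a second "introduced" event reopens the interval, which is how a regression in a later release line is encoded.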

Further details on Govulncheck, the Vulnerability Database and the APIs can be found on the Go blog.


(rm)
