Menu
Golang vulnerability checker flags Go vulnerabilities

Golang vulnerability checker flags Go vulnerabilities

Govulncheck is a command-line utility that uses the Go vulnerability database to identify known vulnerabilities in Go source code and Go binaries.

Credit: Fotis Fotopoulos on Unsplash

Govulncheck, a command-line tool to help users of Google’s Go programming language find known vulnerabilities in project dependencies, has reached 1.0.0 status, the Go security team said.

Unveiled July 13, Govulncheck can analyse both binaries and source code. It reduces noise by prioritising vulnerabilities in functions the code is calling.

Govulncheck is powered by the Go vulnerability database, which provides information about known vulnerabilities in public Go modules.

Govulncheck uses static analysis of source code or a binary’s symbol table to limit its reports to only vulnerabilities that could affect a particular application.

Developers can use <a href="https://pkg.go.dev/cmd/go#hdr-Compile_and_install_packages_and_dependencies" rel="nofollow">go install</a> to install the tool:

go install golang.org/x/vuln/cmd/govulncheck@latest

Developers can analyse source code by running Govulncheck inside a module directory:

govulncheck ./...

Govulncheck must be built with Go 1.18 or a later version. Go 1.20 is the current production release of the language.

Govulncheck searches for vulnerabilities using a specific build configuration. For source code, the configuration is the Go version specified by the “go” command found on the path. For binaries, the build configuration is the one used in building the binary. Different build configurations may have different known vulnerabilities.

Govulncheck has a number of limitations:

  • Govulncheck analyses function pointer and interface calls conservatively, which could result in false positives or inaccurate call stacks.
  • Calls to functions made using package reflect are not visible.
  • Because Go binaries do not have detailed call information, Govulncheck cannot show call graphs for detected vulnerabilities. It also might report false positives for code that is in the binary but not reachable.
  • There is no support for silencing vulnerability findings.
  • For binaries where symbol information cannot be extracted, Govulncheck reports vulnerabilities for all modules on which the binary depends.

The Go security team initially announced support for vulnerability management last September, with the project anchored by the vulnerability database.


Tags programming languageprogramming tools

Show Comments