The Go security team maintains the Go Vulnerability Database, and a new tool, govulncheck, reports only the vulnerabilities that are relevant to a given project.
Google has launched a vulnerability database for the Go programming language and released a tool that checks projects for known vulnerabilities. The Go security team is responsible for maintaining the database.
The information about the vulnerabilities comes from public sources such as Common Vulnerabilities and Exposures (CVE) and GitHub Security Advisories (GHSA), from reports by the maintainers of Go packages, and from security fixes to the Go project itself. The Go security team curates the database to avoid false positives.
Go package maintainers can report vulnerabilities on a dedicated GitHub issue page. In addition to the description, they specify the affected modules, versions, functions, methods and structs, and they can reference an existing CVE entry if one exists.
Targeted vulnerability search
The new command govulncheck uses the database to identify vulnerabilities that pose a specific threat to a project. To do this, it analyses the code base for calls, including transitive ones, that reach functions with known vulnerabilities. The tool therefore does not warn about every vulnerability in a project's external modules, but only about those whose vulnerable functions the project actually reaches.
The declared goal is a “quiet, reliable way” of searching for vulnerabilities, so that developers are not flooded with warnings and do not overlook the relevant ones in the general noise.
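The matching step behind that behaviour, as an added example (this is not code from the Go team or from govulncheck): a Go vulnerability database entry is an OSV record whose affected module carries SEMVER ranges and, under ecosystem_specific, the import paths and symbols that are actually vulnerable. The program below takes such an entry, a list of functions the project reaches (standing in for what the call-graph analysis would produce), and reports a finding only when the module name, the version in use and the reached symbol all match. The entry ID, the version range, the symbols and the call list are constructed for the example; the hand-written version comparison ignores pre-release tags.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Subset of the OSV schema used by the Go vulnerability database.
type Event struct {
	Introduced string `json:"introduced"`
	Fixed      string `json:"fixed"`
}
type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events"`
}
type Import struct {
	Path    string   `json:"path"`
	Symbols []string `json:"symbols"`
}
type Affected struct {
	Package struct {
		Name string `json:"name"`
	} `json:"package"`
	Ranges            []Range `json:"ranges"`
	EcosystemSpecific struct {
		Imports []Import `json:"imports"`
	} `json:"ecosystem_specific"`
}
type Entry struct {
	ID       string     `json:"id"`
	Affected []Affected `json:"affected"`
}

// Constructed entry: ID, range and symbols are made up for this example.
const sampleDB = `[{"id":"GO-0000-0001","affected":[{
 "package":{"name":"golang.org/x/text","ecosystem":"Go"},
 "ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.8"}]}],
 "ecosystem_specific":{"imports":[{"path":"golang.org/x/text/language","symbols":["Parse","ParseAcceptLanguage"]}]}
}]}]`

// Call is one function the analysed project reaches, with the module version in use.
type Call struct{ Module, Pkg, Symbol, Version string }

// Constructed call list: a reached vulnerable symbol, a reached symbol the entry
// does not name, and the vulnerable symbol at the fixed version.
var sampleCalls = []Call{
	{"golang.org/x/text", "golang.org/x/text/language", "Parse", "v0.3.7"},
	{"golang.org/x/text", "golang.org/x/text/unicode/norm", "NFC.String", "v0.3.7"},
	{"golang.org/x/text", "golang.org/x/text/language", "Parse", "v0.3.8"},
}

func LoadDB(text string) ([]Entry, error) {
	var db []Entry
	err := json.Unmarshal([]byte(text), &db)
	return db, err
}

// cmpSemver compares MAJOR.MINOR.PATCH numerically; a leading "v" is ignored,
// so go.mod versions ("v0.3.7") and OSV versions ("0.3.8") compare directly.
func cmpSemver(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3; i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// inRange walks the OSV event list and reports whether v lies in some
// [introduced, fixed) interval; a trailing "introduced" without "fixed" is open-ended.
func inRange(events []Event, v string) bool {
	intro, open := "", false
	for _, e := range events {
		if e.Introduced != "" {
			intro, open = e.Introduced, true
		}
		if e.Fixed != "" && open {
			if cmpSemver(v, intro) >= 0 && cmpSemver(v, e.Fixed) < 0 {
				return true
			}
			open = false
		}
	}
	return open && cmpSemver(v, intro) >= 0
}

// Findings maps "pkg.Symbol" to the entry IDs that apply: module, version and
// reached symbol must all match. Calls into a vulnerable module that never reach
// a vulnerable symbol produce nothing, which is the targeted behaviour described above.
func Findings(db []Entry, calls []Call) map[string][]string {
	out := map[string][]string{}
	for _, c := range calls {
		for _, e := range db {
			for _, a := range e.Affected {
				if a.Package.Name != c.Module {
					continue
				}
				hit := false
				for _, r := range a.Ranges {
					hit = hit || (r.Type == "SEMVER" && inRange(r.Events, c.Version))
				}
				if !hit {
					continue
				}
				for _, imp := range a.EcosystemSpecific.Imports {
					if imp.Path != c.Pkg {
						continue
					}
					for _, s := range imp.Symbols {
						if s == c.Symbol {
							key := c.Pkg + "." + c.Symbol
							out[key] = append(out[key], e.ID)
						}
					}
				}
			}
		}
	}
	return out
}

func main() {
	db, err := LoadDB(sampleDB)
	if err != nil {
		panic(err)
	}
	for sym, ids := range Findings(db, sampleCalls) {
		fmt.Printf("%s: %v\n", sym, ids)
	}
}
```

Only the first call produces a finding; the second reaches the vulnerable module but not a symbol the entry names, and the third is at the fixed version. A real run differs from this toy in one important respect: the reached-call list comes from static call-graph analysis, so dynamic dispatch and reflection can hide a path, which is why a clean report is evidence rather than proof.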
If you want to integrate vulnerability checking into other tools or processes, the vulncheck package provides a Go API with the functions behind govulncheck. In the near future, the Go team will also release an extension for Visual Studio Code that integrates the vulnerability detection functions.
The special issue “Programming Languages - Next Generation” contains 156 pages of articles that mainly deal with the languages Go, Rust, TypeScript and Kotlin. Besides interfaces and concurrency, the Go coverage focuses on security: the language from Google offers mechanisms intended to reduce weak points in the software supply chain.
The PDF version of the special issue is available in the voonze shop for EUR 12.99. The printed version can be ordered for EUR 14.90 – no shipping costs until September 15th. In addition, the voonze shop offers a bundle consisting of a printed edition plus a PDF for EUR 19.90. The magazine will also be available in well-stocked kiosks and bookstores from September 8th.
The package discovery site for Go packages, pkg.go.dev, now also shows known vulnerabilities for the individual versions in the overview. As an example, the Go team cites the golang.org/x/text package.
More details can be found in the Go team's blog post. In addition to links for submitting vulnerabilities, it also includes a survey on experiences with and requests for