Vulnerability Management for Go
We are excited to announce Go’s new support for vulnerability management, our first step towards helping Go developers learn about known vulnerabilities that may affect them.
This post provides an overview of what’s available today and next steps for this project.
Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling.
Go vulnerability database
The Go vulnerability database (https://vuln.go.dev) is a comprehensive source of information about known vulnerabilities in importable packages in public Go modules.
Vulnerability data comes from existing sources (such as CVEs and GHSAs) and direct reports from Go package maintainers. This information is then reviewed by the Go security team and added to the database.
We encourage package maintainers to contribute information about public vulnerabilities in their own projects and update existing information about vulnerabilities in their Go packages. We aim to make reporting a low friction process, so please send us your suggestions for any improvements.
Vulnerability detection using govulncheck
The new govulncheck command is a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their projects. Govulncheck analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions. To start using govulncheck, you can run the following from your project:
$ go install golang.org/x/vuln/cmd/govulncheck@latest $ govulncheck ./...
Govulncheck is a standalone tool to allow frequent updates and rapid iteration while we gather feedback from users. In the long term, we plan to integrate the govulncheck tool into the main Go distribution.
To directly integrate vulnerability checking into other tools and processes, the vulncheck package exports govulncheck’s functionality as a Go API.
It’s always better to learn about vulnerabilities as early as possible in the development and deployment process. To that end, we have integrated vulnerability detection into existing Go tools and services, such as the Go package discovery site. For example, this page shows the known vulnerabilities in each version of golang.org/x/text. Vulnerability checking functionality through the VS Code Go extension is also coming soon.
We hope you’ll find Go’s support for vulnerability management useful and help us improve it!
Go’s support for vulnerability management is a new feature that is under active development. You should expect some bugs and limitations.
We would love for you to contribute and help us make improvements in the following ways:
- Contribute new and update existing information about public vulnerabilities for Go packages that you maintain
- Take this survey to share your experience using govulncheck
- Send us feedback about issues and feature requests
We are excited to work with you to build a better and more secure Go ecosystem.