Go Vulnerability Database

Back to Go Vulnerability Management

Overview

The Go vulnerability database (https://vuln.go.dev) serves Go vulnerability information in the Open Source Vulnerability (OSV) schema.

You can also browse vulnerabilities in the database at pkg.go.dev/vuln.

Do not rely on the contents of the x/vulndb Git repository. The YAML files in that repository are maintained using an internal format that may change without warning.

Contributing

We would love for all Go package maintainers to contribute information about public vulnerabilities in their own projects, and update existing information about vulnerabilities in their Go packages.

We aim to make reporting a low friction process, so feel free to send us your suggestions.

Please do not use the forms above to report a vulnerability in the Go standard library or sub-repositories. Instead, follow the process at go.dev/security/policy for vulnerabilities about the Go project.

API

The canonical Go vulnerability database, https://vuln.go.dev, is an HTTP server that can respond to GET requests for the endpoints specified below.

The endpoints have no query parameters, and no specific headers are required. Because of this, even a site serving from a fixed file system (including a file:// URL) can implement this API.

Each endpoint returns a JSON-encoded response, in either uncompressed (if requested as .json) or gzipped form (if requested as .json.gz).

The endpoints are:

Bulk download

To make it easier to download the entire Go vulnerability database, a zip file containing all the index and OSV files is available at vuln.go.dev/vulndb.zip.

Usage in govulncheck

By default, govulncheck uses the canonical Go vulnerability database at vuln.go.dev.

The command can be configured to contact a different vulnerability database using the -db flag,which accepts a vulnerability database URL with protocol http://, https://, or file://.

To work correctly with govulncheck, the vulnerability database specified must implement the API described above. The govulncheck command uses compressed “.json.gz” endpoints when reading from an http(s) source, and the “.json” endpoints when reading from a file source.

Legacy API

The canonical database contains some additional endpoints that are part of a legacy API. We plan to remove support for these endpoints soon. If you are relying on the legacy API and need additional time to migrate, please let us know.

Schema

Reports use the Open Source Vulnerability (OSV) schema. The Go vulnerability database assigns the following meanings to the fields:

id

The id field is a unique identifier for the vulnerability entry. It is a string of the format GO-<YEAR>-<ENTRYID>.

affected

The affected field is a JSON array containing objects that describes the module versions that contain the vulnerability.

affected[].package

The affected[].package field is a JSON object identifying the affected module. The object has two required fields:

affected[].ecosystem_specific

The affected[].ecosystem_specific field is a JSON object with additional information about the vulnerability, which is used by Go’s vulnerability detection tools.

For now, ecosystem specific will always be an object with a single field, imports.

affected[].ecosystem_specific.imports

The affected[].ecosystem_specific.imports field is a JSON array containing the packages and symbols affected by the vulnerability. Each object in the array will have these two fields:

database_specific

The database_specific field contains custom fields specific to the Go vulnerability database.

database_specific.url

The database_specific.url field is a string representing the fully-qualified URL of the Go vulnerability report, e.g, “https://pkg.go.dev/vuln/GO-2023-1621".

database_specific.review_status

The database_specific.review_status field is a string representing the review status of the vulnerability report. If not present, the report should be considered REVIEWED. The possible values are:

For information on other fields in the schema, refer to the OSV spec.

Note on Versions

Our tooling attempts to automatically map modules and versions in source advisories to canonical Go modules and versions, in accordance with standard Go module version numbers. Tools like govulncheck are designed to rely on these standard versions to determine whether a Go project is affected by a vulnerability in a dependency or not.

In some cases, such as when a Go project uses its own versioning scheme, the mapping to standard Go versions can fail. When this happens, the Go vulnerability database report may conservatively list all Go versions as affected. This ensures that tools such as govulncheck do not fail to report vulnerabilities due to unrecognized version ranges (false negatives). However, conservatively listing all versions as affected may cause tools to incorrectly report a fixed version of a module as containing the vulnerability (false positives).

If you believe govulncheck is incorrectly reporting (or failing to report) a vulnerability, please suggest an edit to the vulnerability report and we will review it.

Examples

All vulnerabilities in the Go vulnerability database use the OSV schema described above.

See the links below for examples of different Go vulnerabilities:

Excluded Reports

The reports in the Go vulnerability database are collected from different sources and curated by the Go Security team. We may come across a vulnerability advisory (for example, a CVE or GHSA) and choose to exclude it for a variety of reasons. In these cases, a minimal report will be created in the x/vulndb repository, under x/vulndb/data/excluded.

Reports may be excluded for these reasons:

At the moment, excluded reports are not served via vuln.go.dev API. However, if you have a specific use case and it would be helpful to have access to this information through the API, please let us know.