The Go Blog

Vulnerability Management for Go

Julie Qiu, for the Go security team
6 September 2022

We are excited to announce Go’s new support for vulnerability management, our first step towards helping Go developers learn about known vulnerabilities that may affect them.

This post provides an overview of what’s available today and next steps for this project.

Overview

Go provides tooling to analyze your codebase and surface known vulnerabilities. This tooling is backed by the Go vulnerability database, which is curated by the Go security team. Go’s tooling reduces noise in your results by only surfacing vulnerabilities in functions that your code is actually calling.

Architecture diagram of Go's vulnerability management system

Go vulnerability database

The Go vulnerability database (https://vuln.go.dev) is a comprehensive source of information about known vulnerabilities in importable packages in public Go modules.

Vulnerability data comes from existing sources (such as CVEs and GHSAs) and direct reports from Go package maintainers. This information is then reviewed by the Go security team and added to the database.

We encourage package maintainers to contribute information about public vulnerabilities in their own projects and update existing information about vulnerabilities in their Go packages. We aim to make reporting a low friction process, so please send us your suggestions for any improvements.

The Go vulnerability database can be viewed in your browser at pkg.go.dev/vuln. For more information about the database, see go.dev/security/vuln/database.

Vulnerability detection using govulncheck

The new govulncheck command is a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their projects. Govulncheck analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions. To start using govulncheck, you can run the following from your project:

$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck ./...

Govulncheck is a standalone tool to allow frequent updates and rapid iteration while we gather feedback from users. In the long term, we plan to integrate the govulncheck tool into the main Go distribution.

To directly integrate vulnerability checking into other tools and processes, the vulncheck package exports govulncheck’s functionality as a Go API.

Integrations

It’s always better to learn about vulnerabilities as early as possible in the development and deployment process. To that end, we have integrated vulnerability detection into existing Go tools and services, such as the Go package discovery site. For example, this page shows the known vulnerabilities in each version of golang.org/x/text. Vulnerability checking functionality through the VS Code Go extension is also coming soon.

Next Steps

We hope you’ll find Go’s support for vulnerability management useful and help us improve it!

Go’s support for vulnerability management is a new feature that is under active development. You should expect some bugs and limitations.

We would love for you to contribute and help us make improvements in the following ways:

We are excited to work with you to build a better and more secure Go ecosystem.

Next article: Go Developer Survey 2022 Q2 Results
Previous article: Go 1.19 is released!
Blog Index