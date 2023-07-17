Menu
Golang vulnerability checker flags Go vulnerabilities

Govulncheck is a command-line utility that uses the Go vulnerability database to identify known vulnerabilities in Go source code and Go binaries.

Paul Krill (InfoWorld)

Govulncheck, a command-line tool to help users of Google’s Go programming language find known vulnerabilities in project dependencies, has reached 1.0.0 status, the Go security team said.

Unveiled July 13, Govulncheck can analyse both binaries and source code. It reduces noise by prioritising vulnerabilities in functions the code actually calls over those that merely sit in an imported dependency.

Govulncheck is powered by the Go vulnerability database, which provides information about known vulnerabilities in public Go modules.

Govulncheck uses static analysis of source code or a binary’s symbol table to limit its reports to only vulnerabilities that could affect a particular application.

Developers can use go install to install the tool:

go install golang.org/x/vuln/cmd/govulncheck@latest

Developers can analyse source code by running Govulncheck inside a module directory:

govulncheck ./...

Govulncheck must be built with Go 1.18 or a later version. Go 1.20 is the current production release of the language.

Govulncheck searches for vulnerabilities using a specific build configuration. For source code, the configuration is the Go version specified by the “go” command found on the path. For binaries, the build configuration is the one used in building the binary. Different build configurations may have different known vulnerabilities.

Govulncheck has a number of limitations:

  • Govulncheck analyses function pointer and interface calls conservatively, which could result in false positives or inaccurate call stacks.
  • Calls to functions made using package reflect are not visible.
  • Because Go binaries do not have detailed call information, Govulncheck cannot show call graphs for detected vulnerabilities. It also might report false positives for code that is in the binary but not reachable.
  • There is no support for silencing vulnerability findings.
  • For binaries where symbol information cannot be extracted, Govulncheck reports vulnerabilities for all modules on which the binary depends.
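Two of the points above leave work to the user: govulncheck cannot silence findings, and binary mode may report code that is present but unreachable. The triage that follows is an added example, not code from the article or from the govulncheck project. It reads the stream that `govulncheck -json` writes (one JSON object per line-delimited message) and separates symbol-level findings, where a call path from your code to the vulnerable function was found, from module- or package-level ones, where the dependency is only imported. The field names, the convention that a trace runs from the vulnerable symbol back to the entry point, and the sample stream are my assumptions about the v1.0.0 output format, not taken from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Message is one object from the govulncheck -json stream. The stream also
// carries "config", "progress" and "osv" objects; only "finding" is decoded
// here, everything else is skipped. Field names follow the govulncheck
// v1.0.0 JSON schema as I understand it (assumption, not copied from the tool).
type Message struct {
	Finding *Finding `json:"finding,omitempty"`
}

// Finding is emitted once per evidence level: a trace holding only a module
// frame (module imported), a package frame (package imported), or function
// frames (vulnerable symbol reachable). Frames run from the vulnerable
// symbol back to the entry point (assumption about frame ordering).
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version,omitempty"`
	Trace        []Frame `json:"trace"`
}

type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version,omitempty"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
	Receiver string `json:"receiver,omitempty"`
}

// Summary keeps the strongest evidence seen for each OSV id.
type Summary struct {
	Called   map[string]Finding // a call path to the vulnerable symbol exists
	Imported map[string]Finding // module or package imported, no call found
}

// Triage decodes the stream and buckets findings by evidence level.
func Triage(r io.Reader) (Summary, error) {
	s := Summary{Called: map[string]Finding{}, Imported: map[string]Finding{}}
	dec := json.NewDecoder(r)
	for {
		var m Message
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil {
			return s, err
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 {
			continue
		}
		if f.Trace[0].Function != "" {
			s.Called[f.OSV] = *f
			delete(s.Imported, f.OSV) // symbol-level evidence supersedes import-level
		} else if _, seen := s.Called[f.OSV]; !seen {
			s.Imported[f.OSV] = *f
		}
	}
	return s, nil
}

// CallPath renders a symbol-level trace entry point first,
// e.g. "example.com/app.main -> example.com/dep/parse.Decode".
func CallPath(f Finding) string {
	var parts []string
	for i := len(f.Trace) - 1; i >= 0; i-- {
		fr := f.Trace[i]
		name := fr.Function
		if fr.Receiver != "" {
			name = fr.Receiver + "." + name
		}
		parts = append(parts, fr.Package+"."+name)
	}
	return strings.Join(parts, " -> ")
}

func sortedKeys(m map[string]Finding) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// sampleStream is constructed for this example, not real govulncheck output.
// GO-0000-0001 is reported at module, package and symbol level; GO-0000-0002
// only at module level.
const sampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scanner_version":"v1.0.0"}}
{"progress":{"message":"Scanning your code and 3 packages across 2 dependent modules for known vulnerabilities..."}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/dep","version":"v1.1.0"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/dep","version":"v1.1.0","package":"example.com/dep/parse"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.0","trace":[{"module":"example.com/dep","version":"v1.1.0","package":"example.com/dep/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v0.9.1","trace":[{"module":"example.com/other","version":"v0.9.0"}]}}
`

func main() {
	var in io.Reader = os.Stdin
	if len(os.Args) > 1 && os.Args[1] == "-sample" {
		in = strings.NewReader(sampleStream)
	}
	s, err := Triage(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "decode:", err)
		os.Exit(2)
	}
	for _, id := range sortedKeys(s.Called) {
		f := s.Called[id]
		fmt.Printf("CALLED   %s (fixed in %s)\n  %s\n", id, f.FixedVersion, CallPath(f))
	}
	for _, id := range sortedKeys(s.Imported) {
		f := s.Imported[id]
		fmt.Printf("IMPORTED %s in %s@%s (fixed in %s)\n", id, f.Trace[0].Module, f.Trace[0].Version, f.FixedVersion)
	}
	if len(s.Called) > 0 {
		os.Exit(1) // fail the pipeline only on vulnerabilities with a call path
	}
}
```

Run it with `go run . -sample` to see the constructed input triaged, or feed real output with `govulncheck -json ./... | go run .` (source mode) and `govulncheck -json -mode=binary ./myapp | go run .` (binary mode). In binary mode the second list is the one to watch: the article notes that binary findings carry no call information and may include unreachable code, so an import-level finding there is a prompt to rebuild with the fixed version or confirm reachability from source, not proof of exposure.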

The Go security team initially announced support for vulnerability management last September, with the project anchored by the vulnerability database.
