govulncheck

command

v0.6.0 Latest Latest Go to latest Published: Jul 11, 2023 License: Apache-2.0 Imports: 4 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/boss-net/go-vuln

Links

Open Source Insights

Documentation ¶

Overview ¶

Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.

By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths, not code or other properties of your program. See https://vuln.go.dev/privacy.html for more. Use the -db flag to specify a different database, which must implement the specification at https://go.dev/security/vuln/database.

Govulncheck looks for vulnerabilities in Go programs using a specific build configuration. For analyzing source code, that configuration is the Go version specified by the “go” command found on the PATH. For binaries, the build configuration is the one used to build the binary. Note that different build configurations may have different known vulnerabilities.

Govulncheck must be built with Go version 1.18 or later.

Usage ¶

To analyze source code, run govulncheck from the module directory, using the same package path syntax that the go command uses:

$ cd my-module
$ govulncheck ./...

If no vulnerabilities are found, govulncheck will display a short message. If there are vulnerabilities, each is displayed briefly, with a summary of a call stack. The summary shows in brief how the package calls a vulnerable function. For example, it might say

main.go:[line]:[column]: mypackage.main calls golang.org/x/text/language.Parse

To control which files are processed, use the -tags flag to provide a comma-separated list of build tags, and the -test flag to indicate that test files should be included.

To run govulncheck on a compiled binary, pass it the path to the binary file with the -mode=binary flag:

$ govulncheck -mode=binary $HOME/go/bin/my-go-program

Govulncheck uses the binary's symbol information to find mentions of vulnerable functions. Its output omits call stacks, which require source code analysis.

Govulncheck exits successfully (exit code 0) if there are no vulnerabilities, and exits unsuccessfully if there are. It also exits successfully if -json flag is provided, regardless of the number of detected vulnerabilities.

Flags ¶

A few flags control govulncheck's behavior.

The -C flag causes govulncheck to change its working directory to the provided directory before running. Any patterns or files named on the command line are interpreted after changing directories.

The -db flag causes govulncheck to read from the specified database, which must implement the specification at https://go.dev/security/vuln/database. By default, govulncheck fetches vulnerability data from https://vuln.go.dev.

The -json flag causes govulncheck to print its output as a JSON object corresponding to the type github.com/boss-net/go-vuln/internal/govulncheck.Result. The exit code of govulncheck is 0 when this flag is provided.

The -mode flag causes govulncheck to run source or binary analysis. By default, govulnchecks runs source analysis.

The -tags flag accepts a comma-separated list of build tags to control which files should be included in loaded packages for source analysis.

The -test flag causes govulncheck to include test files in the source analysis.

The -v flag causes govulncheck to output more information when run on source. It has no effect when run on a binary.

Limitations ¶

Govulncheck has these limitations:

Govulncheck analyzes function pointer and interface calls conservatively, which may result in false positives or inaccurate call stacks in some cases.
Calls to functions made using package reflect are not visible to static analysis. Vulnerable code reachable only through those calls will not be reported.
Because Go binaries do not contain detailed call information, govulncheck cannot show the call graphs for detected vulnerabilities. It may also report false positives for code that is in the binary but unreachable.
There is no support for silencing vulnerability findings.
Govulncheck only reads binaries compiled with Go 1.18 and later.
Govulncheck only reports vulnerabilities that apply to the current Go version. For example, a standard library vulnerability that only applies for Go 1.18 will not be reported if the current Go version is 1.19. See https://go.dev/issue/54841 for updates to this limitation.
For binaries where the symbol information cannot be extracted, govulncheck reports vulnerabilities for all modules on which the binary depends.

Feedback ¶

Govulncheck is an experimental tool under active development. To share feedback, see https://go.dev/security/vuln#feedback.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
integration
internal/integration
k8s
stackrox-scanner

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL