The open source Go programming language, developed by Google, has added support for vulnerability management in a way designed to preserve programmers’ patience.
The Go team recently set up a website at vuln.go.dev to host a selection of known vulnerabilities in packages that can be imported from public Go modules. These chosen vulnerabilities have been curated and reviewed by the Go security team, based on CVEs, GitHub Security Advisories, and reports from maintainers.
Presumably, this results in a high-quality database of flaws because the inconsequential issues have been filtered out. But there’s more to it than selectivity.
Back in 2018, before its acquisition by GitHub, npm introduced an
audit command, to find and identify npm packages with known vulnerabilities in apps that rely on npm for package management.
npm audit proved problematic because it flooded developers with false alarms, prompting Facebook software engineer Dan Abramov last year to declare, “
npm audit is a stain on the entire npm ecosystem.”
Though npm has seen some improvements since then, npm’s overeager vulnerability reporting appears to remain unresolved.
Go, on the other hand, has implemented a more targeted approach with its
govulncheck command, which in conjunction with vuln.go.dev serves as “a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their projects.”
And there’s also the related
vulncheck package which exports govulncheck’s functionality as a Go API, for integration with security tools.
Govulncheck analyzes your codebase and only surfaces vulnerabilities that actually affect you, based on which functions in your code are transitively calling vulnerable functions,” said Qiu in a blog post.
The package documentation explains that
govulncheck “uses static analysis of source code or a binary’s symbol table to narrow down reports to only those that could affect the application.”
That bit about low-noise and alerting developers only to relevant vulnerabilities is the key. It means fewer false alarms, though it won’t necessarily eliminate them entirely. The documentation for the command states that the code’s conservative approach to function pointer and interface calls “may result in false positives or inaccurate call stacks in some cases,” among other limitations.
Even so, this should be a significant improvement over the way current Go vulnerability scanners rely on
go.sum files to check the cryptographic hashes of Go modules. ®