Paul Krill
Editor at Large

Golang adds vulnerability management tooling

news
Sep 7, 2022 · 2 mins

Go’s new support for vulnerability management pairs the Go vulnerability database with tooling that analyzes a codebase and surfaces known vulnerabilities.

Google’s Go programming language has added support for vulnerability management, which project developers said was an initial step toward helping Go developers learn about known vulnerabilities that could impact them.

In a blog post on September 6, the Go security team gave an overview of Go’s vulnerability management project, anchored by the Go vulnerability database, which contains data about vulnerabilities in importable packages in public Go modules. The database, which is curated by the security team, backs Go tools that will analyze a codebase and surface known vulnerabilities. These tools will only surface vulnerabilities in functions that the developer’s code is actually calling, thereby reducing noise in the results, the security team said.

Vulnerability data in the database comes from existing sources such as CVEs and GHSAs and direct reports from Go package maintainers. This information is reviewed by the Go security team and added to the database. The team is encouraging package maintainers to contribute information about public vulnerabilities in their projects and update existing information about vulnerabilities in Go packages.

A new <a href="https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck" rel="nofollow">govulncheck</a> command provides a low-noise mechanism for Go users to learn about vulnerabilities. The tool analyzes a codebase and surfaces vulnerabilities that could affect a project, based on which functions in the code are transitively calling vulnerable functions. Vulnerability detection has also been integrated into existing Go tools and services such as the Go package discovery site.
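The filtering described above, reduced to its core idea as an added example (not code from govulncheck or the Go project): a reachability walk over a call graph decides which reports apply. The call graph, the `example.com/dep` symbols and the `GO-0000-EXAMPLE-*` report IDs are constructed placeholders; govulncheck derives the real call graph from the compiled program and real IDs from the Go vulnerability database.

```go
// Simplified model of govulncheck's reachability filtering (an added illustration,
// not Go project code): the real tool derives the call graph from the compiled program.
package main

// CallGraph maps a function to the functions it calls directly.
type CallGraph map[string][]string

// Vulnerability pairs a placeholder report ID with the vulnerable function.
type Vulnerability struct {
	ID     string
	Symbol string
}

// Reachable returns every function transitively callable from the entry points.
func Reachable(g CallGraph, entries []string) map[string]bool {
	seen := map[string]bool{}
	stack := append([]string(nil), entries...)
	for len(stack) > 0 {
		fn := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if !seen[fn] {
			seen[fn] = true
			stack = append(stack, g[fn]...)
		}
	}
	return seen
}

// Affecting keeps only reports whose vulnerable function the program reaches;
// an imported but never-called vulnerable function is not reported.
func Affecting(g CallGraph, entries []string, vulns []Vulnerability) []string {
	reach := Reachable(g, entries)
	var ids []string
	for _, v := range vulns {
		if reach[v.Symbol] {
			ids = append(ids, v.ID)
		}
	}
	return ids
}

// Constructed sample: main reaches dep.decode via dep.Parse; dep.Unused is never called.
var SampleGraph = CallGraph{
	"main.main":             {"example.com/dep.Parse"},
	"example.com/dep.Parse": {"example.com/dep.decode"},
}
var SampleVulns = []Vulnerability{
	{ID: "GO-0000-EXAMPLE-1", Symbol: "example.com/dep.decode"},
	{ID: "GO-0000-EXAMPLE-2", Symbol: "example.com/dep.Unused"},
}
```

Running `Affecting(SampleGraph, []string{"main.main"}, SampleVulns)` reports only `GO-0000-EXAMPLE-1`, even though both vulnerable functions live in the same imported module.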

The Go vulnerability management project remains in active development; the Go security team cautions users to expect some limitations and bugs. Go developers are encouraged to contribute to the project and provide feedback. They also can take a survey on the effort.


Paul Krill is editor at large at InfoWorld. Paul has been covering computer technology as a news and feature reporter for more than 35 years, including 30 years at InfoWorld. He has specialized in coverage of software development tools and technologies since the 1990s, and he continues to lead InfoWorld’s news coverage of software development platforms including Java and .NET and programming languages including JavaScript, TypeScript, PHP, Python, Ruby, Rust, and Go. Long trusted as a reporter who prioritizes accuracy, integrity, and the best interests of readers, Paul is sought out by technology companies and industry organizations who want to reach InfoWorld’s audience of software developers and other information technology professionals. Paul has won a “Best Technology News Coverage” award from IDG.
