Govulncheck, a command-line tool to help users of Google’s Go programming language find known vulnerabilities in project dependencies, has reached 1.0.0 status, the Go security team said.
Unveiled July 13, Govulncheck can analyze both binaries and source code. It reduces noise by prioritizing vulnerabilities in functions the code is calling. Govulncheck is powered by the Go vulnerability database, which provides information about known vulnerabilities in public Go modules. Govulncheck uses static analysis of source code or a binary’s symbol table to limit its reports to only vulnerabilities that could affect a particular application.
Developers can use go install
to install the tool:
go install golang.org/x/vuln/cmd/govulncheck@latest
Developers can analyze source code by running Govulncheck inside a module directory:
govulncheck ./...
Govulncheck must be built with Go 1.18 or a later version. Go 1.20 is the current production release of the language.
Govulncheck searches for vulnerabilities using a specific build configuration. For source code, the configuration is the Go version specified by the “go” command found on the path. For binaries, the build configuration is the one used in building the binary. Different build configurations may have different known vulnerabilities.
Govulncheck has a number of limitations:
- Govulncheck analyzes function pointer and interface calls conservatively, which could result in false positives or inaccurate call stacks.
- Calls to functions made using package reflect are not visible.
- Because Go binaries do not have detailed call information, Govulncheck cannot show call graphs for detected vulnerabilities. It also might report false positives for code that is in the binary but not reachable.
- There is no support for silencing vulnerability findings.
- For binaries where symbol information cannot be extracted, Govulncheck reports vulnerabilities for all modules on which the binary depends.
The Go security team initially announced support for vulnerability management last September, with the project anchored by the vulnerability database.