|Vulnerability Management Added To Go 1.19|
|Written by Kay Ewbank|
|Thursday, 08 September 2022|
Vulnerability management support has been added to Go 1.19. This is a first step towards helping Go developers learn about known vulnerabilities that may affect them.
Go is an open source project developed by a team at Google and many contributors from the open source community over more than 8 years. The main intended use is as a systems programming language, and it has been used in high profile commercial successes such as Docker.
The new tool combines static analysis of your codebase with Go's vulnerability database to identify any code in your project that calls known vulnerable functions. The Go vulnerability database is curated by the Go security team.
The Go vulnerability database contains details about known vulnerabilities in importable packages in public Go modules. The information is drawn from existing sources such as CVEs and GHSAs, and from direct reports by Go package maintainers. This information is then reviewed by the Go security team and added to the database, which can be viewed in a browser. CVE, Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws, each assigned a CVE ID number. GHSAs are GitHub Security Advisories.
The new ability within Go comes in the form of a new govulncheck command, which the Go developers describe as a low-noise, reliable way for Go users to learn about known vulnerabilities that may affect their projects. Govulncheck analyzes your codebase and reports only the vulnerabilities that actually affect your project, based on which functions in your code call vulnerable functions, rather than merely on which vulnerable modules you depend on.
Govulncheck has been developed as a standalone tool. This is to allow frequent updates and rapid iteration while the team gathers feedback from users. In the long term, the plan is to integrate the govulncheck tool into the main Go distribution.
To directly integrate vulnerability checking into other tools and processes, the vulncheck package exports govulncheck’s functionality as a Go API.
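As an added illustration of why symbol-level matching is lower-noise than dependency-level matching, the following Go program (written for this article, not code from the Go project or from govulncheck) parses a constructed OSV-style database entry, scans a constructed source file with the standard go/ast package, and reports whether the affected package is merely imported or its vulnerable symbol is actually called. The module path example.com/parse, the advisory ID GO-0000-EXAMPLE and the symbol names are constructed; the real govulncheck builds a whole-program call graph rather than inspecting one file's direct calls.

```go
package main

import (
	"encoding/json"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Minimal slice of the OSV schema as published by the Go vulnerability
// database: each affected range names an importable package path and the
// symbols within it that are vulnerable. Only the fields this example
// needs are modelled.
type osvEntry struct {
	ID       string `json:"id"`
	Summary  string `json:"summary"`
	Affected []struct {
		EcosystemSpecific struct {
			Imports []struct {
				Path    string   `json:"path"`
				Symbols []string `json:"symbols"`
			} `json:"imports"`
		} `json:"ecosystem_specific"`
	} `json:"affected"`
}

// Constructed sample entry (not a real advisory): in the hypothetical
// package example.com/parse only Decode is vulnerable; Encode is fine.
const sampleDB = `[{
  "id": "GO-0000-EXAMPLE",
  "summary": "constructed: Decode panics on malformed input",
  "affected": [{"ecosystem_specific": {"imports": [
    {"path": "example.com/parse", "symbols": ["Decode"]}
  ]}}]
}]`

// Finding records one affected symbol whose package the scanned file imports,
// and whether the file actually calls that symbol.
type Finding struct {
	ID     string
	Symbol string // "importpath.Symbol"
	Called bool   // false means "imports the package but never calls the symbol"
}

// Scan parses a single Go source file and matches its imports and direct
// qualified calls (pkg.Func(...)) against the database. This is a one-file,
// direct-call approximation of govulncheck's call-graph analysis.
func Scan(src, dbJSON string) ([]Finding, error) {
	var db []osvEntry
	if err := json.Unmarshal([]byte(dbJSON), &db); err != nil {
		return nil, err
	}
	f, err := parser.ParseFile(token.NewFileSet(), "user.go", src, 0)
	if err != nil {
		return nil, err
	}
	// Local import name -> full import path.
	imports := map[string]string{}
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil {
			name = imp.Name.Name // aliased import
		}
		imports[name] = path
	}
	// Set of "importpath.Symbol" for every direct qualified call in the file.
	called := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
				if id, ok := sel.X.(*ast.Ident); ok {
					if path, ok := imports[id.Name]; ok {
						called[path+"."+sel.Sel.Name] = true
					}
				}
			}
		}
		return true
	})
	var out []Finding
	for _, e := range db {
		for _, a := range e.Affected {
			for _, imp := range a.EcosystemSpecific.Imports {
				imported := false
				for _, p := range imports {
					if p == imp.Path {
						imported = true
					}
				}
				if !imported {
					continue // dependency-level: not even imported, nothing to report
				}
				for _, sym := range imp.Symbols {
					q := imp.Path + "." + sym
					out = append(out, Finding{ID: e.ID, Symbol: q, Called: called[q]})
				}
			}
		}
	}
	return out, nil
}

// Constructed user code: imports the affected package but only calls the safe Encode.
const safeUser = `package main
import "example.com/parse"
func main() { _ = parse.Encode("x") }`

// Constructed user code that really calls the vulnerable symbol.
const affectedUser = `package main
import "example.com/parse"
func main() { _, _ = parse.Decode([]byte("x")) }`

func main() {
	for _, src := range []string{safeUser, affectedUser} {
		findings, err := Scan(src, sampleDB)
		if err != nil {
			panic(err)
		}
		for _, fd := range findings {
			fmt.Printf("%s %s called=%v\n", fd.ID, fd.Symbol, fd.Called)
		}
	}
}
```

A dependency-level scanner would flag both files because both import example.com/parse; the symbol-level check reports Called=false for the first and Called=true only for the second, which is the signal-to-noise improvement the article attributes to govulncheck. A real call-graph analysis additionally follows indirect calls through your own helpers and through dependencies, which this single-file version does not.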
Go 1.19 is available for download now.
|Last Updated ( Tuesday, 13 September 2022 )|