SoFunction
Updated on 2025-03-01

Installation and use of govulncheck, a Golang program vulnerability detector

What is govulncheck?

govulncheck is a command-line tool that helps Go developers quickly find known security vulnerabilities in their own code and in the modules it depends on. It analyzes either source code or a compiled binary and, rather than flagging every dependency that has an advisory, reports the vulnerabilities whose vulnerable functions are actually reachable from the program, directly or through a chain of calls. This is what separates it from a plain dependency-version check: a module may contain a vulnerable function the program never calls, and govulncheck reports that as informational rather than as a finding that needs action.

By default, govulncheck checks whether the modules involved contain vulnerabilities by querying the Go vulnerability database (https://vuln.go.dev). The requests sent to the database contain only module paths, not the program's source code or any other properties of the program. The -db flag points govulncheck at a different database URL, which is useful for a local mirror in an air-gapped build environment.

How to install and use

Before installing, make sure you are running Go 1.18 or later. Install the latest release of govulncheck with the following command:

$ go install golang.org/x/vuln/cmd/govulncheck@latest

Run the following command from the project's root directory (the directory containing go.mod) to scan every package in the module:

$ govulncheck ./...

govulncheck can also be integrated into a CI/CD pipeline. For that purpose it can emit its results as a stream of JSON objects instead of the human-readable report, for example:

$ govulncheck -json ./...

To scan a compiled binary instead of source code, pass -mode=binary followed by the path of the binary, for example:

$ govulncheck -mode=binary $HOME/go/bin/my-go-program

By default, govulncheck exits successfully (status code 0) if the project calls no vulnerable code, and with a non-zero status code if it does. If the -json flag is given, however, it exits with status 0 regardless of how many vulnerabilities were found, so a CI job that uses -json must parse the output itself to decide whether to fail the build.
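The following program is an added example for this article, not part of govulncheck: a small CI gate that reads the -json stream on stdin, groups the findings by OSV ID, works out whether a vulnerable function is actually reachable, and restores the non-zero exit status that -json suppresses. The struct fields follow the finding/osv/fixed_version/trace layout of govulncheck's JSON output; the embedded SampleStream, its GO-0000-000x identifiers and its module names are constructed placeholders rather than real advisories, and the choice of 3 as the failing status is this gate's own.

```go
// vulngate.go: added example for this article, not part of govulncheck. It
// reads the `govulncheck -json` stream on stdin, groups findings by OSV ID,
// checks whether a vulnerable function is reachable, and restores the
// non-zero exit status that the -json flag suppresses.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
)

// Each stream object carries one of config, progress, osv or finding; only
// finding is declared here, encoding/json ignores the other keys.
type message struct {
	Finding *finding `json:"finding"`
}

type finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []frame `json:"trace"`
}

// trace[0] is the vulnerable code: a module-level finding sets only
// module/version, an import-level one adds package, a call-level one adds
// function; later frames lead back to the caller in your own code.
// encoding/json matches the lower-case JSON keys case-insensitively.
type frame struct {
	Module, Version, Package, Function string
}

// Result is the verdict for one OSV ID, aggregated over all its findings.
type Result struct {
	ID, Module, Version, FixedVersion string
	Imported                          bool // a vulnerable package is imported
	Called                            bool // a vulnerable function is reachable (or present, in binary mode)
}

// Summarize parses a govulncheck -json stream and groups findings by OSV ID.
func Summarize(r io.Reader) (map[string]*Result, error) {
	dec := json.NewDecoder(r)
	results := map[string]*Result{}
	for {
		var m message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding govulncheck output: %w", err)
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 {
			continue // config, progress and osv objects carry no verdict
		}
		res, ok := results[f.OSV]
		if !ok {
			res = &Result{ID: f.OSV}
			results[f.OSV] = res
		}
		top := f.Trace[0]
		res.Module, res.Version, res.FixedVersion = top.Module, top.Version, f.FixedVersion
		res.Imported = res.Imported || top.Package != ""
		res.Called = res.Called || top.Function != ""
	}
	return results, nil
}

// ExitCode applies the policy govulncheck uses without -json: fail only when
// vulnerable code is reachable; required-only and imported-only findings stay
// informational. Using 3 as the failing status is this gate's own choice.
func ExitCode(results map[string]*Result) int {
	for _, r := range results {
		if r.Called {
			return 3
		}
	}
	return 0
}

// SampleStream is constructed input in the layout govulncheck emits (progress
// objects, then one finding per level of detail). The IDs GO-0000-000x and the
// module names are placeholders, not real advisories.
const SampleStream = `
{"progress": {"message": "Scanning your code and 2 packages across 2 dependent modules for known vulnerabilities..."}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.21.1", "trace": [{"module": "stdlib", "version": "v1.21.0"}]}}
{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.21.1", "trace": [
  {"module": "stdlib", "version": "v1.21.0", "package": "net/http", "function": "ListenAndServe"},
  {"module": "example.com/app", "package": "example.com/app", "function": "main"}]}}
{"finding": {"osv": "GO-0000-0002", "fixed_version": "v1.2.1", "trace": [{"module": "example.com/libfoo", "version": "v1.2.0", "package": "example.com/libfoo/parse"}]}}
{"finding": {"osv": "GO-0000-0003", "fixed_version": "v0.4.0", "trace": [{"module": "example.com/libbar", "version": "v0.3.0"}]}}
`

func main() {
	results, err := Summarize(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, r := range results {
		fmt.Printf("%s %s@%s fixed=%s imported=%t called=%t\n",
			r.ID, r.Module, r.Version, r.FixedVersion, r.Imported, r.Called)
	}
	os.Exit(ExitCode(results))
}
```

Run it in the pipeline as `govulncheck -json ./... | go run vulngate.go` (with `set -o pipefail` in a shell step, so a crash of govulncheck itself is not masked). Because the gate only fails on reachable code, a dependency bump that merely requires a vulnerable module no longer breaks the build, which is the same judgement govulncheck's text mode makes. For a cross-platform project, run the scan once per target, for example `GOOS=windows GOARCH=amd64 govulncheck -json ./...`, and pipe each run through the gate.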

The points to note when using govulncheck are as follows:

  • A binary to be scanned must have been built with Go 1.18 or later.
  • The analysis of function pointers and interface calls is conservative: in some cases it can produce false positives or print imprecise call stacks.
  • Calls made through the reflect package are invisible to static analysis, so vulnerable code reachable only through such calls is not reported. Use of the unsafe package can likewise cause false negatives.
  • Because a Go binary does not contain detailed call information, govulncheck cannot show the call chain for vulnerabilities detected in binary mode. Code that is present in the binary but never reachable can also produce false positives.
  • Only vulnerabilities that apply to the current build configuration (GOOS/GOARCH) are reported. If a vulnerability affects only Linux, a scan run on Windows will not report it, so a cross-platform project needs to be scanned once per target platform, for example by setting GOOS and GOARCH in the environment of each run. Likewise, vulnerabilities in the standard library are reported against the Go version used for the scan, so that version must match the one the program is actually built and run with: a vulnerability that exists only in the Go 1.18 standard library will not be reported if the scan is performed with Go 1.19.
