Is your Go project vulnerable?

Your code relies on external dependencies. Do you know how secure they are? The Go Vulnerability Database reveals known issues to you.

The Go team rolled out a new component of the Go ecosystem. The Go Vulnerability Database collects known issues of public Go projects, to help make your Go projects more secure. To give you a quick start, here are five Questions You Were Afraid To Ask (probably not) and their answers, condensed from the Go Blog article and the Go Vulnerability Management documentation.

What is the Go Vulnerability Database and what can it do for me?

Vulnerabilities in software can be addressed effectively only if they are collected in a central place from which developers can pull that information and check whether their projects use vulnerable code. This is exactly what the Go Vulnerability Database is for: it is a curated collection of known vulnerabilities in importable packages of public Go modules, maintained by the Go security team.

Where do vulnerability reports come from?

The database gets its information from various sources: existing public vulnerability databases such as the National Vulnerability Database (NVD) and the GitHub Advisory Database (GHSA), direct reports from package maintainers and users, and the Go team's own advisories for the standard library and the golang.org/x modules. Each report is reviewed by the Go security team before it is published, and only publicly disclosed issues are tracked.

How can I access the vulnerability data?

There are a number of options to find out about vulnerabilities in importable packages.

Query the database directly by ID

The Go Vulnerability Database provides a Web page where you can search for known issues by Go ID, an identifier of the form GO-YYYY-NNNN: Go Vulnerability Database - Go Packages (https://pkg.go.dev/vuln). The same data is served in machine-readable OSV JSON format at https://vuln.go.dev, for example https://vuln.go.dev/ID/GO-2022-1059.json for a single entry; this is what govulncheck and other tooling consume.
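The OSV entries behind those IDs are what every tool mentioned in this article works from, so here is an added example (not code from the Go team or from this post) that reads one such entry and decides whether a given module version falls into its affected range, the same decision pkg.go.dev makes when it marks a version in the timeline. The JSON is a constructed, trimmed copy of the shape of GO-2022-1059 (golang.org/x/text, fixed in 0.3.8); the function names, the simplified semver comparison and the choice to panic on a malformed database version are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Entry holds the part of an OSV record (as served by vuln.go.dev) needed to decide
// whether a module version is affected: versions from "introduced" up to, but not
// including, the next "fixed" are affected. Go vulndb only emits SEMVER ranges and
// its version strings carry no "v" prefix.
type Entry struct {
	ID       string `json:"id"`
	Affected []struct {
		Package struct {
			Name string `json:"name"`
		} `json:"package"`
		Ranges []struct {
			Events []struct {
				Introduced string `json:"introduced,omitempty"`
				Fixed      string `json:"fixed,omitempty"`
			} `json:"events"`
		} `json:"ranges"`
	} `json:"affected"`
}

// sampleEntry is constructed for this example: it mirrors the shape of
// https://vuln.go.dev/ID/GO-2022-1059.json with summary, details and references left out.
const sampleEntry = `{"id": "GO-2022-1059", "affected": [{"package": {"name": "golang.org/x/text", "ecosystem": "Go"},
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "0.3.8"}]}]}]}`

// LoadEntry parses one OSV record; a real client GETs it from vuln.go.dev/ID/<id>.json.
func LoadEntry(data []byte) (Entry, error) {
	var e Entry
	return e, json.Unmarshal(data, &e)
}

// version is MAJOR.MINOR.PATCH plus a pre-release tag. A release gets the tag "~",
// which sorts after any real tag, so "0.3.8-0" < "0.3.8" falls out of string order.
type version struct {
	nums [3]int
	pre  string
}

// parseVersion accepts "v0.3.7", "0.3.7", "1.19.0-0" and the OSV sentinel "0" (missing
// minor and patch default to 0, build metadata after "+" is ignored). Its inputs come
// from go.mod or from the database, both machine-written, so junk is a bug and panics.
func parseVersion(s string) version {
	v := version{pre: "~"}
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	if n, _ := fmt.Sscanf(s, "%d.%d.%d", &v.nums[0], &v.nums[1], &v.nums[2]); n == 0 {
		panic(fmt.Sprintf("bad version %q", s))
	}
	return v
}

// compare returns <0, 0 or >0 as version a is lower than, equal to or higher than b.
func compare(a, b string) int {
	va, vb := parseVersion(a), parseVersion(b)
	for i := range va.nums {
		if d := va.nums[i] - vb.nums[i]; d != 0 {
			return d
		}
	}
	return strings.Compare(va.pre, vb.pre)
}

// IsAffected reports whether module@ver lies inside one of the entry's ranges and,
// if so, the first fixed version above ver ("" when no fix is known yet).
func IsAffected(e Entry, module, ver string) (bool, string) {
	for _, a := range e.Affected {
		if a.Package.Name != module {
			continue
		}
		for _, r := range a.Ranges {
			hit, fixedIn := false, ""
			for _, ev := range r.Events { // events come sorted ascending by version
				if ev.Introduced != "" && compare(ver, ev.Introduced) >= 0 {
					hit = true
				}
				if ev.Fixed != "" && compare(ver, ev.Fixed) >= 0 {
					hit = false
				} else if ev.Fixed != "" && fixedIn == "" {
					fixedIn = ev.Fixed
				}
			}
			if hit {
				return true, fixedIn
			}
		}
	}
	return false, ""
}

func main() {
	e, _ := LoadEntry([]byte(sampleEntry)) // constant, constructed input: cannot fail
	hit, fixedIn := IsAffected(e, "golang.org/x/text", "v0.3.7")
	fmt.Printf("%s: golang.org/x/text@v0.3.7 affected=%v fixed_in=%q\n", e.ID, hit, fixedIn)
}
```

Note the "0.3.8-0" case: a pre-release of the fixed version is still vulnerable, which is why the comparison cannot simply drop the tag, and why vulndb marks ranges for stdlib with entries such as "1.19.0-0". For real projects use golang.org/x/mod/semver rather than this cut-down comparator.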

Inspect package version information at pkg.go.dev

Go's package discovery site lists vulnerability information in a package's version list. If a version contains one or more vulnerabilities, they are shown as Go IDs next to the version number in the timeline. Clicking on an ID shows a summary of the vulnerability.

So whenever you search for a package to use in your project, be sure to check the version history of that package. Keep in mind that this view is purely version-based: it tells you that a version contains a vulnerable function, not whether your code ever calls it. govulncheck, described below, makes that distinction.

This image shows the version history of golang.org/x/text as an example.

Run govulncheck on your local project

To quickly check whether one of your projects imports vulnerable packages, run govulncheck locally in the project's root folder. Unlike the version list on pkg.go.dev, govulncheck performs static call-graph analysis: it reports only those vulnerabilities whose vulnerable functions are actually reachable from your code, which keeps the noise down and makes each finding actionable.

govulncheck is go-installable:

go install golang.org/x/vuln/cmd/govulncheck@latest

Run the command from the root folder of your module, using the standard package path pattern so that all packages of the module are scanned:

govulncheck ./...

Let's hope it does not find any vulnerabilities this time! If it does, the report names the Go ID, the affected module and version, the fixed version, and an example call trace from your code to the vulnerable function, and govulncheck exits with a non-zero status (exit code 3) so that it can fail a CI job. Note that with the -json flag it always exits 0, so a CI pipeline that uses JSON output has to inspect the findings itself.
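govulncheck's -json mode emits a stream of JSON objects rather than text, which is the form you want in CI. The following added example (not part of the original post, nor govulncheck's own code) reads such a stream and reduces it to one triage line per Go ID, separating vulnerabilities that are merely present in a dependency from those whose vulnerable function is actually reachable from your code. The sample stream is constructed and trimmed to the fields used; the field names and the trace ordering (vulnerable function first, your own entry point last) follow govulncheck v1.x output as this example understands it, so verify them against a real run before relying on them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Message is the subset of govulncheck's -json stream used here. The stream is a
// sequence of JSON objects, each carrying one of config, progress, osv or finding;
// only findings matter for triage. Field names follow govulncheck v1.x output
// (an assumption of this example: check them against your own version).
type Message struct {
	Finding *Finding `json:"finding,omitempty"`
}

// Finding is emitted up to three times per vulnerability, with increasing
// precision: module level, package level and symbol level (with a call trace).
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// Frame is one hop of a call trace. In a symbol-level finding the first frame is
// the vulnerable function and the last one the entry point in your own code;
// module- and package-level findings carry a single frame without a function.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version,omitempty"`
	Package  string `json:"package,omitempty"`
	Function string `json:"function,omitempty"`
}

// Report condenses all findings for one vulnerability into a triage line.
type Report struct {
	ID, Module, Version, FixedIn string
	Reachable                    bool   // a vulnerable symbol is called from your code
	VulnFunc, EntryFunc          string // set only when Reachable
}

// Triage reads a govulncheck -json stream and groups its findings by Go ID.
func Triage(r io.Reader) (map[string]*Report, error) {
	reports := map[string]*Report{}
	dec := json.NewDecoder(r) // decodes concatenated JSON objects one by one
	for {
		var m Message
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("reading govulncheck stream: %w", err)
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 {
			continue // config, progress and osv messages
		}
		rep := reports[f.OSV]
		if rep == nil {
			rep = &Report{ID: f.OSV}
			reports[f.OSV] = rep
		}
		first, last := f.Trace[0], f.Trace[len(f.Trace)-1]
		rep.Module, rep.Version, rep.FixedIn = first.Module, first.Version, f.FixedVersion
		if first.Function != "" { // symbol-level finding: the vulnerable code is reachable
			rep.Reachable = true
			rep.VulnFunc = first.Package + "." + first.Function
			rep.EntryFunc = last.Package + "." + last.Function
		}
	}
	return reports, nil
}

// sampleStream is constructed for this example: a trimmed govulncheck -json run over
// a module that requires golang.org/x/text v0.3.6 and calls language.ParseAcceptLanguage.
const sampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","db":"https://vuln.go.dev","scan_level":"symbol"}}
{"osv":{"id":"GO-2021-0113","summary":"Out-of-bounds read in golang.org/x/text/language"}}
{"osv":{"id":"GO-2022-1059","summary":"Denial of service via crafted Accept-Language header in golang.org/x/text/language"}}
{"finding":{"osv":"GO-2021-0113","fixed_version":"v0.3.7","trace":[{"module":"golang.org/x/text","version":"v0.3.6"}]}}
{"finding":{"osv":"GO-2022-1059","fixed_version":"v0.3.8","trace":[{"module":"golang.org/x/text","version":"v0.3.6"}]}}
{"finding":{"osv":"GO-2022-1059","fixed_version":"v0.3.8","trace":[{"module":"golang.org/x/text","version":"v0.3.6","package":"golang.org/x/text/language"}]}}
{"finding":{"osv":"GO-2022-1059","fixed_version":"v0.3.8","trace":[{"module":"golang.org/x/text","version":"v0.3.6","package":"golang.org/x/text/language","function":"ParseAcceptLanguage"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
`

func main() {
	reports, err := Triage(strings.NewReader(sampleStream)) // use os.Stdin to read a real run
	if err != nil {
		panic(err)
	}
	for _, rep := range reports {
		fmt.Printf("%s: %s@%s fixed in %s, reachable=%v", rep.ID, rep.Module, rep.Version, rep.FixedIn, rep.Reachable)
		if rep.Reachable {
			fmt.Printf(" (%s calls %s)", rep.EntryFunc, rep.VulnFunc)
		}
		fmt.Println()
	}
}
```

Feed a real run in with `govulncheck -json ./...` and read from os.Stdin instead of the sample. Both vulnerabilities in the sample sit in the same module version, but only one is reachable; that one needs the upgrade to v0.3.8 now, the other is a good reason to upgrade soon but not a reason to block the build.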

Use the Visual Studio Code Go extension

The Go extension for Visual Studio Code has experimental support for govulncheck. To run the check, open the command palette and select "Go: Run Vulnerability Check" (it should be sufficient to type "go vuln" to get that command at the top of the list).

How can I contribute to the database?

Package maintainers, and anyone else who knows of a publicly disclosed vulnerability in a Go module, can open an issue in the golang/vulndb repository at GitHub (https://github.com/golang/vulndb). This link directly opens a new vulnerability issue.

NOTE that you should not report undisclosed vulnerabilities in Go itself here. Instead, send an email to security@golang.org and follow Go's security policy, so that the issue can be fixed before it becomes public. The database only tracks publicly disclosed issues; an undisclosed bug in a third-party module belongs with that module's maintainers first.

Where can I read more?

The Go Vulnerability Database was announced in this blog article: Vulnerability Management for Go - The Go Programming Language

The CLI command is documented here: govulncheck command - golang.org/x/vuln/cmd/govulncheck - Go Packages

The database has a Web page that provides a search by GO ID: Go Vulnerability Database - Go Packages

Finally, the Go Security section of the Go documentation contains a subsection on Go Vulnerability Management and another subsection on the Go Vulnerability Database.

Happy (and secure) coding! ʕ◔ϖ◔ʔ

Photo by Laith Abushaar on Unsplash

Categories: Ecosystem, Security