Design Draft: Go Vulnerability Database

Authors: Roland Shoemaker, Filippo Valsorda

golang.org/design/draft-vulndb

This is a Draft Design, not a formal Go proposal, since it is a large change that is still flexible. The goal of circulating this draft design is to collect feedback to shape an intended eventual proposal.

Goal

We want to provide a low-noise, reliable way for Go developers to be alerted of known security vulnerabilities that affect their applications.

We aim to build a first-party, curated, consistent database of security vulnerabilities open to community submissions, and static analysis tooling to surface only the vulnerabilities that are likely to affect an application, minimizing false positives.

The database

The vulnerability database will provide entries for known vulnerabilities in importable (non-main) Go packages in public modules.

Curated dataset. The database will be actively maintained by the Go Security team, and will provide consistent metadata and uniform analysis of the tracked vulnerabilities, with a focus on enabling not just detection, but also precise impact assessment.

Basic metadata. Entries will include a database-specific unique identifier for the vulnerability, affected package and version ranges, a coarse severity grade, and GOOS/GOARCH if applicable. If missing, we will also assign a CVE number.

Targeting metadata. Each database entry will include metadata sufficient to enable detection of impacted downstream applications with low false positives. For example, it will include affected symbols (functions, methods, types, variables…) so that unaffected consumers can be identified with static analysis.

Web pages. Each vulnerability will link to a web page with the description of the vulnerability, remediation instructions, and additional links.

Source of truth. The database will be maintained as a public git repository, similar to other Go repositories. The database entries will be available via a stable protocol (see “The protocol”). The contents of the repository itself will be in an internal format which can change without notice.

Triage process. Candidate entries will be sourced from existing streams (such as the CVE database, and security mailing lists) as well as community submissions. Both will be processed by the team to ensure consistent metadata and analysis. We want to specifically encourage maintainers to report vulnerabilities in their own modules.

Not a disclosure process. Note that the goal of this database is tracking known, public vulnerabilities, not coordinating the disclosure of new findings.

The protocol

The vulnerability database will be served through a simple, stable HTTPS and JSON-based protocol. Vulnerabilities will be grouped by module, and an index file will list the modules with known vulnerabilities and the last time each entry has been updated.

The protocol will be designed to be served as a collection of static files, and cacheable by simple HTTP proxies. The index allows downloading and hosting a full mirror of the database to avoid leaking module usage information.

Multiple databases can be fetched in parallel, and their entries are combined, enabling private and commercial databases. We’ll aim to use an interoperable format.

The tooling

The primary consumer of the database and the protocol will be a Go tool, tentatively go audit, which will analyze a module and report what vulnerabilities it’s affected by.

The tool will analyze what vulnerabilities are likely to affect the current module not only based on the versions of the dependencies, but also based on the packages and code paths that are reachable from a configured set of entry points (functions and methods).

The precision of this analysis will be configurable. When available, the tool will provide sample traces of how the vulnerable code is reachable, to aid in assessing impact and remediation.

The tool accepts a list of packages and reports the vulnerabilities that affect them (considering as entry points the main and init functions for main packages, and exported functions and methods for non-main packages).

The tool will also support a -json output mode, to integrate reports in other tools, processes such as CI, and UIs, like how golang.org/x/tools/go/packages tools use go list -json.

Integrations

Besides direct invocations on the CLI and in CI, we want to make vulnerability entries and audit reports widely available. The details of each integration involve some open questions.

vscode-go will surface reports for vulnerabilities affecting the workspace and offer easy version bumps. Open question: can vscode-go invoke go audit, or do we need a tighter integration into gopls?

pkg.go.dev will show vulnerabilities in the displayed package, and possibly vulnerabilities in its dependencies. Open question: if we analyze transitive dependencies, what versions should we consider?

At runtime, programs will be able to query reports affecting the dependencies they were built with through debug.BuildInfo. Open question: how should applications handle the fact that runtime reports will have higher false positives due to lack of source code access?

In the future, we'll also consider integration into other go tool commands, like go get and/or go test.

Finally, we hope the entries in the database will flow into other existing systems that provide vulnerability tracking, with their own integrations.