New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: cmd/go: add "go mod audit" subcommand #54443
Comments
The implementation looks like it will generate quite a few false positives, compared to It would be better to focus efforts there, it can graduate to a |
@seankhliao What is the difference between direct requests to https://vuln.go.dev and |
call graph traversal vs everything in a module, suppport for multiple vulndb servers, reporting for the standard library |
There is also the Open Source Insights service at https://deps.dev, which aims to be more comprehensive. |
cc @golang/vulndb |
Change https://go.dev/cl/423615 mentions this issue: |
govulncheck can detect calls to vulnerable symbols (functions or methods). It constructs a call graph and tries to figure out what vulnerable functions and methods are transitively called from entry points (inits, main, exported functions/methods). It then communicates a description of a call stack witnessing the finding. Detection at this level of granularity is more precise, because a vulnerable symbol can be imported (or its module) but that does not mean it is actually used. govulncheck uses the vuln.go.dev db by default, but more dbs can be added. govulncheck is built on top of vulncheck library, which also supports less expensive detection of vulnerable imports only. More information can also be found here. If you want to add a sub-command like in https://go.dev/cl/423615, this will have to go through a proposal process. Is there anything you'd like to have that govulncheck does not support? |
I was not aware of the existence of |
The goal of govulncheck is to develop a tool which can be eventually be rolled into the standard Go toolchain, it is being developed as a separate tool, for now, so that we can gain UX knowledge before directly integrating it. |
I think it's clear from the above that something like this will happen in the future, but the open PR and this proposal to support it isn't there yet. |
This proposal has been added to the active column of the proposals project |
@rsc should this be active or retracted? |
This proposal has been declined as infeasible. |
Related to #54438, this proposal regards the audit subcommand in
go mod
.Arguably a simple subcommand, the implementation in #54438 uses the already existing vuln.go.dev database to list known vulnerabilities. One drawback of this implementation is that it doesn't account for non-golang.org modules, although this is something for the API itself, not the subcommand.
The text was updated successfully, but these errors were encountered: