DEV Community

Julian Cantillo
Julian Cantillo

Posted on • Updated on • Originally published at cantillo.dev

Go Vuln the Golang Vulnerability Database

What is govuln?

govuln is a new vulnerability database for looking your code for vulnerable packages and prevent supply chain attacks

How to install the govulncheck cli

govulncheck is the command line inferface for interacting with the database and checking your code against it, install it with the following command:

go install golang.org/x/vuln/cmd/govulncheck@latest
Enter fullscreen mode Exit fullscreen mode

Then run it in your project as follows:

govulncheck .
Enter fullscreen mode Exit fullscreen mode

It will search in your dependencies for vulnerable packages. Here is an example of the output:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.

  In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
  Found in: syscall@go1.19.1
  Fixed in: syscall@go1.19.3
  More info: https://pkg.go.dev/vuln/GO-2022-1095
Enter fullscreen mode Exit fullscreen mode

For more details check the official doc: https://go.dev/security/vuln/ and the talk given during the 2022 go day titled
Writing your Applications Faster and More Securely with Go
which also covers Fuzzy Testing but that is for another TIL

Top comments (0)