https://zenn.dev/spiegel/articles/20220811-go-vulnerability-management
While scrolling through my Twitter timeline I learned that there is an official Go vulnerability reporting page.
So, about this, I tweeted something along the lines of
and got the following information in reply:
Thank you very much 🙇
When I took a look at the page in question, it seems they manage vulnerabilities roughly like this.
The numbered items are explained as follows.
- A data pipeline that populates the vulnerability database. Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team.
- A vulnerability database that stores all information presented by govulncheck and can be consumed by other clients.
- A client library (golang.org/x/vuln/client), which reads data from the Go vulnerability database. This is also used by pkg.go.dev to surface vulnerabilities.
- A vulncheck API (golang.org/x/vuln/vulncheck), which is used to find vulnerabilities affecting Go packages and perform static analysis. This API is made available for clients that do not want to run the govulncheck binary, such as VS Code Go.
- The govulncheck command (golang.org/x/vuln/cmd/govulncheck), a wrapper around the vulncheck library for use on the command line.
- A web portal that presents information about vulnerabilities, hosted at pkg.go.dev/vuln.
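Records in the vulnerability database from item 2 use the OSV schema, where each SEMVER range is an ordered list of "introduced"/"fixed" events. As an added example that is not code from the post or from golang.org/x/vuln, here is the core check a client has to perform on such a range: the Event type, key and Affected are my own names, and the sample range is constructed rather than taken from a real advisory.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one element of an OSV "SEMVER" range as served by the Go vulnerability database.
type Event struct {
	Introduced string `json:"introduced,omitempty"` // exactly one of the two fields is set
	Fixed      string `json:"fixed,omitempty"`
}

// key maps "v1.2.3", "1.2.3" or "0" to a fixed-width string that sorts like module versions.
func key(v string) string {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // "+incompatible" carries no precedence
	v, _, pre := strings.Cut(v, "-")                     // "-rc1" or a pseudo-version timestamp
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%010d.%010d.%010d.%t", n[0], n[1], n[2], !pre) // "false" < "true": pre-release first
}

// Affected reports whether version lies in a window introduced <= version < fixed (or has no fix yet).
func Affected(events []Event, version string) bool {
	v, in := key(version), false
	for _, ev := range events {
		switch {
		case ev.Introduced != "":
			in = ev.Introduced == "0" || key(ev.Introduced) <= v // "0" covers every version, pseudo-versions too
		case in && v < key(ev.Fixed):
			return true
		default:
			in = false
		}
	}
	return in
}

// Constructed sample range (not a real advisory): affected before 1.0.1 and again from 1.1.0 to 1.1.2.
var sample = []Event{{Introduced: "0"}, {Fixed: "1.0.1"}, {Introduced: "1.1.0"}, {Fixed: "1.1.2"}}

func main() {
	for _, v := range []string{"v0.0.0-20220810233855-e1dd057bf2a3", "v1.0.1", "v1.1.1", "v1.1.2-rc1", "v1.1.2"} {
		fmt.Printf("%-40s affected: %t\n", v, Affected(sample, v))
	}
}
```

Note that a pre-release of the fixed version (v1.1.2-rc1 above) is still reported as affected, and that a pseudo-version is correctly caught by an "introduced": "0" event.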
If you work on static analysis of Go code, I imagine the client library and the vulncheck API are what will pique your interest, but this time I want to try the command-line tool govulncheck, since it is the easiest way in.
To install govulncheck, first set up a Go build environment and then run
$ go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20220810233855-e1dd057bf2a3
...
and the built binary is written to the $GOPATH/bin or $GOBIN directory[1]. Let's start by showing the help with the -h option.
$ govulncheck -h
govulncheck: identify known vulnerabilities by call graph traversal.
Usage:
govulncheck [flags] {package pattern...}
govulncheck [flags] {binary path} (if built with Go 1.18 or higher)
Flags:
-json Print vulnerability findings in JSON format.
-html Generate HTML with the vulnerability findings.
-tags Comma-separated list of build tags.
-tests Boolean flag indicating if test files should be analyzed too.
govulncheck can be used with either one or more package patterns (i.e. golang.org/x/crypto/...
or ./...) or with a single path to a Go binary. In the latter case module and symbol
information will be extracted from the binary to detect vulnerable symbols.
The environment variable GOVULNDB can be set to a comma-separated list of vulnerability
database URLs, with http://, https://, or file:// protocols. Entries from multiple
databases are merged.
I see, so it can also output in JSON format. Let's try it right away. First I'll run it in my local development environment for depm.
$ cd ~/path/to/depm
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at <https://go.dev/s/govulncheck-feedback>.
Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.
Good, no problems there. Next, let's try the JSON output.