Govulncheck v1.0.0 is released!
The Go security team has announced the release of govulncheck v1.0.0, along with v1.0.0 of the API for integrating scanning into other tools. This release marks an important milestone in Go's support for vulnerability management, which was first announced in September.
Govulncheck is a command-line tool that helps Go users find known vulnerabilities in their project dependencies. It can analyze both codebases and binaries, prioritizing vulnerabilities in functions that your code is actually calling. To install the latest version of govulncheck, you can use the command go install.
Once installed, you can run govulncheck inside your module to scan for vulnerabilities. The tool is designed to reduce noise and provide accurate results. If you need more information on how to get started with govulncheck, you can refer to the govulncheck tutorial.
In addition to the command-line tool, Go now offers a stable API for integrating security scanners and other tools with govulncheck. This API provides the same functionality as the command-line tool and can be found at golang.org/x/vuln/scan. An example of integration with the osv-scanner is provided as well.
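For tools that consume scan results, the distinction drawn above between vulnerabilities your code actually calls and those merely present in a dependency can be recovered from govulncheck's machine-readable output. The following is an added example, not code from the announcement or the Go project: it assumes the message stream printed by `govulncheck -json`, where a finding whose first trace frame names a function is one the scanned code reaches, and it runs on a constructed sample with placeholder IDs and module paths.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// message is an assumed subset of the `govulncheck -json` stream.
type message struct {
	Finding *struct {
		OSV   string `json:"osv"`
		Trace []struct {
			Function string `json:"function"`
		} `json:"trace"`
	} `json:"finding"`
}

// sample is constructed for this example; the IDs and modules are placeholders.
const sample = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/liba","function":"Parse"}]}}
{"finding":{"osv":"GO-0000-0002","trace":[{"module":"example.com/libb"}]}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/liba"}]}}`

// Triage maps each finding ID to true when any of its findings names a
// vulnerable function in trace[0] (the code reaches it), false otherwise.
func Triage(r io.Reader) (map[string]bool, error) {
	reached := map[string]bool{}
	dec := json.NewDecoder(r)
	for {
		var m message
		if err := dec.Decode(&m); errors.Is(err, io.EOF) {
			return reached, nil
		} else if err != nil {
			return nil, err
		}
		if m.Finding == nil || len(m.Finding.Trace) == 0 {
			continue
		}
		id := m.Finding.OSV
		reached[id] = reached[id] || m.Finding.Trace[0].Function != ""
	}
}

func main() {
	res, err := Triage(strings.NewReader(sample))
	fmt.Println(res, err)
}
```

A CI gate built on this would typically fail the build only for IDs mapped to true and report the rest for scheduled upgrades.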
Govulncheck is powered by the Go vulnerability database, which can be accessed at https://vuln.go.dev. This database provides comprehensive information about known vulnerabilities in public Go modules. Go package maintainers are encouraged to contribute information about public vulnerabilities in their projects to improve the accuracy and coverage of the database.
To browse the entries in the Go vulnerability database, you can visit pkg.go.dev/vuln. The database API has been updated to improve performance and ensure long-term extensibility. Go also provides an experimental tool to generate your own vulnerability database index.
Vulnerability detection is now integrated into various tools that are commonly used by Go developers. The Go vulnerability database can be accessed on the search and package pages of pkg.go.dev. This allows developers to easily identify vulnerabilities in older versions of modules.
With the release of govulncheck v1.0.0 and the stable API, Go developers now have powerful tools at their disposal to enhance the security of their projects. By leveraging govulncheck and the Go vulnerability database, developers can proactively identify and address vulnerabilities in their dependencies.