What is govuln?
govuln is a new vulnerability database for looking your code for vulnerable packages and prevent supply chain attacks
How to install the govulncheck cli
govulncheck is the command line inferface for interacting with the database and checking your code against it, install it with the following command:
go install golang.org/x/vuln/cmd/govulncheck@latest
Then run it in your project as follows:
govulncheck .
It will search in your dependencies for vulnerable packages. Here is an example of the output:
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.
=== Informational ===
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.
Vulnerability #1: GO-2022-1095
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.
In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
Found in: [email protected]
Fixed in: [email protected]
More info: https://pkg.go.dev/vuln/GO-2022-1095
For more details check the official doc: https://go.dev/security/vuln/ and the talk given during the 2022 go day titled Writing your Applications Faster and More Securely with Go which also covers Fuzzy Testing but that is for another TIL