Go Vuln, the Golang Vulnerability Database

What is govuln?

govuln is a new vulnerability database for scanning your code for vulnerable packages and preventing supply chain attacks.

How to install the govulncheck cli

govulncheck is the command line interface for interacting with the database and checking your code against it. Install it with the following command:

go install golang.org/x/vuln/cmd/govulncheck@latest

Then run it in your project as follows:

govulncheck .

It searches your dependencies for vulnerable packages. Here is an example of the output:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.

  In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095
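The GO-2022-1095 entry above is a good illustration of why an "informational" finding is still worth understanding: the bug lives in the standard library, but it only matters if your program passes untrusted strings into a child process environment. Below is an added example (my own code, not from this post or from the Go project) of the application-level guard a defender can keep in front of os/exec regardless of the Go version: it rejects any environment entry that contains a NUL byte or is not of the form KEY=VALUE. The names ValidateEnv and RunWithEnv are assumptions I introduced for the example, and the tainted sample entry "A=B\x00C=D" is the constructed value from the advisory text.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeEnv is returned when an environment entry must not be handed
// to a child process. (Name is an assumption for this example.)
var ErrUnsafeEnv = errors.New("unsafe environment entry")

// ValidateEnv checks every entry destined for exec.Cmd.Env.
// It rejects entries containing a NUL byte, which is the GO-2022-1095
// case where "A=B\x00C=D" would be seen by the child as the two separate
// variables A=B and C=D, and entries that are not KEY=VALUE.
// The index of the first offending entry is included for logging.
func ValidateEnv(env []string) error {
	for i, entry := range env {
		if strings.IndexByte(entry, 0) >= 0 {
			return fmt.Errorf("%w: entry %d contains a NUL byte", ErrUnsafeEnv, i)
		}
		key, _, ok := strings.Cut(entry, "=")
		if !ok || key == "" {
			return fmt.Errorf("%w: entry %d is not KEY=VALUE", ErrUnsafeEnv, i)
		}
	}
	return nil
}

// RunWithEnv wraps exec.Command and refuses to start the child when the
// environment fails validation, so a tainted value never reaches the OS.
func RunWithEnv(name string, env []string, args ...string) ([]byte, error) {
	if err := ValidateEnv(env); err != nil {
		return nil, err
	}
	cmd := exec.Command(name, args...)
	cmd.Env = env
	return cmd.CombinedOutput()
}

func main() {
	// Constructed sample input: one clean entry and one carrying the
	// NUL-separated payload described in the advisory.
	tainted := []string{"PATH=/usr/bin:/bin", "A=B\x00C=D"}
	if _, err := RunWithEnv("env", tainted); err != nil {
		fmt.Println("refused:", err)
	}

	clean := []string{"PATH=/usr/bin:/bin", "A=B", "C=D"}
	out, err := RunWithEnv("env", clean)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(string(out))
}
```

In practice you would call ValidateEnv wherever request data, config files or user input end up in cmd.Env; govulncheck tells you whether the vulnerable runtime path is reachable, while a check like this removes the precondition for the bug altogether.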

For more details, check the official docs at https://go.dev/security/vuln/ and the Go Day 2022 talk "Writing your Applications Faster and More Securely with Go", which also covers fuzz testing, but that is for another TIL.
