Back to <til> Today I learned

Go Vuln the Golang Vulnerability Database

What is govuln?

govuln is a new vulnerability database for looking your code for vulnerable packages and prevent supply chain attacks

How to install the govulncheck cli

govulncheck is the command line inferface for interacting with the database and checking your code against it, install it with the following command:

go install golang.org/x/vuln/cmd/[email protected]

Then run it in your project as follows:

govulncheck .

It will search in your dependencies for vulnerable packages. Here is an example of the output:

govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
No vulnerabilities found.

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-1095
  Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows.

  In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-1095

For more details check the official doc: https://go.dev/security/vuln/ and the talk given during the 2022 go day titled Writing your Applications Faster and More Securely with Go which also covers Fuzzy Testing but that is for another TIL

Back to <til> Today I learned