blob: c65e8ccd82ef73b650903ca726652b9a3e2e35a9 [file] [log] [blame]
// Copyright 2022 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
/*
Govulncheck reports known vulnerabilities that affect Go code. It uses static
analysis of source code or a binary's symbol table to narrow down reports to
only those that could affect the application.
By default, govulncheck makes requests to the Go vulnerability database at
https://vuln.go.dev. Requests to the vulnerability database contain only module
paths, not code or other properties of your program. See
https://vuln.go.dev/privacy.html for more. Set the GOVULNDB environment
variable to specify a different database, which must implement the
specification at https://go.dev/security/vuln/database.
Govulncheck looks for vulnerabilities in Go programs using a specific build
configuration. For analyzing source code, that configuration is the Go version
specified by the “go” command found on the PATH. For binaries, the build
configuration is the one used to build the binary. Note that different build
configurations may have different known vulnerabilities.
Govulncheck must be built with Go version 1.18 or later.
# Usage
To analyze source code, run govulncheck from the module directory, using the
same package path syntax that the go command uses:
$ cd my-module
$ govulncheck ./...
If no vulnerabilities are found, govulncheck will display a short message. If
there are vulnerabilities, each is displayed briefly, with a summary of a call
stack. The summary shows in brief how the package calls a vulnerable function.
For example, it might say
main.go:[line]:[column]: mypackage.main calls golang.org/x/text/language.Parse
For a more detailed call path that resembles Go panic stack traces, use the -v flag.
To control which files are processed, use the -tags flag to provide a
comma-separated list of build tags, and the -test flag to indicate that test
files should be included.
To run govulncheck on a compiled binary, pass it the path to the binary file:
$ govulncheck $HOME/go/bin/my-go-program
Govulncheck uses the binary's symbol information to find mentions of vulnerable
functions. Its output omits call stacks, which require source code analysis.
Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
and exits unsuccessfully if there are. It also exits successfully if -json flag
is provided, regardless of the number of detected vulnerabilities.
# Flags
A few flags control govulncheck's behavior.
The -v flag causes govulncheck to output more information about call stacks
when run on source. It has no effect when run on a binary.
The -json flag causes govulncheck to print its output as a JSON object
corresponding to the type [golang.org/x/vuln/vulncheck.Result]. The exit code
of govulncheck is 0 when this flag is provided.
The -tags flag accepts a comma-separated list of build tags to control which
files should be included in loaded packages for source analysis.
The -test flag causes govulncheck to include test files in the source analysis.
# Limitations
Govulncheck uses [golang.org/x/vuln/vulncheck], which has these limitations:
- Govulncheck analyzes function pointer and interface calls conservatively,
which may result in false positives or inaccurate call stacks in some cases.
- Calls to functions made using package reflect are not visible to static
analysis. Vulnerable code reachable only through those calls will not be
reported.
- Because Go binaries do not contain detailed call information, govulncheck
cannot show the call graphs for detected vulnerabilities. It may also
report false positives for code that is in the binary but unreachable.
- There is no support for silencing vulnerability findings.
- Govulncheck only reads binaries compiled with Go 1.18 and later.
- Govulncheck only reports vulnerabilities that apply to the current Go
version. For example, a standard library vulnerability that only applies for
Go 1.18 will not be reported if the current Go version is 1.19. See
https://go.dev/issue/54841 for updates to this limitation.
# Feedback
Govulncheck is an experimental tool under active development. To share
feedback, see https://go.dev/security/vuln#feedback.
*/
package main