Vulnerability Scanning in IDEs

Editors integrated with the Go language server, such as VS Code with the Go extension, can detect vulnerabilities in your dependencies.

There are two modes for detecting vulnerabilities in dependencies. Both are backed by the Go vulnerability database and complement each other.

  • Imports-based analysis: in this mode, editors scan the set of packages imported in the workspace and surface the findings as diagnostics in the go.mod files. This is fast, but may report false positives when your code imports a package that contains vulnerable symbols but the vulnerable functions are not reachable. Enable this mode with the "vulncheck": "Imports" gopls setting.
  • Govulncheck analysis: this mode is based on the govulncheck command-line tool, which is embedded in gopls. It provides a low-noise, reliable way to confirm whether your code actually invokes vulnerable functions. Because this analysis can be expensive to compute, it must be triggered manually, either with the “Run govulncheck to verify” code action attached to the diagnostics from the imports-based analysis, or with the "codelenses.run_govulncheck" code lens on go.mod files.

Go: Toggle Vulncheck (vulncheck.mp4)

These features are available in gopls v0.11.0 or newer. Please share your feedback at go.dev/s/vsc-vulncheck-feedback.
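
The difference between the two modes described above, as an added example that is not gopls or govulncheck code: a simplified model in which imports-based analysis matches on imported packages and call-based analysis requires the vulnerable symbol to be reachable in a call graph. The advisory IDs, package paths, call graph and all function names are constructed for illustration.

```go
package main

import "fmt"

type Advisory struct{ ID, Package, Symbol string } // simplified stand-in for a database entry

// Constructed sample workspace: both packages are imported, only Resize is called.
var sampleDB = []Advisory{
	{"EXAMPLE-0001", "example.com/yamlish", "Decode"},
	{"EXAMPLE-0002", "example.com/imgutil", "Resize"},
}
var sampleImports = map[string]bool{"example.com/yamlish": true, "example.com/imgutil": true}
var sampleCalls = map[string][]string{ // caller -> callees
	"main.main":                {"example.com/yamlish.Encode", "example.com/imgutil.Load"},
	"example.com/imgutil.Load": {"example.com/imgutil.Resize"},
}

// importsFindings flags every advisory whose package is imported at all.
func importsFindings(imported map[string]bool, db []Advisory) (ids []string) {
	for _, a := range db {
		if imported[a.Package] {
			ids = append(ids, a.ID)
		}
	}
	return ids
}

// calledFindings flags an advisory only if its symbol is reachable from entry.
func calledFindings(calls map[string][]string, entry string, db []Advisory) (ids []string) {
	seen := map[string]bool{entry: true}
	for queue := []string{entry}; len(queue) > 0; queue = queue[1:] {
		for _, callee := range calls[queue[0]] {
			if !seen[callee] {
				seen[callee] = true
				queue = append(queue, callee)
			}
		}
	}
	for _, a := range db {
		if seen[a.Package+"."+a.Symbol] {
			ids = append(ids, a.ID)
		}
	}
	return ids
}

func main() {
	fmt.Println("imports:", importsFindings(sampleImports, sampleDB), "calls:", calledFindings(sampleCalls, "main.main", sampleDB))
}
```

EXAMPLE-0001 appears only in the imports-based result: the package is imported, but its vulnerable function is never reached, which is the false-positive case the first mode can produce.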

Editor-specific Instructions

VS Code

The Go extension integrates with gopls. The following settings are required to enable the vulnerability scanning features:

"go.diagnostic.vulncheck": "Imports", // enable the imports-based analysis by default.
"gopls": {
  "ui.codelenses": {
    "run_govulncheck": true  // "Run govulncheck" code lens on go.mod file.
  }
}

The “Go: Toggle Vulncheck” command toggles the imports-based analysis on and off for the current workspace.

Vim/NeoVim

When using coc.nvim, the following setting enables the imports-based analysis.

{
    "codeLens.enable": true,
    "languageserver": {
        "go": {
            "command": "gopls",
            ...
            "initializationOptions": {
                "vulncheck": "Imports"
            }
        }
    }
}

Notes and Caveats

  • The extension does not scan private packages or send any information about private modules. All the analysis is done by pulling a list of known vulnerable modules from the Go vulnerability database and then computing the intersection locally.
  • The imports-based analysis uses the list of packages in the workspace modules, which may differ from what you see in the go.mod files if go.work or module replace/exclude directives are used.
  • The govulncheck analysis result can become stale as you modify code or as the Go vulnerability database is updated. To invalidate the analysis results manually, use the "Reset go.mod diagnostics" code lens shown at the top of the go.mod file. Otherwise, the result is automatically invalidated after an hour.
  • These features currently don't report vulnerabilities in the standard libraries or toolchains. We are still investigating the UX for where to surface the findings and how to help users handle the issues.