This page describes the Go vulnerability management system.
The Go vulnerability management system consists of the following high-level pieces:
A data pipeline that populates the vulnerability database. Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team.
A vulnerability database that stores all information presented by govulncheck and can be consumed by other clients.
A client library (golang.org/x/vuln/client), which reads data from the Go vulnerability database. This is also used by pkg.go.dev to surface vulnerabilities.
A vulncheck API (golang.org/x/vuln/vulncheck), which is used to find vulnerabilities affecting Go packages and perform static analysis. This API is made available for clients that do not want to run the govulncheck binary, such as VS Code Go.
The govulncheck command (golang.org/x/vuln/cmd/govulncheck, a wrapper around the vulncheck library for use on the command line.
A web portal that presents information about vulnerabilities, hosted at pkg.go.dev/vuln.
The Go vulnerability database is rooted at https://vuln.go.dev and provides data as JSON. We recommend using client.Client to read data from the Go vulnerability database.
Do not rely on the contents of the x/vulndb repository. The YAML files in that repository are maintained using an internal format that is subject to change without warning.
The endpoints in the table below are supported. For each path:
$base is the path portion of a Go vulnerability database URL (https://vuln.go.dev).$module is a module path$vuln is a Go vulnerabilitiy ID (for example, GO-2021-1234)Note that these paths and format are provisional and likely to change until an approved proposal.